From c1c2a0448c582f8081e27d0677239ad7561b2b3f Mon Sep 17 00:00:00 2001
From: Tommie Gannert
Date: Mon, 23 May 2022 11:37:27 +0200
Subject: [PATCH] Disable m.login.token if there are no enabled login methods to use it.

---
 clientapi/auth/login.go | 8 ++++++++
 clientapi/auth/login_test.go | 10 ++++++++++
 clientapi/routing/login.go | 21 ++++++++++++++++++---
 setup/config/config_clientapi.go | 6 ++++++
 4 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/clientapi/auth/login.go b/clientapi/auth/login.go
index 5f51c662a..7cd8bb454 100644
--- a/clientapi/auth/login.go
+++ b/clientapi/auth/login.go
@@ -62,6 +62,14 @@ func LoginFromJSONReader(ctx context.Context, r io.Reader, useraccountAPI uapi.U
 Config: cfg,
 }
 case authtypes.LoginTypeToken:
+ if !cfg.Login.LoginTokenEnabled() {
+ err := util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: jsonerror.InvalidArgumentValue("disabled login type: " + header.Type),
+ }
+ return nil, nil, &err
+ }
+
 typ = &LoginTypeToken{
 UserAPI: userAPI,
 Config: cfg,
diff --git a/clientapi/auth/login_test.go b/clientapi/auth/login_test.go
index 5085f0170..cb57e9552 100644
--- a/clientapi/auth/login_test.go
+++ b/clientapi/auth/login_test.go
@@ -68,6 +68,11 @@ func TestLoginFromJSONReader(t *testing.T) {
 Matrix: &config.Global{
 ServerName: serverName,
 },
+ Login: config.Login{
+ SSO: config.SSO{
+ Enabled: true,
+ },
+ },
 }
 login, cleanup, err := LoginFromJSONReader(ctx, strings.NewReader(tst.Body), &userAPI, &userAPI, cfg)
 if err != nil {
@@ -146,6 +151,11 @@ func TestBadLoginFromJSONReader(t *testing.T) {
 Matrix: &config.Global{
 ServerName: serverName,
 },
+ Login: config.Login{
+ SSO: config.SSO{
+ Enabled: true,
+ },
+ },
 }
 _, cleanup, errRes := LoginFromJSONReader(ctx, strings.NewReader(tst.Body), &userAPI, &userAPI, cfg)
 if errRes == nil {
diff --git a/clientapi/routing/login.go b/clientapi/routing/login.go
index 97b397928..ad4aca29c 100644
--- a/clientapi/routing/login.go
+++ b/clientapi/routing/login.go
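Review bot: The rejection value built in the new `case authtypes.LoginTypeToken` guard is named `err` although it is a `util.JSONResponse`, not an `error`; it reads as a shadowed error variable and is inconsistent with the `errRes` naming the tests use for the same return value, so `res := util.JSONResponse{...}` followed by `return nil, nil, &res` would be clearer. The early return is the right place for the gate: it refuses m.login.token before any token lookup happens, and it keys off the same `LoginTokenEnabled()` predicate that GET /login uses to advertise the flow, so enforcement and advertisement cannot drift apart. If the switch's `default` branch, which lies outside this hunk, reports unknown login types with a different error code, consider aligning the two so a disabled type and an unsupported type fail the same way for clients. LoginFromJSONReader starts and ends outside this hunk.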
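Review bot: No test covers the new rejection path where `LoginTokenEnabled()` is false; both hunks in login_test.go (`TestLoginFromJSONReader` and `TestBadLoginFromJSONReader`) only switch SSO on so the existing m.login.token cases keep passing. A negative case in `TestBadLoginFromJSONReader` with a `config.ClientAPI` whose `Login.SSO.Enabled` is left false and an m.login.token body, asserting a non-nil `errRes` with `Code: http.StatusBadRequest`, would pin the gate this commit introduces. Both test functions start and end outside their hunks.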
@@ -59,6 +59,10 @@ func passwordLogin() []stage {
 }
 
 func ssoLogin(cfg *config.ClientAPI) []stage {
+ if !cfg.Login.SSO.Enabled {
+ return nil
+ }
+
 var idps []identityProvider
 for _, idp := range cfg.Login.SSO.Providers {
 brand := idp.Brand
@@ -87,6 +91,18 @@ func ssoLogin(cfg *config.ClientAPI) []stage {
 }
 }
 
+func tokenLogin(cfg *config.ClientAPI) []stage {
+ if !cfg.Login.LoginTokenEnabled() {
+ return nil
+ }
+
+ return []stage{
+ {
+ Type: authtypes.LoginTypeToken,
+ },
+ }
+}
+
 // Login implements GET and POST /login
 func Login(
 req *http.Request, userAPI userapi.ClientUserAPI,
@@ -94,9 +110,8 @@ func Login(
 ) util.JSONResponse {
 if req.Method == http.MethodGet {
 allFlows := passwordLogin()
- if cfg.Login.SSO.Enabled {
- allFlows = append(allFlows, ssoLogin(cfg)...)
- }
+ allFlows = append(allFlows, ssoLogin(cfg)...)
+ allFlows = append(allFlows, tokenLogin(cfg)...)
 return util.JSONResponse{
 Code: http.StatusOK,
 JSON: flows{Flows: allFlows},
diff --git a/setup/config/config_clientapi.go b/setup/config/config_clientapi.go
index 3781a8264..4f529dd8e 100644
--- a/setup/config/config_clientapi.go
+++ b/setup/config/config_clientapi.go
@@ -103,6 +103,12 @@ type Login struct {
 SSO SSO `yaml:"sso"`
 }
 
+// LoginTokenEnabled returns whether any login type uses
+// authtypes.LoginTypeToken.
+func (l *Login) LoginTokenEnabled() bool {
+ return l.SSO.Enabled
+}
+
 func (l *Login) Verify(configErrs *ConfigErrors) {
 l.SSO.Verify(configErrs)
 }
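Review bot: The new `tokenLogin` function carries no comment explaining why the m.login.token flow is advertised only behind `LoginTokenEnabled()`, even though the server-side gate in `LoginFromJSONReader` depends on exactly the same predicate and the two must stay in sync for the advertised flows to match what POST /login accepts. A header such as `// tokenLogin returns the m.login.token flow only when a login method that can issue login tokens is enabled; LoginFromJSONReader rejects the type under the same condition.` would make that coupling visible to the next person who adds a flow. Returning `nil` from `tokenLogin` and `ssoLogin` is safe for the `append` in `Login`, since appending an empty slice is a no-op. The `Login` handler begins in this hunk and continues past it.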
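Review bot: `LoginTokenEnabled` reduces to `l.SSO.Enabled`, so m.login.token is advertised and accepted whenever SSO is switched on, even when no provider is configured; `ssoLogin` in the same commit yields no SSO flow for an empty `cfg.Login.SSO.Providers`, so a GET /login response could then list a token flow that no enabled method can feed. Whether `SSO.Verify` rejects an enabled SSO block without providers is not visible here; if it does not, `return l.SSO.Enabled && len(l.SSO.Providers) > 0` would keep the token gate consistent with the flows actually offered. The doc comment could also say which login type currently issues these tokens, e.g. `// Today only SSO issues login tokens, so the answer follows SSO.Enabled.`, so a future token-issuing method is added here rather than duplicated at call sites.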