From 8d5f7797cb371703f4075c0b2aabbb95f7a92618 Mon Sep 17 00:00:00 2001
From: Jordan Dalby <jordan.dalby1@outlook.com>
Date: Mon, 25 Nov 2024 12:07:37 +0000
Subject: [PATCH] Optionally disable standard login

---
 README.md                                   |   2 +
 client/src/components/auth/LoginPage.tsx    | 124 +++++++-------
 client/src/components/auth/RegisterPage.tsx | 170 +++++++++++---------
 client/src/types/user.ts                    |   1 +
 docker-compose.yaml                         |   2 +
 server/src/middleware/auth.js               |   2 +
 server/src/routes/authRoutes.js             |  15 +-
 7 files changed, 180 insertions(+), 136 deletions(-)

diff --git a/README.md b/README.md
index b4996fb..711b933 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,8 @@ services:
       TOKEN_EXPIRY: 24h
       ALLOW_NEW_ACCOUNTS: "true"
       DEBUG: "true"
+      DISABLE_ACCOUNTS: "false"
+      DISABLE_INTERNAL_ACCOUNTS: "false"
 
       # See https://github.com/jordan-dalby/ByteStash/wiki/Single-Sign%E2%80%90on-Setup for more info
       OIDC_ENABLED: "false"
diff --git a/client/src/components/auth/LoginPage.tsx b/client/src/components/auth/LoginPage.tsx
index 35cf317..7c85fdb 100644
--- a/client/src/components/auth/LoginPage.tsx
+++ b/client/src/components/auth/LoginPage.tsx
@@ -66,6 +66,8 @@ export const LoginPage: React.FC = () => {
     window.location.href = `${window.__BASE_PATH__}/api/auth/oidc/auth`;
   };
 
+  const showInternalRegistration = !authConfig?.disableInternalAccounts;
+
   return (
     <PageContainer className="flex items-center justify-center min-h-screen">
       <div className="max-w-md w-full space-y-8">
@@ -75,7 +77,7 @@ export const LoginPage: React.FC = () => {
           </h2>
           <p className="mt-2 text-center text-sm text-gray-400">
             Please sign in to continue
-            {authConfig?.allowNewAccounts ? (
+            {authConfig?.allowNewAccounts && showInternalRegistration ? (
               <>
                 , create an{' '}
                 <Link to="/register" className="text-blue-400 hover:text-blue-300">
@@ -101,72 +103,76 @@ export const LoginPage: React.FC = () => {
             >
               Sign in with {oidcConfig.displayName}
             </button>
-            <div className="relative my-6">
-              <div className="absolute inset-0 flex items-center">
-                <div className="w-full border-t border-gray-700"></div>
-              </div>
-              <div className="relative flex justify-center">
-              <span className="px-2 bg-gray-900 text-gray-500 text-sm">
-                  Or continue with password
-                </span>
+            {showInternalRegistration && (
+              <div className="relative my-6">
+                <div className="absolute inset-0 flex items-center">
+                  <div className="w-full border-t border-gray-700"></div>
+                </div>
+                <div className="relative flex justify-center">
+                  <span className="px-2 bg-gray-900 text-gray-500 text-sm">
+                    Or continue with password
+                  </span>
+                </div>
               </div>
-            </div>
+            )}
           </>
         )}
 
-        <form className="mt-8 space-y-6" onSubmit={handleSubmit}>
-          <div className="rounded-md shadow-sm -space-y-px">
-            <div>
-              <input
-                type="text"
-                required
-                className="appearance-none rounded-none relative block w-full px-3 py-2 border 
-                  border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-t-md 
-                  focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
-                placeholder="Username"
-                value={username}
-                onChange={(e) => setUsername(e.target.value)}
-                disabled={isLoading}
-              />
+        {showInternalRegistration && (
+          <form className="mt-8 space-y-6" onSubmit={handleSubmit}>
+            <div className="rounded-md shadow-sm -space-y-px">
+              <div>
+                <input
+                  type="text"
+                  required
+                  className="appearance-none rounded-none relative block w-full px-3 py-2 border 
+                    border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-t-md 
+                    focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
+                  placeholder="Username"
+                  value={username}
+                  onChange={(e) => setUsername(e.target.value)}
+                  disabled={isLoading}
+                />
+              </div>
+              <div>
+                <input
+                  type="password"
+                  required
+                  className="appearance-none rounded-none relative block w-full px-3 py-2 border 
+                    border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-b-md 
+                    focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
+                  placeholder="Password"
+                  value={password}
+                  onChange={(e) => setPassword(e.target.value)}
+                  disabled={isLoading}
+                />
+              </div>
             </div>
+
             <div>
-              <input
-                type="password"
-                required
-                className="appearance-none rounded-none relative block w-full px-3 py-2 border 
-                  border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-b-md 
-                  focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
-                placeholder="Password"
-                value={password}
-                onChange={(e) => setPassword(e.target.value)}
+              <button
+                type="submit"
+                className="group relative w-full flex justify-center py-2 px-4 border border-transparent 
+                  text-sm font-medium rounded-md text-white bg-blue-600 hover:bg-blue-700 
+                  focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 
+                  disabled:opacity-50 disabled:cursor-not-allowed"
                 disabled={isLoading}
-              />
+              >
+                {isLoading ? (
+                  <span className="flex items-center">
+                    <svg className="animate-spin -ml-1 mr-3 h-5 w-5 text-white" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
+                      <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
+                      <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+                    </svg>
+                    Signing in...
+                  </span>
+                ) : (
+                  'Sign in'
+                )}
+              </button>
             </div>
-          </div>
-
-          <div>
-            <button
-              type="submit"
-              className="group relative w-full flex justify-center py-2 px-4 border border-transparent 
-                text-sm font-medium rounded-md text-white bg-blue-600 hover:bg-blue-700 
-                focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 
-                disabled:opacity-50 disabled:cursor-not-allowed"
-              disabled={isLoading}
-            >
-              {isLoading ? (
-                <span className="flex items-center">
-                  <svg className="animate-spin -ml-1 mr-3 h-5 w-5 text-white" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-                    <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
-                    <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
-                  </svg>
-                  Signing in...
-                </span>
-              ) : (
-                'Sign in'
-              )}
-            </button>
-          </div>
-        </form>
+          </form>
+        )}
       </div>
     </PageContainer>
   );
diff --git a/client/src/components/auth/RegisterPage.tsx b/client/src/components/auth/RegisterPage.tsx
index 5878360..24f16ae 100644
--- a/client/src/components/auth/RegisterPage.tsx
+++ b/client/src/components/auth/RegisterPage.tsx
@@ -91,6 +91,8 @@ export const RegisterPage: React.FC = () => {
     window.location.href = `${window.__BASE_PATH__}/api/auth/oidc/auth`;
   };
 
+  const showInternalRegistration = !authConfig?.disableInternalAccounts;
+
   return (
     <PageContainer className="flex items-center justify-center min-h-screen">
       <div className="max-w-md w-full space-y-6">
@@ -137,91 +139,111 @@ export const RegisterPage: React.FC = () => {
             >
               Sign in with {oidcConfig.displayName}
             </button>
-            <div className="relative my-6">
-              <div className="absolute inset-0 flex items-center">
-                <div className="w-full border-t border-gray-700"></div>
-              </div>
-              <div className="relative flex justify-center">
-              <span className="px-2 bg-gray-900 text-gray-500 text-sm">
-                  Or continue with password
-                </span>
+            {showInternalRegistration && (
+              <div className="relative my-6">
+                <div className="absolute inset-0 flex items-center">
+                  <div className="w-full border-t border-gray-700"></div>
+                </div>
+                <div className="relative flex justify-center">
+                  <span className="px-2 bg-gray-900 text-gray-500 text-sm">
+                    Or continue with password
+                  </span>
+                </div>
               </div>
-            </div>
+            )}
           </>
         )}
 
-        <form className="mt-8 space-y-6" onSubmit={handleSubmit}>
-          <div className="rounded-md shadow-sm -space-y-px">
-            <div>
-              <label htmlFor="username" className="sr-only">Username</label>
-              <input
-                id="username"
-                type="text"
-                required
-                className="appearance-none rounded-none relative block w-full px-3 py-2 border 
-                  border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-t-md 
-                  focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
-                placeholder="Username"
-                value={username}
-                onChange={(e) => setUsername(e.target.value)}
-                disabled={isLoading}
-              />
-            </div>
-            <div>
-              <label htmlFor="password" className="sr-only">Password</label>
-              <input
-                id="password"
-                type="password"
-                required
-                className="appearance-none rounded-none relative block w-full px-3 py-2 border 
-                  border-gray-700 placeholder-gray-500 text-white bg-gray-800
-                  focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
-                placeholder="Password"
-                value={password}
-                onChange={(e) => setPassword(e.target.value)}
-                disabled={isLoading}
-              />
+        {showInternalRegistration && (
+          <form className="mt-8 space-y-6" onSubmit={handleSubmit}>
+            <div className="rounded-md shadow-sm -space-y-px">
+              <div>
+                <label htmlFor="username" className="sr-only">Username</label>
+                <input
+                  id="username"
+                  type="text"
+                  required
+                  className="appearance-none rounded-none relative block w-full px-3 py-2 border 
+                    border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-t-md 
+                    focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
+                  placeholder="Username"
+                  value={username}
+                  onChange={(e) => setUsername(e.target.value)}
+                  disabled={isLoading}
+                />
+              </div>
+              <div>
+                <label htmlFor="password" className="sr-only">Password</label>
+                <input
+                  id="password"
+                  type="password"
+                  required
+                  className="appearance-none rounded-none relative block w-full px-3 py-2 border 
+                    border-gray-700 placeholder-gray-500 text-white bg-gray-800
+                    focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
+                  placeholder="Password"
+                  value={password}
+                  onChange={(e) => setPassword(e.target.value)}
+                  disabled={isLoading}
+                />
+              </div>
+              <div>
+                <label htmlFor="confirm-password" className="sr-only">Confirm Password</label>
+                <input
+                  id="confirm-password"
+                  type="password"
+                  required
+                  className="appearance-none rounded-none relative block w-full px-3 py-2 border 
+                    border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-b-md
+                    focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
+                  placeholder="Confirm Password"
+                  value={confirmPassword}
+                  onChange={(e) => setConfirmPassword(e.target.value)}
+                  disabled={isLoading}
+                />
+              </div>
             </div>
+
             <div>
-              <label htmlFor="confirm-password" className="sr-only">Confirm Password</label>
-              <input
-                id="confirm-password"
-                type="password"
-                required
-                className="appearance-none rounded-none relative block w-full px-3 py-2 border 
-                  border-gray-700 placeholder-gray-500 text-white bg-gray-800 rounded-b-md
-                  focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm"
-                placeholder="Confirm Password"
-                value={confirmPassword}
-                onChange={(e) => setConfirmPassword(e.target.value)}
+              <button
+                type="submit"
+                className="group relative w-full flex justify-center py-2 px-4 border border-transparent 
+                  text-sm font-medium rounded-md text-white bg-blue-600 hover:bg-blue-700 
+                  focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 
+                  disabled:opacity-50 disabled:cursor-not-allowed"
                 disabled={isLoading}
-              />
+              >
+                {isLoading ? (
+                  <span className="flex items-center">
+                    <svg className="animate-spin -ml-1 mr-3 h-5 w-5 text-white" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
+                      <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
+                      <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+                    </svg>
+                    Creating Account...
+                  </span>
+                ) : (
+                  'Create Account'
+                )}
+              </button>
             </div>
-          </div>
+          </form>
+        )}
 
-          <div>
-            <button
-              type="submit"
-              className="group relative w-full flex justify-center py-2 px-4 border border-transparent 
-                text-sm font-medium rounded-md text-white bg-blue-600 hover:bg-blue-700 
-                focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 
-                disabled:opacity-50 disabled:cursor-not-allowed"
-              disabled={isLoading}
+        {!showInternalRegistration && !oidcConfig?.enabled && (
+          <div className="text-center">
+            <h2 className="text-xl font-bold text-red-400 mb-4">Registration Not Available</h2>
+            <p className="text-gray-400 mb-4">
+              Internal account registration is disabled and no SSO providers are configured.
+              Please contact your administrator.
+            </p>
+            <Link 
+              to={ROUTES.PUBLIC_SNIPPETS}
+              className="text-blue-400 hover:text-blue-300"
             >
-              {isLoading ? (
-                <span className="flex items-center">
-                  <svg className="animate-spin -ml-1 mr-3 h-5 w-5 text-white" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-                    <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
-                    <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
-                  </svg>
-                  Creating Account...
-                </span>
-              ) : (
-                'Create Account'
-              )}
-            </button>
+              Browse public snippets
+            </Link>
           </div>
-        </form>
+        )}
       </div>
     </PageContainer>
   );
diff --git a/client/src/types/user.ts b/client/src/types/user.ts
index efc4903..cdfdaf2 100644
--- a/client/src/types/user.ts
+++ b/client/src/types/user.ts
@@ -15,4 +15,5 @@ export interface AuthConfig {
   allowNewAccounts: boolean;
   hasUsers: boolean;
   disableAccounts: boolean;
+  disableInternalAccounts: boolean;
 }
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index ef1c3ca..d734617 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -19,6 +19,8 @@ services:
       - DEBUG=false
       # Should we use accounts at all? When enabled, it will be like starting a fresh account so export your snippets, no login required
       - DISABLE_ACCOUNTS=false
+      # Should internal accounts be disabled?
+      - DISABLE_INTERNAL_ACCOUNTS=false
 
       # Optional: Enable OIDC for Single Sign On
       - OIDC_ENABLED=true
diff --git a/server/src/middleware/auth.js b/server/src/middleware/auth.js
index f160e28..01dd323 100644
--- a/server/src/middleware/auth.js
+++ b/server/src/middleware/auth.js
@@ -20,6 +20,7 @@ const JWT_SECRET = getJwtSecret();
 const ALLOW_NEW_ACCOUNTS = process.env.ALLOW_NEW_ACCOUNTS === 'true';
 const TOKEN_EXPIRY = process.env.TOKEN_EXPIRY || '24h';
 const DISABLE_ACCOUNTS = process.env.DISABLE_ACCOUNTS === 'true';
+const DISABLE_INTERNAL_ACCOUNTS = process.env.DISABLE_INTERNAL_ACCOUNTS === 'true';
 
 function generateAnonymousUsername() {
   return `anon-${crypto.randomBytes(8).toString('hex')}`;
@@ -74,5 +75,6 @@ export {
   TOKEN_EXPIRY, 
   ALLOW_NEW_ACCOUNTS, 
   DISABLE_ACCOUNTS,
+  DISABLE_INTERNAL_ACCOUNTS,
   getOrCreateAnonymousUser 
 };
\ No newline at end of file
diff --git a/server/src/routes/authRoutes.js b/server/src/routes/authRoutes.js
index ef037dc..21998c7 100644
--- a/server/src/routes/authRoutes.js
+++ b/server/src/routes/authRoutes.js
@@ -1,6 +1,6 @@
 import express from 'express';
 import jwt from 'jsonwebtoken';
-import { JWT_SECRET, TOKEN_EXPIRY, ALLOW_NEW_ACCOUNTS, DISABLE_ACCOUNTS, getOrCreateAnonymousUser } from '../middleware/auth.js';
+import { JWT_SECRET, TOKEN_EXPIRY, ALLOW_NEW_ACCOUNTS, DISABLE_ACCOUNTS, DISABLE_INTERNAL_ACCOUNTS, getOrCreateAnonymousUser } from '../middleware/auth.js';
 import userService from '../services/userService.js';
 import { getDb } from '../config/database.js';
 import { up_v1_5_0_snippets } from '../config/migrations/20241117-migration.js';
@@ -16,9 +16,10 @@ router.get('/config', async (req, res) => {
     
     res.json({ 
       authRequired: true,
-      allowNewAccounts: (!hasUsers || ALLOW_NEW_ACCOUNTS) && !DISABLE_ACCOUNTS,
+      allowNewAccounts: !hasUsers || (ALLOW_NEW_ACCOUNTS && !DISABLE_ACCOUNTS),
       hasUsers,
-      disableAccounts: DISABLE_ACCOUNTS
+      disableAccounts: DISABLE_ACCOUNTS,
+      disableInternalAccounts: DISABLE_INTERNAL_ACCOUNTS
     });
   } catch (error) {
     Logger.error('Error getting auth config:', error);
@@ -28,6 +29,10 @@ router.get('/config', async (req, res) => {
 
 router.post('/register', async (req, res) => {
   try {
+    if (DISABLE_INTERNAL_ACCOUNTS) {
+      return res.status(403).json({ error: 'Internal account registration is disabled' });
+    }
+
     const db = getDb();
     const userCount = db.prepare('SELECT COUNT(*) as count FROM users').get().count;
     const hasUsers = userCount > 0;
@@ -66,6 +71,10 @@ router.post('/register', async (req, res) => {
 
 router.post('/login', async (req, res) => {
   try {
+    if (DISABLE_INTERNAL_ACCOUNTS) {
+      return res.status(403).json({ error: 'Internal accounts are disabled' });
+    }
+
     const { username, password } = req.body;
     const user = await userService.validateUser(username, password);