Disable password auth setting

API/Controllers/AccountController.cs

@@ -52,6 +52,7 @@ public class AccountController : BaseApiController
     private readonly IEmailService _emailService;
     private readonly IEventHub _eventHub;
     private readonly ILocalizationService _localizationService;
+    private readonly IOidcService _oidcService;
 
     /// <inheritdoc />
     public AccountController(UserManager<AppUser> userManager,
@@ -60,7 +61,8 @@ public class AccountController : BaseApiController
         ILogger<AccountController> logger,
         IMapper mapper, IAccountService accountService,
         IEmailService emailService, IEventHub eventHub,
-        ILocalizationService localizationService)
+        ILocalizationService localizationService,
+        IOidcService oidcService)
     {
         _userManager = userManager;
         _signInManager = signInManager;
@@ -72,6 +74,7 @@ public class AccountController : BaseApiController
         _emailService = emailService;
         _eventHub = eventHub;
         _localizationService = localizationService;
+        _oidcService = oidcService;
     }
 
     [HttpGet]
@@ -80,6 +83,9 @@ public class AccountController : BaseApiController
         var user = await _unitOfWork.UserRepository.GetUserByIdAsync(User.GetUserId(), AppUserIncludes.UserPreferences);
         if (user == null) throw new UnauthorizedAccessException();
 
+        var oidcSettings = (await _unitOfWork.SettingsRepository.GetSettingsDtoAsync()).OidcConfig;
+        await _oidcService.SyncUserSettings(oidcSettings, User, user);
+
         var roles = await _userManager.GetRolesAsync(user);
         if (!roles.Contains(PolicyConstants.LoginRole)) return Unauthorized(await _localizationService.Translate(user.Id, "disabled-account"));
 
@@ -236,6 +242,11 @@ public class AccountController : BaseApiController
         var roles = await _userManager.GetRolesAsync(user);
         if (!roles.Contains(PolicyConstants.LoginRole)) return Unauthorized(await _localizationService.Translate(user.Id, "disabled-account"));
 
+        var oidcConfig = (await _unitOfWork.SettingsRepository.GetSettingsDtoAsync()).OidcConfig;
+        // Setting only takes effect if OIDC is funcitonal, and if we're not logging in via ApiKey
+        var disablePasswordAuthentication = oidcConfig is {Enabled: true, DisablePasswordAuthentication: true} && string.IsNullOrEmpty(loginDto.ApiKey);
+        if (disablePasswordAuthentication && !roles.Contains(PolicyConstants.AdminRole)) return Unauthorized(await _localizationService.Translate(user.Id, "password-authentication-disabled"));
+
         if (string.IsNullOrEmpty(loginDto.ApiKey))
         {
             var result = await _signInManager

API/DTOs/Settings/OidcConfigDto.cs

@@ -1,32 +1,27 @@
 #nullable enable
+using API.Entities.Enums;
+
 namespace API.DTOs.Settings;
 
 public class OidcConfigDto
 {
-    /// <summary>
+    /// <inheritdoc cref="ServerSettingKey.OidcAuthority"/>
-    /// Base url for authority, must have /.well-known/openid-configuration
-    /// </summary>
     public string? Authority { get; set; }
+    /// <inheritdoc cref="ServerSettingKey.OidcClientId"/>
+    public string? ClientId { get; set; }
+    /// <inheritdoc cref="ServerSettingKey.OidcProvisionAccounts"/>
+    public bool ProvisionAccounts { get; set; }
+    /// <inheritdoc cref="ServerSettingKey.OidcRequireVerifiedEmail"/>
+    public bool RequireVerifiedEmail { get; set; }
+    /// <inheritdoc cref="ServerSettingKey.OidcProvisionUserSettings"/>
+    public bool ProvisionUserSettings { get; set; }
+    /// <inheritdoc cref="ServerSettingKey.OidcAutoLogin"/>
+    public bool AutoLogin { get; set; }
+    /// <inheritdoc cref="ServerSettingKey.DisablePasswordAuthentication"/>
+    public bool DisablePasswordAuthentication { get; set; }
 
     /// <summary>
-    /// ClientId configured in your OpenID Connect provider
+    /// Returns true if the <see cref="Authority"/> has been set
     /// </summary>
-    public string? ClientId { get; set; }
+    public bool Enabled => Authority != "";
-    /// <summary>
-    /// Create a new account when someone logs in with an unmatched account, if <see cref="RequireVerifiedEmail"/> is true,
-    /// will account will be verified by default
-    /// </summary>
-    public bool ProvisionAccounts { get; set; }
-    /// <summary>
-    /// Require emails from OpenIDConnect to be verified before use
-    /// </summary>
-    public bool RequireVerifiedEmail { get; set; }
-    /// <summary>
-    /// Overwrite Kavita roles, libraries and age rating with OpenIDConnect provides roles on log in.
-    /// </summary>
-    public bool ProvisionUserSettings { get; set; }
-    /// <summary>
-    /// Try logging in automatically when opening the app
-    /// </summary>
-    public bool AutoLogin { get; set; }
 }

API/DTOs/Settings/OidcPublicConfigDto.cs

@@ -9,4 +9,6 @@ public sealed record OidcPublicConfigDto
     public string? ClientId { get; set; }
     /// <inheritdoc cref="OidcConfigDto.AutoLogin"/>
     public bool AutoLogin { get; set; }
+    /// <inheritdoc cref="OidcConfigDto.DisablePasswordAuthentication"/>
+    public bool DisablePasswordAuthentication { get; set; }
 }

API/Data/Seed.cs

@@ -258,6 +258,7 @@ public static class Seed
             new() { Key = ServerSettingKey.OidcProvisionAccounts, Value = "false"},
             new() { Key = ServerSettingKey.OidcRequireVerifiedEmail, Value = "true"},
             new() { Key = ServerSettingKey.OidcProvisionUserSettings, Value = "false"},
+            new() { Key = ServerSettingKey.DisablePasswordAuthentication, Value = "false"},
 
             new() {Key = ServerSettingKey.EmailHost, Value = string.Empty},
             new() {Key = ServerSettingKey.EmailPort, Value = string.Empty},

API/Entities/Enums/ServerSettingKey.cs

@@ -227,4 +227,9 @@ public enum ServerSettingKey
     /// </summary>
     [Description("OpenIDConnectSyncUserSettings")]
     OidcProvisionUserSettings = 45,
+    /// <summary>
+    /// Disables password authentication for non-admin users
+    /// </summary>
+    [Description("DisablePasswordAuthentication")]
+    DisablePasswordAuthentication = 46,
 }

API/Helpers/Converters/ServerSettingConverter.cs

@@ -153,6 +153,10 @@ public class ServerSettingConverter : ITypeConverter<IEnumerable<ServerSetting>,
                     destination.OidcConfig ??= new OidcConfigDto();
                     destination.OidcConfig.ProvisionUserSettings = bool.Parse(row.Value);
                     break;
+                case ServerSettingKey.DisablePasswordAuthentication:
+                    destination.OidcConfig ??= new OidcConfigDto();
+                    destination.OidcConfig.DisablePasswordAuthentication = bool.Parse(row.Value);
+                    break;
                 case ServerSettingKey.LicenseKey:
                 case ServerSettingKey.EnableAuthentication:
                 case ServerSettingKey.EmailServiceUrl:

API/I18N/en.json

@@ -2,6 +2,7 @@
     "confirm-email": "You must confirm your email first",
     "locked-out": "You've been locked out from too many authorization attempts. Please wait 10 minutes.",
     "disabled-account": "Your account is disabled. Contact the server admin.",
+    "password-authentication-disabled": "Password authentication has been disabled, login via OpenID Connect",
     "register-user": "Something went wrong when registering user",
     "validate-email": "There was an issue validating your email: {0}",
     "confirm-token-gen": "There was an issue generating a confirmation token",

API/Services/OidcService.cs

@@ -28,6 +28,13 @@ public interface IOidcService
     /// <exception cref="KavitaException">if any requirements aren't met</exception>
     Task<AppUser?> LoginOrCreate(ClaimsPrincipal principal);
     /// <summary>
+    /// Updates roles, library access and age rating. Does not assign admin role, or to admin roles
+    /// </summary>
+    /// <param name="settings"></param>
+    /// <param name="claimsPrincipal"></param>
+    /// <param name="user"></param>
+    Task SyncUserSettings(OidcConfigDto settings, ClaimsPrincipal claimsPrincipal, AppUser user);
+    /// <summary>
     /// Remove <see cref="AppUser.ExternalId"/> from all users
     /// </summary>
     /// <returns></returns>
@@ -51,7 +58,6 @@ public class OidcService(ILogger<OidcService> logger, UserManager<AppUser> userM
         var user = await unitOfWork.UserRepository.GetByExternalId(externalId, AppUserIncludes.UserPreferences);
         if (user != null)
         {
-            // await SyncUserSettings(settings, principal, user);
             return user;
         }
 
@@ -135,14 +141,7 @@ public class OidcService(ILogger<OidcService> logger, UserManager<AppUser> userM
         return user;
     }
 
-    /// <summary>
+    public async Task SyncUserSettings(OidcConfigDto settings, ClaimsPrincipal claimsPrincipal, AppUser user)
-    /// Updates roles, library access and age rating. Does not assign admin role, or to admin roles
-    /// </summary>
-    /// <param name="settings"></param>
-    /// <param name="claimsPrincipal"></param>
-    /// <param name="user"></param>
-    /// <remarks>Extra feature, little buggy for now</remarks>
-    private async Task SyncUserSettings(OidcConfigDto settings, ClaimsPrincipal claimsPrincipal, AppUser user)
     {
         if (!settings.ProvisionUserSettings) return;
 
@@ -196,7 +195,7 @@ public class OidcService(ILogger<OidcService> logger, UserManager<AppUser> userM
             .ToList();
         if (ageRatings.Count == 0) return;
 
-        var highestAgeRating = AgeRating.NotApplicable;
+        var highestAgeRating = AgeRating.Unknown;
 
         foreach (var ar in ageRatings)
         {

API/Services/SettingsService.cs

@@ -366,8 +366,10 @@ public class SettingsService : ISettingsService
         var url = authority + "/.well-known/openid-configuration";
         try
         {
-            await url.GetJsonAsync<OpenIdConnectConfiguration>();
+            //await url.GetJsonAsync<OpenIdConnectConfiguration>();
-            return true;
+            //return true;
+            var res = await url.GetAsync();
+            return res.StatusCode == 200;
         }
         catch (Exception e)
         {
@@ -455,6 +457,13 @@ public class SettingsService : ISettingsService
             _unitOfWork.SettingsRepository.Update(setting);
         }
 
+        if (setting.Key == ServerSettingKey.DisablePasswordAuthentication &&
+            updateSettingsDto.OidcConfig.DisablePasswordAuthentication + string.Empty != setting.Value)
+        {
+            setting.Value = updateSettingsDto.OidcConfig.DisablePasswordAuthentication + string.Empty;
+            _unitOfWork.SettingsRepository.Update(setting);
+        }
+
     }
 
     private void UpdateEmailSettings(ServerSetting setting, ServerSettingDto updateSettingsDto)

UI/Web/src/app/_services/account.service.ts

@@ -13,7 +13,7 @@ import {UserUpdateEvent} from '../_models/events/user-update-event';
 import {AgeRating} from '../_models/metadata/age-rating';
 import {AgeRestriction} from '../_models/metadata/age-restriction';
 import {TextResonse} from '../_types/text-response';
-import {takeUntilDestroyed} from "@angular/core/rxjs-interop";
+import {takeUntilDestroyed, toSignal} from "@angular/core/rxjs-interop";
 import {Action} from "./action-factory.service";
 import {LicenseService} from "./license.service";
 import {LocalizationService} from "./localization.service";
@@ -63,6 +63,8 @@ export class AccountService {
     return this.hasAdminRole(u);
   }), shareReplay({bufferSize: 1, refCount: true}));
 
+  public currentUserSignal = toSignal(this.currentUserSource);
+
 
 
   /**

UI/Web/src/app/_services/oidc.service.ts

@@ -91,7 +91,9 @@ export class OidcService {
   }
 
   logout() {
-    this.oauth2.logOut();
+    if (this.token) {
+      this.oauth2.logOut();
+    }
   }
 
   config() {

UI/Web/src/app/admin/_models/oidc-config.ts

@@ -6,10 +6,12 @@ export interface OidcConfig {
   requireVerifiedEmail: boolean;
   provisionUserSettings: boolean;
   autoLogin: boolean;
+  disablePasswordAuthentication: boolean;
 }
 
 export interface OidcPublicConfig {
   authority: string;
   clientId: string;
   autoLogin: boolean;
+  disablePasswordAuthentication: boolean;
 }

UI/Web/src/app/admin/manage-open-idconnect/manage-open-idconnect.component.html

@@ -112,6 +112,18 @@
         }
       </div>
 
+      <div class="row g-0 mt-4 mb-4">
+        @if(settingsForm.get('disablePasswordAuthentication'); as formControl) {
+          <app-setting-switch [title]="t('disablePasswordAuthentication')" [subtitle]="t('disablePasswordAuthentication-tooltip')">
+            <ng-template #switch>
+              <div class="form-check form-switch float-end">
+                <input id="disablePasswordAuthentication" type="checkbox" class="form-check-input" formControlName="disablePasswordAuthentication">
+              </div>
+            </ng-template>
+          </app-setting-switch>
+        }
+      </div>
+
     </ng-container>
 
   </form>

UI/Web/src/app/admin/manage-open-idconnect/manage-open-idconnect.component.ts

@@ -51,6 +51,7 @@ export class ManageOpenIDConnectComponent implements OnInit {
         this.settingsForm.addControl('requireVerifiedEmail', new FormControl(this.oidcSettings.requireVerifiedEmail, []));
         this.settingsForm.addControl('provisionUserSettings', new FormControl(this.oidcSettings.provisionUserSettings, []));
         this.settingsForm.addControl('autoLogin', new FormControl(this.oidcSettings.autoLogin, []));
+        this.settingsForm.addControl('disablePasswordAuthentication', new FormControl(this.oidcSettings.disablePasswordAuthentication, []));
         this.cdRef.markForCheck();
       }
     })

UI/Web/src/app/app.component.ts

@@ -103,7 +103,8 @@ export class AppComponent implements OnInit {
     // Login automatically when a token is available
     effect(() => {
       const ready = this.oidcService.ready();
-      if (!ready || !this.oidcService.token) return;
+      const user = this.accountService.currentUserSignal();
+      if (!ready || !this.oidcService.token || user) return;
 
       this.accountService.loginByToken(this.oidcService.token).subscribe({
         next: () => {

UI/Web/src/app/registration/user-login/user-login.component.html

@@ -1,37 +1,58 @@
-<ng-container *transloco="let t; read: 'login'">
+<ng-container *transloco="let t; prefix: 'login'">
   <app-splash-container>
     <ng-container title><h2>{{t('title')}}</h2></ng-container>
     <ng-container body>
-      <ng-container *ngIf="isLoaded()">
-        <form [formGroup]="loginForm" (ngSubmit)="login()" novalidate class="needs-validation" *ngIf="!firstTimeFlow()">
-          <div class="card-text">
-            <div class="mb-3">
-              <label for="username" class="form-label visually-hidden">{{t('username')}}</label>
-              <input class="form-control custom-input" formControlName="username" id="username" autocomplete="username"
-                     type="text" autofocus [placeholder]="t('username')">
-            </div>
 
-            <div class="mb-2">
+      @if (isLoaded()) {
-              <label for="password" class="form-label visually-hidden">{{t('password')}}</label>
+        @if (showPasswordLogin() && !firstTimeFlow()) {
-              <input class="form-control custom-input" formControlName="password" name="password" autocomplete="current-password"
+          <form [formGroup]="loginForm" (ngSubmit)="login()" novalidate class="needs-validation">
-                     id="password" type="password" [placeholder]="t('password')">
+            <div class="card-text">
-            </div>
+              <div class="mb-3">
+                <label for="username" class="form-label visually-hidden">{{t('username')}}</label>
+                <input class="form-control custom-input" formControlName="username" id="username" autocomplete="username"
+                       type="text" autofocus [placeholder]="t('username')">
+              </div>
 
-            <div class="mb-3 forgot-password">
+              <div class="mb-2">
-              <a routerLink="/registration/reset-password">{{t('forgot-password')}}</a>
+                <label for="password" class="form-label visually-hidden">{{t('password')}}</label>
-            </div>
+                <input class="form-control custom-input" formControlName="password" name="password" autocomplete="current-password"
+                       id="password" type="password" [placeholder]="t('password')">
+              </div>
 
-            <div class="sign-in">
+              <div class="mb-3 forgot-password">
-              <button class="btn btn-outline-primary" type="submit" [disabled]="isSubmitting()">{{t('submit')}}</button>
+                <a routerLink="/registration/reset-password">{{t('forgot-password')}}</a>
-            </div>
+              </div>
-          </div>
-        </form>
 
-        @if (oidcService.ready()) {
+              <div class="sign-in">
-          <button [ngbTooltip]="t('oidc-tooltip')" class="btn btn-outline-primary mt-2" (click)="oidcService.login()">{{t('oidc')}}</button>
+                <button class="btn btn-outline-primary" type="submit" [disabled]="isSubmitting()">{{t('submit')}}</button>
+              </div>
+            </div>
+          </form>
         }
 
-      </ng-container>
+        @if (oidcService.ready()) {
+          <button
+            class="btn btn-outline-primary mt-2 d-flex align-items-center gap-2"
+            (click)="oidcService.login()">
+            <img
+              ngSrc="assets/icons/open-id-connect-logo.svg"
+              alt="OIDC"
+              width="36"
+              height="36"
+              class="d-inline-block"
+              style="object-fit: contain;"
+            />
+            {{t('oidc')}}
+          </button>
+        }
+
+        @if (!showPasswordLogin()) {
+          <div class="text-muted mt-2">
+            {{t('bypass')}}
+            <span class="text-muted clickable" (click)="forceShowPasswordLogin.set(true)">{{t('here')}}</span>
+          </div>
+        }
+      }
     </ng-container>
   </app-splash-container>
 </ng-container>

UI/Web/src/app/registration/user-login/user-login.component.scss

@@ -45,4 +45,8 @@ a {
     .btn {
         font-family: var(--login-input-font-family);
     }
-}
+}
+
+.text-muted {
+  font-size: 0.8rem;
+}

UI/Web/src/app/registration/user-login/user-login.component.ts

@@ -1,27 +1,24 @@
 import {
-  AfterViewInit,
   ChangeDetectionStrategy,
   ChangeDetectorRef,
   Component, computed,
-  DestroyRef, effect, inject,
+  effect, inject,
   OnInit,
   signal
 } from '@angular/core';
 import { FormGroup, FormControl, Validators, ReactiveFormsModule } from '@angular/forms';
 import {ActivatedRoute, Router, RouterLink} from '@angular/router';
-import {NgbModal, NgbTooltip} from '@ng-bootstrap/ng-bootstrap';
+import {NgbTooltip} from '@ng-bootstrap/ng-bootstrap';
 import { ToastrService } from 'ngx-toastr';
 import { take } from 'rxjs/operators';
 import { AccountService } from '../../_services/account.service';
 import { MemberService } from '../../_services/member.service';
 import { NavService } from '../../_services/nav.service';
-import { NgIf } from '@angular/common';
+import {NgOptimizedImage} from '@angular/common';
 import { SplashContainerComponent } from '../_components/splash-container/splash-container.component';
-import {TRANSLOCO_SCOPE, TranslocoDirective} from "@jsverse/transloco";
+import {TranslocoDirective} from "@jsverse/transloco";
 import {environment} from "../../../environments/environment";
 import {OidcService} from "../../_services/oidc.service";
-import {forkJoin} from "rxjs";
-import {takeUntilDestroyed, toSignal} from "@angular/core/rxjs-interop";
 
 
 @Component({
@@ -29,7 +26,7 @@ import {takeUntilDestroyed, toSignal} from "@angular/core/rxjs-interop";
     templateUrl: './user-login.component.html',
     styleUrls: ['./user-login.component.scss'],
     changeDetection: ChangeDetectionStrategy.OnPush,
-  imports: [SplashContainerComponent, NgIf, ReactiveFormsModule, RouterLink, TranslocoDirective, NgbTooltip]
+  imports: [SplashContainerComponent, ReactiveFormsModule, RouterLink, TranslocoDirective, NgbTooltip, NgOptimizedImage]
 })
 export class UserLoginComponent implements OnInit {
 
@@ -61,7 +58,23 @@ export class UserLoginComponent implements OnInit {
   /**
    * undefined until query params are read
    */
-  skipAutoLogin = signal<boolean | undefined>(undefined)
+  skipAutoLogin = signal<boolean | undefined>(undefined);
+
+  /**
+   * Display the login form, regardless if the password authentication is disabled (admins can still log in)
+   */
+  forceShowPasswordLogin = signal(false);
+  /**
+   * Display the login form
+   */
+  showPasswordLogin = computed(() => {
+    const loaded = this.isLoaded();
+    const config = this.oidcService.settings();
+    const force = this.forceShowPasswordLogin();
+    if (force) return true;
+
+    return loaded && config && !config.disablePasswordAuthentication;
+  });
 
   constructor() {
     this.navService.hideNavBar();

UI/Web/src/assets/icons/open-id-connect-logo.svg

@@ -0,0 +1 @@
+<?xml version="1.0"?><!DOCTYPE svg  PUBLIC '-//W3C//DTD SVG 1.1//EN'  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'><svg height="512px" style="enable-background:new 0 0 512 512;" version="1.1" viewBox="0 0 512 512" width="512px" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g id="_x32_39-openid"><g><path d="M234.849,419v6.623c-79.268-9.958-139.334-53.393-139.334-105.757    c0-39.313,33.873-73.595,84.485-92.511L178.023,180C88.892,202.497,26.001,256.607,26.001,319.866    c0,76.288,90.871,139.128,208.95,149.705l0.018-0.009V419H234.849z" style="fill:#B2B2B2;"/><polygon points="304.772,436.713 304.67,436.713 304.67,221.667 304.67,213.667 304.67,42.429     234.849,78.25 234.849,221.667 234.969,221.667 234.969,469.563   " style="fill:#F7931E;"/><path d="M485.999,291.938l-9.446-100.114l-35.938,20.331C415.087,196.649,382.5,177.5,340,177.261    l0.002,36.406v7.498c3.502,0.968,6.923,2.024,10.301,3.125c14.145,4.611,27.176,10.352,38.666,17.128l-37.786,21.254    L485.999,291.938z" style="fill:#B2B2B2;"/></g></g><g id="Layer_1"/></svg>

UI/Web/src/assets/langs/en.json

@@ -7,7 +7,8 @@
         "forgot-password": "Forgot Password?",
         "submit": "Sign in",
         "oidc": "Log in with OpenID Connect",
-        "oidc-tooltip": "This will connect you to an external site"
+        "bypass": "Password login has been disabled. Bypass ",
+        "here": "here"
     },
 
     "oidc": {
@@ -34,7 +35,9 @@
             "provisionUserSettings": "Provision user settings",
             "provisionUserSettings-tooltip": "Synchronise Kavita user settings (roles, libraries, age rating) with those provided by the OIDC. See documentation for more information",
             "autoLogin": "Auto login",
-            "autoLogin-tooltip": "Auto redirect to OpenID Connect provider when opening the login screen"
+            "autoLogin-tooltip": "Auto redirect to OpenID Connect provider when opening the login screen",
+            "disablePasswordAuthentication": "Disable password authentication",
+            "disablePasswordAuthentication-tooltip": "Users with the admin role can bypass this restriction"
         }
     },