From 4b31578f6c1ff62572dc41eaff2cbb198b970236 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Tue, 24 Feb 2026 15:07:41 +0100
Subject: [PATCH] Config: oidc_configured?/0, oidc_only?/0, OIDC_ONLY ENV and settings fallback
---
 lib/mv/config.ex | 57 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 56 insertions(+), 1 deletion(-)
diff --git a/lib/mv/config.ex b/lib/mv/config.ex
index f70a07e..ec69b18 100644
--- a/lib/mv/config.ex
+++ b/lib/mv/config.ex
@@ -262,6 +262,20 @@ defmodule Mv.Config do
 end
 end
+ defp env_or_setting_bool(env_key, setting_key) do
+ case System.get_env(env_key) do
+ nil ->
+ get_from_settings_bool(setting_key)
+
+ value when is_binary(value) ->
+ v = String.trim(value) |> String.downcase()
+ v in ["true", "1", "yes"]
+
+ _ ->
+ false
+ end
+ end
+
 defp get_vereinfacht_from_settings(key) do
 get_from_settings(key)
 end
@@ -273,6 +287,19 @@ defmodule Mv.Config do
 end
 end
+ defp get_from_settings_bool(key) do
+ case Mv.Membership.get_settings() do
+ {:ok, settings} ->
+ case Map.get(settings, key) do
+ true -> true
+ _ -> false
+ end
+
+ {:error, _} ->
+ false
+ end
+ end
+
 defp trim_nil(nil), do: nil
 defp trim_nil(s) when is_binary(s) do
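Review bot: An OIDC_ONLY value outside true/1/yes, such as a typo like `ture` or an empty string passed through from a compose file, resolves to false in `env_or_setting_bool/2` without any log line, and it also overrides a `true` stored in settings. Because this flag is a hardening switch, that silent result leaves password login visible while the operator believes it is off. `System.get_env/1` returns only a binary or nil, so the `_ -> false` clause is unreachable. I would treat a blank value as unset, accept the documented false/0/no explicitly, and log a warning for anything else (this assumes Logger is already required in the module, which the hunk does not show).

```elixir
defp env_or_setting_bool(env_key, setting_key) do
  normalized =
    case System.get_env(env_key) do
      nil -> ""
      value -> value |> String.trim() |> String.downcase()
    end

  cond do
    # Unset or blank: defer to the stored setting.
    normalized == "" ->
      get_from_settings_bool(setting_key)

    normalized in ["true", "1", "yes"] ->
      true

    normalized in ["false", "0", "no"] ->
      false

    true ->
      # Unrecognised value: keep returning false, but make the typo visible.
      Logger.warning("#{env_key} has an unrecognised boolean value; treating it as false")
      false
  end
end
```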
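Review bot: The `{:error, _} -> false` branch in `get_from_settings_bool/1` turns a failed settings read into "flag off" with no trace, so any error from `Mv.Membership.get_settings()` brings the password form back even when `oidc_only` is stored as true. Returning false may be the right availability trade-off, but it should be recorded: `{:error, reason} ->` followed by `Logger.warning("settings read failed, #{key} treated as false: #{inspect(reason)}")` and `false` (assuming Logger is required in this module). A one-line comment that only a literal `true` counts would also explain why other `Map.get/2` results are rejected.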
@@ -366,7 +393,34 @@ defmodule Mv.Config do
 def oidc_env_configured? do
 oidc_client_id_env_set?() or oidc_base_url_env_set?() or oidc_redirect_uri_env_set?() or oidc_client_secret_env_set?() or
- oidc_admin_group_name_env_set?() or oidc_groups_claim_env_set?()
+ oidc_admin_group_name_env_set?() or oidc_groups_claim_env_set?() or
+ oidc_only_env_set?()
+ end
+
+ @doc """
+ Returns true when OIDC is configured and can be used for sign-in (client ID, base URL,
+ redirect URI, and client secret must be set). Used to show or hide the Single Sign-On button on the
+ sign-in page. Without client secret, the OIDC flow fails with MissingSecret; without redirect_uri,
+ the OIDC Plug crashes with URI.new(nil).
+ """
+ @spec oidc_configured?() :: boolean()
+ def oidc_configured? do
+ id = oidc_client_id()
+ base = oidc_base_url()
+ secret = oidc_client_secret()
+ redirect = oidc_redirect_uri()
+ present = &(is_binary(&1) and String.trim(&1) != "")
+ present.(id) and present.(base) and present.(secret) and present.(redirect)
+ end
+
+ @doc """
+ Returns true when only OIDC sign-in should be shown (password login hidden).
+ ENV OIDC_ONLY first (true/1/yes vs false/0/no), then Settings.oidc_only.
+ Only has effect when OIDC is configured; when false or OIDC not configured, both password and OIDC are shown as usual.
+ """
+ @spec oidc_only?() :: boolean()
+ def oidc_only? do
+ env_or_setting_bool("OIDC_ONLY", :oidc_only)
 end
 def oidc_client_id_env_set?, do: env_set?("OIDC_CLIENT_ID")
@@ -375,4 +429,5 @@ defmodule Mv.Config do
 def oidc_client_secret_env_set?, do: env_set?("OIDC_CLIENT_SECRET")
 def oidc_admin_group_name_env_set?, do: env_set?("OIDC_ADMIN_GROUP_NAME")
 def oidc_groups_claim_env_set?, do: env_set?("OIDC_GROUPS_CLAIM")
+ def oidc_only_env_set?, do: env_set?("OIDC_ONLY")
 end
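Review bot: `oidc_only?/0` returns the raw flag even though its @doc says it only has effect when OIDC is configured, so every caller has to remember to pair it with `oidc_configured?/0`; one that does not could hide password login on an instance with no working OIDC and leave no way to sign in. Folding the condition into the function keeps callers safe: `def oidc_only?, do: oidc_configured?() and env_or_setting_bool("OIDC_ONLY", :oidc_only)`. The @doc also describes the password login only as hidden, and nothing in this patch shows the password sign-in action being rejected server-side. If that is enforced elsewhere the @doc should say where; if it is not, hiding the form alone does not disable password authentication.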