feat: improve oidc only mode

2026-03-16 17:14:54 +01:00 · 2026-03-16 17:14:54 +01:00 · 9b4f3b140c
commit 9b4f3b140c
parent a8d9fe6121
19 changed files with 330 additions and 43 deletions
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@ -362,6 +362,12 @@ defmodule Mv.Accounts.User do
  # Authorization Policies
  # Order matters: Most specific policies first, then general permission check
  policies do
+    # When OIDC-only is active, password sign-in is forbidden (SSO only).
+    policy action(:sign_in_with_password) do
+      forbid_if Mv.Authorization.Checks.OidcOnlyActive
+      authorize_if always()
+    end
+
    # AshAuthentication bypass (registration/login without actor)
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      description "Allow AshAuthentication internal operations (registration, login)"
@ -409,6 +415,10 @@ defmodule Mv.Accounts.User do
    validate {Mv.Accounts.User.Validations.RegistrationEnabled, []},
      where: [action_is(:register_with_password)]

+    # Block password registration when OIDC-only mode is active
+    validate {Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration, []},
+      where: [action_is(:register_with_password)]
+
    # Email uniqueness check for all actions that change the email attribute
    # Validates that user email is not already used by another (unlinked) member
    validate Mv.Accounts.User.Validations.EmailNotUsedByOtherMember
--- a/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex
+++ b/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex
@ -0,0 +1,27 @@
+defmodule Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration do
+  @moduledoc """
+  Validation that blocks direct registration (register_with_password) when
+  OIDC-only mode is active. In OIDC-only mode, sign-in and registration are
+  only allowed via OIDC (SSO).
+  """
+  use Ash.Resource.Validation
+
+  @impl true
+  def init(opts), do: {:ok, opts}
+
+  @impl true
+  def validate(_changeset, _opts, _context) do
+    if Mv.Config.oidc_only?() do
+      {:error,
+       field: :base,
+       message:
+         Gettext.dgettext(
+           MvWeb.Gettext,
+           "default",
+           "Registration with password is disabled when only OIDC sign-in is active."
+         )}
+    else
+      :ok
+    end
+  end
+end