add Config::DISABLE_LOGIN_FORM to allow limiting logins to SSO providers

2025-03-14 11:32:46 +03:00
parent 1fc4eed6cd
commit d373c1f978
4 changed files with 67 additions and 48 deletions
--- a/classes/Config.php
+++ b/classes/Config.php
@@ -189,6 +189,9 @@ class Config {
 	/** delay updates for this feed if received HTTP 429 (Too Many Requests) for this amount of seconds (base value, actual delay is base...base*2) */
 	const HTTP_429_THROTTLE_INTERVAL = "HTTP_429_THROTTLE_INTERVAL";

+	/** disables login form controls except HOOK_LOGINFORM_ADDITIONAL_BUTTONS (for SSO providers), also prevents logging in through auth_internal */
+	const DISABLE_LOGIN_FORM = "DISABLE_LOGIN_FORM";
+
 	/** default values for all global configuration options */
 	private const _DEFAULTS = [
 		Config::DB_TYPE => [ "pgsql", 									Config::T_STRING ],
@@ -245,7 +248,8 @@ class Config {
 		Config::AUTH_MIN_INTERVAL => [ 5,								Config::T_INT ],
 		Config::HTTP_USER_AGENT => [ 'Tiny Tiny RSS/%s (https://tt-rss.org/)',
 																					Config::T_STRING ],
-		Config::HTTP_429_THROTTLE_INTERVAL => [ 3600,				Config::T_INT ]
+		Config::HTTP_429_THROTTLE_INTERVAL => [ 3600,				Config::T_INT ],
+		Config::DISABLE_LOGIN_FORM => [ "",								Config::T_BOOL ]
 	];

 	private static ?Config $instance = null;
--- a/classes/Handler_Public.php
+++ b/classes/Handler_Public.php
@@ -431,6 +431,13 @@ class Handler_Public extends Handler {
 	}

 	function forgotpass(): void {
+		if (Config::get(Config::DISABLE_LOGIN_FORM) || !str_contains(Config::get(Config::PLUGINS), "auth_internal")) {
+			header($_SERVER["SERVER_PROTOCOL"]." 403 Forbidden");
+			echo "Forbidden.";
+
+			return;
+		}
+
 		startup_gettext();
 		session_start();