add Config::DISABLE_LOGIN_FORM to allow limiting logins to SSO providers

classes/Config.php

@@ -189,6 +189,9 @@ class Config {
 	/** delay updates for this feed if received HTTP 429 (Too Many Requests) for this amount of seconds (base value, actual delay is base...base*2) */
 	const HTTP_429_THROTTLE_INTERVAL = "HTTP_429_THROTTLE_INTERVAL";
 
+	/** disables login form controls except HOOK_LOGINFORM_ADDITIONAL_BUTTONS (for SSO providers), also prevents logging in through auth_internal */
+	const DISABLE_LOGIN_FORM = "DISABLE_LOGIN_FORM";
+
 	/** default values for all global configuration options */
 	private const _DEFAULTS = [
 		Config::DB_TYPE => [ "pgsql", 									Config::T_STRING ],
@@ -245,7 +248,8 @@ class Config {
 		Config::AUTH_MIN_INTERVAL => [ 5,								Config::T_INT ],
 		Config::HTTP_USER_AGENT => [ 'Tiny Tiny RSS/%s (https://tt-rss.org/)',
 																					Config::T_STRING ],
-		Config::HTTP_429_THROTTLE_INTERVAL => [ 3600,				Config::T_INT ]
+		Config::HTTP_429_THROTTLE_INTERVAL => [ 3600,				Config::T_INT ],
+		Config::DISABLE_LOGIN_FORM => [ "",								Config::T_BOOL ]
 	];
 
 	private static ?Config $instance = null;

classes/Handler_Public.php

@@ -431,6 +431,13 @@ class Handler_Public extends Handler {
 	}
 
 	function forgotpass(): void {
+		if (Config::get(Config::DISABLE_LOGIN_FORM) || !str_contains(Config::get(Config::PLUGINS), "auth_internal")) {
+			header($_SERVER["SERVER_PROTOCOL"]." 403 Forbidden");
+			echo "Forbidden.";
+
+			return;
+		}
+
 		startup_gettext();
 		session_start();
 

include/login_form.php

@@ -124,6 +124,7 @@
 					onchange="UtilityApp.fetchProfiles()"
 					onfocus="UtilityApp.fetchProfiles()"
 					onblur="UtilityApp.fetchProfiles()"
+					<?= Config::get(Config::DISABLE_LOGIN_FORM) ? 'disabled="disabled"' : '' ?>
 					required="1" value="<?= $_SESSION["fake_login"] ?? "" ?>" />
 			</fieldset>
 
@@ -136,14 +137,16 @@
 					onchange="UtilityApp.fetchProfiles()"
 					onfocus="UtilityApp.fetchProfiles()"
 					onblur="UtilityApp.fetchProfiles()"
+					<?= Config::get(Config::DISABLE_LOGIN_FORM) ? 'disabled="disabled"' : '' ?>
 					value="<?= $_SESSION["fake_password"] ?? "" ?>"/>
 			</fieldset>
-			<?php if (str_contains(Config::get(Config::PLUGINS), "auth_internal")) { ?>
+			<?php if (!Config::get(Config::DISABLE_LOGIN_FORM) && str_contains(Config::get(Config::PLUGINS), "auth_internal")) { ?>
 				<fieldset class="align-right">
 					<a href="public.php?op=forgotpass"><?= __("I forgot my password") ?></a>
 				</fieldset>
 			<?php } ?>
 
+			<?php if (!Config::get(Config::DISABLE_LOGIN_FORM)) { ?>
 				<fieldset>
 					<label><?= __("Profile:") ?></label>
 
@@ -177,8 +180,8 @@
 				<div dojoType="dijit.Tooltip" connectId="safe_mode_label" position="below" style="display:none">
 					<?= __("Uses default theme and prevents all plugins from loading."); ?>
 				</div>
-			<?php if (Config::get(Config::SESSION_COOKIE_LIFETIME) > 0) { ?>
 
+				<?php if (Config::get(Config::SESSION_COOKIE_LIFETIME) > 0) { ?>
 					<fieldset class="narrow">
 						<label> </label>
 						<label>
@@ -186,14 +189,16 @@
 							<?= __("Remember me") ?>
 						</label>
 					</fieldset>
-
+				<?php } ?>
 			<?php } ?>
 
 			<hr/>
 
 			<fieldset class="align-right">
 				<label> </label>
+				<?php if (!Config::get(Config::DISABLE_LOGIN_FORM)) { ?>
 				<?= \Controls\submit_tag(__('Log in')) ?>
+				<?php } ?>
 				<?php PluginHost::getInstance()->run_hooks(PluginHost::HOOK_LOGINFORM_ADDITIONAL_BUTTONS) ?>
 			</fieldset>
 

plugins/auth_internal/init.php

@@ -15,6 +15,9 @@ class Auth_Internal extends Auth_Base implements IAuthModule2 {
 	/** @param string $service */
 	function authenticate($login, $password, $service = '') {
 
+		if (Config::get(Config::DISABLE_LOGIN_FORM))
+			return false;
+
 		$otp = (int) ($_REQUEST["otp"] ?? 0);
 
 		// don't bother with null/null logins for auth_external etc