Introduce an environment variable to control user creation in OIDC authentication, closes #47

2026-05-23 17:19:37 +02:00 · 2025-06-24 00:51:45 +02:00
parent 58215da752
commit ad0b52dfda
4 changed files with 12 additions and 8 deletions
--- a/services/web/app/src/infrastructure/Features.mjs
+++ b/services/web/app/src/infrastructure/Features.mjs
@@ -53,7 +53,7 @@ const Features = {
      case 'registration-page':
        return (
          !Features.externalAuthenticationSystemUsed() ||
-          Boolean(Settings.overleaf)
+          Boolean(Settings.overleaf) || Settings.oidc?.disableJITAccountCreation
        )
      case 'registration':
        return Boolean(Settings.overleaf)
--- a/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationController.mjs
+++ b/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationController.mjs
@@ -42,7 +42,8 @@ const OIDCAuthenticationController = {
          }
        } else {
          if (info.redir != null) {
-            return res.json({ redir: info.redir })
+            await UserController.doLogout(req)
+            return res.redirect(info.redir)
          } else {
            res.status(info.status || 401)
            delete info.status
@@ -95,20 +96,19 @@ const OIDCAuthenticationController = {
        info: {
          type: 'error',
          text: error.message,
-          status: 401,
+          status: 500,
        },
      }
    }
    if (user) {
      return { user, info: undefined }
-    } else { // we cannot be here, something is terribly wrong
-      logger.debug({ email : profile.emails[0].value }, 'failed OIDC log in')
+    } else { // user account is not created
+      logger.debug({ email : profile.emails[0].value }, 'OIDC users JIT account creation is off')
      return {
        user: false,
        info: {
-          type: 'error',
-          text: 'Unknown error',
-          status: 500,
+          redir: '/register',
+          status: 401,
        },
      }
    }
--- a/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationManager.mjs
+++ b/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationManager.mjs
@@ -37,6 +37,9 @@ const OIDCAuthenticationManager = {
 // (Is it safe? Concider: If an account from the specified provider is already linked to this user, throw an error)
      user = await User.findOne({ 'email': email }).exec()
      if (!user) {
+        if (Settings.oidc.disableJITAccountCreation) {
+          return null
+        }
        user = await UserCreator.promises.createNewUser(
          {
            email: email,
--- a/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs
+++ b/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs
@@ -17,6 +17,7 @@ const OIDCModuleManager = {
      attAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD,
      valAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD_VALUE,
      updateUserDetailsOnLogin: boolFromEnv(process.env.OVERLEAF_OIDC_UPDATE_USER_DETAILS_ON_LOGIN),
+      disableJITAccountCreation: boolFromEnv(process.env.OVERLEAF_OIDC_DISABLE_JIT_ACCOUNT_CREATION),
    }
  },
  passportSetup(passport, callback) {