Closed eKristensen closed 2 years ago
This hides the login form, but the login mechanism itself still works, or at least with oauth generic. If i put in the form manually (e.g. via Inspect and edit HTML in Firefox) and send username and password it is still possible to log in like before.
I would have expected that single service not only visually removed the form, but also made sure that login with username and password would not work at all.
I've tried to determine how to change this, but I've not yet been able to follow the whole login flow in dokuwiki...
I think there should be a hook on https://www.dokuwiki.org/devel:event:auth_login_check that call $event->preventDefault()
if singleService is set.
Or maybe it would be enough to run preventDefault()
on https://www.dokuwiki.org/devel:event:action_act_preprocess that is handled by https://github.com/cosmocode/dokuwiki-plugin-oauth/blob/9b704d2cc66fbd237cffa33310db87517c15ad78/action/login.php#L148
Though I did try both the hooks I mentioned with the prevent default function and it did not have any effect... hmm...
As mentioned on the oauth page:
This plugin sits on top of the usual authplain authentication mechanism. Password based logins will continue to work.
I didn't see that. Though it also says
This plugin sits on top of the usual authplain authentication mechanism. Password based logins will continue to work and users can still register directly at your wiki, unless you configure it otherwise.
In any case. Is there any way to disable authplain ?
Currently not. You can open another issue.
When I enable plugin»oauth»singleService I expect the normal login form to be gone and oauth login enforced with normal username-password login no longer active, but it is not.
This is the result when I use https://github.com/cosmocode/dokuwiki-plugin-oauthgeneric
Another unexpected behavior is that this login form still works. It redirects to oauth, but if you ignore this and go back it logs in if the username and password is correct.
If I add some code to this function: https://github.com/cosmocode/dokuwiki-plugin-oauth/blob/9b704d2cc66fbd237cffa33310db87517c15ad78/action/login.php#L79
The login form itself can be removed with e.g.
$form->_content = array();
before$html
.However I do not think this actually disables the login mechanism, and I think an upstream fix would be better. Besides this would include changes to a deprecated function....