cosmocode / dokuwiki-plugin-oauth

Generic oAuth1 and oAuth2 plugin for DokuWiki
http://www.dokuwiki.org/plugin:oauth

Feature request: Option to prevent authplain in singleService mode #118

Closed eKristensen closed 1 year ago

eKristensen commented 2 years ago

Feature request:

Option to prevent authplain in singleService mode

Motivation: Enforce oauth login even for creative visitors/bots/etc in order to prevent exposure of the simple username and password login mechanism.

I've deployed for two reasons: Single Sign On (SSO) so users only have a single password and login entry point and also to improve security by making the SSO portal the only place usernames and passwords can be entered.

Currently the singleService option only hides the HTML form, but the login mechanism itself still works.

If I figure out how to do this, I will try to put up a Pull request :)

Thanks for your work with this plugin. It is really helpful.

xxorax commented 1 year ago

I believe there is still a way to log in using the ?u=user&p=pass way, which is described in the syndication/RSS doc (and probably at other places?). I'm on an older version of the plugin, but I'm able to bypass the Oauth way using these params. A user always has a password set, even for Oauth-created users (random in this case).
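
One way to check whether password logins still reach a wiki that is meant to be OAuth-only, as an added example that is not part of the original thread or the plugin's code: it scans web-server access-log text for requests carrying both the `u` and `p` query parameters mentioned above and reports them without echoing the password. The combined log format, the function name and the sample lines are assumptions constructed for illustration; credentials sent in a POST body never appear in access logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /feed.php?u=alice&p=s3cret HTTP/1.1" 200 5120 "-" "FeedReader/1.0"
203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "GET /doku.php?id=start HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:02:11 +0000] "GET /doku.php?id=wiki:syntax&u=bob&p=hunter2 HTTP/1.1" 200 9000 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:02:30 +0000] "GET /doku.php?id=start&p=2 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
malformed line without a request field
"""

# client, identd, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_password_logins(log_text):
    """Return one finding per request that carries both u= and p= in its URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        # Require both parameters: "p" alone is common (pagination etc.).
        if "u" in params and "p" in params:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": url.path,
                "user": params["u"][0],
                "status": m["status"],
                # The password value is deliberately left out of the report.
            })
    return findings

if __name__ == "__main__":
    for f in find_password_logins(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} user={f['user']} status={f['status']}")
```

Any hit also means the password is already stored in the access log itself, so the affected accounts need a password change and the log needs restricted access.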