datamweb / shield-oauth

OAuth for CodeIgniter Shield
https://www.shield-oauth.codeigniter4.ir/
MIT License

Bug: Does not respect Shield !registration config #181

Open evansharp opened 1 day ago

evansharp commented 1 day ago

PHP Version

8.3.2

CodeIgniter4 Version

latest

Shield Version

latest

Shield OAuth Version?

dev-develop

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

11.5.2-MariaDB-ubu2204

Did you add customize OAuth?

No.

What happened?

Setting public bool $allowRegistration = false; in \App\Config\Auth does not prevent users from creating new accounts via an oauth login.

Steps to Reproduce

  1. Toggle registration in Shield
  2. Log in via Google oauth with a Google account previously unregistered in the app.
  3. New account is created and user is redirected according to config.

Expected Output

Redirect back to login view with error message about no new registrations being allowed.

Anything else?

I was surprised to discover no easy hooks in oauth for modifying behaviour before and after certain actions. If there were some I would probably have patched this bug myself.

Seems like implementing a few hooks into the oauth flow would be extremely useful for customization and extension. For example, I would like to filter new user registrations by Google domain OU. A hook when the response is received from Google but before the new user is created would give me the opportunity to do this smoothly.

datamweb commented 1 day ago

In Shield OAuth, there is a separate configuration file that allows you to enable or disable user registration. This setup gives you better control and management over enabling or disabling registration for various drivers (Google, GitHub, Yahoo, ...).

https://github.com/datamweb/shield-oauth/blob/700760dccde62114117e4ead0d259afcb3192092/src/Config/ShieldOAuthConfig.php#L42-L47

> Seems like implementing a few hooks into the oauth flow would be extremely useful for customization and extension. For example, I would like to filter new user registrations by Google domain OU. A hook when the response is received from Google but before the new user is created would give me the opportunity to do this smoothly.

If you think the explanation above doesn't fully address your question, there might have been a misunderstanding on my part. Please feel free to provide more details, or, if possible, consider submitting a PR. This would give me a clearer view of the context and help in addressing your needs more effectively.
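
An added example, not part of the thread and not shield-oauth's own code: a fail-closed check that an OAuth callback could run before creating a new local account, honoring both registration switches discussed above. The function name, parameter names and profile shape are hypothetical, and it filters on Google's hosted-domain (`hd`) claim rather than an OU.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: may this OAuth callback create a NEW local account?
 *
 * @param bool         $shieldAllowsRegistration value of $allowRegistration in \App\Config\Auth
 * @param bool         $driverAllowsRegistration per-driver registration switch from the OAuth config
 * @param array        $profile                  claims returned by the provider (assumed shape)
 * @param list<string> $allowedDomains           empty list means no domain restriction
 * @return array{0: bool, 1: string}             [allowed, reason]
 */
function oauthRegistrationDecision(
    bool $shieldAllowsRegistration,
    bool $driverAllowsRegistration,
    array $profile,
    array $allowedDomains = []
): array {
    // Fail closed: either switch being off blocks account creation.
    if (! $shieldAllowsRegistration) {
        return [false, 'registration disabled in Shield config'];
    }
    if (! $driverAllowsRegistration) {
        return [false, 'registration disabled for this OAuth driver'];
    }
    // Never provision from an address the provider has not verified.
    if (($profile['email_verified'] ?? false) !== true) {
        return [false, 'provider did not verify the email address'];
    }
    if ($allowedDomains === []) {
        return [true, 'ok'];
    }
    // Trust the provider's hosted-domain claim, not the text after "@" in the email.
    $hd      = strtolower((string) ($profile['hd'] ?? ''));
    $allowed = array_map('strtolower', $allowedDomains);
    if ($hd === '' || ! in_array($hd, $allowed, true)) {
        return [false, 'account is outside the allowed domains'];
    }
    return [true, 'ok'];
}

// Constructed sample profiles (not real accounts).
$personal = ['email' => 'someone@gmail.com', 'email_verified' => true];
$staff    = ['email' => 'a.user@example.org', 'email_verified' => true, 'hd' => 'example.org'];

var_dump(oauthRegistrationDecision(false, true, $staff));                    // case: Shield switch off
var_dump(oauthRegistrationDecision(true, true, $personal, ['example.org'])); // case: no hd claim
var_dump(oauthRegistrationDecision(true, true, $staff, ['example.org']));    // case: managed domain
```

The check applies only to first-time sign-ins; an existing linked account would go through the normal login path.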