From cb5f281720a2a189fd57cf9defb09dfbbedf70c9 Mon Sep 17 00:00:00 2001 From: Lyle Keeton Date: Thu, 16 Oct 2025 10:31:48 -0500 Subject: [PATCH 1/4] allow ACCOUNT_LINKING=auto to work without ENABLE_AUTO_REGISTRATION. --- routers/web/auth/oauth.go | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index f1c155e78f..888250cccc 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -206,6 +206,42 @@ func SignInOAuthCallback(ctx *context.Context) { ctx.ServerError("SyncGroupsToTeams", err) return } + } else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto { + // allow ACCOUNT_LINKING=auto to work without ENABLE_AUTO_REGISTRATION. + var user *user_model.User + user = &user_model.User{Email: gothUser.Email} + hasUser, err := user_model.GetUser(ctx, user) + if err != nil { + ctx.ServerError("UserLinkAccount", err) + return + } + + if hasUser { + if err := externalaccount.LinkAccountToUser(ctx, user, &gothUser); err != nil { + ctx.ServerError("LinkAccountToUser", err) + return + } + + userHasTwoFactorAuth, err := auth.HasTwoFactorOrWebAuthn(ctx, user.ID) + if err != nil { + ctx.ServerError("HasTwoFactorOrWebAuthn", err) + return + } + if err := updateSession(ctx, nil, map[string]any{ + session.KeyUID: user.ID, + session.KeyUname: user.Name, + session.KeyUserHasTwoFactorAuth: userHasTwoFactorAuth, + }); err != nil { + ctx.ServerError("updateSession", err) + return + } + ctx.Csrf.PrepareForSessionUser(ctx) + ctx.Redirect(setting.AppSubURL + "/") + return + } + + showLinkingLogin(ctx, authSource.ID, gothUser) + return } else { // no existing user is found, request attach or new account showLinkingLogin(ctx, authSource.ID, gothUser) From 82c51e08b2ef4f1996f536ed8aea18cee7202597 Mon Sep 17 00:00:00 2001 
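Review bot: The auto-link lookup `user_model.GetUser(ctx, &user_model.User{Email: gothUser.Email})` runs with no guard on an empty email; if GetUser is the usual xorm `Get(bean)` that drops zero-valued fields from the WHERE clause, a provider that returns no email will match the first user row and that account is linked and signed in. The auto-registration branch above refuses to proceed without an email, and this branch should fail closed the same way, to the manual page: `if gothUser.Email == "" { showLinkingLogin(ctx, authSource.ID, gothUser); return }`. The link also treats the provider's email claim as proof of ownership with no verified-email signal checked, which deserves a comment on the option so an admin enabling it knows only trusted providers should be allowed to auto-link. Finally, the session is written directly after `LinkAccountToUser` with only a `KeyUserHasTwoFactorAuth` flag, so a local account with TOTP/WebAuthn enrolled appears to be signed in without the second-factor challenge the existing OAuth sign-in path presumably routes through; when `userHasTwoFactorAuth` is true, redirect to the two-factor page instead of completing the login here. SignInOAuthCallback starts and ends outside this hunk.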
From: Lyle Keeton Date: Thu, 16 Oct 2025 15:53:40 -0500 Subject: [PATCH 2/4] fix method signature --- routers/web/auth/oauth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index 888250cccc..3c712640e8 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -217,7 +217,7 @@ func SignInOAuthCallback(ctx *context.Context) { } if hasUser { - if err := externalaccount.LinkAccountToUser(ctx, user, &gothUser); err != nil { + if err := externalaccount.LinkAccountToUser(ctx, authSource.ID, user, gothUser); err != nil { ctx.ServerError("LinkAccountToUser", err) return } From 970865df06988ee35f00bc97f2c8b3853551f053 Mon Sep 17 00:00:00 2001 From: Lyle Keeton Date: Fri, 17 Oct 2025 00:54:21 -0500 Subject: [PATCH 3/4] prevent linking if account disabled --- routers/web/auth/oauth.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index 3c712640e8..dc00bee45d 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -217,6 +217,12 @@ func SignInOAuthCallback(ctx *context.Context) { } if hasUser { + if user.ProhibitLogin || !user.IsActive { + log.Info("Failed authentication attempt for %s from %s: user has disabled sign-in", user.Name, ctx.RemoteAddr()) + ctx.Flash.Error(ctx.Tr("auth.prohibit_login")) + ctx.Redirect(setting.AppSubURL + "/user/login") + return + } if err := externalaccount.LinkAccountToUser(ctx, authSource.ID, user, gothUser); err != nil { ctx.ServerError("LinkAccountToUser", err) return From c026cf0bd57d9c1575620215093161560f902672 Mon Sep 17 00:00:00 2001 From: Lyle Keeton Date: Fri, 17 Oct 2025 01:15:57 -0500 Subject: [PATCH 4/4] fix lint --- routers/web/auth/oauth.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index dc00bee45d..0e495790cf 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go 
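Review bot: The new guard `if user.ProhibitLogin || !user.IsActive` is the right place to stop the link, but nothing records why `IsActive` matters here, and the log line reports both cases as "user has disabled sign-in". The inactive case is the security-relevant one: a registration still awaiting email confirmation must not become claimable by whoever controls the same address at the identity provider, so a comment such as `// Never auto-link a disabled or not-yet-activated account: an unconfirmed registration must not be claimable via an IdP asserting the same email.` keeps the check from being "simplified" away later. For triage, log which condition fired, e.g. `log.Info("Failed authentication attempt for %s from %s: inactive=%v prohibitLogin=%v", user.Name, ctx.RemoteAddr(), !user.IsActive, user.ProhibitLogin)`. The `auth.prohibit_login` flash is also shown to inactive users; if the password login form has a distinct activation message, reuse it here. SignInOAuthCallback starts and ends outside this hunk.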
@@ -208,8 +208,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 }
 } else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
 // allow ACCOUNT_LINKING=auto to work without ENABLE_AUTO_REGISTRATION.
- var user *user_model.User
- user = &user_model.User{Email: gothUser.Email}
+ user := &user_model.User{Email: gothUser.Email}
 hasUser, err := user_model.GetUser(ctx, user)
 if err != nil {
 ctx.ServerError("UserLinkAccount", err)