feat(graphQL): add is_sso_user and forbid update name, password for s…

…so users Signed-off-by: Wei Zhang <[email protected]>
TabbyML · Jan 20, 2025 · 1a4426b · 1a4426b
1 parent 9a3300a
commit 1a4426b
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 0 deletions.
diff --git a/ee/tabby-db/src/users.rs b/ee/tabby-db/src/users.rs
@@ -16,6 +16,9 @@ pub struct UserDAO {
     pub id: i64,
     pub email: String,
     pub name: Option<String>,
+
+    // when the user is created with password, this field is set and will never be changed to None
+    // when the user is created with SSO, this field is None and will never be set
     pub password_encrypted: Option<String>,
     pub is_admin: bool,
 

diff --git a/ee/tabby-schema/graphql/schema.graphql b/ee/tabby-schema/graphql/schema.graphql
@@ -965,6 +965,7 @@ type UserSecured implements User {
   active: Boolean!
   authToken: String!
   isPasswordSet: Boolean!
+  isSsoUser: Boolean!
 }
 
 type WebContextSource implements ContextSourceId & ContextSource {

diff --git a/ee/tabby-schema/src/schema/auth.rs b/ee/tabby-schema/src/schema/auth.rs
@@ -198,6 +198,11 @@ pub struct UserSecured {
     pub auth_token: String,
     pub is_password_set: bool,
 
+    // is_sso_user is used to indicate if the user is created by SSO
+    // and should not be able to change Name and Password
+    // e.g. LDAP, OAuth users
+    pub is_sso_user: bool,
+
     #[graphql(skip)]
     pub policy: AccessPolicy,
 }

diff --git a/ee/tabby-webserver/src/service/auth.rs b/ee/tabby-webserver/src/service/auth.rs
@@ -161,6 +161,11 @@ impl AuthenticationService for AuthenticationServiceImpl {
     }
 
     async fn generate_reset_password_url(&self, id: &ID) -> Result<String> {
+        let user = self.get_user(id).await?;
+        if user.is_sso_user {
+            bail!("Name cannot be changed for SSO users");
+        }
+
         let external_url = self.setting.read_network_setting().await?.external_url;
         let id = id.as_rowid()?;
         let user = self.db.get_user(id).await?.context("User doesn't exits")?;
@@ -179,6 +184,10 @@ impl AuthenticationService for AuthenticationServiceImpl {
             return Ok(None);
         };
 
+        if user.is_sso_user {
+            bail!("Name cannot be changed for SSO users");
+        }
+
         let id = user.id.as_rowid()?;
 
         // request_password_reset_email is invoked by the user, so we need to check for existing password reset requests to prevent spamming
@@ -227,6 +236,11 @@ impl AuthenticationService for AuthenticationServiceImpl {
             bail!("Changing passwords is disabled in demo mode");
         }
 
+        let user = self.get_user(id).await?;
+        if user.is_sso_user {
+            bail!("Name cannot be changed for SSO users");
+        }
+
         let user = self
             .db
             .get_user(id.as_rowid()?)
@@ -280,6 +294,12 @@ impl AuthenticationService for AuthenticationServiceImpl {
         if is_demo_mode() {
             bail!("Changing profile data is disabled in demo mode");
         }
+
+        let user = self.get_user(id).await?;
+        if user.is_sso_user {
+            bail!("Name cannot be changed for SSO users");
+        }
+
         let id = id.as_rowid()?;
         self.db.update_user_name(id, name).await?;
         Ok(())

diff --git a/ee/tabby-webserver/src/service/mod.rs b/ee/tabby-webserver/src/service/mod.rs
@@ -463,6 +463,11 @@ impl UserSecuredExt for tabby_schema::auth::UserSecured {
             created_at: val.created_at,
             active: val.active,
             is_password_set: val.password_encrypted.is_some(),
+
+            // when a user created by registration, password_encrypted is set
+            // when a user created by SSO, password_encrypted is not set
+            // so, we can determine if a user is SSO user by checking if password_encrypted is set
+            is_sso_user: val.password_encrypted.is_none(),
         }
     }
 }