From 114174ead12ce0f654cc1ad956ec82c028e64781 Mon Sep 17 00:00:00 2001
From: Daniel Graf
Date: Sat, 6 Sep 2025 09:05:42 +0200
Subject: [PATCH] enhancement(#209): add switch to disable the local login form (#220)
---
 README.md | 1 +
 .../controller/IllegalConfigurationException.java | 10 ++++++++++
 .../reitti/controller/WebViewController.java | 10 +++++++++-
 src/main/resources/application-docker.properties | 2 ++
 src/main/resources/application.properties | 2 ++
 src/main/resources/templates/login.html | 5 ++---
 6 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/com/dedicatedcode/reitti/controller/IllegalConfigurationException.java
diff --git a/README.md b/README.md
index eea2d18f..c9df9f9e 100644
--- a/README.md
+++ b/README.md
@@ -206,6 +206,7 @@ The included `docker-compose.yml` provides a complete setup with:
 | `REDIS_USERNAME` | Redis username (optional) | | username |
 | `REDIS_PASSWORD` | Redis password (optional) | | password |
 | `ADVERTISE_URI` | Routable URL of the instance. Used for federation of multiple instances. (optional) | | https://reitti.lab |
+| `DISABLE_LOCAL_LOGIN` | Whether to disable the local login form (username/password) This only works, if OIDC login is configured. | false | true |
 | `OIDC_ENABLED` | Whether to enable OIDC sign-ins | false | true |
 | `OIDC_CLIENT_ID` | Your OpenID Connect Client ID (from your provider) | | google |
 | `OIDC_CLIENT_SECRET` | Your OpenID Connect Client secret (from your provider) | | F0oxfg8b2rp5X97YPS92C2ERxof1oike |
diff --git a/src/main/java/com/dedicatedcode/reitti/controller/IllegalConfigurationException.java b/src/main/java/com/dedicatedcode/reitti/controller/IllegalConfigurationException.java
new file mode 100644
index 00000000..e6389a6a
--- /dev/null
+++ b/src/main/java/com/dedicatedcode/reitti/controller/IllegalConfigurationException.java
@@ -0,0 +1,10 @@
+package com.dedicatedcode.reitti.controller;
+
+import java.util.Arrays;
+
+public class IllegalConfigurationException extends RuntimeException {
+ public IllegalConfigurationException(String message, String ... suggestions) {
+ super("\n\nIllegal Configuration detected!\n\n" + message + "\nPossible solutions:\n- " + String.join("\n- ", Arrays.asList(suggestions)));
+ setStackTrace(new StackTraceElement[0]);
+ }
+}
diff --git a/src/main/java/com/dedicatedcode/reitti/controller/WebViewController.java b/src/main/java/com/dedicatedcode/reitti/controller/WebViewController.java
index 2e259c52..0595fe8b 100644
--- a/src/main/java/com/dedicatedcode/reitti/controller/WebViewController.java
+++ b/src/main/java/com/dedicatedcode/reitti/controller/WebViewController.java
@@ -10,11 +10,18 @@ import org.springframework.web.bind.annotation.GetMapping;
 public class WebViewController {
 private final boolean dataManagementEnabled;
 private final boolean oidcEnabled;
+ private final boolean localLoginEnabled;
 public WebViewController(@Value("${reitti.data-management.enabled:false}") boolean dataManagementEnabled,
- @Value("${reitti.security.oidc.enabled:false}") boolean oidcEnabled) {
+ @Value("${reitti.security.oidc.enabled:false}") boolean oidcEnabled,
+ @Value("${reitti.security.local-login.disable:false}") boolean localLoginDisabled) {
 this.dataManagementEnabled = dataManagementEnabled;
 this.oidcEnabled = oidcEnabled;
+ this.localLoginEnabled = !localLoginDisabled;
+
+ if (!oidcEnabled && localLoginDisabled) {
+ throw new IllegalConfigurationException("No login possible.", "enable and configured OIDC support", "Enable local-login via 'reitti.security.local-login.disable:false' or 'DISABLE_LOCAL_LOGIN=false'");
+ }
 }
 @GetMapping("/")
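Review bot: In IllegalConfigurationException's constructor, a call that passes no suggestions still prints `Possible solutions:` followed by a dangling `- `, and the `Arrays.asList` wrapper is unnecessary because `String.join` accepts the varargs array directly: `String.join("\n- ", suggestions)`, which also lets the `java.util.Arrays` import go. The class has no Javadoc, and `setStackTrace(new StackTraceElement[0])` is surprising without one; presumably the trace is dropped so the startup log shows only the hint, so say that, for example `/** Signals a startup-time misconfiguration; the stack trace is cleared so the log shows only the message and suggestions. */`.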
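Review bot: `reitti.security.local-login.disable` is read only in WebViewController's constructor and handed to the login template as `localLoginEnabled` (see also the `/login` hunk), so as far as this patch shows the switch hides the form rather than turning off username/password authentication. The diffstat lists no security configuration file, so a form-login filter configured elsewhere would presumably still accept posted credentials; confirm this, and if so gate `formLogin` in the security filter chain on the same property so the setting is enforced server-side. The fail-fast check would also sit more naturally next to that configuration than in a view controller. In the exception text, `"enable and configured OIDC support"` should read `"Enable and configure OIDC support"`, and the property hint should use `=` as in `reitti.security.local-login.disable=false`. The constructor's enclosing class starts outside the hunk.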
@@ -30,6 +37,7 @@ public class WebViewController {
 @GetMapping("/login")
 public String login(Model model) {
 model.addAttribute("oidcEnabled", oidcEnabled);
+ model.addAttribute("localLoginEnabled", localLoginEnabled);
 return "login";
 }
diff --git a/src/main/resources/application-docker.properties b/src/main/resources/application-docker.properties
index 6704b8e0..e4b01b2c 100644
--- a/src/main/resources/application-docker.properties
+++ b/src/main/resources/application-docker.properties
@@ -16,6 +16,8 @@ spring.data.redis.port=${REDIS_PORT:6379}
 spring.data.redis.username=${REDIS_USERNAME:}
 spring.data.redis.password=${REDIS_PASSWORD:}
+reitti.security.local-login.disable=${DISABLE_LOCAL_LOGIN:false}
+
 reitti.security.oidc.enabled=${OIDC_ENABLED:false}
 spring.security.oauth2.client.registration.oauth.client-id=${OIDC_CLIENT_ID:}
 spring.security.oauth2.client.registration.oauth.client-secret=${OIDC_CLIENT_SECRET:}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 8909225b..d3f05fb4 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -47,6 +47,8 @@ server.tomcat.max-part-count=100
 # Application specific settings
 reitti.server.advertise-uri=
+
+reitti.security.local-login.disable=false
 # OAuth configuration
 # For now, we only support having one OIDC provider. If you need multiple, create a ticket in the reitti github.
 reitti.security.oidc.enabled=false
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index c0e81888..0eb94047 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -118,7 +118,7 @@ Invalid username or password -
+
@@ -137,8 +137,7 @@
-
- +