Add a keepSsoRegistrationEnabled admin setting - Closes #317

app/Http/Controllers/Auth/SocialiteController.php

@@ -57,7 +57,7 @@ public function callback(Request $request, string $driver)
                 return redirect('/error?err=sso_email_already_used');
             } elseif (User::count() === 0) {
                 $user->promoteToAdministrator();
-            } elseif (Settings::get('disableRegistration')) {
+            } elseif (Settings::get('disableRegistration') && ! Settings::get('keepSsoRegistrationEnabled')) {
                 return redirect('/error?err=sso_no_register');
             }
             $user->password = bcrypt(Str::random());

config/2fauth.php

@@ -75,6 +75,7 @@
         'disableRegistration' => false,
         'enableSso' => true,
         'restrictRegistration' => false,
+        'keepSsoRegistrationEnabled' => false,
     ],
 
     /*

resources/js/views/admin/AppSetup.vue

@@ -29,6 +29,7 @@
         restrictList: appSettings.restrictList,
         restrictRule: appSettings.restrictRule,
         disableRegistration: appSettings.disableRegistration,
+        keepSsoRegistrationEnabled: appSettings.keepSsoRegistrationEnabled,
         enableSso: appSettings.enableSso,
     })
 
@@ -171,6 +172,8 @@
                     <!-- protect db -->
                     <FormCheckbox v-model="_settings.useEncryption" @update:model-value="val => saveSetting('useEncryption', val)" fieldName="useEncryption" label="admin.forms.use_encryption.label" help="admin.forms.use_encryption.help" />
                     <h4 class="title is-4 pt-4 has-text-grey-light">{{ $t('admin.registrations') }}</h4>
+                    <!-- disable SSO registration -->
+                    <FormCheckbox v-model="_settings.enableSso" @update:model-value="val => saveSetting('enableSso', val)" fieldName="enableSso" label="admin.forms.enable_sso.label" help="admin.forms.enable_sso.help" />
                     <!-- restrict registration -->
                     <FormCheckbox v-model="_settings.restrictRegistration" @update:model-value="val => saveSetting('restrictRegistration', val)" fieldName="restrictRegistration" :isDisabled="appSettings.disableRegistration" label="admin.forms.restrict_registration.label" help="admin.forms.restrict_registration.help" />
                         <!-- restrict list -->
@@ -179,8 +182,8 @@
                         <FormField v-model="_settings.restrictRule" @change:model-value="val => saveOrDeleteSetting('restrictRule', val)" :fieldError="fieldErrors.restrictRule" fieldName="restrictRule" :isDisabled="!appSettings.restrictRegistration || appSettings.disableRegistration" label="admin.forms.restrict_rule.label" help="admin.forms.restrict_rule.help" :isIndented="true" leftIcon="slash" rightIcon="slash" />
                     <!-- disable registration -->
                     <FormCheckbox v-model="_settings.disableRegistration" @update:model-value="val => saveSetting('disableRegistration', val)" fieldName="disableRegistration" label="admin.forms.disable_registration.label" help="admin.forms.disable_registration.help" />
-                    <!-- disable SSO registration -->
-                    <FormCheckbox v-model="_settings.enableSso" @update:model-value="val => saveSetting('enableSso', val)" fieldName="enableSso" label="admin.forms.enable_sso.label" help="admin.forms.enable_sso.help" />
+                        <!-- keep sso registration -->
+                        <FormCheckbox v-model="_settings.keepSsoRegistrationEnabled" @change:model-value="val => saveOrDeleteSetting('keepSsoRegistrationEnabled', val)" :fieldError="fieldErrors.keepSsoRegistrationEnabled" fieldName="keepSsoRegistrationEnabled" :isDisabled="!appSettings.enableSso || !appSettings.disableRegistration" label="admin.forms.keep_sso_registration_enabled.label" help="admin.forms.keep_sso_registration_enabled.help" :isIndented="true" />
                 </form>
 
                 <h4 class="title is-4 pt-5 has-text-grey-light">{{ $t('commons.environment') }}</h4>

resources/lang/en/admin.php

@@ -76,7 +76,7 @@
         ],
         'restrict_registration' => [
             'label' => 'Restrict registration',
-            'help' => 'Make registration only available to a limited range of email addresses. Both rules can be used simultaneously.',
+            'help' => 'Make registration only available to a limited range of email addresses. Both rules can be used simultaneously. This has no effect on registration via SSO.',
         ],
         'restrict_list' => [
             'label' => 'Filtering list',
@@ -88,12 +88,16 @@
         ],
         'disable_registration' => [
             'label' => 'Disable registration',
-            'help' => 'Prevent new user registration. This affects SSO as well, so new SSO users won\'t be able to sign on',
+            'help' => 'Prevent new user registration. Unless overridden (see below), this affects SSO as well, so new users won\'t be able to sign in via SSO',
         ],
         'enable_sso' => [
             'label' => 'Enable Single Sign-On (SSO)',
             'help' => 'Allow visitors to authenticate using an external ID via the Single Sign-On scheme',
         ],
+        'keep_sso_registration_enabled' => [
+            'label' => 'Keep SSO registration enabled',
+            'help' => 'Allow new users to sign in for the first time via SSO whereas registration is disabled',
+        ],
         'is_admin' => [
             'label' => 'Is administrator',
             'help' => 'Give administrator rights to the user. Administrators have permissions to manage the whole app, i.e. settings and other users, but cannot generate password for a 2FA they don\'t own.'

tests/Feature/Http/Auth/SocialiteControllerTest.php

@@ -253,9 +253,10 @@ public function test_callback_returns_error_when_email_is_already_used()
     /**
      * @test
      */
-    public function test_callback_returns_error_when_registrations_are_closed()
+    public function test_callback_redirects_to_error_when_registrations_are_closed()
     {
         Settings::set('disableRegistration', true);
+        Settings::set('keepSsoRegistrationEnabled', false);
 
         $newSocialiteUser        = new \Laravel\Socialite\Two\User;
         $newSocialiteUser->id    = 'rejected_id';
@@ -273,9 +274,10 @@ public function test_callback_returns_error_when_registrations_are_closed()
     /**
      * @test
      */
-    public function test_callback_skips_registration_when_registrations_are_closed()
+    public function test_callback_skips_registration_when_all_registrations_are_closed()
     {
         Settings::set('disableRegistration', true);
+        Settings::set('keepSsoRegistrationEnabled', false);
 
         $newSocialiteUser        = new \Laravel\Socialite\Two\User;
         $newSocialiteUser->id    = 'rejected_id';
@@ -292,4 +294,30 @@ public function test_callback_skips_registration_when_registrations_are_closed()
             'oauth_provider' => self::USER_OAUTH_PROVIDER,
         ]);
     }
+
+    /**
+     * @test
+     */
+    public function test_callback_registers_new_user_when_sso_registrations_are_enabled()
+    {
+        Settings::set('disableRegistration', true);
+        Settings::set('keepSsoRegistrationEnabled', true);
+
+        $newSocialiteUser        = new \Laravel\Socialite\Two\User;
+        $newSocialiteUser->id    = 'new_id';
+        $newSocialiteUser->name  = 'jane';
+        $newSocialiteUser->email = 'jane@provider.com';
+
+        Socialite::shouldReceive('driver->user')
+            ->andReturn($newSocialiteUser);
+
+        $response = $this->get('/socialite/callback/github', ['driver' => 'github']);
+
+        $this->assertDatabaseHas('users', [
+            'oauth_id'       => 'new_id',
+            'oauth_provider' => self::USER_OAUTH_PROVIDER,
+            'email'          => 'jane@provider.com',
+            'is_admin'       => 0,
+        ]);
+    }
 }