Separate create / update / delete config of Login IDs

ref DEV-1313
authgear · May 27, 2024 · 4683c25 · 4683c25
2 parents 7296a64 + 56641e7
commit 4683c25
Show file tree

Hide file tree

Showing 41 changed files with 529 additions and 198 deletions.
diff --git a/authui/src/tailwind-light-theme.css b/authui/src/tailwind-light-theme.css
@@ -295,6 +295,14 @@
     border-color: var(--color-text-shaded-2);
   }
 
+  .light-btn--destructive,
+  .light-btn--destructive:focus,
+  .light-btn--destructive:hover,
+  .light-btn--destructive:active {
+    color: var(--color-error-shaded-6);
+    border-color: var(--color-error-shaded-6);
+  }
+
   .action-btn {
     @apply border border-solid;
     color: var(--color-text-unshaded);

diff --git a/pkg/auth/handler/webapp/enter_login_id.go b/pkg/auth/handler/webapp/enter_login_id.go
@@ -8,6 +8,7 @@ import (
 	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
 	"github.com/authgear/authgear-server/pkg/auth/webapp"
 	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	"github.com/authgear/authgear-server/pkg/lib/config"
 	"github.com/authgear/authgear-server/pkg/lib/interaction"
 	"github.com/authgear/authgear-server/pkg/lib/interaction/intents"
 	"github.com/authgear/authgear-server/pkg/util/httproute"
@@ -26,25 +27,41 @@ type EnterLoginIDViewModel struct {
 	LoginIDInputType string
 	IdentityID       string
 	DisplayID        string
+	UpdateDisabled   bool
+	DeleteDisabled   bool
 }
 
 type EnterLoginIDService interface {
 	Get(id string) (*identity.Info, error)
 	ListCandidates(userID string) ([]identity.Candidate, error)
 }
 
-func NewEnterLoginIDViewModel(r *http.Request, displayID string) EnterLoginIDViewModel {
+func NewEnterLoginIDViewModel(r *http.Request, cfg *config.IdentityConfig, info *identity.Info) EnterLoginIDViewModel {
 	loginIDKey := r.Form.Get("q_login_id_key")
 	loginIDType := r.Form.Get("q_login_id_type")
 	loginIDInputType := r.Form.Get("q_login_id_input_type")
 	identityID := r.Form.Get("q_identity_id")
 
-	return EnterLoginIDViewModel{
-		LoginIDKey:       loginIDKey,
-		LoginIDType:      loginIDType,
-		LoginIDInputType: loginIDInputType,
-		IdentityID:       identityID,
-		DisplayID:        displayID,
+	if info == nil {
+		return EnterLoginIDViewModel{
+			LoginIDKey:       loginIDKey,
+			LoginIDType:      loginIDType,
+			LoginIDInputType: loginIDInputType,
+			IdentityID:       identityID,
+			DisplayID:        "",
+			UpdateDisabled:   true,
+			DeleteDisabled:   true,
+		}
+	} else {
+		return EnterLoginIDViewModel{
+			LoginIDKey:       loginIDKey,
+			LoginIDType:      loginIDType,
+			LoginIDInputType: loginIDInputType,
+			IdentityID:       identityID,
+			DisplayID:        info.DisplayID(),
+			UpdateDisabled:   info.UpdateDisabled(cfg),
+			DeleteDisabled:   info.DeleteDisabled(cfg),
+		}
 	}
 }
 
@@ -83,6 +100,7 @@ type EnterLoginIDHandler struct {
 	AuthenticationViewModel *viewmodels.AuthenticationViewModeler
 	Renderer                Renderer
 	Identities              EnterLoginIDService
+	IdentityConfig          *config.IdentityConfig
 }
 
 func (h *EnterLoginIDHandler) GetData(userID string, r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
@@ -98,9 +116,9 @@ func (h *EnterLoginIDHandler) GetData(userID string, r *http.Request, rw http.Re
 		} else if err != nil {
 			return nil, err
 		}
-		enterLoginIDViewModel = NewEnterLoginIDViewModel(r, idnInfo.DisplayID())
+		enterLoginIDViewModel = NewEnterLoginIDViewModel(r, h.IdentityConfig, idnInfo)
 	} else {
-		enterLoginIDViewModel = NewEnterLoginIDViewModel(r, "")
+		enterLoginIDViewModel = NewEnterLoginIDViewModel(r, h.IdentityConfig, nil)
 	}
 
 	candidates, err := h.Identities.ListCandidates(userID)

diff --git a/pkg/auth/wire_gen.go b/pkg/auth/wire_gen.go
diff --git a/pkg/lib/authn/identity/candidate.go b/pkg/lib/authn/identity/candidate.go
@@ -25,7 +25,9 @@ const (
 
 	CandidateKeyDisplayID = "display_id"
 
-	CandidateKeyModifyDisabled = "modify_disabled"
+	CandidateKeyCreateDisabled = "create_disabled"
+	CandidateKeyUpdateDisabled = "update_disabled"
+	CandidateKeyDeleteDisabled = "delete_disabled"
 )
 
 func NewOAuthCandidate(cfg oauthrelyingparty.ProviderConfig) Candidate {
@@ -37,7 +39,9 @@ func NewOAuthCandidate(cfg oauthrelyingparty.ProviderConfig) Candidate {
 		CandidateKeyProviderSubjectID: "",
 		CandidateKeyProviderAppType:   string(wechat.ProviderConfig(cfg).AppType()),
 		CandidateKeyDisplayID:         "",
-		CandidateKeyModifyDisabled:    cfg.ModifyDisabled(),
+		CandidateKeyCreateDisabled:    cfg.ModifyDisabled(),
+		CandidateKeyUpdateDisabled:    cfg.ModifyDisabled(),
+		CandidateKeyDeleteDisabled:    cfg.ModifyDisabled(),
 	}
 }
 
@@ -49,7 +53,9 @@ func NewLoginIDCandidate(c *config.LoginIDKeyConfig) Candidate {
 		CandidateKeyLoginIDKey:     c.Key,
 		CandidateKeyLoginIDValue:   "",
 		CandidateKeyDisplayID:      "",
-		CandidateKeyModifyDisabled: *c.ModifyDisabled,
+		CandidateKeyCreateDisabled: *c.CreateDisabled,
+		CandidateKeyUpdateDisabled: *c.UpdateDisabled,
+		CandidateKeyDeleteDisabled: *c.DeleteDisabled,
 	}
 }
 

diff --git a/pkg/lib/authn/identity/info.go b/pkg/lib/authn/identity/info.go
@@ -267,49 +267,118 @@ func (i *Info) PrimaryAuthenticatorTypes() []model.AuthenticatorType {
 	return i.Type.PrimaryAuthenticatorTypes(loginIDKeyType)
 }
 
-func (i *Info) ModifyDisabled(c *config.IdentityConfig) bool {
+func (i *Info) findLoginIDConfig(c *config.IdentityConfig) (*config.LoginIDKeyConfig, bool) {
+	loginIDKey := i.LoginID.LoginIDKey
+	var keyConfig *config.LoginIDKeyConfig
+	var ok bool = false
+	for _, kc := range c.LoginID.Keys {
+		if kc.Key == loginIDKey {
+			kcc := kc
+			keyConfig = &kcc
+			ok = true
+		}
+	}
+	return keyConfig, ok
+}
+
+func (i *Info) findOAuthConfig(c *config.IdentityConfig) (oauthrelyingparty.ProviderConfig, bool) {
+	alias := i.OAuth.ProviderAlias
+	var providerConfig oauthrelyingparty.ProviderConfig
+	var ok bool = false
+	for _, pc := range c.OAuth.Providers {
+		pcAlias := pc.Alias()
+		if pcAlias == alias {
+			pcc := pc
+			providerConfig = pcc
+			ok = true
+		}
+	}
+	return providerConfig, ok
+}
+
+func (i *Info) CreateDisabled(c *config.IdentityConfig) bool {
 	switch i.Type {
 	case model.IdentityTypeLoginID:
-		loginIDKey := i.LoginID.LoginIDKey
-		var keyConfig *config.LoginIDKeyConfig
-		for _, kc := range c.LoginID.Keys {
-			if kc.Key == loginIDKey {
-				kcc := kc
-				keyConfig = &kcc
-			}
-		}
-		if keyConfig == nil {
+		keyConfig, ok := i.findLoginIDConfig(c)
+		if !ok {
 			return true
 		}
-		return *keyConfig.ModifyDisabled
+		return *keyConfig.CreateDisabled
 	case model.IdentityTypeOAuth:
-		alias := i.OAuth.ProviderAlias
-		var providerConfig oauthrelyingparty.ProviderConfig
-		for _, pc := range c.OAuth.Providers {
-			pcAlias := pc.Alias()
-			if pcAlias == alias {
-				pcc := pc
-				providerConfig = pcc
-			}
-		}
-		if providerConfig == nil {
+		providerConfig, ok := i.findOAuthConfig(c)
+		if !ok {
 			return true
 		}
+		// TODO(tung): Change to use create_disabled
 		return providerConfig.ModifyDisabled()
 	case model.IdentityTypeAnonymous:
-		// modify_disabled is only applicable to login_id and oauth.
-		// So we return false here.
-		return false
+		fallthrough
 	case model.IdentityTypeBiometric:
-		// modify_disabled is only applicable to login_id and oauth.
+		fallthrough
+	case model.IdentityTypePasskey:
+		fallthrough
+	case model.IdentityTypeSIWE:
+		// create_disabled is only applicable to login_id and oauth.
 		// So we return false here.
 		return false
+	default:
+		panic(fmt.Sprintf("identity: unexpected identity type: %s", i.Type))
+	}
+}
+
+func (i *Info) DeleteDisabled(c *config.IdentityConfig) bool {
+	switch i.Type {
+	case model.IdentityTypeLoginID:
+		keyConfig, ok := i.findLoginIDConfig(c)
+		if !ok {
+			return true
+		}
+		return *keyConfig.DeleteDisabled
+	case model.IdentityTypeOAuth:
+		providerConfig, ok := i.findOAuthConfig(c)
+		if !ok {
+			return true
+		}
+		// TODO(tung): Change to use delete_disabled
+		return providerConfig.ModifyDisabled()
+	case model.IdentityTypeAnonymous:
+		fallthrough
+	case model.IdentityTypeBiometric:
+		fallthrough
 	case model.IdentityTypePasskey:
-		// modify_disabled is only applicable to login_id and oauth.
+		fallthrough
+	case model.IdentityTypeSIWE:
+		// delete_disabled is only applicable to login_id and oauth.
 		// So we return false here.
 		return false
+	default:
+		panic(fmt.Sprintf("identity: unexpected identity type: %s", i.Type))
+	}
+}
+
+func (i *Info) UpdateDisabled(c *config.IdentityConfig) bool {
+	switch i.Type {
+	case model.IdentityTypeLoginID:
+		keyConfig, ok := i.findLoginIDConfig(c)
+		if !ok {
+			return true
+		}
+		return *keyConfig.UpdateDisabled
+	case model.IdentityTypeOAuth:
+		providerConfig, ok := i.findOAuthConfig(c)
+		if !ok {
+			return true
+		}
+		// TODO(tung): Change to use update_disabled
+		return providerConfig.ModifyDisabled()
+	case model.IdentityTypeAnonymous:
+		fallthrough
+	case model.IdentityTypeBiometric:
+		fallthrough
+	case model.IdentityTypePasskey:
+		fallthrough
 	case model.IdentityTypeSIWE:
-		// modify_disabled is only applicable to login_id and oauth.
+		// update_disabled is only applicable to login_id and oauth.
 		// So we return false here.
 		return false
 	default:

diff --git a/pkg/lib/authn/identity/service/service.go b/pkg/lib/authn/identity/service/service.go
@@ -886,7 +886,7 @@ func (s *Service) listLoginIDCandidates(loginIDs []*identity.LoginID) []identity
 			}
 		}
 		canAppend := true
-		if *loginIDKeyConfig.ModifyDisabled && !matched {
+		if *loginIDKeyConfig.DeleteDisabled && *loginIDKeyConfig.UpdateDisabled && !matched {
 			canAppend = false
 		}
 		if canAppend {

diff --git a/pkg/lib/authn/identity/service/service_test.go b/pkg/lib/authn/identity/service/service_test.go
@@ -75,7 +75,9 @@ func TestProviderListCandidates(t *testing.T) {
 					"provider_alias":      "google",
 					"provider_subject_id": "",
 					"provider_app_type":   "",
-					"modify_disabled":     false,
+					"create_disabled":     false,
+					"update_disabled":     false,
+					"delete_disabled":     false,
 				},
 			})
 		})
@@ -86,7 +88,9 @@ func TestProviderListCandidates(t *testing.T) {
 				{
 					Type:           "email",
 					Key:            "email",
-					ModifyDisabled: newBool(false),
+					UpdateDisabled: newBool(false),
+					DeleteDisabled: newBool(false),
+					CreateDisabled: newBool(false),
 				},
 			}
 
@@ -100,7 +104,9 @@ func TestProviderListCandidates(t *testing.T) {
 					"login_id_type":   "email",
 					"login_id_key":    "email",
 					"login_id_value":  "",
-					"modify_disabled": false,
+					"create_disabled": false,
+					"update_disabled": false,
+					"delete_disabled": false,
 				},
 			})
 		})
@@ -117,7 +123,9 @@ func TestProviderListCandidates(t *testing.T) {
 				{
 					Type:           "email",
 					Key:            "email",
-					ModifyDisabled: newBool(false),
+					UpdateDisabled: newBool(false),
+					DeleteDisabled: newBool(false),
+					CreateDisabled: newBool(false),
 				},
 			}
 
@@ -134,7 +142,9 @@ func TestProviderListCandidates(t *testing.T) {
 				{
 					Type:           "email",
 					Key:            "email",
-					ModifyDisabled: newBool(false),
+					UpdateDisabled: newBool(false),
+					DeleteDisabled: newBool(false),
+					CreateDisabled: newBool(false),
 				},
 			}
 
@@ -161,7 +171,9 @@ func TestProviderListCandidates(t *testing.T) {
 					"login_id_type":   "email",
 					"login_id_key":    "email",
 					"login_id_value":  "[email protected]",
-					"modify_disabled": false,
+					"create_disabled": false,
+					"update_disabled": false,
+					"delete_disabled": false,
 				},
 			})
 		})
@@ -204,7 +216,9 @@ func TestProviderListCandidates(t *testing.T) {
 					"provider_alias":      "google",
 					"provider_subject_id": "[email protected]",
 					"provider_app_type":   "",
-					"modify_disabled":     false,
+					"create_disabled":     false,
+					"update_disabled":     false,
+					"delete_disabled":     false,
 				},
 			})
 		})