Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot create passwordless user, even though passwords are disabled #13274

Closed
1 of 3 tasks
Thinkscape opened this issue Oct 8, 2024 · 4 comments · Fixed by #13517
Closed
1 of 3 tasks

Cannot create passwordless user, even though passwords are disabled #13274

Thinkscape opened this issue Oct 8, 2024 · 4 comments · Fixed by #13517
Labels
🖥️web

Comments

@Thinkscape
Copy link

The bug

Unable to create accounts without providing a password, even though I have password logins disabled and I'm using OAuth2 (working)

The OS that Immich Server is running on

Debian

Version of Immich Server

v1.117.0

Version of Immich Mobile App

N/A

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

N/A

Your .env content

N/A

Reproduction steps

Steps

  1. Go to Administration
  2. Settings
  3. Auth settings
  4. Oauth -> enabled and working
  5. Password Login -> disabled
  6. Go to Users
  7. Create user
  8. Provide Email, disable Require user to change password on first login
  9. Click Create

Expected

User gets created and can auth with OAuth2, assuming user has account with matching email with the OAuth2 provider.

Actual

Error Please fill in this field appears at the password field.

Relevant log output

N/A

Additional information

No response
@C-Otto
Copy link
Contributor

C-Otto commented Oct 8, 2024

I can confirm. The "required" attribute for "PasswordField" is left at the default "true". We might want to change this, if OAuth is enabled.

immich/web/src/lib/components/forms/create-user-form.svelte

Lines 91 to 94 in a11d454

<div class="my-4 flex flex-col gap-2">
<label class="immich-form-label" for="password">{$t('password')}</label>
<PasswordField id="password" bind:password autocomplete="new-password" />
</div>

https://github.com/immich-app/immich/blob/main/web/src/lib/components/shared-components/password-field.svelte

@jedi04
Copy link
Contributor

jedi04 commented Oct 8, 2024
edited
Loading

Hello @C-Otto , I looked up code for this also when we accept body for creating user there also we are validating for empty password.

If User switches to normal login flow at that time what should we do for the user created for OAuth?

@Thinkscape
Copy link
Author

If User switches to normal login flow at that time what should we do for the user created for OAuth?

Empty passwords would fail bcrypt hash validation, so those users would be unable to log in until admin created a password for them.

@jedi04
Copy link
Contributor

jedi04 commented Oct 9, 2024

I was looking up to solve this issue. I tried to solve it in my local environment with following approach

For web :- The user creation form will allow empty password if OAuth is enabled in System Config

For Server :- When creating user there will be check for OAuth and if only it is enabled then we would allow request without any password and user will be created.

Is this right approach to solve this issue?

Thank you.

@jedi04 jedi04 mentioned this issue Oct 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🖥️web
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(server): Allow passwordless users when oauth enabled jedi04/immich
3 participants
@Thinkscape @C-Otto @jedi04