Add option to disable password login #2318
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
📝 Walkthrough
The authentication system now supports disabling password-based login entirely. A new config flag controls whether users can authenticate with username and password. When disabled, the login form shows only OAuth options, hides standard login fields and actions, and rejects password authentication attempts with a user-facing message.
Changes: Password Login Disabling Feature
🚥 Pre-merge checks: ✅ 4 passed, ❌ 1 failed (1 warning)
Actionable comments posted: 1
🧹 Nitpick comments (1)
app/Filament/Pages/Auth/Login.php (1)
36-36: ⚡ Quick win: Extract repeated config check to a named helper method.
config('auth.disable_password_login', false) is called four times across different methods. A single protected helper both eliminates the repetition and makes the intent self-documenting at every call site.
♻️ Suggested refactor
+ protected function isPasswordLoginDisabled(): bool + { + return (bool) config('auth.disable_password_login', false); + } + public function form(Schema $schema): Schema { - if (config('auth.disable_password_login', false)) { + if ($this->isPasswordLoginDisabled()) {- if (config('auth.disable_password_login', false)) { + if ($this->isPasswordLoginDisabled()) { $component->alignment(Alignment::Center); }protected function getFormActions(): array { - if (config('auth.disable_password_login', false)) { + if ($this->isPasswordLoginDisabled()) { return []; }protected function getCredentialsFromFormData(array $data): array { - if (config('auth.disable_password_login', false)) { + if ($this->isPasswordLoginDisabled()) {Also applies to: 124-125, 133-133, 142-142
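Review bot: the `(bool)` cast in the suggested isPasswordLoginDisabled() follows PHP string truthiness, so any non-empty string other than "0" counts as true. If config/auth.php passes AUTH_DISABLE_PASSWORD_LOGIN through as a raw string (an assumption, since that file's contents are not shown here), a value such as `off` or `no` would switch password login off rather than leave it on. Parsing the value with `filter_var($value, FILTER_VALIDATE_BOOLEAN)` in the config file or in the helper makes an unrecognised value fall back to the default instead.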
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@app/Filament/Pages/Auth/Login.php` at line 36, Extract the repeated config check into a single protected helper on the Login Filament page: add a protected method (e.g., isPasswordLoginDisabled()) on the App\Filament\Pages\Auth\Login class that returns config('auth.disable_password_login', false), then replace each direct call to config('auth.disable_password_login', false) in methods such as render(), mount(), authenticate(), and any other usages (the occurrences around lines referenced) with a call to this helper to remove duplication and make intent explicit.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@config/auth.php`:
- Line 5: The config key disable_password_login in config/auth.php reads
AUTH_DISABLE_PASSWORD_LOGIN from env but that variable is not documented in
.env.example; add a new line AUTH_DISABLE_PASSWORD_LOGIN=false (or
AUTH_DISABLE_PASSWORD_LOGIN=true if you prefer the non-default) to .env.example
with a short comment describing that it disables password-based login so new
developers and deploys see the default and purpose.
📒 Files selected for processing (3)
app/Filament/Pages/Auth/Login.php, config/auth.php, lang/en/auth.php
| $components = [ | ||
| $this->getOAuthFormComponent(), | ||
| ]; | ||
|
|
||
| return $schema->components($components); |
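Review bot: with the flag on, the `$components` array in form() holds only `getOAuthFormComponent()`, so an instance that has password login disabled and no OAuth provider enabled renders a login page with nothing to sign in with. Worth failing fast instead: when `auth.disable_password_login` is true, check that at least one OAuth driver is enabled and raise a clear configuration error, rather than silently locking every account out.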
Can be simplified:
| $components = [ | |
| $this->getOAuthFormComponent(), | |
| ]; | |
| return $schema->components($components); | |
| return $schema->components([ | |
| $this->getOAuthFormComponent(), | |
| ]); |
| } | ||
|
|
||
| $actions[] = Action::make("oauth_$id") | ||
| $action = Action::make("oauth_$id") |
| ->color($color) | ||
| ->url(route('auth.oauth.redirect', ['driver' => $id], false)); | ||
|
|
||
| $actions[] = $action; |
| } | ||
|
|
||
| return Actions::make($actions); | ||
| return $component; |
I'm pretty sure alignment() can also take a closure, so this whole return can be simplified:
| return $component; | |
| return Actions::make($actions)->alignment(fn () => config('auth.disable_password_login', false) ? Alignment::Center : null); |
| if (config('auth.disable_password_login', false)) { | ||
| return []; | ||
| } | ||
|
|
||
| return parent::getFormActions(); |
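Review bot: returning `[]` from getFormActions() only removes the submit button from the rendered page; it is presentation, not enforcement. The rejection has to hold on the server regardless of what the form shows, so this change should come with a feature test that sets `auth.disable_password_login` to true, submits credentials to the login component, and asserts that the user stays unauthenticated.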
Can be simplified:
| if (config('auth.disable_password_login', false)) { | |
| return []; | |
| } | |
| return parent::getFormActions(); | |
| return config('auth.disable_password_login', false) ? [] : parent::getFormActions(); |
This is step 1 (of many) in a series of PRs to allow Pelican Panel and https://github.com/pelican-dev/plugins/tree/main/generic-oidc-providers to be operational fully declaratively, using just external OIDC authentication.
This PR adds support to optionally hide the password login fields.