
feat: option to disable password login [closes #478]#479

Merged
zxh326 merged 4 commits into kite-org:main from CoolShades:feat/disable-password-login
Apr 19, 2026

Conversation

Contributor

@CoolShades CoolShades commented Apr 9, 2026

Summary

  • Add a Password Login toggle to Settings > Authentication that hides the password form from the login page and returns 403 on /api/auth/login/password when disabled
  • Show an amber lockout warning when the toggle is switched off, reminding admins to verify their OAuth/LDAP provider works first
  • Add a Skip login page toggle to OAuth Provider Management (only visible when password login is disabled and exactly one OAuth provider is configured) that auto-redirects users straight to the OAuth provider
  • Both settings are persisted in GeneralSetting and survive restarts

Changes

Backend:

  • pkg/model/general_setting.go — add PasswordLoginDisabled and SkipLoginPage fields
  • pkg/auth/login_handler.go — exclude password from providers when disabled, return 403 on password login, expose skipLoginPage in providers response
  • pkg/ai/handler.go — include both fields in general settings GET/PUT

Frontend:

  • authentication-management.tsx — Password Login toggle with warning, tied to existing Save button
  • oauth-provider-management.tsx — Skip login page toggle (instant save)
  • auth-context.tsx — thread skipLoginPage through context
  • login.tsx — auto-redirect to OAuth when skip is enabled
  • admin.ts / auth.ts — type updates

[Two screenshots attached (2026-04-09): the new Settings > Authentication toggle and the OAuth Provider Management toggle]

Test plan

  • Default state: password login enabled, login page shows password form
  • Disable password login → save → password form hidden, direct POST returns 403
  • Re-enable password login → save → password form returns
  • Disabling password login does not affect LDAP, OAuth, or API key auth
  • Disabling password login does not reset other general settings (AI key, kubectl, analytics)
  • Amber warning appears when toggle is off (before saving)
  • "Skip login page" toggle only appears when password disabled + 1 OAuth provider
  • With skip enabled, visiting /login auto-redirects to OAuth provider
  • With skip enabled, OAuth callback error shows login page (no redirect loop)
  • Setting persists across container restarts

Closes #478

Add a "Password Login" toggle to the Authentication settings page.
When disabled, the password login form is hidden from the login page
and the /api/auth/login/password endpoint returns 403. An amber
warning alerts admins about potential lockout before saving.

Add a "Skip login page" toggle to OAuth Provider Management, visible
when password login is disabled and exactly one OAuth provider is
configured. When enabled, users are redirected straight to the OAuth
provider instead of seeing the login page.

Closes kite-org#478
Contributor Author

CoolShades commented Apr 9, 2026

This project is way better than headlamp.
I was more than happy to put in the hours for you to further improve your OIDC implementation.

Ran locally and tested with Pocket ID (OAuth Provider). Works perfectly.

@CoolShades CoolShades changed the title from "feat: option to disable password login when OAuth is configured" to "feat: option to disable password login when OAuth is configured. [closes #478]" on Apr 9, 2026
Member

@zxh326 zxh326 left a comment


Thanks for the contribution

We do not want to introduce a skip login page feature here.

Please remove the skipLoginPage backend/frontend changes from this PR and keep it focused on disable password login only.

Contributor Author

CoolShades commented Apr 10, 2026

@zxh326 Done in 9c878e0: skipLoginPage removed, PR now focused on disable password login only.

The rebuild has been deployed and verified to be working perfectly.

Login page skip (it's actually a redirect) is standard functionality in many similar applications, but I can understand the concern given it opens doors to redirect loops, etc. I've removed this now. If you ever want to implement this, you have the code in 7121ca3 to work off of.

Proposed docs addition for docs/config/user-management.md (please mirror in
docs/zh/config/user-management.md) [I don't speak/write Chinese]

Disabling Password Login

Administrators can disable password login from Settings → Authentication.
When disabled, the password form is hidden from the login page and POST /api/auth/login/password returns 403. LDAP, OAuth, and API key authentication are unaffected.

::: warning
Verify that LDAP or OAuth is working before disabling password login. Without a working alternative, you will be locked out and can only recover by resetting the database.
:::
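
As an added illustration of the behaviour described in the PR summary above and in the proposed docs section (this is example code, not the project's own implementation): the provider list drops "password" when the persisted flag is set, the password endpoint answers 403 before any credential is read, and a lockout check captures the condition the amber warning is about. The PasswordLoginDisabled field name comes from the PR; the function names, the string provider identifiers and the `get` callback standing in for the persisted setting are assumptions.

```go
package main

import "net/http"

// GeneralSetting is a hypothetical stand-in for the persisted setting the PR
// adds; only the field relevant here is modelled.
type GeneralSetting struct {
	PasswordLoginDisabled bool `json:"passwordLoginDisabled"`
}

// AvailableProviders returns the login methods to advertise to the login page:
// "password" is dropped when the flag is set; OAuth/LDAP entries pass through.
func AvailableProviders(s GeneralSetting, configured []string) []string {
	out := make([]string, 0, len(configured))
	for _, p := range configured {
		if p == "password" && s.PasswordLoginDisabled {
			continue
		}
		out = append(out, p)
	}
	return out
}

// LockoutRisk reports whether turning password login off would leave no
// alternative provider, the condition the PR's amber warning is about.
func LockoutRisk(configured []string) bool {
	for _, p := range configured {
		if p != "password" {
			return false
		}
	}
	return true
}

// PasswordLoginHandler wraps the real password handler. The flag is read on
// every request (get stands in for the persisted setting); when set, the request
// is rejected with 403 before any credential is read, so hiding the form is
// not the only control.
func PasswordLoginHandler(get func() GeneralSetting, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if get().PasswordLoginDisabled {
			http.Error(w, "password login is disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```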

@CoolShades CoolShades requested a review from zxh326 April 10, 2026 17:45
Signed-off-by: Zzde <zhangxh1997@gmail.com>
@zxh326 zxh326 enabled auto-merge (squash) April 19, 2026 13:19
Member

@zxh326 zxh326 left a comment


LGTM, thx

@zxh326 zxh326 changed the title from "feat: option to disable password login when OAuth is configured. [closes #478]" to "feat: option to disable password login [closes #478]" on Apr 19, 2026
Signed-off-by: Zzde <zhangxh1997@gmail.com>
@zxh326 zxh326 merged commit c7e8c45 into kite-org:main Apr 19, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

Option to disable password login when OAuth is configured