From 59bdc0ce0ddc741eda283ed8b0f69ac29767fe29 Mon Sep 17 00:00:00 2001
From: Henry Dollman
Date: Wed, 4 Dec 2024 17:36:36 -0500
Subject: [PATCH] add USER_CREATION env var and update migrations
---
beszel/internal/hub/hub.go | 15 ++++--
.../1732489917_collections_snapshot.go | 54 -------------------
2 files changed, 11 insertions(+), 58 deletions(-)
diff --git a/beszel/internal/hub/hub.go b/beszel/internal/hub/hub.go
index fdb9125..b69c8f6 100644
--- a/beszel/internal/hub/hub.go
+++ b/beszel/internal/hub/hub.go
@@ -80,11 +80,18 @@ func (h *Hub) Run() {
 return err
 }
 // disable email auth if DISABLE_PASSWORD_AUTH env var is set
- if os.Getenv("DISABLE_PASSWORD_AUTH") == "true" {
- usersCollection.PasswordAuth.Enabled = false
+ usersCollection.PasswordAuth.Enabled = os.Getenv("DISABLE_PASSWORD_AUTH") != "true"
+ usersCollection.PasswordAuth.IdentityFields = []string{"email"}
+ // disable oauth if no providers are configured (todo: remove this in post 0.9.0 release)
+ if usersCollection.OAuth2.Enabled {
+ usersCollection.OAuth2.Enabled = len(usersCollection.OAuth2.Providers) > 0
+ }
+ // allow oauth user creation if USER_CREATION is set
+ if os.Getenv("USER_CREATION") == "true" {
+ cr := "@request.context = 'oauth2'"
+ usersCollection.CreateRule = &cr
 } else {
- usersCollection.PasswordAuth.Enabled = true
- usersCollection.PasswordAuth.IdentityFields = []string{"email"}
+ usersCollection.CreateRule = nil
 }
 if err := h.app.Save(usersCollection); err != nil {
 return err
diff --git a/beszel/migrations/1732489917_collections_snapshot.go b/beszel/migrations/1732489917_collections_snapshot.go
index d9375a9..b32c970 100644
--- a/beszel/migrations/1732489917_collections_snapshot.go
+++ b/beszel/migrations/1732489917_collections_snapshot.go
@@ -317,20 +317,12 @@ func init() {
 }, { "authAlert": { - "emailTemplate": { - "body": "
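Review bot: In the hub.go hunk, the create rule installed when `USER_CREATION` is `"true"` (`@request.context = 'oauth2'`) checks only that the request arrived through the OAuth2 flow, so, as far as the hunk shows, any identity a configured provider will authenticate can create a hub account. With a public provider that amounts to open self-registration. If that is intended, state it next to the rule, e.g. `// NOTE: every account the configured OAuth2 providers authenticate can sign up; restrict sign-up at the provider or leave USER_CREATION unset`, and consider logging at startup when the rule is active. Separately, `os.Getenv("DISABLE_PASSWORD_AUTH") != "true"` fails open: a value such as `TRUE` or `1` leaves password auth enabled without any warning, so a case-insensitive comparison such as `strings.EqualFold`, or a warning on unrecognised values, would make the hardening switch harder to misconfigure. The enclosing `Run` body starts and ends outside the hunk.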

Hello,

\n

We noticed a login to your {APP_NAME} account from a new location.

\n

If this was you, you may disregard this email.

\n

If this wasn't you, you should immediately change your {APP_NAME} account password to revoke access from all other locations.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Login from a new location" - }, "enabled": true }, "authRule": "verified=true", "authToken": { "duration": 1209600 }, - "confirmEmailChangeTemplate": { - "body": "

Hello,

\n

Click on the button below to confirm your new email address.

\n

\n Confirm new email\n

\n

If you didn't ask to change your email address, you can ignore this email.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Confirm your {APP_NAME} new email address" - }, "createRule": null, "deleteRule": null, "emailChangeToken": { @@ -494,24 +486,6 @@ func init() { "rule": "" }, "name": "users", - "oauth2": { - "enabled": true, - "mappedFields": { - "avatarURL": "", - "id": "", - "name": "", - "username": "username" - } - }, - "otp": { - "duration": 180, - "emailTemplate": { - "body": "

Hello,

\n

Your one-time password is: {OTP}

\n

If you didn't ask for the one-time password, you can ignore this email.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "OTP for {APP_NAME}" - }, - "enabled": false, - "length": 8 - }, "passwordAuth": { "enabled": true, "identityFields": [ @@ -521,17 +495,9 @@ func init() { "passwordResetToken": { "duration": 1800 }, - "resetPasswordTemplate": { - "body": "

Hello,

\n

Click on the button below to reset your password.

\n

\n Reset password\n

\n

If you didn't ask to reset your password, you can ignore this email.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Reset your {APP_NAME} password" - }, "system": false, "type": "auth", "updateRule": null, - "verificationTemplate": { - "body": "

Hello,

\n

Thank you for joining us at {APP_NAME}.

\n

Click on the button below to verify your email address.

\n

\n Verify\n

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Verify your {APP_NAME} email" - }, "verificationToken": { "duration": 604800 }, @@ -737,20 +703,12 @@ func init() { }, { "authAlert": { - "emailTemplate": { - "body": "

Hello,

\n

We noticed a login to your {APP_NAME} account from a new location.

\n

If this was you, you may disregard this email.

\n

If this wasn't you, you should immediately change your {APP_NAME} account password to revoke access from all other locations.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Login from a new location" - }, "enabled": true }, "authRule": "", "authToken": { "duration": 1209600 }, - "confirmEmailChangeTemplate": { - "body": "

Hello,

\n

Click on the button below to confirm your new email address.

\n

\n Confirm new email\n

\n

If you didn't ask to change your email address, you can ignore this email.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Confirm your {APP_NAME} new email address" - }, "createRule": null, "deleteRule": null, "emailChangeToken": { @@ -875,10 +833,6 @@ func init() { }, "otp": { "duration": 180, - "emailTemplate": { - "body": "

Hello,

\n

Your one-time password is: {OTP}

\n

If you didn't ask for the one-time password, you can ignore this email.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "OTP for {APP_NAME}" - }, "enabled": false, "length": 8 }, @@ -891,17 +845,9 @@ func init() { "passwordResetToken": { "duration": 1800 }, - "resetPasswordTemplate": { - "body": "

Hello,

\n

Click on the button below to reset your password.

\n

\n Reset password\n

\n

If you didn't ask to reset your password, you can ignore this email.

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Reset your {APP_NAME} password" - }, "system": true, "type": "auth", "updateRule": null, - "verificationTemplate": { - "body": "

Hello,

\n

Thank you for joining us at {APP_NAME}.

\n

Click on the button below to verify your email address.

\n

\n Verify\n

\n

\n Thanks,
\n {APP_NAME} team\n

", - "subject": "Verify your {APP_NAME} email" - }, "verificationToken": { "duration": 259200 },