hide login if login type disabled (#5438)

# Description of Changes  --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.
2026-03-04 02:20:19 +01:00 · 2026-01-12 19:38:02 +00:00
parent d2677e64dd
commit d4d4538630
3 changed files with 39 additions and 13 deletions
--- a/app/proprietary/src/main/java/stirling/software/proprietary/controller/api/ProprietaryUIDataController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/controller/api/ProprietaryUIDataController.java
@@ -169,7 +169,10 @@ public class ProprietaryUIDataController {

        OAUTH2 oauth = securityProps.getOauth2();

-        if (oauth != null && oauth.getEnabled()) {
+        // Only add OAuth2 providers if loginMethod allows it
+        if (oauth != null
+                && oauth.getEnabled()
+                && securityProps.isOauth2Active()) { // This checks loginMethod
            if (oauth.isSettingsValid()) {
                String firstChar = String.valueOf(oauth.getProvider().charAt(0));
                String clientName =
@@ -201,6 +204,7 @@ public class ProprietaryUIDataController {
        }

        SAML2 saml2 = securityProps.getSaml2();
+        // Only add SAML2 providers if loginMethod allows it
        if (securityProps.isSaml2Active() && applicationProperties.getPremium().isEnabled()) {
            String samlIdp = saml2.getProvider();
            String saml2AuthenticationPath = "/saml2/authenticate/" + saml2.getRegistrationId();
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/AuthController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/AuthController.java
@@ -21,6 +21,7 @@ import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;

+import stirling.software.common.model.ApplicationProperties;
 import stirling.software.proprietary.audit.AuditEventType;
 import stirling.software.proprietary.audit.AuditLevel;
 import stirling.software.proprietary.audit.Audited;
@@ -44,6 +45,7 @@ public class AuthController {
    private final JwtServiceInterface jwtService;
    private final CustomUserDetailsService userDetailsService;
    private final LoginAttemptService loginAttemptService;
+    private final ApplicationProperties.Security securityProperties;

    /**
     * Login endpoint - replaces Supabase signInWithPassword
@@ -60,6 +62,17 @@ public class AuthController {
            HttpServletRequest httpRequest,
            HttpServletResponse response) {
        try {
+            // Check if username/password authentication is allowed
+            if (!securityProperties.isUserPass()) {
+                log.warn(
+                        "Username/password login attempted but not allowed by current login method configuration");
+                return ResponseEntity.status(HttpStatus.FORBIDDEN)
+                        .body(
+                                Map.of(
+                                        "error",
+                                        "Username/password authentication is not enabled. Please use the configured authentication method."));
+            }
+
            // Validate input parameters
            if (request.getUsername() == null || request.getUsername().trim().isEmpty()) {
                log.warn("Login attempt with null or empty username");