
Proposal: Option to disable internal auth/register and only allow external authClient #178

Closed
Kiina opened this issue Jul 6, 2021 · 5 comments

Kiina commented Jul 6, 2021

I'd like to suggest a new option to only let users log in via one of the identity providers defined in authClientCollection.

Why?

Easier and more secure management. When I force my users to log in via GitLab only, for example, I can force all GitLab users to use 2FA or other things, increasing the overall security. Also it makes it easier to restrict access and eases password management.
When someone leaves my project I don't have to remove the account in 20 different places. I can just restrict his GitLab login and OAuth to all connected sites won't work anymore. Instead of running the risk that someone reuses his password, I can make sure only a strong password + 2FA is used in my identity provider.

Possible Issues

The plugins might not work well with OAuth. I haven't tested this yet, so maybe it's not a problem. The API allows OAuth, so it shouldn't be too much of an issue.

ganigeorgiev (Member) commented

Thanks for submitting the proposal.

Your request seems reasonable and I think it could be implemented without breaking the current behavior and without introducing too many changes. I'll consider it for v2.11.0.

About the plugins - the current implementation for both AdobeXD and Figma doesn't support OAuth2 authorization, but I think it could be added. For Figma I expect things to be easier because the plugin's API is closer to the browser env, but that may not be the case for AdobeXD (there is a `require("uxp").shell.openExternal('...')` method that I think should allow opening the default client browser, but I haven't tested it yet).

ganigeorgiev (Member) commented

A new `emailPasswordAuth` parameter (defaults to true) was added in v2.11.0.

To disable the default Email/Password authorization flow, add `'emailPasswordAuth' => false,` in your params-local.php.

Unfortunately the OAuth2 support for the plugins ended up more troublesome than I initially thought.
I couldn't find an easy way to send data from the browser back to the plugin.
As a workaround, I've tried to use window.opener but that partially works only with Figma in the browser (for the desktop app window.opener cannot be set).
I've also tried opening the OAuth2 URL directly within the plugin's popup but that won't work because most providers don't allow embedding (usually 'X-Frame-Options' is set to 'deny' for security reasons).

So, the only proper way I think there is to make the plugins work with OAuth2 is to temporarily store the OAuth2 response access token on the server (aka. implement some sort of sessions) until it is "poll"-ed from the plugin (eg. with interval/websockets/server-sent-events).

This solution requires major changes to the API and the database and currently I want to avoid that, because I'm planning to implement a new backend for v3. I just have to find the time to start working on it along with everything else...

For now, I've added a note about the limitation in the plugins readme, but if anyone thinks that there is an easier way to implement it, please let me know.


Kiina commented Aug 2, 2021

Can you push the current release to dockerhub? The latest there is still v2.10.1

ganigeorgiev (Member) commented

Yes, I'm aware, sorry for the inconvenience.

Recently Docker Hub has disabled Automated Builds for their free plans and I'm waiting for a response from their team on whether Presentator will be allowed to participate in their Open Source program.

I'll wait for their answer up until this Friday and if they decline or need more time I'll push the tagged images manually during the weekend.


ganigeorgiev commented Aug 6, 2021

@Kiina The latest image tags should now be available in Docker Hub.
