Fix SEMAPHORE_PASSWORD_LOGIN_DISABLED to properly disable login forms #3270
+30,777
−30,773
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ED issue Co-authored-by: fiftin <[email protected]>
- Add login_with_email field to login metadata API response - Update frontend to check both password and email authentication settings - Only show email form when explicitly enabled via SEMAPHORE_EMAIL_2TP_ENABLED - Show no login forms when both password and email auth are disabled - Fix divider display logic to only show when login forms are present Co-authored-by: fiftin <[email protected]>
Copilot
AI
changed the title
Copilot finished work on behalf of
fiftin
September 2, 2025 20:41
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
SEMAPHORE_PASSWORD_LOGIN_DISABLED=trueenvironment variable was not working as expected - instead of disabling the login form entirely, it was showing an email-based login form as a fallback.Problem
When users set
SEMAPHORE_PASSWORD_LOGIN_DISABLED=true(typically for OIDC/LDAP-only environments), they expected the login form to be completely disabled. However, the frontend was showing an email login form instead:Before (incorrect behavior):
SEMAPHORE_PASSWORD_LOGIN_DISABLED=true→ Shows email login formRoot Cause
The frontend logic assumed that when password login is disabled, email login should be shown as a fallback. However, email authentication is controlled by a separate configuration (
SEMAPHORE_EMAIL_2TP_ENABLED) that wasn't being exposed to the frontend.Solution
Backend changes:
login_with_emailfield to the/api/auth/loginresponseutil.Config.Auth.Email.EnabledstatusFrontend changes:
Auth.vueto check bothloginWithPasswordandloginWithEmailsettingsloginWithEmailis explicitlytrueBehavior After Fix
SEMAPHORE_PASSWORD_LOGIN_DISABLED=trueSEMAPHORE_PASSWORD_LOGIN_DISABLED=true+SEMAPHORE_EMAIL_2TP_ENABLED=trueAPI Changes
The fix adds one field to the login metadata response:
{ "oidc_providers": [], "login_with_password": false, "login_with_email": false, "auth_methods": {} }This change is backward compatible - existing clients will ignore the new field.
Screenshots
Fixed behavior - Password login disabled:
Email authentication when explicitly enabled:
Fixes #3225.
💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.