From ef2fbc6093adf918a986ea139e42926c55dca815 Mon Sep 17 00:00:00 2001
From: davrot <davrot@noreply.codeberg.org>
Date: Fri, 14 Feb 2025 12:54:18 +0000
Subject: [PATCH] fix: disable forgotten password for external signin only
 (#6680)

- Make it such that `[service].ENABLE_INTERNAL_SIGNIN = false` disables the forgotten password prompt on the login page.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6680
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: davrot <davrot@noreply.codeberg.org>
Co-committed-by: davrot <davrot@noreply.codeberg.org>
---
 routers/web/auth/auth.go                      |  3 ++
 templates/user/auth/signin_inner.tmpl         |  3 ++
 .../disable_forgotten_password_test.go        | 39 +++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 tests/integration/disable_forgotten_password_test.go

diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index ca8f06bdb1..92305ad26a 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -171,6 +171,8 @@ func SignIn(ctx *context.Context) {
 		context.SetCaptchaData(ctx)
 	}
 
+	ctx.Data["DisablePassword"] = !setting.Service.EnableInternalSignIn
+
 	ctx.HTML(http.StatusOK, tplSignIn)
 }
 
@@ -190,6 +192,7 @@ func SignInPost(ctx *context.Context) {
 	ctx.Data["PageIsLogin"] = true
 	ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled(ctx)
 	ctx.Data["EnableInternalSignIn"] = setting.Service.EnableInternalSignIn
+	ctx.Data["DisablePassword"] = !setting.Service.EnableInternalSignIn
 
 	// Permission denied if EnableInternalSignIn is false
 	if !setting.Service.EnableInternalSignIn {
diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
index ddef34f35d..4abb4646d1 100644
--- a/templates/user/auth/signin_inner.tmpl
+++ b/templates/user/auth/signin_inner.tmpl
@@ -50,6 +50,7 @@
 	</div>
 </div>
 
+{{if not .DisablePassword}}
 <div class="ui container fluid">
 	{{template "user/auth/webauthn_error" .}}
 
@@ -65,3 +66,5 @@
 			</div>
 		</div>
 </div>
+{{end}}
+
diff --git a/tests/integration/disable_forgotten_password_test.go b/tests/integration/disable_forgotten_password_test.go
new file mode 100644
index 0000000000..8a50c8d409
--- /dev/null
+++ b/tests/integration/disable_forgotten_password_test.go
@@ -0,0 +1,39 @@
+package integration
+
+import (
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+	"code.gitea.io/gitea/tests"
+)
+
+func TestDisableForgottenPasswordFalse(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&setting.Service.EnableInternalSignIn, true)()
+
+	req := NewRequest(t, "GET", "/user/login/")
+	resp := MakeRequest(t, req, http.StatusOK)
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	htmlDoc.AssertElement(t, "a[href='/user/forgot_password']", true)
+}
+
+func TestDisableForgottenPasswordTrue(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&setting.Service.EnableInternalSignIn, false)()
+
+	req := NewRequest(t, "GET", "/user/login/")
+	resp := MakeRequest(t, req, http.StatusOK)
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	htmlDoc.AssertElement(t, "a[href='/user/forgot_password']", false)
+}
+
+func TestDisableForgottenPasswordDefault(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	req := NewRequest(t, "GET", "/user/login/")
+	resp := MakeRequest(t, req, http.StatusOK)
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	htmlDoc.AssertElement(t, "a[href='/user/forgot_password']", true)
+}