(core) Add account page option to allow Google login

Summary: Enabled by default, the new checkbox is only visible to users logged in with email/password, and controls whether it is possible to log in to the same account via a Google account (with matching email). When disabled, CognitoClient will refuse logins from Google if a Grist account with the same email exists. Test Plan: Server and browser tests for setting flag. Manual tests to verify Cognito doesn't allow signing in with Google when flag is disabled. Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3257
2026-03-02 04:09:24 +00:00 · 2022-02-14 13:26:21 -08:00
parent 99f3422217
commit e264094412
8 changed files with 115 additions and 10 deletions
--- a/app/gen-server/ApiServer.ts
+++ b/app/gen-server/ApiServer.ts
@@ -345,7 +345,7 @@ export class ApiServer {
    // Get user's profile
    this._app.get('/api/profile/user', expressWrap(async (req, res) => {
      const fullUser = await this._getFullUser(req);
-      return sendOkReply(req, res, fullUser);
+      return sendOkReply(req, res, fullUser, {allowedFields: new Set(['allowGoogleLogin'])});
    }));

    // POST /api/profile/user/name
@@ -361,6 +361,24 @@ export class ApiServer {
      res.sendStatus(200);
    }));

+    // POST /api/profile/allowGoogleLogin
+    // Update user's preference for allowing Google login.
+    this._app.post('/api/profile/allowGoogleLogin', expressWrap(async (req, res) => {
+      const userId = getAuthorizedUserId(req);
+      const fullUser = await this._getFullUser(req);
+      if (fullUser.loginMethod !== 'Email + Password') {
+        throw new ApiError('Only users signed in via email can enable/disable Google login', 401);
+      }
+
+      const allowGoogleLogin: boolean | undefined = req.body.allowGoogleLogin;
+      if (allowGoogleLogin === undefined) {
+        throw new ApiError('Missing body param: allowGoogleLogin', 400);
+      }
+
+      await this._dbManager.updateUserOptions(userId, {allowGoogleLogin});
+      res.sendStatus(200);
+    }));
+
    // GET /api/profile/apikey
    // Get user's apiKey
    this._app.get('/api/profile/apikey', expressWrap(async (req, res) => {
@@ -471,11 +489,15 @@ export class ApiServer {
  private async _getFullUser(req: Request): Promise<FullUser> {
    const mreq = req as RequestWithLogin;
    const userId = getUserId(mreq);
-    const fullUser = await this._dbManager.getFullUser(userId);
+    const user = await this._dbManager.getUser(userId);
+    if (!user) { throw new ApiError("unable to find user", 400); }
+
+    const fullUser = this._dbManager.makeFullUser(user);
    const domain = getOrgFromRequest(mreq);
    const sessionUser = getSessionUser(mreq.session, domain || '', fullUser.email);
    const loginMethod = sessionUser && sessionUser.profile ? sessionUser.profile.loginMethod : undefined;
-    return {...fullUser, loginMethod};
+    const allowGoogleLogin = user.options?.allowGoogleLogin ?? true;
+    return {...fullUser, loginMethod, allowGoogleLogin};
  }
 }