fix(auth): filter web approval auth method only if there are other authentication methods available (#1390)

2025-09-06 06:34:32 +08:00 · 2025-06-27 20:16:13 +02:00 · 2025-06-27 20:16:13 +02:00 · 834ae138e1
commit 834ae138e1
parent 09140a36b8
1 changed files with 11 additions and 9 deletions
--- a/warpgate-core/src/config_providers/db.rs
+++ b/warpgate-core/src/config_providers/db.rs
@ -124,16 +124,18 @@ impl ConfigProvider for DatabaseConfigProvider {
            .copied()
            .collect::<HashSet<_>>();

+        // "Any single credential" policy should not include WebUserApproval
+        // if other authentication methods are available because it could lead to user confusion
        let default_policy = Box::new(AnySingleCredentialPolicy {
-            // "Any single credential" policy does not include WebUserApproval
-            // as it can be confusing to the users to see
-            // (or not see depending on the postgres client)
-            // the approval prompt in response to all authentication methods failing
-            supported_credential_types: supported_credential_types
-                .iter()
-                .cloned()
-                .filter(|x| x != &CredentialKind::WebUserApproval)
-                .collect(),
+            supported_credential_types: if supported_credential_types.len() > 1 {
+                supported_credential_types
+                    .iter()
+                    .cloned()
+                    .filter(|x| x != &CredentialKind::WebUserApproval)
+                    .collect()
+            } else {
+                supported_credential_types.clone()
+            },
        }) as Box<dyn CredentialPolicy + Sync + Send>;

        if let Some(req) = user.credential_policy.clone() {