From 834ae138e1d5f604327da6a6be2b575f47f2f6f1 Mon Sep 17 00:00:00 2001
From: Jose Luis Gonzalez Calvo <90149790+joseluisgonzalezca@users.noreply.github.com>
Date: Fri, 27 Jun 2025 20:16:13 +0200
Subject: [PATCH] fix(auth): filter web approval auth method only if there are other authentication methods available (#1390)
---
 warpgate-core/src/config_providers/db.rs | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/warpgate-core/src/config_providers/db.rs b/warpgate-core/src/config_providers/db.rs
index 1711d825..1b67c289 100644
--- a/warpgate-core/src/config_providers/db.rs
+++ b/warpgate-core/src/config_providers/db.rs
@@ -124,16 +124,18 @@ impl ConfigProvider for DatabaseConfigProvider {
 .copied()
 .collect::>();
+ // "Any single credential" policy should not include WebUserApproval
+ // if other authentication methods are available because it could lead to user confusion
 let default_policy = Box::new(AnySingleCredentialPolicy {
- // "Any single credential" policy does not include WebUserApproval
- // as it can be confusing to the users to see
- // (or not see depending on the postgres client)
- // the approval prompt in response to all authentication methods failing
- supported_credential_types: supported_credential_types
- .iter()
- .cloned()
- .filter(|x| x != &CredentialKind::WebUserApproval)
- .collect(),
+ supported_credential_types: if supported_credential_types.len() > 1 {
+ supported_credential_types
+ .iter()
+ .cloned()
+ .filter(|x| x != &CredentialKind::WebUserApproval)
+ .collect()
+ } else {
+ supported_credential_types.clone()
+ },
 }) as Box;
 if let Some(req) = user.credential_policy.clone() {
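Review bot: The `supported_credential_types.len() > 1` test stands in for "some other method exists", which only holds if the collection contains unique kinds; the `collect` target type is not readable in this view. Writing the condition as `if supported_credential_types.iter().any(|x| x != &CredentialKind::WebUserApproval) {` states the intent directly and does not depend on the container. The `else` branch also means in-browser approval alone now satisfies the default policy when it is the only supported kind. That is a change to the authentication policy, not only to the prompt users see, so the comment should say it, e.g. `// WebUserApproval is accepted on its own only when no other credential kind is supported`. A test covering the single-kind and mixed-kind cases would pin the behaviour; how `supported_credential_types` is built lies above the hunk, so whether it can ever reduce to web approval for a user who has other credentials configured cannot be judged from here.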