Account linking does not work if only external registration is allowed

[PKizzle]

• Gitea version (or commit ref): 1.9.4
• Git version: 2.22.0
• Operating system: GNU/Linux Debian 9
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No (ALLOW_ONLY_EXTERNAL_REGISTRATION not set to true)
  • Not relevant
• Log gist:

Description

The password input is disabled if only external registration is enabled.
However the form can not be successfully submitted because Gitea requires an input to the password text field.

The following code snippet states, that this is a feature for "second factor"-enabled accounts.

gitea/routers/user/auth.go

Lines 894 to 898 in 280f4be

	// In models.User an empty password is classed as not set, so we set form.Password to empty.
	// Eventually the database should be changed to indicate "Second Factor"-enabled accounts
	// (accounts that do not introduce the security vulnerabilities of a password).
	// If a user decides to circumvent second-factor security, and purposefully create a password,
	// they can still do so using the "Recover Account" option.

However if the existing user has set a password already, the password field needs to be shown. Otherwise he is unable to authenticate and link the account.

Maybe there should be an additional setting specifically for "second factor"-enabled accounts instead of using ALLOW_ONLY_EXTERNAL_REGISTRATION?

Screenshots

[jkocot]

I encountered a similar issue, but I don't think it is related to the ALLOW_ONLY_EXTERNAL_REGISTRATION (we didn't have this option set on our server).
How this looks like:
Prerequisite: I already have an existing Gitea account, and I'm not logged in

1. I use the "Sign in with Open ID Connect" option and log in with my Open ID Connect authentication server
2. I get two options now - to register a new account or to link to an existing account, I choose the second one (the "Link to Existing Account" tab), but the tab has only place for username or email (there is no place for the password)
3. I type e-mail (or username, it doesn't matter - the behavior is the same for the two options) and accept
4. I am now redirected again to the "Register New Account" tag, but now my e-mails/username is filled in (but I cannot create such a user as it already existed)
5. Presumably, the problem is the lack of the password, so I check the "Link to Existing Account" tab again - now it looks different: apart from the username/e-mail field it now shows a password field marked in read as if I had forgot to fill it (but it wasn't there at the start)

Here are the screen-shots showing p. 1, 4 and 5

We use version 1.9.3 of Gitea Server. I tried to reproduce it on https://try.gitea.io/ by logging in with GitHub, but there it works correctly (however, once I got a 500 error).

[PKizzle]

In your case ALLOW_ONLY_EXTERNAL_REGISTRATION is not set, but are you using the REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA option?
The visibility of the password field is dependent on these options:
!setting.Service.RequireExternalRegistrationCaptcha || setting.Service.AllowOnlyExternalRegistration

[hsiejkowski]

I answer on behalf of @jkocot. We set: ALLOW_ONLY_EXTERNAL_REGISTRATION = false and REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA is not set, but I believe it inherits the value from ENABLE_CAPTCHA, which in our case is set to false. So this results in a hidden password field.

If I set ENABLE_CAPTCHA = true the password field shows up, so this works as expected.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[PKizzle]

I don't think this issue has been resolved yet. Any further comments @hsiejkowski, @jkocot ?

[hsiejkowski]

I don't think this issue has been resolved yet. Any further comments @hsiejkowski, @jkocot ?

For us this works as expected, so we have no further comments.

[PKizzle]

If I understand correctly you enabled the Captcha option and the password field is shown?
Well shouldn't the password field also be visible without Captcha being enabled?

[hsiejkowski]

To test it once again I disabled captcha on gitea 1.10.2 and the password field is visible. Regardless if ALLOW_ONLY_EXTERNAL_REGISTRATION is set to false or true.

[PKizzle]

I found pull request #9150, which deals with this issue. So I will comment again once I've done the update.

[PKizzle]

Okay, so after the update from 1.10 to 1.10.2 everything is working as expected. I'll close the issue.