Proposed changes
AUTO_CREATE_USERS option for Google, GitHub, and Facebook auth
Related issues
(N/A)
Checklist
Further comments
Hello! This is currently an untested draft pull request, as I'm still exploring and understanding the codebase.
This PR adds a configurable option to control the auto-creation of users from providers (Google, GitHub, Facebook). It sets this option to "true" by default, which will retain backwards compatibility with the existing behavior.
I see in the code and documentation that "providers are trusted" and users are automatically created. This means that if you enable Google Authentication, anyone with a Google account can log in. There is an option to restrict to specific email domains, which is great, but more granularity would be nice.
For example, I may want to use Google Authentication but only authorize users I've explicitly added to the platform. Google is the strategy I am personally testing, but this would probably apply to GitHub and Facebook auth as well.
With this new option, setting PROVIDERS__GOOGLE__CONFIG__AUTO_CREATE_USERS to false would mean that users could log in with Google Auth, but only if that user has an account already created on the server. This would allow an admin to have strict control over who logs in, even from their own Google domain.
A further iteration would be to allow only auto user creation from specific existing Google groups. I may look at that in the future.
Thank you for this great open source product.
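
The login decision this option describes, as an added example that is not code from this pull request or from the project. The function names, the in-memory set of known emails, the `email_verified` check and the fail-closed parsing of the setting are assumptions, and the addresses are constructed samples.

```python
import os

TRUE_VALUES = ("true", "1", "yes", "on")


def auto_create_enabled(provider, env=os.environ):
    """Read PROVIDERS__<PROVIDER>__CONFIG__AUTO_CREATE_USERS.

    Unset keeps the existing behavior (auto-create on). Assumption: any value
    that is not a recognised "true" disables auto-creation, so a typo in the
    setting fails closed instead of silently re-enabling open sign-up.
    """
    raw = env.get(f"PROVIDERS__{provider.upper()}__CONFIG__AUTO_CREATE_USERS")
    if raw is None:
        return True
    return raw.strip().lower() in TRUE_VALUES


def resolve_login(provider, profile, known_emails, allowed_domains=(), env=os.environ):
    """Return (decision, email); decision is 'login', 'created' or 'denied'.

    known_emails is a hypothetical stand-in for the server's user table.
    """
    email = str(profile.get("email", "")).strip().lower()
    # Assumption: accounts are matched by email, so an address the provider
    # has not verified must never be mapped onto an existing account.
    if not email or not profile.get("email_verified", False):
        return ("denied", email)
    # The existing domain restriction applies before any account lookup.
    domain = email.rpartition("@")[2]
    if allowed_domains and domain not in allowed_domains:
        return ("denied", email)
    if email in known_emails:
        return ("login", email)
    # Unknown user: provision only when auto-creation is enabled.
    if auto_create_enabled(provider, env):
        known_emails.add(email)
        return ("created", email)
    return ("denied", email)


if __name__ == "__main__":
    users = {"alice@example.com"}  # constructed: accounts an admin added by hand
    strict = {"PROVIDERS__GOOGLE__CONFIG__AUTO_CREATE_USERS": "false"}
    for addr in ("alice@example.com", "bob@example.com"):
        profile = {"email": addr, "email_verified": True}
        print(addr, resolve_login("google", profile, users, env=strict))
```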