Allow configuring required password restore input fields

manisandro · manisandro · commit b5e5242aa836 · 2025-04-29T18:47:44.000+02:00
diff --git a/schemas/qwc-db-auth.json b/schemas/qwc-db-auth.json
@@ -135,6 +135,13 @@
         "force_password_change_first_login": {
           "description": "Whether to force users to change the password on first login (regardless of user force_password_change setting). Default: `false`",
           "type": "boolean"
+        },
+        "required_restore_input": {
+          "description": "Input required in password restore form. Can be one or both of `username` and `email`. Default: `['username', 'email']`",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
         }
       },
       "required": [
diff --git a/src/db_auth.py b/src/db_auth.py
@@ -98,6 +98,7 @@ def __init__(self, tenant, mail, app):
         self.ip_blacklist_duration = config.get('ip_blacklist_duration', 300)
         self.ip_blacklist_max_attempt_count = config.get('ip_blacklist_max_attempt_count', 10)
         self.force_password_change_first_login = config.get('force_password_change_first_login', False)
+        self.required_restore_input = config.get('required_restore_input', ['username', 'email'])
 
         db_engine = DatabaseEngine()
         self.config_models = ConfigModels(
@@ -462,8 +463,12 @@ def new_password(self):
                 'new_password_contact_admin.html', form=form, i18n=i18n,
                 title=i18n.t("auth.new_password_page_title")
             )
-
         form = NewPasswordForm(meta=wft_locales())
+        if 'username' not in self.required_restore_input:
+            form.user.validators = []
+        if 'email' not in self.required_restore_input:
+            form.email.validators = []
+
         form.logo = self.login_logo
         form.background = self.login_background
         form.customstylesheet = self.customstylesheet
@@ -472,9 +477,18 @@ def new_password(self):
             # create session for ConfigDB
             with self.db_session() as db_session, db_session.begin():
 
-                entered_user = form.user.data
-                user = self.find_user(db_session, email=form.email.data)
-                if user and user.name == entered_user:
+                user_valid = False
+                if 'username' in self.required_restore_input and 'email' in self.required_restore_input:
+                    user = self.find_user(db_session, email=form.email.data)
+                    user_valid = user and user.name == form.user.data
+                elif 'username' in self.required_restore_input:
+                    user = self.find_user(db_session, name=form.user.data)
+                    user_valid = bool(user)
+                elif 'email' in self.required_restore_input:
+                    user = self.find_user(db_session, email=form.email.data)
+                    user_valid = bool(user)
+
+                if user_valid:
                     # generate and save reset token
                     user.reset_password_token = self.generate_token()
 
@@ -489,7 +503,9 @@ def new_password(self):
                         flash(i18n.t("auth.reset_mail_failed"))
                         return render_template(
                             'new_password.html', form=form, i18n=i18n,
-                            title=i18n.t("auth.new_password_page_title")
+                            title=i18n.t("auth.new_password_page_title"),
+                            show_username='username' in self.required_restore_input,
+                            show_email='email' in self.required_restore_input
                         )
                 else:
                     self.logger.info("User lookup failed")
@@ -500,7 +516,9 @@ def new_password(self):
 
         return render_template(
             'new_password.html', form=form, i18n=i18n,
-            title=i18n.t("auth.new_password_page_title")
+            title=i18n.t("auth.new_password_page_title"),
+            show_username='username' in self.required_restore_input,
+            show_email='email' in self.required_restore_input
         )
 
     def edit_password(self, token, identity=None):
diff --git a/src/templates/new_password.html b/src/templates/new_password.html
@@ -8,15 +8,19 @@ <h1>{{ i18n.t('auth.new_password_form_title') }}</h1>
         </div>
 
         <div class="login-form-fields">
+            {% if show_username %}
             <div class="control-group">
                 {{ form.user(placeholder=i18n.t('auth.username_placeholder'), type='text', autofocus=True, class_='login-field') }}
             </div>
+            {% endif %}
+            {% if show_email %}
             <div class="control-group">
                 {{ form.email(placeholder=i18n.t('auth.email_placeholder'), type='email', autofocus=False, class_='login-field') }}
                 {% for error in form.email.errors %}
                 <span style="color: red;">[{{ error }}]</span>
                 {% endfor %}
             </div>
+            {% endif %}
 
             <button class="button" type="submit">{{ i18n.t('auth.new_password_button') }}</button>
         </div>
