display email login_hint when login_with_email_allowed is activated

Author: mcalinghee

Cargo.lock

@@ -28,3 +28,5 @@ ruma-common.workspace = true
 mas-iana.workspace = true
 mas-jose.workspace = true
 oauth2-types.workspace = true
+# Emails
+lettre.workspace = true

crates/data-model/Cargo.toml

@@ -4,6 +4,8 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 // Please see LICENSE in the repository root for full details.
 
+use std::str::FromStr as _;
+
 use chrono::{DateTime, Utc};
 use mas_iana::oauth::PkceCodeChallengeMethod;
 use oauth2_types::{
@@ -142,6 +144,7 @@ impl AuthorizationGrantStage {
 
 pub enum LoginHint<'a> {
     MXID(&'a UserId),
+    EMAIL(&'a str),
     None,
 }
 
@@ -173,7 +176,7 @@ impl std::ops::Deref for AuthorizationGrant {
 
 impl AuthorizationGrant {
     #[must_use]
-    pub fn parse_login_hint(&self, homeserver: &str) -> LoginHint {
+    pub fn parse_login_hint(&self, homeserver: &str, login_with_email_allowed: bool) -> LoginHint {
         let Some(login_hint) = &self.login_hint else {
             return LoginHint::None;
         };
@@ -197,6 +200,17 @@ impl AuthorizationGrant {
 
                 LoginHint::MXID(mxid)
             }
+            "email" => {
+                if !login_with_email_allowed {
+                    return LoginHint::None;
+                }
+                // Validate the email
+                if lettre::Address::from_str(value).is_err() {
+                    return LoginHint::None;
+                }
+
+                LoginHint::EMAIL(value)
+            }
             // Unknown hint type, treat as none
             _ => LoginHint::None,
         }
@@ -288,7 +302,7 @@ mod tests {
             ..AuthorizationGrant::sample(now, &mut rng)
         };
 
-        let hint = grant.parse_login_hint("example.com");
+        let hint = grant.parse_login_hint("example.com", false);
 
         assert!(matches!(hint, LoginHint::None));
     }
@@ -306,11 +320,47 @@ mod tests {
             ..AuthorizationGrant::sample(now, &mut rng)
         };
 
-        let hint = grant.parse_login_hint("example.com");
+        let hint = grant.parse_login_hint("example.com", false);
 
         assert!(matches!(hint, LoginHint::MXID(mxid) if mxid.localpart() == "example-user"));
     }
 
+    #[test]
+    fn valid_login_hint_with_email() {
+        #[allow(clippy::disallowed_methods)]
+        let mut rng = thread_rng();
+
+        #[allow(clippy::disallowed_methods)]
+        let now = Utc::now();
+
+        let grant = AuthorizationGrant {
+            login_hint: Some(String::from("email:example@user")),
+            ..AuthorizationGrant::sample(now, &mut rng)
+        };
+
+        let hint = grant.parse_login_hint("example.com", true);
+
+        assert!(matches!(hint, LoginHint::EMAIL(email) if email == "example@user"));
+    }
+
+    #[test]
+    fn valid_login_hint_with_email_when_login_with_email_not_allowed() {
+        #[allow(clippy::disallowed_methods)]
+        let mut rng = thread_rng();
+
+        #[allow(clippy::disallowed_methods)]
+        let now = Utc::now();
+
+        let grant = AuthorizationGrant {
+            login_hint: Some(String::from("email:example@user")),
+            ..AuthorizationGrant::sample(now, &mut rng)
+        };
+
+        let hint = grant.parse_login_hint("example.com", false);
+
+        assert!(matches!(hint, LoginHint::None));
+    }
+
     #[test]
     fn invalid_login_hint() {
         #[allow(clippy::disallowed_methods)]
@@ -324,7 +374,7 @@ mod tests {
             ..AuthorizationGrant::sample(now, &mut rng)
         };
 
-        let hint = grant.parse_login_hint("example.com");
+        let hint = grant.parse_login_hint("example.com", false);
 
         assert!(matches!(hint, LoginHint::None));
     }
@@ -342,7 +392,7 @@ mod tests {
             ..AuthorizationGrant::sample(now, &mut rng)
         };
 
-        let hint = grant.parse_login_hint("example.com");
+        let hint = grant.parse_login_hint("example.com", false);
 
         assert!(matches!(hint, LoginHint::None));
     }
@@ -360,7 +410,7 @@ mod tests {
             ..AuthorizationGrant::sample(now, &mut rng)
         };
 
-        let hint = grant.parse_login_hint("example.com");
+        let hint = grant.parse_login_hint("example.com", false);
 
         assert!(matches!(hint, LoginHint::None));
     }

crates/data-model/src/oauth2/authorization_grant.rs

@@ -123,6 +123,7 @@ pub(crate) async fn get(
         &mut rng,
         &templates,
         &homeserver,
+        &site_config,
     )
     .await
 }
@@ -177,6 +178,7 @@ pub(crate) async fn post(
             &mut rng,
             &templates,
             &homeserver,
+            &site_config,
         )
         .await;
     }
@@ -187,7 +189,7 @@ pub(crate) async fn post(
         .unwrap_or(&form.username);
 
     // First, lookup the user
-    let Some(user) = get_user_by_email_or_by_username(site_config, &mut repo, username).await?
+    let Some(user) = get_user_by_email_or_by_username(&site_config, &mut repo, username).await?
     else {
         let form_state = form_state.with_error_on_form(FormError::InvalidCredentials);
         PASSWORD_LOGIN_COUNTER.add(1, &[KeyValue::new(RESULT, "error")]);
@@ -201,6 +203,7 @@ pub(crate) async fn post(
             &mut rng,
             &templates,
             &homeserver,
+            &site_config,
         )
         .await;
     };
@@ -220,6 +223,7 @@ pub(crate) async fn post(
             &mut rng,
             &templates,
             &homeserver,
+            &site_config,
         )
         .await;
     }
@@ -240,6 +244,7 @@ pub(crate) async fn post(
             &mut rng,
             &templates,
             &homeserver,
+            &site_config,
         )
         .await;
     };
@@ -283,6 +288,7 @@ pub(crate) async fn post(
                 &mut rng,
                 &templates,
                 &homeserver,
+                &site_config,
             )
             .await;
         }
@@ -339,7 +345,7 @@ pub(crate) async fn post(
 }
 
 async fn get_user_by_email_or_by_username<R: RepositoryAccess>(
-    site_config: SiteConfig,
+    site_config: &SiteConfig,
     repo: &mut R,
     username_or_email: &str,
 ) -> Result<Option<mas_data_model::User>, R::Error> {
@@ -364,6 +370,7 @@ fn handle_login_hint(
     mut ctx: LoginContext,
     next: &PostAuthContext,
     homeserver: &dyn HomeserverConnection,
+    site_config: &SiteConfig,
 ) -> LoginContext {
     let form_state = ctx.form_state_mut();
 
@@ -373,8 +380,12 @@ fn handle_login_hint(
     }
 
     if let PostAuthContextInner::ContinueAuthorizationGrant { ref grant } = next.ctx {
-        let value = match grant.parse_login_hint(homeserver.homeserver()) {
+        let value = match grant.parse_login_hint(
+            homeserver.homeserver(),
+            site_config.login_with_email_allowed,
+        ) {
             LoginHint::MXID(mxid) => Some(mxid.localpart().to_owned()),
+            LoginHint::EMAIL(email) => Some(email.to_owned()),
             LoginHint::None => None,
         };
         form_state.set_value(LoginFormField::Username, value);
@@ -393,6 +404,7 @@ async fn render(
     rng: impl Rng,
     templates: &Templates,
     homeserver: &dyn HomeserverConnection,
+    site_config: &SiteConfig,
 ) -> Result<Response, InternalError> {
     let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock, rng);
     let providers = repo.upstream_oauth_provider().all_enabled().await?;
@@ -406,7 +418,7 @@ async fn render(
         .await
         .map_err(InternalError::from_anyhow)?;
     let ctx = if let Some(next) = next {
-        let ctx = handle_login_hint(ctx, &next, homeserver);
+        let ctx = handle_login_hint(ctx, &next, homeserver, site_config);
         ctx.with_post_action(next)
     } else {
         ctx