feat: add flag to disable password auth (#5991)

Adds a flag --disable-password-auth that prevents the password login endpoint from working unless the user has the "owner" (aka. site admin) role. Adds a subcommand `coder server create-admin-user` which creates a user directly in the database with the "owner" role, the "admin" role in every organization, and password auth. This is to avoid lock-out situations where all accounts have the login type set to an identity provider and nobody can login.
2025-07-08 11:39:50 +00:00 · 2023-02-07 01:58:21 +11:00
parent 968d7e4dc5
commit 4fe221a700
21 changed files with 1352 additions and 542 deletions
--- a/cli/testdata/coder_server_create-admin-user_--help.golden
+++ b/cli/testdata/coder_server_create-admin-user_--help.golden
@ -0,0 +1,36 @@
+Create a new admin user with the given username, email and password and adds it to every organization.
+
+Usage:
+  coder server create-admin-user [flags]
+
+Flags:
+      --email string                  The email of the new user. If not specified, you will be
+                                      prompted via stdin. Consumes $CODER_EMAIL.
+  -h, --help                          help for create-admin-user
+      --password string               The password of the new user. If not specified, you will
+                                      be prompted via stdin. Consumes $CODER_PASSWORD.
+      --postgres-url string           URL of a PostgreSQL database. If empty, the built-in
+                                      PostgreSQL deployment will be used (Coder must not be
+                                      already running in this case). Consumes $CODER_POSTGRES_URL.
+      --ssh-keygen-algorithm string   The algorithm to use for generating ssh keys. Accepted
+                                      values are "ed25519", "ecdsa", or "rsa4096". Consumes
+                                      $CODER_SSH_KEYGEN_ALGORITHM. (default "ed25519")
+      --username string               The username of the new user. If not specified, you will
+                                      be prompted via stdin. Consumes $CODER_USERNAME.
+
+Global Flags:
+      --global-config coder   Path to the global coder config directory.
+                              Consumes $CODER_CONFIG_DIR (default "~/.config/coderv2")
+      --header stringArray    HTTP headers added to all requests. Provide as "Key=Value".
+                              Consumes $CODER_HEADER
+      --no-feature-warning    Suppress warnings about unlicensed features.
+                              Consumes $CODER_NO_FEATURE_WARNING
+      --no-version-warning    Suppress warning when client and server versions do not match.
+                              Consumes $CODER_NO_VERSION_WARNING
+      --token string          Specify an authentication token. For security reasons setting
+                              CODER_SESSION_TOKEN is preferred.
+                              Consumes $CODER_SESSION_TOKEN
+      --url string            URL to a deployment.
+                              Consumes $CODER_URL
+  -v, --verbose               Enable verbose output.
+                              Consumes $CODER_VERBOSE