Add option to restrict login (only allow admins)

Author: NicoBiernat

config/config.go

@@ -47,6 +47,7 @@ var (
 	ApiTokenExpirationTime time.Duration = getDuration("API_TOKEN_EXPIRATION_TIME", 3*24*time.Hour)
 	MinPasswordLength      int           = getInt("MIN_PASSWORD_LENGTH", 12)
 	InternalIPs            []net.IP      = parseIPs(getString("INTERNAL_IPS", ""))
+	RestrictLoginToAdmins  bool          = getBool("RESTRICT_LOGIN_TO_ADMINS", false)
 
 	UseTestDatabase bool = getBool("USE_TEST_DATABASE", false) // TODO: remove in prod - this function deletes the whole database
 )

service/user.go

@@ -1,8 +1,10 @@
 package service
 
 import (
+	"slices"
 	"time"
 
+	"github.com/ProjectLighthouseCAU/heimdall/config"
 	"github.com/ProjectLighthouseCAU/heimdall/crypto"
 	"github.com/ProjectLighthouseCAU/heimdall/model"
 	"github.com/ProjectLighthouseCAU/heimdall/repository"
@@ -62,6 +64,11 @@ func (s *UserService) Login(username, password string, session *session.Session)
 	if !crypto.PasswordMatchesHash(password, user.Password) {
 		return nil, model.UnauthorizedError{Message: "Invalid credentials", Err: nil}
 	}
+	if config.RestrictLoginToAdmins {
+		if slices.ContainsFunc(user.Roles, func(role model.Role) bool { return role.Name == config.AdminRoleName }) {
+			return nil, model.ForbiddenError{Message: "Login is currently restricted to admins only"}
+		}
+	}
 
 	session.Set("userid", user.ID)
 	session.Set("username", user.Username)