chore: disable FB auth if secrets not defined

app/api/views/auth.py

@@ -10,7 +10,12 @@
 from app import email_utils
 from app.abuser_utils import check_if_abuser_email
 from app.api.base import api_bp
-from app.config import FLASK_SECRET, DISABLE_REGISTRATION, google_enabled
+from app.config import (
+    FLASK_SECRET,
+    DISABLE_REGISTRATION,
+    google_enabled,
+    facebook_enabled,
+)
 from app.dashboard.views.account_setting import send_reset_password_email
 from app.db import Session
 from app.email_utils import (
@@ -277,6 +282,9 @@ def auth_facebook():
         }
 
     """
+    if not facebook_enabled():
+        return jsonify(error="invalid login mechanism"), 400
+
     import facebook
 
     data = request.get_json()

app/auth/views/facebook.py

@@ -8,6 +8,7 @@
     URL,
     FACEBOOK_CLIENT_ID,
     FACEBOOK_CLIENT_SECRET,
+    facebook_enabled,
 )
 from app.db import Session
 from app.log import LOG
@@ -27,6 +28,9 @@
 
 @auth_bp.route("/facebook/login")
 def facebook_login():
+    if not facebook_enabled():
+        return redirect(url_for("auth.login"))
+
     # to avoid flask-login displaying the login error message
     session.pop("_flashes", None)
 
@@ -50,6 +54,9 @@ def facebook_login():
 
 @auth_bp.route("/facebook/callback")
 def facebook_callback():
+    if not facebook_enabled():
+        return redirect(url_for("auth.login"))
+
     # user clicks on cancel
     if "error" in request.args:
         flash("Please use another sign in method then", "warning")

app/config.py

@@ -301,6 +301,11 @@ def google_enabled():
 FACEBOOK_CLIENT_ID = os.environ.get("FACEBOOK_CLIENT_ID")
 FACEBOOK_CLIENT_SECRET = os.environ.get("FACEBOOK_CLIENT_SECRET")
 
+
+def facebook_enabled():
+    return FACEBOOK_CLIENT_ID and FACEBOOK_CLIENT_SECRET
+
+
 CONNECT_WITH_OIDC_ICON = os.environ.get("CONNECT_WITH_OIDC_ICON")
 OIDC_WELL_KNOWN_URL = os.environ.get("OIDC_WELL_KNOWN_URL")
 OIDC_CLIENT_ID = os.environ.get("OIDC_CLIENT_ID")