feat: openid connect support (#2873)

app/models/concerns/has_authentication.rb

@@ -5,15 +5,20 @@ module HasAuthentication
   extend ActiveSupport::Concern
 
   included do
-    has_secure_password
+    has_secure_password validations: false
 
     validates :password, length: { minimum: 8, allow_blank: true }
+    validates :password, confirmation: { allow_blank: true }
+    validate :validate_password_presence
+
     before_save :clear_password_reset_token_on_password_change
+
+    scope :with_password, -> { where.not(password_digest: nil) }
   end
 
   class_methods do
     def authenticate(email_address, password)
-      user = where(email_address: email_address).first
+      user = find_by(email_address: email_address)
       raise Postal::Errors::AuthenticationError, "InvalidEmailAddress" if user.nil?
       raise Postal::Errors::AuthenticationError, "InvalidPassword" unless user.authenticate(password)
 
@@ -30,6 +35,10 @@ module HasAuthentication
   end
 
   def begin_password_reset(return_to = nil)
+    if Postal::Config.oidc.enabled? && (oidc_uid.present? || password_digest.blank?)
+      raise Postal::Error, "User has OIDC enabled, password resets are not supported"
+    end
+
     self.password_reset_token = SecureRandom.alphanumeric(24)
     self.password_reset_token_valid_until = 1.day.from_now
     save!
@@ -45,6 +54,12 @@ module HasAuthentication
     self.password_reset_token_valid_until = nil
   end
 
+  def validate_password_presence
+    return if password_digest.present? || Postal::Config.oidc.enabled?
+
+    errors.add :password, :blank
+  end
+
 end
 
 # -*- SkipSchemaAnnotations