[GIT-66] improvement: prevent disabling last enabled authentication method

[prateekshourya29]

Description

Adds validation to ensure at least one authentication method remains enabled. This prevents users from being locked out of the system by disabling all authentication options.

• Add canDisableAuthMethod helper to validate auth method state
• Update admin UI to disable toggle when only one method is active
• Add noAuthMethodsAvailable check in auth-root component

Type of Change

• Improvement (change that would cause existing functionality to not work as expected)

Screenshots and Media (if applicable)

• Disabling last authentication method

• Only OAuth options

• Only email based auth options

• No authentication options

Summary by CodeRabbit

• New Features

  • Display message when no authentication methods are available.

• Bug Fixes

  • Implemented validation to prevent disabling the last active authentication method.
  • Enhanced error feedback for authentication configuration changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This change set implements validation and UI improvements for authentication method management. A new helper validates whether authentication methods can be disabled (ensuring at least one remains enabled), type definitions are restructured to include enabledConfigKey mappings, and the admin authentication page now validates disabling actions with user feedback before proceeding with API calls.

Changes

Cohort / File(s)	Summary
Authentication validation and admin logic apps/admin/app/(all)/(dashboard)/authentication/page.tsx, apps/admin/core/helpers/authentication.ts	Introduced canDisableAuthMethod validation helper that prevents disabling the last active authentication method. Admin page now uses useCallback and useRef to manage validation state, displays error toasts when disabling is blocked, and integrates loading/success/error feedback via setPromiseToast.
Type definitions and auth mode mappings packages/types/src/instance/auth.ts, apps/admin/core/hooks/oauth/core.tsx	Added enabledConfigKey property to TInstanceAuthenticationModes type and introduced new types for auth method and configuration keys (TInstanceAuthenticationMethodKeys, TInstanceGoogleAuthenticationConfigurationKeys, etc.). Core auth modes map now exposes enabledConfigKey strings mapping each method to its feature flag.
Auth UI components and helpers apps/admin/app/(all)/(home)/auth-helpers.tsx, apps/web/core/components/account/auth-forms/auth-root.tsx, packages/ui/src/oauth/oauth-options.tsx	Removed getBaseAuthenticationModes function and related imports from auth-helpers, added new error alert types. Auth-root now guards against missing auth methods with simplified UI fallback and uses new AuthContainer wrapper. OAuthOptions component accepts optional showDivider prop (defaults to true) for conditional divider rendering.

Sequence Diagram

sequenceDiagram
    participant User
    participant AdminUI as Admin Authentication Page
    participant Validation as canDisableAuthMethod
    participant API as API Service
    participant Toast as Toast Notification

    User->>AdminUI: Click to disable auth method
    AdminUI->>Validation: Validate disabling (configKey, authModes, config)
    
    alt At least 2 methods enabled
        Validation-->>AdminUI: Allowed (true)
        AdminUI->>AdminUI: Set submitting state
        AdminUI->>API: Call updateInstanceConfigurations
        API-->>AdminUI: Success response
        AdminUI->>Toast: Show success toast
        AdminUI->>AdminUI: Clear submitting state
    else Only 1 method enabled
        Validation-->>AdminUI: Not allowed (false)
        AdminUI->>Toast: Show error toast
        AdminUI->>AdminUI: Abort update
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 With whiskers twitched and validation tight,
We've guarded auth so nothing falls from sight.
One method stays, the rest may go or stay,
A rabbit's logic keeps the system's way! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: preventing disabling of the last enabled authentication method, which is the core improvement made across multiple files.
Description check	✅ Passed	The description includes a clear explanation of changes, the correct type of change (Improvement), relevant screenshots showing different authentication states, and references the issue ticket.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[makeplane]

Linked to Plane Work Item(s)

• [GIT-66] Prevent disabling only authentication method that is enabled on God Mode

This comment was auto-generated by Plane

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/web/core/components/account/auth-forms/auth-root.tsx (1)

43-108: Guard “no auth methods” state until config is available.

If config is still undefined during load, noAuthMethodsAvailable can briefly flip true and show the empty-state message. Consider gating the check on config availability.

✅ Suggested guard

-  const isEmailBasedAuthEnabled = config?.is_email_password_enabled || config?.is_magic_login_enabled;
-  const noAuthMethodsAvailable = !isOAuthEnabled && !isEmailBasedAuthEnabled;
+  const isEmailBasedAuthEnabled = config?.is_email_password_enabled || config?.is_magic_login_enabled;
+  const hasAuthConfig = config !== undefined;
+  const noAuthMethodsAvailable = hasAuthConfig && !isOAuthEnabled && !isEmailBasedAuthEnabled;

[dattamlong]

Left some comments