From 44af5be30f7d9bf3e18612c8a321b220e702ee63 Mon Sep 17 00:00:00 2001
From: Misha Bragin
Date: Thu, 16 Feb 2023 13:03:53 +0100
Subject: [PATCH] Reject peer login expiration update when no SSO login (#693)

---
 management/server/peer.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/management/server/peer.go b/management/server/peer.go
index 28204d1a1..5e3f5e69b 100644
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -69,6 +69,11 @@ type Peer struct {
 LastLogin time.Time
 }
 
+// AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
+func (p *Peer) AddedWithSSOLogin() bool {
+ return p.UserID != ""
+}
+
 // Copy copies Peer object
 func (p *Peer) Copy() *Peer {
 return &Peer{
@@ -290,6 +295,11 @@ func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Pe
 }
 
 if peer.LoginExpirationEnabled != update.LoginExpirationEnabled {
+
+ if !peer.AddedWithSSOLogin() {
+ return nil, status.Errorf(status.PreconditionFailed, "this peer hasn't been added with the SSO login, therefore the login expiration can't be updated")
+ }
+
 peer.LoginExpirationEnabled = update.LoginExpirationEnabled
 
 event := activity.PeerLoginExpirationEnabled
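Review bot: The doc comment on `AddedWithSSOLogin` (first hunk) states the conclusion but not the rule behind it. The method only tests `p.UserID != ""`, so its answer holds only while every registration path that involves no user login leaves `UserID` empty. I would put that in the comment, e.g. `// AddedWithSSOLogin reports whether the peer was registered by a user; this is inferred from a non-empty UserID.` The second hunk uses this method as the gate on login expiration, so it is worth confirming that no code path outside this patch sets `UserID` on a peer that was not added through SSO.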
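Review bot: In the `UpdatePeer` hunk the new rejection sits inside the third comparison, after the block that closes on the first context line. If the earlier branches (not visible here) already modify `peer` or record activity events, this early return leaves a half-applied update and audit entries for changes that are never saved. I would move the precondition ahead of any mutation, as a guard near the top of the function: `if peer.LoginExpirationEnabled != update.LoginExpirationEnabled && !peer.AddedWithSSOLogin() {` followed by the same `return nil, status.Errorf(...)`. `UpdatePeer` starts and ends outside the hunk, so the order of the earlier branches needs checking against the full function.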