[Bug]: Bypass Account Creation with Google SSO #1630

Closed
1 task done
jkccpro opened this issue Aug 3, 2024 · 0 comments · Fixed by #1658
Labels
Bug Something isn't working

Comments

jkccpro commented Aug 3, 2024

The Problem

Expected behavior: With SSO enabled and autoCreateUser set to false, accounts that don't exist are blocked from connecting to the website.
Actual behavior: Accounts that don't exist and haven't been created by the admin can log in with SSO, with a null/non-existent account.

Example: Try connecting via Google SSO with an account that does not exist, and you can access the website (with autoCreateUser set to false).

Version of Stirling-PDF

0.26.1

Last Working Version of Stirling-PDF

No response

Page Where the Problem Occurred

No response

Docker Configuration

# Welcome to settings file
# Remove comment marker # if on start of line to enable the configuration
# If you want to override with environment parameter follow parameter naming SECURITY_INITIALLOGIN_USERNAME

security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries
  loginResetTimeMinutes: 10 # lock account for 10 minutes after x attempts
  initialLogin:
    username: "****" # Initial username for the first login
    password: "****" # Initial password for the first login
  oauth2:
    enabled: true # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
    issuer: "" # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
    clientId: "" # Client ID from your provider
    clientSecret: "" # Client Secret from your provider
    autoCreateUser: false # set to 'true' to allow auto-creation of non-existing users
    useAsUsername: "email" # Default is 'email'; custom fields can be used as the username
    scopes: "openid, profile, email" # Specify the scopes for which the application will request permissions
    provider: "google" # Set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
    client:
      google:
        clientId: "******" # Client ID for Google OAuth2
        clientSecret: "*******" # Client Secret for Google OAuth2
        scopes: "https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile" # Scopes for Google OAuth2
        useAsUsername: "email" # Field to use as the username for Google OAuth2
#      github:
#        clientId: "" # Client ID for GitHub OAuth2
#        clientSecret: "" # Client Secret for GitHub OAuth2
#        scopes: "read:user" # Scope for GitHub OAuth2
#        useAsUsername: "login" # Field to use as the username for GitHub OAuth2
#      keycloak:
#        issuer: "http://192.168.0.123:8888/realms/stirling-pdf" # URL of the Keycloak realm's OpenID Connect Discovery endpoint
#        clientId: "stirling-pdf" # Client ID for Keycloak OAuth2
#        clientSecret: "" # Client Secret for Keycloak OAuth2
#        scopes: "openid, profile, email" # Scopes for Keycloak OAuth2
#        useAsUsername: "email" # Field to use as the username for Keycloak OAuth2

system:
  defaultLocale: 'en-US' # Set the default language (e.g. 'de-DE', 'fr-FR', etc)
  googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow
  enableAlphaFunctionality: false # Set to enable functionality which might need more testing before it fully goes live (This feature might make no changes)
  showUpdate: false # see when a new update is available
  showUpdateOnlyAdmin: false # Only admins can see when a new update is available, depending on showUpdate it must be set to 'true'
  customHTMLFiles: true # enable to have files placed in /customFiles/templates override the existing template html files

ui:
  appName: 'AppName' # Application's visible name
  homeDescription: 'Babayaga' # Short description or tagline shown on homepage.
  appNameNavbar: 'Agayabab' # Name displayed on the navigation bar

endpoints:
  toRemove: []
  #toRemove: ["adjust-contrast", "auto-split-pdf", "crop", "extract-page", "merge-pdfs", "multi-page-layout", "pdf-organizer", "pdf-to-single-page", "remove-pages", "rotate-pdf", "scale-pages", "split-pdfs", "file-to-pdf", "img-to-pdf","html-to-pdf","pdf-to-html", "auto-redact", "pdf-to-csv", "split-pdf-by-sections", "overlay-pdf", "stamp", "pdf-to-img", "pdf-to-pdfa", "remove-annotations", "pipeline","url-to-pdf","markdown-to-pdf", "pdf-to-presentation", "pdf-to-text", "pdf-to-word", "pdf-to-xml", "xlsx-to-pdf", "add-password", "add-watermark", "cert-sign", "remove-cert-sign", "change-permissions", "remove-password", "sanitize-pdf", "add-image", "add-page-numbers", "auto-rename", "change-metadata", "compare", "compress-pdf", "extract-image-scans", "extract-images", "flatten", "get-info-on-pdf", "ocr-pdf", "remove-blanks", "repair", "show-javascript", "sign"] # List endpoints to disable (e.g. ['img-to-pdf', 'remove-pages'])
  groupsToRemove: [] # List groups to disable (e.g. ['LibreOffice'])

metrics:
  enabled: true # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable

# Automatically Generated Settings (Do Not Edit Directly)
AutomaticallyGenerated:
  key: example

Relevant Log Output

No log output

Additional Information

No response

Browsers Affected

No response

No Duplicate of the Issue

  • I have verified that there are no existing issues raised related to my problem.
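The failure mode in "The Problem" above, as an added example that is not Stirling-PDF's own code: a small model of the post-SSO login decision. The names (UserStore, LocalUser, vulnerable_sso_login, resolve_sso_login, issue_session) and the constructed ID-token claims are assumptions; only the settings keys autoCreateUser and useAsUsername and their values come from the settings file posted in the issue. The vulnerable handler issues an authenticated session from the provider's claims even when no local account was found, which is how a "null" account ends up logged in; the hardened handler fails closed and only grants a session for an account that exists or that autoCreateUser permits creating.

```python
"""Model of the post-SSO login decision (added example, not Stirling-PDF code).

Assumed names: UserStore, LocalUser, LoginOutcome, vulnerable_sso_login,
resolve_sso_login, issue_session. Settings keys come from the issue's
settings.yml; the user store and claims below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Relevant subset of the settings posted in the issue (values as posted).
SSO_SETTINGS = {"autoCreateUser": False, "useAsUsername": "email"}


class LoginOutcome(Enum):
    ALLOWED = "allowed"    # existing local account, session granted
    CREATED = "created"    # account auto-created, session granted
    REJECTED = "rejected"  # no local account and auto-creation disabled


@dataclass
class LocalUser:
    username: str
    role: str = "ROLE_USER"


@dataclass
class UserStore:
    """Minimal stand-in for the application's user table (constructed)."""
    users: dict = field(default_factory=dict)

    def find(self, username: str) -> Optional[LocalUser]:
        # Assumption: usernames (here e-mail addresses) are compared case-insensitively.
        return self.users.get(username.lower())

    def create(self, username: str) -> LocalUser:
        user = LocalUser(username=username.lower())
        self.users[user.username] = user
        return user


def vulnerable_sso_login(claims: dict, settings: dict, store: UserStore) -> dict:
    """Bug pattern from the report: the session is issued from the provider's
    claims whether or not a local account exists, so `user` can be None."""
    username = claims.get(settings["useAsUsername"])
    user = store.find(username) if username else None
    if user is None and settings["autoCreateUser"]:
        user = store.create(username)
    # Nothing here denies the login when user is None and auto-creation is off.
    return {"authenticated": True, "principal": username, "user": user}


def resolve_sso_login(claims: dict, settings: dict, store: UserStore):
    """Fail-closed decision: grant only for an existing local account, or for
    one that autoCreateUser allows creating right now."""
    username = claims.get(settings["useAsUsername"])
    if not username:
        # The provider did not supply the claim mapped by useAsUsername.
        return LoginOutcome.REJECTED, None
    user = store.find(username)
    if user is not None:
        return LoginOutcome.ALLOWED, user
    if settings["autoCreateUser"]:
        return LoginOutcome.CREATED, store.create(username)
    return LoginOutcome.REJECTED, None


def issue_session(outcome: LoginOutcome, user: Optional[LocalUser]) -> Optional[dict]:
    """A session requires both a non-rejected outcome and a concrete user."""
    if outcome is LoginOutcome.REJECTED or user is None:
        return None
    return {"authenticated": True, "principal": user.username, "role": user.role}


def demo():
    store = UserStore({"admin@example.com": LocalUser("admin@example.com", "ROLE_ADMIN")})
    # Constructed ID-token claims for an account the admin never created.
    unknown = {"sub": "1234567890", "email": "stranger@example.com", "email_verified": True}
    buggy = vulnerable_sso_login(unknown, SSO_SETTINGS, store)
    outcome, user = resolve_sso_login(unknown, SSO_SETTINGS, store)
    return buggy, outcome, issue_session(outcome, user)


if __name__ == "__main__":
    buggy, outcome, session = demo()
    print("vulnerable handler:", buggy)           # authenticated with user=None
    print("hardened handler:", outcome.value, session)
```

The point of `issue_session` is that the session layer re-checks for a concrete user rather than trusting the handler: even if a future code path forgets the autoCreateUser check, a None user never becomes a logged-in principal. A rejected outcome is also the right place to log the provider subject and mapped username, which gives an operator a detection signal for SSO logins attempted against accounts that were never provisioned.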
@Frooodle Frooodle added the Bug Something isn't working label Aug 4, 2024