Closes: #15842
Branched from #18145 by @tobiasge
Provides a new LOGIN_FORM_HIDDEN setting which allows the administrator to hide the local login form, intended only to be used when SSO is used exclusively for authentication. Note that this means local login will be impossible in the event of SSO provider issues, and can be remedied only through a change to the application config and a restart of the service.
* #15842 - Hide login form
This doesn't implement the full solution proposed in #15842 but enables
administrators to hide the login form when users should only login with a SSO
provider. To prevent a complete lockout when the SSO provider is having
issues the GET parameter `skipsso` can be added to the login URL to show
the form regardless.
* Remove skipsso backdoor
* Add warning
---------
Co-authored-by: Tobias Genannt <tobias.genannt@qbeyond.de>
* Added SECURE_HSTS_SECONDSm SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD to settings.py
* Addressed some PR comments.
* Apply suggestions from code review
---------
Co-authored-by: Jeremy Stretch <jstretch@netboxlabs.com>
* 8853 hide api token
* 8853 hide key on edit
* 8853 add key display
* 8853 cleanup html
* 8853 make token view accessible only once on POST
* Clean up display of tokens in views
* Honor ALLOW_TOKEN_RETRIEVAL in API serializer
* Add docs & tweak default setting
* Include token key when provisioning with user credentials
Co-authored-by: jeremystretch <jstretch@ns1.com>
