summaryrefslogtreecommitdiffstats
path: root/api/authentication.go
diff options
context:
space:
mode:
authorCorey Hulen <corey@hulen.com>2016-04-21 22:37:01 -0700
committerCorey Hulen <corey@hulen.com>2016-04-21 22:37:01 -0700
commit2e5617c29be69637acd384e85f795a0b343bec8d (patch)
tree6b8bdae1e664013b97c2dda94985375abda91aa5 /api/authentication.go
parent5c755463ed3a4c74a383fb4460b5be02d8868481 (diff)
downloadchat-2e5617c29be69637acd384e85f795a0b343bec8d.tar.gz
chat-2e5617c29be69637acd384e85f795a0b343bec8d.tar.bz2
chat-2e5617c29be69637acd384e85f795a0b343bec8d.zip
PLT-2057 User as a first class object (#2648)
* Adding TeamMember to system * Fixing all unit tests on the backend * Fixing merge conflicts * Fixing merge conflict * Adding javascript unit tests * Adding TeamMember to system * Fixing all unit tests on the backend * Fixing merge conflicts * Fixing merge conflict * Adding javascript unit tests * Adding client side unit test * Cleaning up the clint side tests * Fixing msg * Adding more client side unit tests * Adding more using tests * Adding last bit of client side unit tests and adding make cmd * Fixing bad merge * Fixing libraries * Updating to new client side API * Fixing borken unit test * Fixing unit tests * ugg...trying to beat gofmt * ugg...trying to beat gofmt * Cleaning up remainder of the server side routes * Adding inital load api * Increased coverage of webhook unit tests (#2660) * Adding loading ... to root html * Fixing bad merge * Removing explicit content type so superagent will guess corectly (#2685) * Fixing merge and unit tests * Adding create team UI * Fixing signup flows * Adding LDAP unit tests and enterprise unit test helper (#2702) * Add the ability to reset MFA from the commandline (#2706) * Fixing compliance unit tests * Fixing client side tests * Adding open server to system console * Moving websocket connection * Fixing unit test * Fixing unit tests * Fixing unit tests * Adding nickname and more LDAP unit tests (#2717) * Adding join open teams * Cleaning up all TODOs in the code * Fixing web sockets * Removing unused webockets file * PLT-2533 Add the ability to reset a user's MFA from the system console (#2715) * Add the ability to reset a user's MFA from the system console * Add client side unit test for adminResetMfa * Reorganizing authentication to fix LDAP error message (#2723) * Fixing failing unit test * Initial upgrade db code * Adding upgrade script * Fixing upgrade script after running on core * Update OAuth and Claim routes to work with user model changes (#2739) * Fixing perminant deletion. Adding ability to delete all user and the entire database (#2740) * Fixing team invite ldap login call (#2741) * Fixing bluebar and some img stuff * Fix all the different file upload web utils (#2743) * Fixing invalid session redirect (#2744) * Redirect on bad channel name (#2746) * Fixing a bunch of issue and removing dead code * Patch to fix error message on leave channel (#2747) * Setting EnableOpenServer to false by default * Fixing config * Fixing upgrade * Fixing reported bugs * Bug fixes for PLT-2057 * PLT-2563 Redo password recovery to use a database table (#2745) * Redo password recovery to use a database table * Update reset password audits * Split out admin and user reset password APIs to be separate * Delete password recovery when user is permanently deleted * Consolidate password resetting into a single function * Removed private channels as an option for outgoing webhooks (#2752) * PLT-2577/PLT-2552 Fixes for backstage (#2753) * Added URL to incoming webhook list * Fixed client functions for adding/removing integrations * Disallowed slash commands without trigger words * Fixed clientside handling of errors on AddCommand page * Minor auth cleanup (#2758) * Changed EditPostModal to just close if you save without making any changes (#2759) * Renamed client -> Client in async_client.jsx and fixed eslint warnings (#2756) * Fixed url in channel info modal (#2755) * Fixing reported issues * Moving to version 3 of the apis * Fixing command unit tests (#2760) * Adding team admins * Fixing DM issue * Fixing eslint error * Properly set EditPostModal's originalText state in all cases (#2762) * Update client config check to assume features is defined if server is licensed (#2772) * Fixing url link * Fixing issue with websocket crashing when sending messages to different teams
Diffstat (limited to 'api/authentication.go')
-rw-r--r--api/authentication.go99
1 files changed, 99 insertions, 0 deletions
diff --git a/api/authentication.go b/api/authentication.go
new file mode 100644
index 000000000..bab83a720
--- /dev/null
+++ b/api/authentication.go
@@ -0,0 +1,99 @@
+// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api
+
+import (
+ "github.com/mattermost/platform/einterfaces"
+ "github.com/mattermost/platform/model"
+ "github.com/mattermost/platform/utils"
+)
+
+func checkPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError {
+ if err := checkUserPassword(user, password); err != nil {
+ return err
+ }
+
+ if err := checkUserAdditionalAuthenticationCriteria(user, mfaToken); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func checkUserPassword(user *model.User, password string) *model.AppError {
+ if !model.ComparePassword(user.Password, password) {
+ if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, user.FailedAttempts+1); result.Err != nil {
+ return result.Err
+ }
+
+ return model.NewLocAppError("checkUserPassword", "api.user.check_user_password.invalid.app_error", nil, "user_id="+user.Id)
+ } else {
+ if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, 0); result.Err != nil {
+ return result.Err
+ }
+
+ return nil
+ }
+}
+
+func checkUserAdditionalAuthenticationCriteria(user *model.User, mfaToken string) *model.AppError {
+ if err := checkUserMfa(user, mfaToken); err != nil {
+ return err
+ }
+
+ if err := checkEmailVerified(user); err != nil {
+ return err
+ }
+
+ if err := checkUserNotDisabled(user); err != nil {
+ return err
+ }
+
+ if err := checkUserLoginAttempts(user); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func checkUserMfa(user *model.User, token string) *model.AppError {
+ if !user.MfaActive || !utils.IsLicensed || !*utils.License.Features.MFA || !*utils.Cfg.ServiceSettings.EnableMultifactorAuthentication {
+ return nil
+ }
+
+ mfaInterface := einterfaces.GetMfaInterface()
+ if mfaInterface == nil {
+ return model.NewLocAppError("checkUserMfa", "api.user.check_user_mfa.not_available.app_error", nil, "")
+ }
+
+ if ok, err := mfaInterface.ValidateToken(user.MfaSecret, token); err != nil {
+ return err
+ } else if !ok {
+ return model.NewLocAppError("checkUserMfa", "api.user.check_user_mfa.bad_code.app_error", nil, "")
+ }
+
+ return nil
+}
+
+func checkUserLoginAttempts(user *model.User) *model.AppError {
+ if user.FailedAttempts >= utils.Cfg.ServiceSettings.MaximumLoginAttempts {
+ return model.NewLocAppError("checkUserLoginAttempts", "api.user.check_user_login_attempts.too_many.app_error", nil, "user_id="+user.Id)
+ }
+
+ return nil
+}
+
+func checkEmailVerified(user *model.User) *model.AppError {
+ if !user.EmailVerified && utils.Cfg.EmailSettings.RequireEmailVerification {
+ return model.NewLocAppError("Login", "api.user.login.not_verified.app_error", nil, "user_id="+user.Id)
+ }
+ return nil
+}
+
+func checkUserNotDisabled(user *model.User) *model.AppError {
+ if user.DeleteAt > 0 {
+ return model.NewLocAppError("Login", "api.user.login.inactive.app_error", nil, "user_id="+user.Id)
+ }
+ return nil
+}