authorHarrison Healey <harrisonmhealey@gmail.com>2016-05-03 14:10:36 -0400
committerChristopher Speller <crspeller@gmail.com>2016-05-03 14:10:36 -0400
commit87989b8afd4666a72940389db716b6500d0a9ec3 (patch)
treed4b0270eb4a9adbff0dd1b6f527ddcccbc9a83d9 /api/authentication.go
parente76a30bca0690bad53a4cabd6c7c629e89c17268 (diff)
downloadchat-87989b8afd4666a72940389db716b6500d0a9ec3.tar.gz
chat-87989b8afd4666a72940389db716b6500d0a9ec3.tar.bz2
chat-87989b8afd4666a72940389db716b6500d0a9ec3.zip
PLT-2258 Unified login screen and related APIs (#2820)
* Unified login screen and related APIs * Refactored login API call to be less convoluted * Removed LDAP login prompt from invite process * Fixed existing LDAP users being able to log in if LDAP was configured, but disabled * Gofmt * Future proofed login API * Updated login APIs based on feedback * Added additional auditing to login API * Actually removed loginById
Diffstat (limited to 'api/authentication.go')
-rw-r--r--api/authentication.go57
1 files changed, 57 insertions, 0 deletions
diff --git a/api/authentication.go b/api/authentication.go
index bab83a720..10ed578e1 100644
--- a/api/authentication.go
+++ b/api/authentication.go
@@ -7,6 +7,8 @@ import (
"github.com/mattermost/platform/einterfaces"
"github.com/mattermost/platform/model"
"github.com/mattermost/platform/utils"
+
+ "net/http"
)
func checkPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError {
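Review bot: The added `"net/http"` import sits in its own group after the project imports, which is the reverse of the usual goimports layout (standard library first, then everything else); as written, a later goimports run will reorder it and produce an unrelated diff. Moving `"net/http"` into a leading group above the `github.com/mattermost/platform/...` lines keeps the file stable under the formatter. The `import (` block opens in the hunk header context, so its first lines are outside this hunk.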
@@ -37,6 +39,32 @@ func checkUserPassword(user *model.User, password string) *model.AppError {
}
}
+func checkLdapUserPasswordAndAllCriteria(ldapId, password, mfaToken string) (*model.User, *model.AppError) {
+ ldapInterface := einterfaces.GetLdapInterface()
+
+ if ldapInterface == nil {
+ err := model.NewLocAppError("doLdapAuthentication", "api.user.login_ldap.not_available.app_error", nil, "")
+ err.StatusCode = http.StatusNotImplemented
+ return nil, err
+ }
+
+ var user *model.User
+ if ldapUser, err := ldapInterface.DoLogin(ldapId, password); err != nil {
+ err.StatusCode = http.StatusUnauthorized
+ return nil, err
+ } else {
+ user = ldapUser
+ }
+
+ if err := checkUserAdditionalAuthenticationCriteria(user, mfaToken); err != nil {
+ err.StatusCode = http.StatusUnauthorized
+ return user, err
+ }
+
+ // user successfully authenticated
+ return user, nil
+}
+
func checkUserAdditionalAuthenticationCriteria(user *model.User, mfaToken string) *model.AppError {
if err := checkUserMfa(user, mfaToken); err != nil {
return err
@@ -97,3 +125,32 @@ func checkUserNotDisabled(user *model.User) *model.AppError {
}
return nil
}
+
+func authenticateUser(user *model.User, password, mfaToken string) (*model.User, *model.AppError) {
+ ldapAvailable := *utils.Cfg.LdapSettings.Enable && einterfaces.GetLdapInterface() != nil
+
+ if user.AuthService == model.USER_AUTH_SERVICE_LDAP {
+ if !ldapAvailable {
+ err := model.NewLocAppError("login", "api.user.login_ldap.not_available.app_error", nil, "")
+ err.StatusCode = http.StatusNotImplemented
+ return user, err
+ } else if ldapUser, err := checkLdapUserPasswordAndAllCriteria(user.AuthData, password, mfaToken); err != nil {
+ err.StatusCode = http.StatusUnauthorized
+ return user, err
+ } else {
+ // slightly redundant to get the user again, but we need to get it from the LDAP server
+ return ldapUser, nil
+ }
+ } else if user.AuthService != "" {
+ err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": user.AuthService}, "")
+ err.StatusCode = http.StatusBadRequest
+ return user, err
+ } else {
+ if err := checkPasswordAndAllCriteria(user, password, mfaToken); err != nil {
+ err.StatusCode = http.StatusUnauthorized
+ return user, err
+ } else {
+ return user, nil
+ }
+ }
+}
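Review bot: The `err.StatusCode = http.StatusUnauthorized` assignments in the LDAP branch and in the local-password branch overwrite whatever status the callee already chose, so the StatusNotImplemented that checkLdapUserPasswordAndAllCriteria sets when the LDAP interface is absent would be reported as 401 if the interface goes away between the `ldapAvailable` check and the call, and any status assigned inside checkPasswordAndAllCriteria (whose body is outside this hunk) is lost the same way. If collapsing every authentication failure to 401 is deliberate — it does keep the response uniform regardless of the failure reason — a one-line comment such as `// every credential failure is reported as 401 regardless of the underlying cause` would make that explicit; otherwise guard the assignment, e.g. `if err.StatusCode == 0 { err.StatusCode = http.StatusUnauthorized }`, presumably after confirming what NewLocAppError initialises StatusCode to. Every failure path also returns the caller-supplied `user` alongside the error, which invites the same "check the user, not the error" mistake; `return nil, err` is the Go convention. The nested if/else chain with a return in every branch would read more easily as guard clauses or a `switch` on `user.AuthService` with the happy path left-aligned.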