author | JoramWilander <jwawilander@gmail.com> | 2015-07-22 12:13:45 -0400 |
---|---|---|
committer | JoramWilander <jwawilander@gmail.com> | 2015-07-22 12:13:45 -0400 |
commit | 4f0364d87656138d5e262b53373706ff122f3f4c (patch) | |
tree | 6c38a8db5b4d17caf8a7ae0b03e305b77f858664 /web/web.go | |
parent | a2bd8b8676701ee5ccf5d84a2f4fe6afb0dae4b1 (diff) | |
added signup link verification to oauth signup flow
Diffstat (limited to 'web/web.go')
-rw-r--r-- | web/web.go | 56 |
1 files changed, 53 insertions, 3 deletions
diff --git a/web/web.go b/web/web.go index ef2bae624..975b65002 100644 --- a/web/web.go +++ b/web/web.go @@ -453,10 +453,48 @@ func resetPassword(c *api.Context, w http.ResponseWriter, r *http.Request) { func signupWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) { params := mux.Vars(r) service := params["service"] + teamName := params["team"] + + if len(teamName) == 0 { + c.Err = model.NewAppError("signupWithOAuth", "Invalid team name", "team_name="+teamName) + c.Err.StatusCode = http.StatusBadRequest + return + } + + hash := r.URL.Query().Get("h") + + var team *model.Team + if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil { + c.Err = result.Err + return + } else { + team = result.Data.(*model.Team) + } + + if api.IsVerifyHashRequired(nil, team, hash) { + data := r.URL.Query().Get("d") + props := model.MapFromJson(strings.NewReader(data)) + + if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.ServiceSettings.InviteSalt)) { + c.Err = model.NewAppError("createUser", "The signup link does not appear to be valid", "") + return + } + + t, err := strconv.ParseInt(props["time"], 10, 64) + if err != nil || model.GetMillis()-t > 1000*60*60*48 { // 48 hours + c.Err = model.NewAppError("createUser", "The signup link has expired", "") + return + } + + if team.Id != props["id"] { + c.Err = model.NewAppError("createUser", "Invalid team name", data) + return + } + } redirectUri := c.GetSiteURL() + "/signup/" + service + "/complete" - api.GetAuthorizationCode(c, w, r, service, redirectUri) + api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri) } func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) { 
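Review bot: The three `model.NewAppError("createUser", ...)` calls inside the `IsVerifyHashRequired` branch tag their origin as `createUser` although they sit in `signupWithOAuth`, so a rejected signup link will be logged against the wrong handler when someone triages it; change each to `model.NewAppError("signupWithOAuth", ...)`. The same branch leaves `c.Err.StatusCode` unset on the invalid-link, expired-link and team-mismatch paths while the empty-name guard above explicitly sets `http.StatusBadRequest`, so the status a client sees for a bad link depends on whatever `NewAppError` defaults to, which is not visible here. The `var team` / `if ... else` construction can drop the `else` because the error arm returns: assign `team = result.Data.(*model.Team)` directly after the `if`. The detail string `"team_name="+teamName` in the empty-name guard is always the literal `team_name=` since the guard only fires when `teamName` is empty; the same applies to the guard in `loginWithOAuth` in the next hunk. A one-line comment stating why the link check is conditional on `IsVerifyHashRequired` (presumably the open-invite case; that helper is defined outside this hunk) would help the next reader.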
@@ -522,11 +560,23 @@ func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) func loginWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) { params := mux.Vars(r) service := params["service"] - l4g.Debug(service) + teamName := params["team"] + + if len(teamName) == 0 { + c.Err = model.NewAppError("loginWithOAuth", "Invalid team name", "team_name="+teamName) + c.Err.StatusCode = http.StatusBadRequest + return + } + + // Make sure team exists + if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil { + c.Err = result.Err + return + } redirectUri := c.GetSiteURL() + "/login/" + service + "/complete" - api.GetAuthorizationCode(c, w, r, service, redirectUri) + api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri) } func loginCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) { |
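Review bot: The team-existence check forwards `result.Err` from the store unchanged, so a missing or misspelled team surfaces with whatever status and message the store layer attached rather than the `http.StatusBadRequest` the empty-name guard sets a few lines above; consider setting `c.Err.StatusCode` explicitly after `c.Err = result.Err` so the two rejection paths of this handler report consistently (the store's error shape is not visible in this hunk). The `// Make sure team exists` comment would be more useful if it also said that the lookup result is intentionally discarded, e.g. `// Make sure team exists before starting the OAuth flow; the team itself is not needed here`.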