-rw-r--r-- | api/user.go | 79 | ||||
-rw-r--r-- | web/react/components/signup_user_complete.jsx | 2 | ||||
-rw-r--r-- | web/web.go | 56 |
3 files changed, 88 insertions, 49 deletions
diff --git a/api/user.go b/api/user.go
index 68a4e6d56..40bac7bd5 100644
--- a/api/user.go
+++ b/api/user.go
@@ -81,36 +81,7 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
 hash := r.URL.Query().Get("h")
- shouldVerifyHash := true
-
- if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 {
- domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1))))
-
- matched := false
- for _, d := range domains {
- if strings.HasSuffix(user.Email, "@"+d) {
- matched = true
- break
- }
- }
-
- if matched {
- shouldVerifyHash = false
- } else {
- c.Err = model.NewAppError("createUser", "The signup link does not appear to be valid", "allowed domains failed")
- return
- }
- }
-
- if team.Type == model.TEAM_OPEN {
- shouldVerifyHash = false
- }
-
- if len(hash) > 0 {
- shouldVerifyHash = true
- }
-
- if shouldVerifyHash {
+ if IsVerifyHashRequired(user, team, hash) {
 data := r.URL.Query().Get("d")
 props := model.MapFromJson(strings.NewReader(data))
@@ -147,6 +118,38 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
 }
+func IsVerifyHashRequired(user *model.User, team *model.Team, hash string) bool {
+ shouldVerifyHash := true
+
+ if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 && user != nil {
+ domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1))))
+
+ matched := false
+ for _, d := range domains {
+ if strings.HasSuffix(user.Email, "@"+d) {
+ matched = true
+ break
+ }
+ }
+
+ if matched {
+ shouldVerifyHash = false
+ } else {
+ return true
+ }
+ }
+
+ if team.Type == model.TEAM_OPEN {
+ shouldVerifyHash = false
+ }
+
+ if len(hash) > 0 {
+ shouldVerifyHash = true
+ }
+
+ return shouldVerifyHash
+}
+
 func CreateValet(c *Context, team *model.Team) *model.User {
 valet := &model.User{}
 valet.TeamId = team.Id
@@ -1223,21 +1226,7 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 }
-func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, service, redirectUri string) {
- params := mux.Vars(r)
- teamName := params["team"]
-
- if len(teamName) == 0 {
- c.Err = model.NewAppError("GetAuthorizationCode", "Invalid team name", "team_name="+teamName)
- c.Err.StatusCode = http.StatusBadRequest
- return
- }
-
- // Make sure team exists
- if result := <-Srv.Store.Team().GetByName(teamName); result.Err != nil {
- c.Err = result.Err
- return
- }
+func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, teamName, service, redirectUri string) {
 if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow {
 c.Err = model.NewAppError("GetAuthorizationCode", "Unsupported OAuth service provider", "service="+service)
diff --git a/web/react/components/signup_user_complete.jsx b/web/react/components/signup_user_complete.jsx
index 1b1fe15fb..577651b90 100644
--- a/web/react/components/signup_user_complete.jsx
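Review bot: IsVerifyHashRequired is exported but has no doc comment, and its contract is subtle enough to need one: with `user == nil` (how web/web.go's signupWithOAuth calls it) the AllowedDomains exemption is skipped entirely, so an invite team with allowed domains and no hash still reports that a hash must be verified, and `team` is dereferenced unconditionally so it must be non-nil. The `else { return true }` also changes createUser's behaviour slightly: a non-matching email domain used to fail immediately with the detail "allowed domains failed", whereas it now falls through to verification of an empty hash, so that diagnostic no longer reaches the error detail. I would add above the function: `// IsVerifyHashRequired reports whether a signup for team must present a valid invite hash: a non-empty hash is always verified, open teams need none, and an invite team with AllowedDomains waives it only when user is non-nil and its email domain matches; team must not be nil.`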
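Review bot: GetAuthorizationCode now receives teamName as a parameter and no longer checks that it is non-empty or names an existing team; those checks moved to the two callers in web/web.go, so this exported function silently depends on every present and future caller doing them first. Its body continues past the end of the hunk, so I cannot see how teamName is used further down or what an empty value would do there. I would record the precondition in a doc comment, `// GetAuthorizationCode begins the OAuth flow for service; teamName is trusted and must already be validated (non-empty, existing team) by the caller.`, or keep a cheap `if len(teamName) == 0 { c.Err = ...; return }` guard here so the function fails closed on its own.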
+++ b/web/react/components/signup_user_complete.jsx
@@ -119,7 +119,7 @@ module.exports = React.createClass({
 <div className="form-group form-group--small">
 <span></span>
 </div>
- <p>{"Choose your username and password for the " + this.props.teamDisplayName + " " + strings.Team} <a href={"/"+this.props.teamName+"/signup/gitlab"}>{"or sign up with GitLab."}</a></p>
+ <p>{"Choose your username and password for the " + this.props.teamDisplayName + " " + strings.Team} <a href={"/"+this.props.teamName+"/signup/gitlab"+window.location.search}>{"or sign up with GitLab."}</a></p>
 <p>Your username can be made of lowercase letters and numbers.</p>
 <label className="control-label">Username</label>
 <div className={ name_error ? "form-group has-error" : "form-group" }>
diff --git a/web/web.go b/web/web.go
index ef2bae624..975b65002 100644
--- a/web/web.go
+++ b/web/web.go
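Review bot: Appending `window.location.search` forwards the whole current query string to the GitLab signup link, not only the `h` and `d` invite parameters that web/web.go's signupWithOAuth reads from it, so any other parameter present on the signup page travels along too. If only the invite token is meant to be carried, building the query explicitly from those two values keeps the link minimal; the present form does work as written because `window.location.search` already includes its leading `?`, and is empty when the page was opened without a query string.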
@@ -453,10 +453,48 @@ func resetPassword(c *api.Context, w http.ResponseWriter, r *http.Request) {
 func signupWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
 params := mux.Vars(r)
 service := params["service"]
+ teamName := params["team"]
+
+ if len(teamName) == 0 {
+ c.Err = model.NewAppError("signupWithOAuth", "Invalid team name", "team_name="+teamName)
+ c.Err.StatusCode = http.StatusBadRequest
+ return
+ }
+
+ hash := r.URL.Query().Get("h")
+
+ var team *model.Team
+ if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil {
+ c.Err = result.Err
+ return
+ } else {
+ team = result.Data.(*model.Team)
+ }
+
+ if api.IsVerifyHashRequired(nil, team, hash) {
+ data := r.URL.Query().Get("d")
+ props := model.MapFromJson(strings.NewReader(data))
+
+ if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.ServiceSettings.InviteSalt)) {
+ c.Err = model.NewAppError("createUser", "The signup link does not appear to be valid", "")
+ return
+ }
+
+ t, err := strconv.ParseInt(props["time"], 10, 64)
+ if err != nil || model.GetMillis()-t > 1000*60*60*48 { // 48 hours
+ c.Err = model.NewAppError("createUser", "The signup link has expired", "")
+ return
+ }
+
+ if team.Id != props["id"] {
+ c.Err = model.NewAppError("createUser", "Invalid team name", data)
+ return
+ }
+ }
 redirectUri := c.GetSiteURL() + "/signup/" + service + "/complete"
- api.GetAuthorizationCode(c, w, r, service, redirectUri)
+ api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri)
 }
 func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
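Review bot: The three `model.NewAppError` calls inside the hash-verification block name `"createUser"` as their location although they sit in signupWithOAuth, so errors from the OAuth signup path will be attributed to the wrong handler in logs; they should read `c.Err = model.NewAppError("signupWithOAuth", "The signup link does not appear to be valid", "")` and likewise for the expired-link and team-id cases. The `if result := ...; result.Err != nil { ... return } else { team = ... }` shape is an else after a terminating return; assigning `team := result.Data.(*model.Team)` after the `if` reads more idiomatically and drops the `var team` declaration. The verification block itself looks like a copy of the one in api/user.go's createUser (whose body is cut off in the first hunk), so a shared helper in api next to IsVerifyHashRequired would keep the salt, expiry and team-id checks from drifting apart between the two signup paths. Note also that passing `nil` as user means the AllowedDomains exemption never applies here: an invite team with allowed domains and no hash reaches ComparePassword with an empty hash, which presumably fails closed, so any domain check for OAuth users would have to happen at completion.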
@@ -522,11 +560,23 @@ func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request)
 func loginWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
 params := mux.Vars(r)
 service := params["service"]
- l4g.Debug(service)
+ teamName := params["team"]
+
+ if len(teamName) == 0 {
+ c.Err = model.NewAppError("loginWithOAuth", "Invalid team name", "team_name="+teamName)
+ c.Err.StatusCode = http.StatusBadRequest
+ return
+ }
+
+ // Make sure team exists
+ if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil {
+ c.Err = result.Err
+ return
+ }
 redirectUri := c.GetSiteURL() + "/login/" + service + "/complete"
- api.GetAuthorizationCode(c, w, r, service, redirectUri)
+ api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri)
 }
 func loginCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) { |
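Review bot: The team-name prologue added here (empty check with a 400 status, then a `GetByName` existence lookup whose result is discarded) is the same code the previous hunk adds to signupWithOAuth and that this commit removes from api.GetAuthorizationCode, so it now lives in two handlers. A small helper in web.go that resolves the team or sets c.Err would let both handlers share it, and signupWithOAuth could use the returned *model.Team instead of its own `var team` plus else branch.

```go
	teamName := params["team"]
	if requireTeam(c, "loginWithOAuth", teamName) == nil {
		return
	}
	// … unchanged: redirectUri and GetAuthorizationCode call …
}

// requireTeam resolves teamName or sets c.Err; callers must return when it yields nil.
func requireTeam(c *api.Context, handler, teamName string) *model.Team {
	if len(teamName) == 0 {
		c.Err = model.NewAppError(handler, "Invalid team name", "team_name="+teamName)
		c.Err.StatusCode = http.StatusBadRequest
		return nil
	}
	result := <-api.Srv.Store.Team().GetByName(teamName)
	if result.Err != nil {
		c.Err = result.Err
		return nil
	}
	return result.Data.(*model.Team)
}
```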