summaryrefslogtreecommitdiffstats
path: root/api/user.go
diff options
context:
space:
mode:
Diffstat (limited to 'api/user.go')
-rw-r--r--api/user.go264
1 files changed, 187 insertions, 77 deletions
diff --git a/api/user.go b/api/user.go
index 7035613ea..e1d5e83dd 100644
--- a/api/user.go
+++ b/api/user.go
@@ -20,6 +20,7 @@ import (
_ "image/gif"
_ "image/jpeg"
"image/png"
+ "io"
"net/http"
"net/url"
"strconv"
@@ -80,36 +81,7 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
hash := r.URL.Query().Get("h")
- shouldVerifyHash := true
-
- if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 {
- domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1))))
-
- matched := false
- for _, d := range domains {
- if strings.HasSuffix(user.Email, "@"+d) {
- matched = true
- break
- }
- }
-
- if matched {
- shouldVerifyHash = false
- } else {
- c.Err = model.NewAppError("createUser", "The signup link does not appear to be valid", "allowed domains failed")
- return
- }
- }
-
- if team.Type == model.TEAM_OPEN {
- shouldVerifyHash = false
- }
-
- if len(hash) > 0 {
- shouldVerifyHash = true
- }
-
- if shouldVerifyHash {
+ if IsVerifyHashRequired(user, team, hash) {
data := r.URL.Query().Get("d")
props := model.MapFromJson(strings.NewReader(data))
@@ -133,6 +105,10 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
user.EmailVerified = true
}
+ if len(user.AuthData) > 0 && len(user.AuthService) > 0 {
+ user.EmailVerified = true
+ }
+
ruser := CreateUser(c, team, user)
if c.Err != nil {
return
@@ -142,6 +118,38 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
}
+func IsVerifyHashRequired(user *model.User, team *model.Team, hash string) bool {
+ shouldVerifyHash := true
+
+ if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 && user != nil {
+ domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1))))
+
+ matched := false
+ for _, d := range domains {
+ if strings.HasSuffix(user.Email, "@"+d) {
+ matched = true
+ break
+ }
+ }
+
+ if matched {
+ shouldVerifyHash = false
+ } else {
+ return true
+ }
+ }
+
+ if team.Type == model.TEAM_OPEN {
+ shouldVerifyHash = false
+ }
+
+ if len(hash) > 0 {
+ shouldVerifyHash = true
+ }
+
+ return shouldVerifyHash
+}
+
func CreateValet(c *Context, team *model.Team) *model.User {
valet := &model.User{}
valet.TeamId = team.Id
@@ -233,80 +241,77 @@ func FireAndForgetVerifyEmail(userId, name, email, teamDisplayName, teamURL stri
}()
}
-func login(c *Context, w http.ResponseWriter, r *http.Request) {
- props := model.MapFromJson(r.Body)
-
- extraInfo := ""
- var result store.StoreResult
-
- if len(props["id"]) != 0 {
- extraInfo = props["id"]
- if result = <-Srv.Store.User().Get(props["id"]); result.Err != nil {
- c.Err = result.Err
- return
+func LoginById(c *Context, w http.ResponseWriter, r *http.Request, userId, password, deviceId string) *model.User {
+ if result := <-Srv.Store.User().Get(userId); result.Err != nil {
+ c.Err = result.Err
+ return nil
+ } else {
+ user := result.Data.(*model.User)
+ if checkUserPassword(c, user, password) {
+ Login(c, w, r, user, deviceId)
+ return user
}
}
- var team *model.Team
- if result.Data == nil && len(props["email"]) != 0 && len(props["name"]) != 0 {
- extraInfo = props["email"] + " in " + props["name"]
-
- if nr := <-Srv.Store.Team().GetByName(props["name"]); nr.Err != nil {
- c.Err = nr.Err
- return
- } else {
- team = nr.Data.(*model.Team)
+ return nil
+}
- if result = <-Srv.Store.User().GetByEmail(team.Id, props["email"]); result.Err != nil {
- c.Err = result.Err
- return
- }
- }
- }
+func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, name, password, deviceId string) *model.User {
+ var team *model.Team
- if result.Data == nil {
- c.Err = model.NewAppError("login", "Login failed because we couldn't find a valid account", extraInfo)
- c.Err.StatusCode = http.StatusBadRequest
- return
+ if result := <-Srv.Store.Team().GetByName(name); result.Err != nil {
+ c.Err = result.Err
+ return nil
+ } else {
+ team = result.Data.(*model.Team)
}
- user := result.Data.(*model.User)
+ if result := <-Srv.Store.User().GetByEmail(team.Id, email); result.Err != nil {
+ c.Err = result.Err
+ return nil
+ } else {
+ user := result.Data.(*model.User)
- if team == nil {
- if tResult := <-Srv.Store.Team().Get(user.TeamId); tResult.Err != nil {
- c.Err = tResult.Err
- return
- } else {
- team = tResult.Data.(*model.Team)
+ if checkUserPassword(c, user, password) {
+ Login(c, w, r, user, deviceId)
+ return user
}
}
- c.LogAuditWithUserId(user.Id, "attempt")
+ return nil
+}
- if !model.ComparePassword(user.Password, props["password"]) {
+func checkUserPassword(c *Context, user *model.User, password string) bool {
+ if !model.ComparePassword(user.Password, password) {
c.LogAuditWithUserId(user.Id, "fail")
- c.Err = model.NewAppError("login", "Login failed because of invalid password", extraInfo)
+ c.Err = model.NewAppError("checkUserPassword", "Login failed because of invalid password", "user_id="+user.Id)
c.Err.StatusCode = http.StatusForbidden
- return
+ return false
}
+ return true
+}
+
+// User MUST be validated before calling Login
+func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, deviceId string) {
+ c.LogAuditWithUserId(user.Id, "attempt")
if !user.EmailVerified && !utils.Cfg.EmailSettings.ByPassEmail {
- c.Err = model.NewAppError("login", "Login failed because email address has not been verified", extraInfo)
+ c.Err = model.NewAppError("Login", "Login failed because email address has not been verified", "user_id="+user.Id)
c.Err.StatusCode = http.StatusForbidden
return
}
if user.DeleteAt > 0 {
- c.Err = model.NewAppError("login", "Login failed because your account has been set to inactive. Please contact an administrator.", extraInfo)
+ c.Err = model.NewAppError("Login", "Login failed because your account has been set to inactive. Please contact an administrator.", "user_id="+user.Id)
c.Err.StatusCode = http.StatusForbidden
return
}
- session := &model.Session{UserId: user.Id, TeamId: team.Id, Roles: user.Roles, DeviceId: props["device_id"]}
+ session := &model.Session{UserId: user.Id, TeamId: user.TeamId, Roles: user.Roles, DeviceId: deviceId}
maxAge := model.SESSION_TIME_WEB_IN_SECS
- if len(props["device_id"]) > 0 {
+ if len(deviceId) > 0 {
session.SetExpireInDays(model.SESSION_TIME_MOBILE_IN_DAYS)
maxAge = model.SESSION_TIME_MOBILE_IN_SECS
} else {
@@ -357,12 +362,41 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
}
http.SetCookie(w, sessionCookie)
- user.Sanitize(map[string]bool{})
c.Session = *session
c.LogAuditWithUserId(user.Id, "success")
+}
+
+func login(c *Context, w http.ResponseWriter, r *http.Request) {
+ props := model.MapFromJson(r.Body)
+
+ if len(props["password"]) == 0 {
+ c.Err = model.NewAppError("login", "Password field must not be blank", "")
+ c.Err.StatusCode = http.StatusForbidden
+ return
+ }
+
+ var user *model.User
+ if len(props["id"]) != 0 {
+ user = LoginById(c, w, r, props["id"], props["password"], props["device_id"])
+ } else if len(props["email"]) != 0 && len(props["name"]) != 0 {
+ user = LoginByEmail(c, w, r, props["email"], props["name"], props["password"], props["device_id"])
+ } else {
+ c.Err = model.NewAppError("login", "Either user id or team name and user email must be provided", "")
+ c.Err.StatusCode = http.StatusForbidden
+ return
+ }
- w.Write([]byte(result.Data.(*model.User).ToJson()))
+ if c.Err != nil {
+ return
+ }
+
+ if user != nil {
+ user.Sanitize(map[string]bool{})
+ } else {
+ user = &model.User{}
+ }
+ w.Write([]byte(user.ToJson()))
}
func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -793,6 +827,13 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
tchan := Srv.Store.Team().Get(user.TeamId)
+ if user.AuthData != "" {
+ c.LogAudit("failed - tried to update user password who was logged in through oauth")
+ c.Err = model.NewAppError("updatePassword", "Update password failed because the user is logged in through an OAuth service", "auth_service="+user.AuthService)
+ c.Err.StatusCode = http.StatusForbidden
+ return
+ }
+
if !model.ComparePassword(user.Password, currentPassword) {
c.Err = model.NewAppError("updatePassword", "Update password failed because of invalid password", "")
c.Err.StatusCode = http.StatusForbidden
@@ -1212,3 +1253,72 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
}
+
+func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, teamName, service, redirectUri string) {
+
+ if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow {
+ c.Err = model.NewAppError("GetAuthorizationCode", "Unsupported OAuth service provider", "service="+service)
+ c.Err.StatusCode = http.StatusBadRequest
+ return
+ }
+
+ clientId := utils.Cfg.SSOSettings[service].Id
+ endpoint := utils.Cfg.SSOSettings[service].AuthEndpoint
+ state := model.HashPassword(clientId)
+
+ authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri+"?team="+teamName) + "&state=" + url.QueryEscape(state)
+ http.Redirect(w, r, authUrl, http.StatusFound)
+}
+
+func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser, *model.AppError) {
+ if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow {
+ return nil, model.NewAppError("AuthorizeOAuthUser", "Unsupported OAuth service provider", "service="+service)
+ }
+
+ if !model.ComparePassword(state, utils.Cfg.SSOSettings[service].Id) {
+ return nil, model.NewAppError("AuthorizeOAuthUser", "Invalid state", "")
+ }
+
+ p := url.Values{}
+ p.Set("client_id", utils.Cfg.SSOSettings[service].Id)
+ p.Set("client_secret", utils.Cfg.SSOSettings[service].Secret)
+ p.Set("code", code)
+ p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
+ p.Set("redirect_uri", redirectUri)
+
+ client := &http.Client{}
+ req, _ := http.NewRequest("POST", utils.Cfg.SSOSettings[service].TokenEndpoint, strings.NewReader(p.Encode()))
+
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ req.Header.Set("Accept", "application/json")
+
+ var ar *model.AccessResponse
+ if resp, err := client.Do(req); err != nil {
+ return nil, model.NewAppError("AuthorizeOAuthUser", "Token request failed", err.Error())
+ } else {
+ ar = model.AccessResponseFromJson(resp.Body)
+ }
+
+ if ar.TokenType != model.ACCESS_TOKEN_TYPE {
+ return nil, model.NewAppError("AuthorizeOAuthUser", "Bad token type", "token_type="+ar.TokenType)
+ }
+
+ if len(ar.AccessToken) == 0 {
+ return nil, model.NewAppError("AuthorizeOAuthUser", "Missing access token", "")
+ }
+
+ p = url.Values{}
+ p.Set("access_token", ar.AccessToken)
+ req, _ = http.NewRequest("GET", utils.Cfg.SSOSettings[service].UserApiEndpoint, strings.NewReader(""))
+
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ req.Header.Set("Accept", "application/json")
+ req.Header.Set("Authorization", "Bearer "+ar.AccessToken)
+
+ if resp, err := client.Do(req); err != nil {
+ return nil, model.NewAppError("AuthorizeOAuthUser", "Token request to "+service+" failed", err.Error())
+ } else {
+ return resp.Body, nil
+ }
+
+}