From c39e95c7cb1ad6e812aa3ce4000b4dfdf214e77e Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 15 Jul 2015 12:48:50 -0400 Subject: inital implementation of using GitLab OAuth2 provider for signup/login --- api/user.go | 150 +++++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 104 insertions(+), 46 deletions(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 7035613ea..4765a5611 100644 --- a/api/user.go +++ b/api/user.go @@ -133,6 +133,10 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) { user.EmailVerified = true } + if len(user.AuthData) > 0 && len(user.AuthService) > 0 { + user.EmailVerified = true + } + ruser := CreateUser(c, team, user) if c.Err != nil { return @@ -233,80 +237,71 @@ func FireAndForgetVerifyEmail(userId, name, email, teamDisplayName, teamURL stri }() } -func login(c *Context, w http.ResponseWriter, r *http.Request) { - props := model.MapFromJson(r.Body) - - extraInfo := "" - var result store.StoreResult - - if len(props["id"]) != 0 { - extraInfo = props["id"] - if result = <-Srv.Store.User().Get(props["id"]); result.Err != nil { - c.Err = result.Err - return +func LoginById(c *Context, w http.ResponseWriter, r *http.Request, userId, password, deviceId string) { + if result := <-Srv.Store.User().Get(userId); result.Err != nil { + c.Err = result.Err + return + } else { + user := result.Data.(*model.User) + if checkUserPassword(c, user, password) { + Login(c, w, r, user, deviceId) } } +} +func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, name, password, deviceId string) { var team *model.Team - if result.Data == nil && len(props["email"]) != 0 && len(props["name"]) != 0 { - extraInfo = props["email"] + " in " + props["name"] - - if nr := <-Srv.Store.Team().GetByName(props["name"]); nr.Err != nil { - c.Err = nr.Err - return - } else { - team = nr.Data.(*model.Team) - if result = <-Srv.Store.User().GetByEmail(team.Id, props["email"]); result.Err != nil { - c.Err = result.Err - return - } - } - } - - if result.Data == nil { - c.Err = model.NewAppError("login", "Login failed because we couldn't find a valid account", extraInfo) - c.Err.StatusCode = http.StatusBadRequest + if result := <-Srv.Store.Team().GetByName(name); result.Err != nil { + c.Err = result.Err return + } else { + team = result.Data.(*model.Team) } - user := result.Data.(*model.User) + if result := <-Srv.Store.User().GetByEmail(team.Id, email); result.Err != nil { + c.Err = result.Err + return + } else { + user := result.Data.(*model.User) - if team == nil { - if tResult := <-Srv.Store.Team().Get(user.TeamId); tResult.Err != nil { - c.Err = tResult.Err - return - } else { - team = tResult.Data.(*model.Team) + if checkUserPassword(c, user, password) { + Login(c, w, r, user, deviceId) } } +} - c.LogAuditWithUserId(user.Id, "attempt") - - if !model.ComparePassword(user.Password, props["password"]) { +func checkUserPassword(c *Context, user *model.User, password string) bool { + if !model.ComparePassword(user.Password, password) { c.LogAuditWithUserId(user.Id, "fail") - c.Err = model.NewAppError("login", "Login failed because of invalid password", extraInfo) + c.Err = model.NewAppError("checkUserPassword", "Login failed because of invalid password", "user_id="+user.Id) c.Err.StatusCode = http.StatusForbidden - return + return false } + return true +} + +// User MUST be validated before calling Login +func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, deviceId string) { + c.LogAuditWithUserId(user.Id, "attempt") if !user.EmailVerified && !utils.Cfg.EmailSettings.ByPassEmail { - c.Err = model.NewAppError("login", "Login failed because email address has not been verified", extraInfo) + c.Err = model.NewAppError("Login", "Login failed because email address has not been verified", "user_id="+user.Id) c.Err.StatusCode = http.StatusForbidden return } if user.DeleteAt > 0 { - c.Err = model.NewAppError("login", "Login failed because your account has been set to inactive. Please contact an administrator.", extraInfo) + c.Err = model.NewAppError("Login", "Login failed because your account has been set to inactive. Please contact an administrator.", "user_id="+user.Id) c.Err.StatusCode = http.StatusForbidden return } - session := &model.Session{UserId: user.Id, TeamId: team.Id, Roles: user.Roles, DeviceId: props["device_id"]} + session := &model.Session{UserId: user.Id, TeamId: user.TeamId, Roles: user.Roles, DeviceId: deviceId} maxAge := model.SESSION_TIME_WEB_IN_SECS - if len(props["device_id"]) > 0 { + if len(deviceId) > 0 { session.SetExpireInDays(model.SESSION_TIME_MOBILE_IN_DAYS) maxAge = model.SESSION_TIME_MOBILE_IN_SECS } else { @@ -361,8 +356,22 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) { c.Session = *session c.LogAuditWithUserId(user.Id, "success") +} - w.Write([]byte(result.Data.(*model.User).ToJson())) +func login(c *Context, w http.ResponseWriter, r *http.Request) { + props := model.MapFromJson(r.Body) + + if len(props["id"]) != 0 { + LoginById(c, w, r, props["id"], props["password"], props["device_id"]) + } else if len(props["email"]) != 0 && len(props["name"]) != 0 { + LoginByEmail(c, w, r, props["email"], props["name"], props["password"], props["device_id"]) + } + + if c.Err != nil { + return + } + + w.Write([]byte("{}")) } func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { @@ -1212,3 +1221,52 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) { return } } + +func AuthorizeGitLabUser(code, state, uri string) (*model.GitLabUser, *model.AppError) { + if !model.ComparePassword(state, utils.Cfg.SSOSettings.GitLabId) { + return nil, model.NewAppError("AuthorizeGitLabUser", "Invalid state", "") + } + + p := url.Values{} + p.Set("client_id", utils.Cfg.SSOSettings.GitLabId) + p.Set("client_secret", utils.Cfg.SSOSettings.GitLabSecret) + p.Set("code", code) + p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) + p.Set("redirect_uri", uri) + + client := &http.Client{} + req, _ := http.NewRequest("POST", utils.Cfg.SSOSettings.GitLabUrl+"/oauth/token", strings.NewReader(p.Encode())) + + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Accept", "application/json") + + var ar *model.AccessResponse + if resp, err := client.Do(req); err != nil { + return nil, model.NewAppError("AuthorizeGitLabUser", "Token request to GitLab failed", err.Error()) + } else { + ar = model.AccessResponseFromJson(resp.Body) + } + + if ar.TokenType != model.ACCESS_TOKEN_TYPE { + return nil, model.NewAppError("AuthorizeGitLabUser", "Bad token type", "token_type="+ar.TokenType) + } + + if len(ar.AccessToken) == 0 { + return nil, model.NewAppError("AuthorizeGitLabUser", "Missing access token", "") + } + + p = url.Values{} + p.Set("access_token", ar.AccessToken) + req, _ = http.NewRequest("GET", utils.Cfg.SSOSettings.GitLabUrl+"/api/v3/user", strings.NewReader("")) + + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Accept", "application/json") + req.Header.Set("Authorization", "Bearer "+ar.AccessToken) + + if resp, err := client.Do(req); err != nil { + return nil, model.NewAppError("AuthorizeGitLabUser", "Token request to GitLab failed", err.Error()) + } else { + return model.GitLabUserFromJson(resp.Body), nil + } + +} -- cgit v1.2.3-1-g7c22 From 03528b9619747b8bd184b852497dcf14ee1e0081 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Fri, 17 Jul 2015 09:47:25 -0400 Subject: made oauth architecture more generalized --- api/user.go | 61 ++++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 13 deletions(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 4765a5611..a9c8a0065 100644 --- a/api/user.go +++ b/api/user.go @@ -20,6 +20,7 @@ import ( _ "image/gif" _ "image/jpeg" "image/png" + "io" "net/http" "net/url" "strconv" @@ -1222,51 +1223,85 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) { } } -func AuthorizeGitLabUser(code, state, uri string) (*model.GitLabUser, *model.AppError) { - if !model.ComparePassword(state, utils.Cfg.SSOSettings.GitLabId) { - return nil, model.NewAppError("AuthorizeGitLabUser", "Invalid state", "") +func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, service, redirectUri string) { + + teamId := r.FormValue("id") + + if len(teamId) != 26 { + c.Err = model.NewAppError("GetAuthorizationCode", "Invalid team id", "team_id="+teamId) + c.Err.StatusCode = http.StatusBadRequest + return + } + + // Make sure team exists + if result := <-Srv.Store.Team().Get(teamId); result.Err != nil { + c.Err = result.Err + return + } + + if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow { + c.Err = model.NewAppError("GetAuthorizationCode", "Unsupported OAuth service provider", "service="+service) + c.Err.StatusCode = http.StatusBadRequest + return + } + + clientId := utils.Cfg.SSOSettings[service].Id + endpoint := utils.Cfg.SSOSettings[service].AuthEndpoint + state := model.HashPassword(clientId) + + authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri+"?id="+teamId) + "&state=" + url.QueryEscape(state) + http.Redirect(w, r, authUrl, http.StatusFound) +} + +func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser, *model.AppError) { + if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow { + return nil, model.NewAppError("AuthorizeOAuthUser", "Unsupported OAuth service provider", "service="+service) + } + + if !model.ComparePassword(state, utils.Cfg.SSOSettings[service].Id) { + return nil, model.NewAppError("AuthorizeOAuthUser", "Invalid state", "") } p := url.Values{} - p.Set("client_id", utils.Cfg.SSOSettings.GitLabId) - p.Set("client_secret", utils.Cfg.SSOSettings.GitLabSecret) + p.Set("client_id", utils.Cfg.SSOSettings[service].Id) + p.Set("client_secret", utils.Cfg.SSOSettings[service].Secret) p.Set("code", code) p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) - p.Set("redirect_uri", uri) + p.Set("redirect_uri", redirectUri) client := &http.Client{} - req, _ := http.NewRequest("POST", utils.Cfg.SSOSettings.GitLabUrl+"/oauth/token", strings.NewReader(p.Encode())) + req, _ := http.NewRequest("POST", utils.Cfg.SSOSettings[service].TokenEndpoint, strings.NewReader(p.Encode())) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Accept", "application/json") var ar *model.AccessResponse if resp, err := client.Do(req); err != nil { - return nil, model.NewAppError("AuthorizeGitLabUser", "Token request to GitLab failed", err.Error()) + return nil, model.NewAppError("AuthorizeOAuthUser", "Token request to GitLab failed", err.Error()) } else { ar = model.AccessResponseFromJson(resp.Body) } if ar.TokenType != model.ACCESS_TOKEN_TYPE { - return nil, model.NewAppError("AuthorizeGitLabUser", "Bad token type", "token_type="+ar.TokenType) + return nil, model.NewAppError("AuthorizeOAuthUser", "Bad token type", "token_type="+ar.TokenType) } if len(ar.AccessToken) == 0 { - return nil, model.NewAppError("AuthorizeGitLabUser", "Missing access token", "") + return nil, model.NewAppError("AuthorizeOAuthUser", "Missing access token", "") } p = url.Values{} p.Set("access_token", ar.AccessToken) - req, _ = http.NewRequest("GET", utils.Cfg.SSOSettings.GitLabUrl+"/api/v3/user", strings.NewReader("")) + req, _ = http.NewRequest("GET", utils.Cfg.SSOSettings[service].UserApiEndpoint, strings.NewReader("")) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Accept", "application/json") req.Header.Set("Authorization", "Bearer "+ar.AccessToken) if resp, err := client.Do(req); err != nil { - return nil, model.NewAppError("AuthorizeGitLabUser", "Token request to GitLab failed", err.Error()) + return nil, model.NewAppError("AuthorizeOAuthUser", "Token request to "+service+" failed", err.Error()) } else { - return model.GitLabUserFromJson(resp.Body), nil + return resp.Body, nil } } -- cgit v1.2.3-1-g7c22 From 62c0603c50c7cc85003fb03ed55d1a585c32dc34 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 22 Jul 2015 10:12:28 -0400 Subject: merged with new team domain changes and added signup/login links for gitlab --- api/user.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index a9c8a0065..5aba21e79 100644 --- a/api/user.go +++ b/api/user.go @@ -1224,17 +1224,17 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) { } func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, service, redirectUri string) { + params := mux.Vars(r) + teamName := params["team"] - teamId := r.FormValue("id") - - if len(teamId) != 26 { - c.Err = model.NewAppError("GetAuthorizationCode", "Invalid team id", "team_id="+teamId) + if len(teamName) == 0 { + c.Err = model.NewAppError("GetAuthorizationCode", "Invalid team name", "team_name="+teamName) c.Err.StatusCode = http.StatusBadRequest return } // Make sure team exists - if result := <-Srv.Store.Team().Get(teamId); result.Err != nil { + if result := <-Srv.Store.Team().GetByName(teamName); result.Err != nil { c.Err = result.Err return } @@ -1249,7 +1249,7 @@ func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, se endpoint := utils.Cfg.SSOSettings[service].AuthEndpoint state := model.HashPassword(clientId) - authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri+"?id="+teamId) + "&state=" + url.QueryEscape(state) + authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri+"?team="+teamName) + "&state=" + url.QueryEscape(state) http.Redirect(w, r, authUrl, http.StatusFound) } -- cgit v1.2.3-1-g7c22 From a2bd8b8676701ee5ccf5d84a2f4fe6afb0dae4b1 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 22 Jul 2015 11:26:55 -0400 Subject: add error for trying to sign up with the same oauth account twice --- api/user.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 5aba21e79..68a4e6d56 100644 --- a/api/user.go +++ b/api/user.go @@ -1277,7 +1277,7 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser var ar *model.AccessResponse if resp, err := client.Do(req); err != nil { - return nil, model.NewAppError("AuthorizeOAuthUser", "Token request to GitLab failed", err.Error()) + return nil, model.NewAppError("AuthorizeOAuthUser", "Token request failed", err.Error()) } else { ar = model.AccessResponseFromJson(resp.Body) } -- cgit v1.2.3-1-g7c22 From 4f0364d87656138d5e262b53373706ff122f3f4c Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 22 Jul 2015 12:13:45 -0400 Subject: added signup link verification to oauth signup flow --- api/user.go | 79 ++++++++++++++++++++++++++----------------------------------- 1 file changed, 34 insertions(+), 45 deletions(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 68a4e6d56..40bac7bd5 100644 --- a/api/user.go +++ b/api/user.go @@ -81,36 +81,7 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) { hash := r.URL.Query().Get("h") - shouldVerifyHash := true - - if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 { - domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1)))) - - matched := false - for _, d := range domains { - if strings.HasSuffix(user.Email, "@"+d) { - matched = true - break - } - } - - if matched { - shouldVerifyHash = false - } else { - c.Err = model.NewAppError("createUser", "The signup link does not appear to be valid", "allowed domains failed") - return - } - } - - if team.Type == model.TEAM_OPEN { - shouldVerifyHash = false - } - - if len(hash) > 0 { - shouldVerifyHash = true - } - - if shouldVerifyHash { + if IsVerifyHashRequired(user, team, hash) { data := r.URL.Query().Get("d") props := model.MapFromJson(strings.NewReader(data)) @@ -147,6 +118,38 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) { } +func IsVerifyHashRequired(user *model.User, team *model.Team, hash string) bool { + shouldVerifyHash := true + + if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 && user != nil { + domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1)))) + + matched := false + for _, d := range domains { + if strings.HasSuffix(user.Email, "@"+d) { + matched = true + break + } + } + + if matched { + shouldVerifyHash = false + } else { + return true + } + } + + if team.Type == model.TEAM_OPEN { + shouldVerifyHash = false + } + + if len(hash) > 0 { + shouldVerifyHash = true + } + + return shouldVerifyHash +} + func CreateValet(c *Context, team *model.Team) *model.User { valet := &model.User{} valet.TeamId = team.Id @@ -1223,21 +1226,7 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) { } } -func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, service, redirectUri string) { - params := mux.Vars(r) - teamName := params["team"] - - if len(teamName) == 0 { - c.Err = model.NewAppError("GetAuthorizationCode", "Invalid team name", "team_name="+teamName) - c.Err.StatusCode = http.StatusBadRequest - return - } - - // Make sure team exists - if result := <-Srv.Store.Team().GetByName(teamName); result.Err != nil { - c.Err = result.Err - return - } +func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, teamName, service, redirectUri string) { if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow { c.Err = model.NewAppError("GetAuthorizationCode", "Unsupported OAuth service provider", "service="+service) -- cgit v1.2.3-1-g7c22 From 44cfa364fd3c328523054d8ee2221d6019ad6de1 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 22 Jul 2015 12:42:03 -0400 Subject: added error case for login and removed authdata + authservice unique constraint in users table --- api/user.go | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 40bac7bd5..d16ad300a 100644 --- a/api/user.go +++ b/api/user.go @@ -241,38 +241,44 @@ func FireAndForgetVerifyEmail(userId, name, email, teamDisplayName, teamURL stri }() } -func LoginById(c *Context, w http.ResponseWriter, r *http.Request, userId, password, deviceId string) { +func LoginById(c *Context, w http.ResponseWriter, r *http.Request, userId, password, deviceId string) *model.User { if result := <-Srv.Store.User().Get(userId); result.Err != nil { c.Err = result.Err - return + return nil } else { user := result.Data.(*model.User) if checkUserPassword(c, user, password) { Login(c, w, r, user, deviceId) + return user } } + + return nil } -func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, name, password, deviceId string) { +func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, name, password, deviceId string) *model.User { var team *model.Team if result := <-Srv.Store.Team().GetByName(name); result.Err != nil { c.Err = result.Err - return + return nil } else { team = result.Data.(*model.Team) } if result := <-Srv.Store.User().GetByEmail(team.Id, email); result.Err != nil { c.Err = result.Err - return + return nil } else { user := result.Data.(*model.User) if checkUserPassword(c, user, password) { Login(c, w, r, user, deviceId) + return user } } + + return nil } func checkUserPassword(c *Context, user *model.User, password string) bool { @@ -356,7 +362,6 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, } http.SetCookie(w, sessionCookie) - user.Sanitize(map[string]bool{}) c.Session = *session c.LogAuditWithUserId(user.Id, "success") @@ -365,17 +370,26 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, func login(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) + var user *model.User if len(props["id"]) != 0 { - LoginById(c, w, r, props["id"], props["password"], props["device_id"]) + user = LoginById(c, w, r, props["id"], props["password"], props["device_id"]) } else if len(props["email"]) != 0 && len(props["name"]) != 0 { - LoginByEmail(c, w, r, props["email"], props["name"], props["password"], props["device_id"]) + user = LoginByEmail(c, w, r, props["email"], props["name"], props["password"], props["device_id"]) + } else { + c.Err = model.NewAppError("login", "Either user id or team name and user email must be provided", "") + return } if c.Err != nil { return } - w.Write([]byte("{}")) + if user != nil { + user.Sanitize(map[string]bool{}) + } else { + user = &model.User{} + } + w.Write([]byte(user.ToJson())) } func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { -- cgit v1.2.3-1-g7c22 From 41bbbbf4462205348c978a2cce5162f73e35f6b7 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 22 Jul 2015 15:05:20 -0400 Subject: add changes from team review --- api/user.go | 1 + 1 file changed, 1 insertion(+) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index d16ad300a..7a688f28b 100644 --- a/api/user.go +++ b/api/user.go @@ -377,6 +377,7 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) { user = LoginByEmail(c, w, r, props["email"], props["name"], props["password"], props["device_id"]) } else { c.Err = model.NewAppError("login", "Either user id or team name and user email must be provided", "") + c.Err.StatusCode = http.StatusForbidden return } -- cgit v1.2.3-1-g7c22 From dd970604d1790aa8b35a42862bace300c601f325 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Wed, 22 Jul 2015 15:36:58 -0400 Subject: add check on server to prevent password updating for users who log in through oauth --- api/user.go | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 7a688f28b..03f8b9e3e 100644 --- a/api/user.go +++ b/api/user.go @@ -821,6 +821,13 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) { tchan := Srv.Store.Team().Get(user.TeamId) + if user.AuthData != "" { + c.LogAudit("failed - tried to update user password who was logged in through oauth") + c.Err = model.NewAppError("updatePassword", "Update password failed because the user is logged in through an OAuth service", "auth_service="+user.AuthService) + c.Err.StatusCode = http.StatusForbidden + return + } + if !model.ComparePassword(user.Password, currentPassword) { c.Err = model.NewAppError("updatePassword", "Update password failed because of invalid password", "") c.Err.StatusCode = http.StatusForbidden -- cgit v1.2.3-1-g7c22 From d42d0e3467c8eec38fdca429ba9ba5ac2af68db8 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Thu, 23 Jul 2015 08:19:51 -0400 Subject: added store unit test for user.GetByAuth and added password length checking in api.login --- api/user.go | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 03f8b9e3e..e1d5e83dd 100644 --- a/api/user.go +++ b/api/user.go @@ -370,6 +370,12 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, func login(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) + if len(props["password"]) == 0 { + c.Err = model.NewAppError("login", "Password field must not be blank", "") + c.Err.StatusCode = http.StatusForbidden + return + } + var user *model.User if len(props["id"]) != 0 { user = LoginById(c, w, r, props["id"], props["password"], props["device_id"]) -- cgit v1.2.3-1-g7c22