From 81e67f8759aaa069117dadfcfec8819649f6590b Mon Sep 17 00:00:00 2001 From: Jesse Hallam Date: Mon, 5 Feb 2018 10:54:13 -0500 Subject: ABC-179: check email verification last (#8172) * ABC-179: check email verification last This change changes the authentication checks to be: * "preflight checks" ** mfa ** not disabled ** login attempts * password * "postflight checks" ** email verified Checking whether the email is verified or not last avoids the weird edge case where entering any bogus password for an account with an unverified email shows a message about verifying the email and offering to resend. * fix invalid unit test assertion Client.CreateUser returns a user whose password has been sanitized. Adopt the pattern in the previous assertions to use a new variable name and test the password on the original model.User object. This didn't expose any underlying broken behaviour, but the test wouldn't have caught it if it had regressed. Also fix a minor typo. --- app/authentication.go | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) (limited to 'app/authentication.go') diff --git a/app/authentication.go b/app/authentication.go index 140bffd5a..0b3659449 100644 --- a/app/authentication.go +++ b/app/authentication.go @@ -43,7 +43,7 @@ func (a *App) IsPasswordValid(password string) *model.AppError { } func (a *App) CheckPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError { - if err := a.CheckUserAdditionalAuthenticationCriteria(user, mfaToken); err != nil { + if err := a.CheckUserPreflightAuthenticationCriteria(user, mfaToken); err != nil { return err } @@ -51,6 +51,10 @@ func (a *App) CheckPasswordAndAllCriteria(user *model.User, password string, mfa return err } + if err := a.CheckUserPostflightAuthenticationCriteria(user); err != nil { + return err + } + return nil } @@ -109,13 +113,21 @@ func (a *App) checkLdapUserPasswordAndAllCriteria(ldapId *string, password strin return user, nil } -func (a *App) CheckUserAdditionalAuthenticationCriteria(user *model.User, mfaToken string) *model.AppError { - if err := a.CheckUserMfa(user, mfaToken); err != nil { +func (a *App) CheckUserAllAuthenticationCriteria(user *model.User, mfaToken string) *model.AppError { + if err := a.CheckUserPreflightAuthenticationCriteria(user, mfaToken); err != nil { return err } - if !user.EmailVerified && a.Config().EmailSettings.RequireEmailVerification { - return model.NewAppError("Login", "api.user.login.not_verified.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized) + if err := a.CheckUserPostflightAuthenticationCriteria(user); err != nil { + return err + } + + return nil +} + +func (a *App) CheckUserPreflightAuthenticationCriteria(user *model.User, mfaToken string) *model.AppError { + if err := a.CheckUserMfa(user, mfaToken); err != nil { + return err } if err := checkUserNotDisabled(user); err != nil { @@ -129,6 +141,14 @@ func (a *App) CheckUserAdditionalAuthenticationCriteria(user *model.User, mfaTok return nil } +func (a *App) CheckUserPostflightAuthenticationCriteria(user *model.User) *model.AppError { + if !user.EmailVerified && a.Config().EmailSettings.RequireEmailVerification { + return model.NewAppError("Login", "api.user.login.not_verified.app_error", nil, "user_id="+user.Id, http.StatusUnauthorized) + } + + return nil +} + func (a *App) CheckUserMfa(user *model.User, token string) *model.AppError { if !user.MfaActive || !utils.IsLicensed() || !*utils.License().Features.MFA || !*a.Config().ServiceSettings.EnableMultifactorAuthentication { return nil -- cgit v1.2.3-1-g7c22