third_party
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

In basic auth check for tokens before call UserSignIn (#5725)

Browse Source 
* Check first if user/password is a token

* In basic auth check if user/password is a token

* Remove unnecessary else statement

* Changes of fmt
tokarchuk/v1.17
manuelluis 6 years ago committed by Lauris BH
parent 48a9025346
commit fc038caa69
2 changed files with 83 additions and 42 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 51
      modules/auth/auth.go
  2. 74
      routers/repo/http.go

51
modules/auth/auth.go
Unescape View File

@ -135,15 +135,56 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
if len(baHead) > 0 { if len(baHead) > 0 {
auths := strings.Fields(baHead) auths := strings.Fields(baHead)
if len(auths) == 2 && auths[0] == "Basic" { if len(auths) == 2 && auths[0] == "Basic" {
var u *models.User
uname, passwd, _ := base.BasicAuthDecode(auths[1]) uname, passwd, _ := base.BasicAuthDecode(auths[1])
u, err := models.UserSignIn(uname, passwd) // Check if username or password is a token
if err != nil { isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
if !models.IsErrUserNotExist(err) { // Assume username is token
log.Error(4, "UserSignIn: %v", err) authToken := uname
if !isUsernameToken {
// Assume password is token
authToken = passwd
}
token, err := models.GetAccessTokenBySHA(authToken)
if err == nil {
if isUsernameToken {
u, err = models.GetUserByID(token.UID)
if err != nil {
log.Error(4, "GetUserByID: %v", err)
return nil, false
}
} else {
u, err = models.GetUserByName(uname)
if err != nil {
log.Error(4, "GetUserByID: %v", err)
return nil, false
}
if u.ID != token.UID {
return nil, false
}
}
token.UpdatedUnix = util.TimeStampNow()
if err = models.UpdateAccessToken(token); err != nil {
log.Error(4, "UpdateAccessToken: %v", err)
}
} else {
if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
log.Error(4, "GetAccessTokenBySha: %v", err)
} }
return nil, false
} }
if u == nil {
u, err = models.UserSignIn(uname, passwd)
if err != nil {
if !models.IsErrUserNotExist(err) {
log.Error(4, "UserSignIn: %v", err)
}
return nil, false
}
}
ctx.Data["IsApiToken"] = true ctx.Data["IsApiToken"] = true
return u, true return u, true
} }

74
routers/repo/http.go
Unescape View File

@ -143,24 +143,24 @@ func HTTP(ctx *context.Context) {
return return
} }
authUser, err = models.UserSignIn(authUsername, authPasswd) // Check if username or password is a token
if err != nil { isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
if !models.IsErrUserNotExist(err) { // Assume username is token
ctx.ServerError("UserSignIn error: %v", err) authToken := authUsername
return if !isUsernameToken {
} // Assume password is token
authToken = authPasswd
} }
// Assume password is a token.
if authUser == nil { token, err := models.GetAccessTokenBySHA(authToken)
isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic" if err == nil {
if isUsernameToken {
// Assume username is token authUser, err = models.GetUserByID(token.UID)
authToken := authUsername if err != nil {
ctx.ServerError("GetUserByID", err)
if !isUsernameToken { return
// Assume password is token }
authToken = authPasswd } else {
authUser, err = models.GetUserByName(authUsername) authUser, err = models.GetUserByName(authUsername)
if err != nil { if err != nil {
if models.IsErrUserNotExist(err) { if models.IsErrUserNotExist(err) {
@ -170,37 +170,37 @@ func HTTP(ctx *context.Context) {
} }
return return
} }
} if authUser.ID != token.UID {
// Assume password is a token.
token, err := models.GetAccessTokenBySHA(authToken)
if err != nil {
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
ctx.HandleText(http.StatusUnauthorized, "invalid credentials") ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
} else { return
ctx.ServerError("GetAccessTokenBySha", err)
} }
return
} }
token.UpdatedUnix = util.TimeStampNow()
if err = models.UpdateAccessToken(token); err != nil {
ctx.ServerError("UpdateAccessToken", err)
}
} else {
if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
log.Error(4, "GetAccessTokenBySha: %v", err)
}
}
if isUsernameToken { if authUser == nil {
authUser, err = models.GetUserByID(token.UID) // Check username and password
if err != nil { authUser, err = models.UserSignIn(authUsername, authPasswd)
ctx.ServerError("GetUserByID", err) if err != nil {
if !models.IsErrUserNotExist(err) {
ctx.ServerError("UserSignIn error: %v", err)
return return
} }
} else if authUser.ID != token.UID { }
if authUser == nil {
ctx.HandleText(http.StatusUnauthorized, "invalid credentials") ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
return return
} }
token.UpdatedUnix = util.TimeStampNow()
if err = models.UpdateAccessToken(token); err != nil {
ctx.ServerError("UpdateAccessToken", err)
}
} else {
_, err = models.GetTwoFactorByUID(authUser.ID) _, err = models.GetTwoFactorByUID(authUser.ID)
if err == nil { if err == nil {
// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented // TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page") ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")

Write Preview
Loading…
Cancel
Save