secure mongoose auth endpoint

2020-04-27 17:55:33 +02:00 · 2020-04-27 17:55:33 +02:00 · a626cb682c
commit a626cb682c
parent dd4d10b275
1 changed files with 26 additions and 11 deletions
--- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
@ -26,21 +26,36 @@ def user_exists(conn, %{"user" => username}) do
  end

  def check_password(conn, %{"user" => username, "pass" => password}) do
-    with %User{password_hash: password_hash} <-
-           Repo.get_by(User, nickname: username, local: true),
-         true <- Pbkdf2.checkpw(password, password_hash) do
-      conn
-      |> json(true)
-    else
-      false ->
-        conn
-        |> put_status(:forbidden)
-        |> json(false)
+    user = Repo.get_by(User, nickname: username, local: true)

-      _ ->
+    case User.account_status(user) do
+      :deactivated ->
        conn
        |> put_status(:not_found)
        |> json(false)
+
+      :confirmation_pending ->
+        conn
+        |> put_status(:not_found)
+        |> json(false)
+
+      _ ->
+        with %User{password_hash: password_hash} <-
+               user,
+             true <- Pbkdf2.checkpw(password, password_hash) do
+          conn
+          |> json(true)
+        else
+          false ->
+            conn
+            |> put_status(:forbidden)
+            |> json(false)
+
+          _ ->
+            conn
+            |> put_status(:not_found)
+            |> json(false)
+        end
    end
  end
 end