forked from AkkomaGang/akkoma
Merge branch 'mongoose-secure' into 'develop'
mongoose auth endpoint worked for deactivated accounts See merge request pleroma/pleroma!2432
This commit is contained in:
lain
commit
9994768312
2 changed files with 24 additions and 2 deletions
|
|
@ -14,7 +14,7 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
|
||||||
plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password)
|
plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password)
|
||||||
|
|
||||||
def user_exists(conn, %{"user" => username}) do
|
def user_exists(conn, %{"user" => username}) do
|
||||||
with %User{} <- Repo.get_by(User, nickname: username, local: true) do
|
with %User{} <- Repo.get_by(User, nickname: username, local: true, deactivated: false) do
|
||||||
conn
|
conn
|
||||||
|> json(true)
|
|> json(true)
|
||||||
else
|
else
|
||||||
|
|
@ -26,7 +26,7 @@ def user_exists(conn, %{"user" => username}) do
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_password(conn, %{"user" => username, "pass" => password}) do
|
def check_password(conn, %{"user" => username, "pass" => password}) do
|
||||||
with %User{password_hash: password_hash} <-
|
with %User{password_hash: password_hash, deactivated: false} <-
|
||||||
Repo.get_by(User, nickname: username, local: true),
|
Repo.get_by(User, nickname: username, local: true),
|
||||||
true <- Pbkdf2.checkpw(password, password_hash) do
|
true <- Pbkdf2.checkpw(password, password_hash) do
|
||||||
conn
|
conn
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ defmodule Pleroma.Web.MongooseIMController do
|
||||||
test "/user_exists", %{conn: conn} do
|
test "/user_exists", %{conn: conn} do
|
||||||
_user = insert(:user, nickname: "lain")
|
_user = insert(:user, nickname: "lain")
|
||||||
_remote_user = insert(:user, nickname: "alice", local: false)
|
_remote_user = insert(:user, nickname: "alice", local: false)
|
||||||
|
_deactivated_user = insert(:user, nickname: "konata", deactivated: true)
|
||||||
|
|
||||||
res =
|
res =
|
||||||
conn
|
conn
|
||||||
|
|
@ -30,11 +31,25 @@ test "/user_exists", %{conn: conn} do
|
||||||
|> json_response(404)
|
|> json_response(404)
|
||||||
|
|
||||||
assert res == false
|
assert res == false
|
||||||
|
|
||||||
|
res =
|
||||||
|
conn
|
||||||
|
|> get(mongoose_im_path(conn, :user_exists), user: "konata")
|
||||||
|
|> json_response(404)
|
||||||
|
|
||||||
|
assert res == false
|
||||||
end
|
end
|
||||||
|
|
||||||
test "/check_password", %{conn: conn} do
|
test "/check_password", %{conn: conn} do
|
||||||
user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool"))
|
user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool"))
|
||||||
|
|
||||||
|
_deactivated_user =
|
||||||
|
insert(:user,
|
||||||
|
nickname: "konata",
|
||||||
|
deactivated: true,
|
||||||
|
password_hash: Comeonin.Pbkdf2.hashpwsalt("cool")
|
||||||
|
)
|
||||||
|
|
||||||
res =
|
res =
|
||||||
conn
|
conn
|
||||||
|> get(mongoose_im_path(conn, :check_password), user: user.nickname, pass: "cool")
|
|> get(mongoose_im_path(conn, :check_password), user: user.nickname, pass: "cool")
|
||||||
|
|
@ -49,6 +64,13 @@ test "/check_password", %{conn: conn} do
|
||||||
|
|
||||||
assert res == false
|
assert res == false
|
||||||
|
|
||||||
|
res =
|
||||||
|
conn
|
||||||
|
|> get(mongoose_im_path(conn, :check_password), user: "konata", pass: "cool")
|
||||||
|
|> json_response(404)
|
||||||
|
|
||||||
|
assert res == false
|
||||||
|
|
||||||
res =
|
res =
|
||||||
conn
|
conn
|
||||||
|> get(mongoose_im_path(conn, :check_password), user: "nobody", pass: "cool")
|
|> get(mongoose_im_path(conn, :check_password), user: "nobody", pass: "cool")
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue