forked from AkkomaGang/akkoma
Merge branch 'moonman/pleroma-sha512-crypt' into 'develop'
auth overhaul and legacy GS auth See merge request pleroma/pleroma!331
This commit is contained in:
commit
045953225e
21 changed files with 598 additions and 243 deletions
|
@ -9,54 +9,34 @@ def init(options) do
|
||||||
|
|
||||||
def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
|
def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
|
||||||
|
|
||||||
def call(conn, opts) do
|
def call(
|
||||||
with {:ok, username, password} <- decode_header(conn),
|
%{
|
||||||
{:ok, user} <- opts[:fetcher].(username),
|
assigns: %{
|
||||||
false <- !!user.info["deactivated"],
|
auth_user: %{password_hash: password_hash} = auth_user,
|
||||||
saved_user_id <- get_session(conn, :user_id),
|
auth_credentials: %{password: password}
|
||||||
{:ok, verified_user} <- verify(user, password, saved_user_id) do
|
}
|
||||||
|
} = conn,
|
||||||
|
_
|
||||||
|
) do
|
||||||
|
if Pbkdf2.checkpw(password, password_hash) do
|
||||||
conn
|
conn
|
||||||
|> assign(:user, verified_user)
|
|> assign(:user, auth_user)
|
||||||
|> put_session(:user_id, verified_user.id)
|
|
||||||
else
|
else
|
||||||
_ -> conn |> halt_or_continue(opts)
|
conn
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Short-circuit if we have a cookie with the id for the given user.
|
def call(
|
||||||
defp verify(%{id: id} = user, _password, id) do
|
%{
|
||||||
{:ok, user}
|
assigns: %{
|
||||||
end
|
auth_credentials: %{password: password}
|
||||||
|
}
|
||||||
defp verify(nil, _password, _user_id) do
|
} = conn,
|
||||||
|
_
|
||||||
|
) do
|
||||||
Pbkdf2.dummy_checkpw()
|
Pbkdf2.dummy_checkpw()
|
||||||
:error
|
|
||||||
end
|
|
||||||
|
|
||||||
defp verify(user, password, _user_id) do
|
|
||||||
if Pbkdf2.checkpw(password, user.password_hash) do
|
|
||||||
{:ok, user}
|
|
||||||
else
|
|
||||||
:error
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
defp decode_header(conn) do
|
|
||||||
with ["Basic " <> header] <- get_req_header(conn, "authorization"),
|
|
||||||
{:ok, userinfo} <- Base.decode64(header),
|
|
||||||
[username, password] <- String.split(userinfo, ":", parts: 2) do
|
|
||||||
{:ok, username, password}
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
defp halt_or_continue(conn, %{optional: true}) do
|
|
||||||
conn |> assign(:user, nil)
|
|
||||||
end
|
|
||||||
|
|
||||||
defp halt_or_continue(conn, _) do
|
|
||||||
conn
|
conn
|
||||||
|> put_resp_content_type("application/json")
|
|
||||||
|> send_resp(403, Jason.encode!(%{error: "Invalid credentials."}))
|
|
||||||
|> halt
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def call(conn, _), do: conn
|
||||||
end
|
end
|
||||||
|
|
21
lib/pleroma/plugs/basic_auth_decoder_plug.ex
Normal file
21
lib/pleroma/plugs/basic_auth_decoder_plug.ex
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
defmodule Pleroma.Plugs.BasicAuthDecoderPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
|
||||||
|
def init(options) do
|
||||||
|
options
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(conn, opts) do
|
||||||
|
with ["Basic " <> header] <- get_req_header(conn, "authorization"),
|
||||||
|
{:ok, userinfo} <- Base.decode64(header),
|
||||||
|
[username, password] <- String.split(userinfo, ":", parts: 2) do
|
||||||
|
conn
|
||||||
|
|> assign(:auth_credentials, %{
|
||||||
|
username: username,
|
||||||
|
password: password
|
||||||
|
})
|
||||||
|
else
|
||||||
|
_ -> conn
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
19
lib/pleroma/plugs/ensure_authenticated_plug.ex
Normal file
19
lib/pleroma/plugs/ensure_authenticated_plug.ex
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
defmodule Pleroma.Plugs.EnsureAuthenticatedPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
def init(options) do
|
||||||
|
options
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(%{assigns: %{user: %User{}}} = conn, _) do
|
||||||
|
conn
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(conn, _) do
|
||||||
|
conn
|
||||||
|
|> put_resp_content_type("application/json")
|
||||||
|
|> send_resp(403, Jason.encode!(%{error: "Invalid credentials."}))
|
||||||
|
|> halt
|
||||||
|
end
|
||||||
|
end
|
14
lib/pleroma/plugs/ensure_user_key_plug.ex
Normal file
14
lib/pleroma/plugs/ensure_user_key_plug.ex
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
defmodule Pleroma.Plugs.EnsureUserKeyPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
|
||||||
|
def init(opts) do
|
||||||
|
opts
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(%{assigns: %{user: _}} = conn, _), do: conn
|
||||||
|
|
||||||
|
def call(conn, _) do
|
||||||
|
conn
|
||||||
|
|> assign(:user, nil)
|
||||||
|
end
|
||||||
|
end
|
35
lib/pleroma/plugs/legacy_authentication_plug.ex
Normal file
35
lib/pleroma/plugs/legacy_authentication_plug.ex
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
defmodule Pleroma.Plugs.LegacyAuthenticationPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
def init(options) do
|
||||||
|
options
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
|
||||||
|
|
||||||
|
def call(
|
||||||
|
%{
|
||||||
|
assigns: %{
|
||||||
|
auth_user: %{password_hash: "$6$" <> _ = password_hash} = auth_user,
|
||||||
|
auth_credentials: %{password: password}
|
||||||
|
}
|
||||||
|
} = conn,
|
||||||
|
_
|
||||||
|
) do
|
||||||
|
with ^password_hash <- :crypt.crypt(password, password_hash),
|
||||||
|
{:ok, user} <-
|
||||||
|
User.reset_password(auth_user, %{password: password, password_confirmation: password}) do
|
||||||
|
conn
|
||||||
|
|> assign(:auth_user, user)
|
||||||
|
|> assign(:user, user)
|
||||||
|
else
|
||||||
|
_ ->
|
||||||
|
conn
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(conn, _) do
|
||||||
|
conn
|
||||||
|
end
|
||||||
|
end
|
18
lib/pleroma/plugs/session_authentication_plug.ex
Normal file
18
lib/pleroma/plugs/session_authentication_plug.ex
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
defmodule Pleroma.Plugs.SessionAuthenticationPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
def init(options) do
|
||||||
|
options
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(conn, _) do
|
||||||
|
with saved_user_id <- get_session(conn, :user_id),
|
||||||
|
%{auth_user: %{id: ^saved_user_id}} <- conn.assigns do
|
||||||
|
conn
|
||||||
|
|> assign(:user, conn.assigns.auth_user)
|
||||||
|
else
|
||||||
|
_ -> conn
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
15
lib/pleroma/plugs/set_user_session_id_plug.ex
Normal file
15
lib/pleroma/plugs/set_user_session_id_plug.ex
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
defmodule Pleroma.Plugs.SetUserSessionIdPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
def init(opts) do
|
||||||
|
opts
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(%{assigns: %{user: %User{id: id}}} = conn, _) do
|
||||||
|
conn
|
||||||
|
|> put_session(:user_id, id)
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(conn, _), do: conn
|
||||||
|
end
|
17
lib/pleroma/plugs/user_enabled_plug.ex
Normal file
17
lib/pleroma/plugs/user_enabled_plug.ex
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
defmodule Pleroma.Plugs.UserEnabledPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
def init(options) do
|
||||||
|
options
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(%{assigns: %{user: %User{info: %{"deactivated" => true}}}} = conn, _) do
|
||||||
|
conn
|
||||||
|
|> assign(:user, nil)
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(conn, _) do
|
||||||
|
conn
|
||||||
|
end
|
||||||
|
end
|
34
lib/pleroma/plugs/user_fetcher_plug.ex
Normal file
34
lib/pleroma/plugs/user_fetcher_plug.ex
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
defmodule Pleroma.Plugs.UserFetcherPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
alias Pleroma.Repo
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
def init(options) do
|
||||||
|
options
|
||||||
|
end
|
||||||
|
|
||||||
|
def call(conn, options) do
|
||||||
|
with %{auth_credentials: %{username: username}} <- conn.assigns,
|
||||||
|
{:ok, %User{} = user} <- user_fetcher(username) do
|
||||||
|
conn
|
||||||
|
|> assign(:auth_user, user)
|
||||||
|
else
|
||||||
|
_ -> conn
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
defp user_fetcher(username_or_email) do
|
||||||
|
{
|
||||||
|
:ok,
|
||||||
|
cond do
|
||||||
|
# First, try logging in as if it was a name
|
||||||
|
user = Repo.get_by(User, %{nickname: username_or_email}) ->
|
||||||
|
user
|
||||||
|
|
||||||
|
# If we get nil, we try using it as an email
|
||||||
|
user = Repo.get_by(User, %{email: username_or_email}) ->
|
||||||
|
user
|
||||||
|
end
|
||||||
|
}
|
||||||
|
end
|
||||||
|
end
|
|
@ -9,47 +9,57 @@ defmodule Pleroma.Web.Router do
|
||||||
@public Keyword.get(@instance, :public)
|
@public Keyword.get(@instance, :public)
|
||||||
@registrations_open Keyword.get(@instance, :registrations_open)
|
@registrations_open Keyword.get(@instance, :registrations_open)
|
||||||
|
|
||||||
def user_fetcher(username_or_email) do
|
|
||||||
{
|
|
||||||
:ok,
|
|
||||||
cond do
|
|
||||||
# First, try logging in as if it was a name
|
|
||||||
user = Repo.get_by(User, %{nickname: username_or_email}) ->
|
|
||||||
user
|
|
||||||
|
|
||||||
# If we get nil, we try using it as an email
|
|
||||||
user = Repo.get_by(User, %{email: username_or_email}) ->
|
|
||||||
user
|
|
||||||
end
|
|
||||||
}
|
|
||||||
end
|
|
||||||
|
|
||||||
pipeline :api do
|
pipeline :api do
|
||||||
plug(:accepts, ["json"])
|
plug(:accepts, ["json"])
|
||||||
plug(:fetch_session)
|
plug(:fetch_session)
|
||||||
plug(Pleroma.Plugs.OAuthPlug)
|
plug(Pleroma.Plugs.OAuthPlug)
|
||||||
plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1, optional: true})
|
plug(Pleroma.Plugs.BasicAuthDecoderPlug)
|
||||||
|
plug(Pleroma.Plugs.UserFetcherPlug)
|
||||||
|
plug(Pleroma.Plugs.SessionAuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.LegacyAuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.AuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.UserEnabledPlug)
|
||||||
|
plug(Pleroma.Plugs.SetUserSessionIdPlug)
|
||||||
|
plug(Pleroma.Plugs.EnsureUserKeyPlug)
|
||||||
end
|
end
|
||||||
|
|
||||||
pipeline :authenticated_api do
|
pipeline :authenticated_api do
|
||||||
plug(:accepts, ["json"])
|
plug(:accepts, ["json"])
|
||||||
plug(:fetch_session)
|
plug(:fetch_session)
|
||||||
plug(Pleroma.Plugs.OAuthPlug)
|
plug(Pleroma.Plugs.OAuthPlug)
|
||||||
plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1})
|
plug(Pleroma.Plugs.BasicAuthDecoderPlug)
|
||||||
|
plug(Pleroma.Plugs.UserFetcherPlug)
|
||||||
|
plug(Pleroma.Plugs.SessionAuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.LegacyAuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.AuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.UserEnabledPlug)
|
||||||
|
plug(Pleroma.Plugs.SetUserSessionIdPlug)
|
||||||
|
plug(Pleroma.Plugs.EnsureAuthenticatedPlug)
|
||||||
end
|
end
|
||||||
|
|
||||||
pipeline :mastodon_html do
|
pipeline :mastodon_html do
|
||||||
plug(:accepts, ["html"])
|
plug(:accepts, ["html"])
|
||||||
plug(:fetch_session)
|
plug(:fetch_session)
|
||||||
plug(Pleroma.Plugs.OAuthPlug)
|
plug(Pleroma.Plugs.OAuthPlug)
|
||||||
plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1, optional: true})
|
plug(Pleroma.Plugs.BasicAuthDecoderPlug)
|
||||||
|
plug(Pleroma.Plugs.UserFetcherPlug)
|
||||||
|
plug(Pleroma.Plugs.SessionAuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.LegacyAuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.AuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.UserEnabledPlug)
|
||||||
|
plug(Pleroma.Plugs.SetUserSessionIdPlug)
|
||||||
|
plug(Pleroma.Plugs.EnsureUserKeyPlug)
|
||||||
end
|
end
|
||||||
|
|
||||||
pipeline :pleroma_html do
|
pipeline :pleroma_html do
|
||||||
plug(:accepts, ["html"])
|
plug(:accepts, ["html"])
|
||||||
plug(:fetch_session)
|
plug(:fetch_session)
|
||||||
plug(Pleroma.Plugs.OAuthPlug)
|
plug(Pleroma.Plugs.OAuthPlug)
|
||||||
plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1, optional: true})
|
plug(Pleroma.Plugs.BasicAuthDecoderPlug)
|
||||||
|
plug(Pleroma.Plugs.UserFetcherPlug)
|
||||||
|
plug(Pleroma.Plugs.SessionAuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.AuthenticationPlug)
|
||||||
|
plug(Pleroma.Plugs.EnsureUserKeyPlug)
|
||||||
end
|
end
|
||||||
|
|
||||||
pipeline :well_known do
|
pipeline :well_known do
|
||||||
|
|
4
mix.exs
4
mix.exs
|
@ -50,7 +50,9 @@ defp deps do
|
||||||
{:ex_aws_s3, "~> 2.0"},
|
{:ex_aws_s3, "~> 2.0"},
|
||||||
{:ex_machina, "~> 2.2", only: :test},
|
{:ex_machina, "~> 2.2", only: :test},
|
||||||
{:credo, "~> 0.9.3", only: [:dev, :test]},
|
{:credo, "~> 0.9.3", only: [:dev, :test]},
|
||||||
{:mock, "~> 0.3.1", only: :test}
|
{:mock, "~> 0.3.1", only: :test},
|
||||||
|
{:crypt,
|
||||||
|
git: "https://github.com/msantos/crypt", ref: "1f2b58927ab57e72910191a7ebaeff984382a1d3"}
|
||||||
]
|
]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
1
mix.lock
1
mix.lock
|
@ -8,6 +8,7 @@
|
||||||
"cowboy": {:hex, :cowboy, "1.1.2", "61ac29ea970389a88eca5a65601460162d370a70018afe6f949a29dca91f3bb0", [:rebar3], [{:cowlib, "~> 1.0.2", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, "~> 1.3.2", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm"},
|
"cowboy": {:hex, :cowboy, "1.1.2", "61ac29ea970389a88eca5a65601460162d370a70018afe6f949a29dca91f3bb0", [:rebar3], [{:cowlib, "~> 1.0.2", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, "~> 1.3.2", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm"},
|
||||||
"cowlib": {:hex, :cowlib, "1.0.2", "9d769a1d062c9c3ac753096f868ca121e2730b9a377de23dec0f7e08b1df84ee", [:make], [], "hexpm"},
|
"cowlib": {:hex, :cowlib, "1.0.2", "9d769a1d062c9c3ac753096f868ca121e2730b9a377de23dec0f7e08b1df84ee", [:make], [], "hexpm"},
|
||||||
"credo": {:hex, :credo, "0.9.3", "76fa3e9e497ab282e0cf64b98a624aa11da702854c52c82db1bf24e54ab7c97a", [:mix], [{:bunt, "~> 0.2.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:poison, ">= 0.0.0", [hex: :poison, repo: "hexpm", optional: false]}], "hexpm"},
|
"credo": {:hex, :credo, "0.9.3", "76fa3e9e497ab282e0cf64b98a624aa11da702854c52c82db1bf24e54ab7c97a", [:mix], [{:bunt, "~> 0.2.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:poison, ">= 0.0.0", [hex: :poison, repo: "hexpm", optional: false]}], "hexpm"},
|
||||||
|
"crypt": {:git, "https://github.com/msantos/crypt", "1f2b58927ab57e72910191a7ebaeff984382a1d3", [ref: "1f2b58927ab57e72910191a7ebaeff984382a1d3"]},
|
||||||
"db_connection": {:hex, :db_connection, "1.1.3", "89b30ca1ef0a3b469b1c779579590688561d586694a3ce8792985d4d7e575a61", [:mix], [{:connection, "~> 1.0.2", [hex: :connection, repo: "hexpm", optional: false]}, {:poolboy, "~> 1.5", [hex: :poolboy, repo: "hexpm", optional: true]}, {:sbroker, "~> 1.0", [hex: :sbroker, repo: "hexpm", optional: true]}], "hexpm"},
|
"db_connection": {:hex, :db_connection, "1.1.3", "89b30ca1ef0a3b469b1c779579590688561d586694a3ce8792985d4d7e575a61", [:mix], [{:connection, "~> 1.0.2", [hex: :connection, repo: "hexpm", optional: false]}, {:poolboy, "~> 1.5", [hex: :poolboy, repo: "hexpm", optional: true]}, {:sbroker, "~> 1.0", [hex: :sbroker, repo: "hexpm", optional: true]}], "hexpm"},
|
||||||
"decimal": {:hex, :decimal, "1.5.0", "b0433a36d0e2430e3d50291b1c65f53c37d56f83665b43d79963684865beab68", [:mix], [], "hexpm"},
|
"decimal": {:hex, :decimal, "1.5.0", "b0433a36d0e2430e3d50291b1c65f53c37d56f83665b43d79963684865beab68", [:mix], [], "hexpm"},
|
||||||
"ecto": {:hex, :ecto, "2.2.10", "e7366dc82f48f8dd78fcbf3ab50985ceeb11cb3dc93435147c6e13f2cda0992e", [:mix], [{:db_connection, "~> 1.1", [hex: :db_connection, repo: "hexpm", optional: true]}, {:decimal, "~> 1.2", [hex: :decimal, repo: "hexpm", optional: false]}, {:mariaex, "~> 0.8.0", [hex: :mariaex, repo: "hexpm", optional: true]}, {:poison, "~> 2.2 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: true]}, {:poolboy, "~> 1.5", [hex: :poolboy, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.13.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:sbroker, "~> 1.0", [hex: :sbroker, repo: "hexpm", optional: true]}], "hexpm"},
|
"ecto": {:hex, :ecto, "2.2.10", "e7366dc82f48f8dd78fcbf3ab50985ceeb11cb3dc93435147c6e13f2cda0992e", [:mix], [{:db_connection, "~> 1.1", [hex: :db_connection, repo: "hexpm", optional: true]}, {:decimal, "~> 1.2", [hex: :decimal, repo: "hexpm", optional: false]}, {:mariaex, "~> 0.8.0", [hex: :mariaex, repo: "hexpm", optional: true]}, {:poison, "~> 2.2 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: true]}, {:poolboy, "~> 1.5", [hex: :poolboy, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.13.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:sbroker, "~> 1.0", [hex: :sbroker, repo: "hexpm", optional: true]}], "hexpm"},
|
||||||
|
|
|
@ -4,196 +4,50 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do
|
||||||
alias Pleroma.Plugs.AuthenticationPlug
|
alias Pleroma.Plugs.AuthenticationPlug
|
||||||
alias Pleroma.User
|
alias Pleroma.User
|
||||||
|
|
||||||
defp fetch_nil(_name) do
|
setup %{conn: conn} do
|
||||||
{:ok, nil}
|
user = %User{
|
||||||
|
id: 1,
|
||||||
|
name: "dude",
|
||||||
|
password_hash: Comeonin.Pbkdf2.hashpwsalt("guy")
|
||||||
|
}
|
||||||
|
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:auth_user, user)
|
||||||
|
|
||||||
|
%{user: user, conn: conn}
|
||||||
end
|
end
|
||||||
|
|
||||||
@user %User{
|
test "it does nothing if a user is assigned", %{conn: conn} do
|
||||||
id: 1,
|
conn =
|
||||||
name: "dude",
|
conn
|
||||||
password_hash: Comeonin.Pbkdf2.hashpwsalt("guy")
|
|> assign(:user, %User{})
|
||||||
}
|
|
||||||
|
|
||||||
@deactivated %User{
|
ret_conn =
|
||||||
id: 1,
|
conn
|
||||||
name: "dude",
|
|> AuthenticationPlug.call(%{})
|
||||||
password_hash: Comeonin.Pbkdf2.hashpwsalt("guy"),
|
|
||||||
info: %{"deactivated" => true}
|
|
||||||
}
|
|
||||||
|
|
||||||
@session_opts [
|
assert ret_conn == conn
|
||||||
store: :cookie,
|
|
||||||
key: "_test",
|
|
||||||
signing_salt: "cooldude"
|
|
||||||
]
|
|
||||||
|
|
||||||
defp fetch_user(_name) do
|
|
||||||
{:ok, @user}
|
|
||||||
end
|
end
|
||||||
|
|
||||||
defp basic_auth_enc(username, password) do
|
test "with a correct password in the credentials, it assigns the auth_user", %{conn: conn} do
|
||||||
"Basic " <> Base.encode64("#{username}:#{password}")
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:auth_credentials, %{password: "guy"})
|
||||||
|
|> AuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.assigns.user == conn.assigns.auth_user
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "without an authorization header" do
|
test "with a wrong password in the credentials, it does nothing", %{conn: conn} do
|
||||||
test "it halts the application" do
|
conn =
|
||||||
conn =
|
conn
|
||||||
build_conn()
|
|> assign(:auth_credentials, %{password: "wrong"})
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> AuthenticationPlug.call(%{})
|
|
||||||
|
|
||||||
assert conn.status == 403
|
ret_conn =
|
||||||
assert conn.halted == true
|
conn
|
||||||
end
|
|> AuthenticationPlug.call(%{})
|
||||||
|
|
||||||
test "it assigns a nil user if the 'optional' option is used" do
|
assert conn == ret_conn
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> AuthenticationPlug.call(%{optional: true})
|
|
||||||
|
|
||||||
assert %{user: nil} == conn.assigns
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "with an authorization header for a nonexisting user" do
|
|
||||||
test "it halts the application" do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> AuthenticationPlug.call(%{fetcher: &fetch_nil/1})
|
|
||||||
|
|
||||||
assert conn.status == 403
|
|
||||||
assert conn.halted == true
|
|
||||||
end
|
|
||||||
|
|
||||||
test "it assigns a nil user if the 'optional' option is used" do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> AuthenticationPlug.call(%{optional: true, fetcher: &fetch_nil/1})
|
|
||||||
|
|
||||||
assert %{user: nil} == conn.assigns
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "with an incorrect authorization header for a enxisting user" do
|
|
||||||
test "it halts the application" do
|
|
||||||
opts = %{
|
|
||||||
fetcher: &fetch_user/1
|
|
||||||
}
|
|
||||||
|
|
||||||
header = basic_auth_enc("dude", "man")
|
|
||||||
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> put_req_header("authorization", header)
|
|
||||||
|> AuthenticationPlug.call(opts)
|
|
||||||
|
|
||||||
assert conn.status == 403
|
|
||||||
assert conn.halted == true
|
|
||||||
end
|
|
||||||
|
|
||||||
test "it assigns a nil user if the 'optional' option is used" do
|
|
||||||
opts = %{
|
|
||||||
optional: true,
|
|
||||||
fetcher: &fetch_user/1
|
|
||||||
}
|
|
||||||
|
|
||||||
header = basic_auth_enc("dude", "man")
|
|
||||||
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> put_req_header("authorization", header)
|
|
||||||
|> AuthenticationPlug.call(opts)
|
|
||||||
|
|
||||||
assert %{user: nil} == conn.assigns
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "with a correct authorization header for an existing user" do
|
|
||||||
test "it assigns the user", %{conn: conn} do
|
|
||||||
opts = %{
|
|
||||||
optional: true,
|
|
||||||
fetcher: &fetch_user/1
|
|
||||||
}
|
|
||||||
|
|
||||||
header = basic_auth_enc("dude", "guy")
|
|
||||||
|
|
||||||
conn =
|
|
||||||
conn
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> put_req_header("authorization", header)
|
|
||||||
|> AuthenticationPlug.call(opts)
|
|
||||||
|
|
||||||
assert %{user: @user} == conn.assigns
|
|
||||||
assert get_session(conn, :user_id) == @user.id
|
|
||||||
assert conn.halted == false
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "with a correct authorization header for an deactiviated user" do
|
|
||||||
test "it halts the appication", %{conn: conn} do
|
|
||||||
opts = %{
|
|
||||||
optional: false,
|
|
||||||
fetcher: fn _ -> @deactivated end
|
|
||||||
}
|
|
||||||
|
|
||||||
header = basic_auth_enc("dude", "guy")
|
|
||||||
|
|
||||||
conn =
|
|
||||||
conn
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> put_req_header("authorization", header)
|
|
||||||
|> AuthenticationPlug.call(opts)
|
|
||||||
|
|
||||||
assert conn.status == 403
|
|
||||||
assert conn.halted == true
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "with a user_id in the session for an existing user" do
|
|
||||||
test "it assigns the user", %{conn: conn} do
|
|
||||||
opts = %{
|
|
||||||
optional: true,
|
|
||||||
fetcher: &fetch_user/1
|
|
||||||
}
|
|
||||||
|
|
||||||
header = basic_auth_enc("dude", "THIS IS WRONG")
|
|
||||||
|
|
||||||
conn =
|
|
||||||
conn
|
|
||||||
|> Plug.Session.call(Plug.Session.init(@session_opts))
|
|
||||||
|> fetch_session
|
|
||||||
|> put_session(:user_id, @user.id)
|
|
||||||
|> put_req_header("authorization", header)
|
|
||||||
|> AuthenticationPlug.call(opts)
|
|
||||||
|
|
||||||
assert %{user: @user} == conn.assigns
|
|
||||||
assert get_session(conn, :user_id) == @user.id
|
|
||||||
assert conn.halted == false
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "with an assigned user" do
|
|
||||||
test "it does nothing, returning the incoming conn", %{conn: conn} do
|
|
||||||
conn =
|
|
||||||
conn
|
|
||||||
|> assign(:user, @user)
|
|
||||||
|
|
||||||
conn_result = AuthenticationPlug.call(conn, %{})
|
|
||||||
|
|
||||||
assert conn == conn_result
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
31
test/plugs/basic_auth_decoder_plug_test.exs
Normal file
31
test/plugs/basic_auth_decoder_plug_test.exs
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
defmodule Pleroma.Plugs.BasicAuthDecoderPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.BasicAuthDecoderPlug
|
||||||
|
|
||||||
|
defp basic_auth_enc(username, password) do
|
||||||
|
"Basic " <> Base.encode64("#{username}:#{password}")
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it puts the decoded credentials into the assigns", %{conn: conn} do
|
||||||
|
header = basic_auth_enc("moonman", "iloverobek")
|
||||||
|
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> put_req_header("authorization", header)
|
||||||
|
|> BasicAuthDecoderPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.assigns[:auth_credentials] == %{
|
||||||
|
username: "moonman",
|
||||||
|
password: "iloverobek"
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
test "without a authorization header it doesn't do anything", %{conn: conn} do
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> BasicAuthDecoderPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn == ret_conn
|
||||||
|
end
|
||||||
|
end
|
27
test/plugs/ensure_authenticated_plug_test.exs
Normal file
27
test/plugs/ensure_authenticated_plug_test.exs
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
defmodule Pleroma.Plugs.EnsureAuthenticatedPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.EnsureAuthenticatedPlug
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
test "it halts if no user is assigned", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> EnsureAuthenticatedPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.status == 403
|
||||||
|
assert conn.halted == true
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it continues if a user is assigned", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:user, %User{})
|
||||||
|
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> EnsureAuthenticatedPlug.call(%{})
|
||||||
|
|
||||||
|
assert ret_conn == conn
|
||||||
|
end
|
||||||
|
end
|
25
test/plugs/ensure_user_key_plug_test.exs
Normal file
25
test/plugs/ensure_user_key_plug_test.exs
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
defmodule Pleroma.Plugs.EnsureUserKeyPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.EnsureUserKeyPlug
|
||||||
|
|
||||||
|
test "if the conn has a user key set, it does nothing", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:user, 1)
|
||||||
|
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> EnsureUserKeyPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn == ret_conn
|
||||||
|
end
|
||||||
|
|
||||||
|
test "if the conn has no key set, it sets it to nil", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> EnsureUserKeyPlug.call(%{})
|
||||||
|
|
||||||
|
assert Map.has_key?(conn.assigns, :user)
|
||||||
|
end
|
||||||
|
end
|
82
test/plugs/legacy_authentication_plug_test.exs
Normal file
82
test/plugs/legacy_authentication_plug_test.exs
Normal file
|
@ -0,0 +1,82 @@
|
||||||
|
defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.LegacyAuthenticationPlug
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
import Mock
|
||||||
|
|
||||||
|
setup do
|
||||||
|
# password is "password"
|
||||||
|
user = %User{
|
||||||
|
id: 1,
|
||||||
|
name: "dude",
|
||||||
|
password_hash:
|
||||||
|
"$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
|
||||||
|
}
|
||||||
|
|
||||||
|
%{user: user}
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it does nothing if a user is assigned", %{conn: conn, user: user} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:auth_credentials, %{username: "dude", password: "password"})
|
||||||
|
|> assign(:auth_user, user)
|
||||||
|
|> assign(:user, %User{})
|
||||||
|
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> LegacyAuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert ret_conn == conn
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it authenticates the auth_user if present and password is correct and resets the password",
|
||||||
|
%{
|
||||||
|
conn: conn,
|
||||||
|
user: user
|
||||||
|
} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:auth_credentials, %{username: "dude", password: "password"})
|
||||||
|
|> assign(:auth_user, user)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
with_mock User,
|
||||||
|
reset_password: fn user, %{password: password, password_confirmation: password} ->
|
||||||
|
send(self(), :reset_password)
|
||||||
|
{:ok, user}
|
||||||
|
end do
|
||||||
|
conn
|
||||||
|
|> LegacyAuthenticationPlug.call(%{})
|
||||||
|
end
|
||||||
|
|
||||||
|
assert_received :reset_password
|
||||||
|
assert conn.assigns.user == user
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it does nothing if the password is wrong", %{
|
||||||
|
conn: conn,
|
||||||
|
user: user
|
||||||
|
} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:auth_credentials, %{username: "dude", password: "wrong_password"})
|
||||||
|
|> assign(:auth_user, user)
|
||||||
|
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> LegacyAuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn == ret_conn
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with no credentials or user it does nothing", %{conn: conn} do
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> LegacyAuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert ret_conn == conn
|
||||||
|
end
|
||||||
|
end
|
59
test/plugs/session_authentication_plug_test.exs
Normal file
59
test/plugs/session_authentication_plug_test.exs
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
defmodule Pleroma.Plugs.SessionAuthenticationPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.SessionAuthenticationPlug
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
setup %{conn: conn} do
|
||||||
|
session_opts = [
|
||||||
|
store: :cookie,
|
||||||
|
key: "_test",
|
||||||
|
signing_salt: "cooldude"
|
||||||
|
]
|
||||||
|
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> Plug.Session.call(Plug.Session.init(session_opts))
|
||||||
|
|> fetch_session
|
||||||
|
|> assign(:auth_user, %User{id: 1})
|
||||||
|
|
||||||
|
%{conn: conn}
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it does nothing if a user is assigned", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:user, %User{})
|
||||||
|
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> SessionAuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert ret_conn == conn
|
||||||
|
end
|
||||||
|
|
||||||
|
test "if the auth_user has the same id as the user_id in the session, it assigns the user", %{
|
||||||
|
conn: conn
|
||||||
|
} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> put_session(:user_id, conn.assigns.auth_user.id)
|
||||||
|
|> SessionAuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.assigns.user == conn.assigns.auth_user
|
||||||
|
end
|
||||||
|
|
||||||
|
test "if the auth_user has a different id as the user_id in the session, it does nothing", %{
|
||||||
|
conn: conn
|
||||||
|
} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> put_session(:user_id, -1)
|
||||||
|
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> SessionAuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert ret_conn == conn
|
||||||
|
end
|
||||||
|
end
|
39
test/plugs/set_user_session_id_plug_test.exs
Normal file
39
test/plugs/set_user_session_id_plug_test.exs
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
defmodule Pleroma.Plugs.SetUserSessionIdPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.SetUserSessionIdPlug
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
setup %{conn: conn} do
|
||||||
|
session_opts = [
|
||||||
|
store: :cookie,
|
||||||
|
key: "_test",
|
||||||
|
signing_salt: "cooldude"
|
||||||
|
]
|
||||||
|
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> Plug.Session.call(Plug.Session.init(session_opts))
|
||||||
|
|> fetch_session
|
||||||
|
|
||||||
|
%{conn: conn}
|
||||||
|
end
|
||||||
|
|
||||||
|
test "doesn't do anything if the user isn't set", %{conn: conn} do
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> SetUserSessionIdPlug.call(%{})
|
||||||
|
|
||||||
|
assert ret_conn == conn
|
||||||
|
end
|
||||||
|
|
||||||
|
test "sets the user_id in the session to the user id of the user assign", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:user, %User{id: 1})
|
||||||
|
|> SetUserSessionIdPlug.call(%{})
|
||||||
|
|
||||||
|
id = get_session(conn, :user_id)
|
||||||
|
assert id == 1
|
||||||
|
end
|
||||||
|
end
|
35
test/plugs/user_enabled_plug_test.exs
Normal file
35
test/plugs/user_enabled_plug_test.exs
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
defmodule Pleroma.Plugs.UserEnabledPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.UserEnabledPlug
|
||||||
|
alias Pleroma.User
|
||||||
|
|
||||||
|
test "doesn't do anything if the user isn't set", %{conn: conn} do
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> UserEnabledPlug.call(%{})
|
||||||
|
|
||||||
|
assert ret_conn == conn
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with a user that is deactivated, it removes that user", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:user, %User{info: %{"deactivated" => true}})
|
||||||
|
|> UserEnabledPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.assigns.user == nil
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with a user that is not deactivated, it does nothing", %{conn: conn} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:user, %User{})
|
||||||
|
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> UserEnabledPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn == ret_conn
|
||||||
|
end
|
||||||
|
end
|
37
test/plugs/user_fetcher_plug_test.exs
Normal file
37
test/plugs/user_fetcher_plug_test.exs
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
defmodule Pleroma.Plugs.UserFetcherPlugTest do
|
||||||
|
use Pleroma.Web.ConnCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Plugs.UserFetcherPlug
|
||||||
|
import Pleroma.Factory
|
||||||
|
|
||||||
|
setup do
|
||||||
|
user = insert(:user)
|
||||||
|
%{user: user}
|
||||||
|
end
|
||||||
|
|
||||||
|
test "if an auth_credentials assign is present, it tries to fetch the user and assigns it", %{
|
||||||
|
conn: conn,
|
||||||
|
user: user
|
||||||
|
} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:auth_credentials, %{
|
||||||
|
username: user.nickname,
|
||||||
|
password: nil
|
||||||
|
})
|
||||||
|
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> UserFetcherPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.assigns[:auth_user] == user
|
||||||
|
end
|
||||||
|
|
||||||
|
test "without a credential assign it doesn't do anything", %{conn: conn} do
|
||||||
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> UserFetcherPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn == ret_conn
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue