refactor login
first step toward LDAP; should have no functional change
This commit is contained in:
parent
003dcf861a
commit
b24f195e10
@ -292,11 +292,47 @@ impl User {
|
|||||||
bcrypt::hash(pass, 10).map_err(Error::from)
|
bcrypt::hash(pass, 10).map_err(Error::from)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn auth(&self, pass: &str) -> bool {
|
fn ldap_register() -> Result<User> {
|
||||||
self.hashed_password
|
return Err(Error::NotFound);
|
||||||
.clone()
|
unimplemented!()
|
||||||
.map(|hashed| bcrypt::verify(pass, hashed.as_ref()).unwrap_or(false))
|
}
|
||||||
.unwrap_or(false)
|
|
||||||
|
fn ldap_login(&self) -> bool {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn login(conn: &Connection, ident: &str, password: &str) -> Result<User> {
|
||||||
|
let local_id = Instance::get_local()?.id;
|
||||||
|
let user = User::find_by_email(conn, ident)
|
||||||
|
.or_else(|_| User::find_by_name(conn, ident, local_id))
|
||||||
|
.or_else(|_| User::ldap_register())
|
||||||
|
.and_then(|u| if u.instance_id == local_id {
|
||||||
|
Ok(u)
|
||||||
|
} else {
|
||||||
|
Err(Error::NotFound)
|
||||||
|
});
|
||||||
|
|
||||||
|
match user {
|
||||||
|
Ok(user) if user.hashed_password.is_some() => {
|
||||||
|
if bcrypt::verify(password, user.hashed_password.as_ref().unwrap()).unwrap_or(false) {
|
||||||
|
Ok(user)
|
||||||
|
} else {
|
||||||
|
Err(Error::NotFound)
|
||||||
|
}
|
||||||
|
},
|
||||||
|
Ok(user) => {
|
||||||
|
if user.ldap_login() {
|
||||||
|
Ok(user)
|
||||||
|
} else {
|
||||||
|
Err(Error::NotFound)
|
||||||
|
}
|
||||||
|
},
|
||||||
|
e => {
|
||||||
|
let other = User::get(&*conn, 1).expect("No user is registered").hashed_password;
|
||||||
|
other.map(|pass| bcrypt::verify(password, &pass));
|
||||||
|
e
|
||||||
|
},
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn reset_password(&self, conn: &Connection, pass: &str) -> Result<()> {
|
pub fn reset_password(&self, conn: &Connection, pass: &str) -> Result<()> {
|
||||||
|
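Review bot: The `e =>` arm of `login` calls `User::get(&*conn, 1).expect("No user is registered")`, so a missing user id 1 now panics inside a request instead of being reported; the oauth hunk previously used `User::get(conn, 1)?` for the same fake verification, so for that caller the refactor turns an error return into a panic, contrary to the "no functional change" intent. A non-panicking form is `if let Ok(Some(pass)) = User::get(&*conn, 1).map(|u| u.hashed_password) { let _ = bcrypt::verify(password, &pass); }`. In `ldap_register` the `unimplemented!()` after `return Err(Error::NotFound);` is unreachable and only draws a compiler warning; keep one or the other. `login` also deserves a doc comment stating that unknown user, user on another instance and wrong password all yield `Error::NotFound`, and that the `Ok(user) =>` arm for users without a `hashed_password` performs no bcrypt round, so its response time differs from the other arms — worth recording before the LDAP path is filled in. The enclosing `impl User` block extends beyond the hunk.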
@ -62,8 +62,7 @@ pub fn oauth(
|
|||||||
let conn = &*rockets.conn;
|
let conn = &*rockets.conn;
|
||||||
let app = App::find_by_client_id(conn, &query.client_id)?;
|
let app = App::find_by_client_id(conn, &query.client_id)?;
|
||||||
if app.client_secret == query.client_secret {
|
if app.client_secret == query.client_secret {
|
||||||
if let Ok(user) = User::find_by_fqn(&rockets, &query.username) {
|
if let Ok(user) = User::login(conn, &query.username, &query.password) {
|
||||||
if user.auth(&query.password) {
|
|
||||||
let token = ApiToken::insert(
|
let token = ApiToken::insert(
|
||||||
conn,
|
conn,
|
||||||
NewApiToken {
|
NewApiToken {
|
||||||
@ -81,15 +80,6 @@ pub fn oauth(
|
|||||||
"error": "Invalid credentials"
|
"error": "Invalid credentials"
|
||||||
})))
|
})))
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
// Making fake password verification to avoid different
|
|
||||||
// response times that would make it possible to know
|
|
||||||
// if a username is registered or not.
|
|
||||||
User::get(conn, 1)?.auth(&query.password);
|
|
||||||
Ok(Json(json!({
|
|
||||||
"error": "Invalid credentials"
|
|
||||||
})))
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
Ok(Json(json!({
|
Ok(Json(json!({
|
||||||
"error": "Invalid client_secret"
|
"error": "Invalid client_secret"
|
||||||
|
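Review bot: The user lookup in `oauth` changes from `User::find_by_fqn(&rockets, &query.username)` to `User::login`, which (per the `impl User` hunk) resolves `ident` through `find_by_email` and `find_by_name(conn, ident, local_id)`; if `find_by_fqn` accepted a `name@domain` form, OAuth clients sending that form would now get `"Invalid credentials"`, which the commit message says should not happen — worth confirming against `find_by_fqn` or documenting the accepted identifier forms on `login`. The `if let Ok(user)` still collapses every error from `login`, including the `?` on `Instance::get_local()`, into the same `"Invalid credentials"` body; that matches the old code, but a `match` that logs errors other than `Error::NotFound` would make database failures diagnosable without changing the response. `oauth` starts and ends outside this hunk.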
@ -48,38 +48,19 @@ pub fn create(
|
|||||||
rockets: PlumeRocket,
|
rockets: PlumeRocket,
|
||||||
) -> RespondOrRedirect {
|
) -> RespondOrRedirect {
|
||||||
let conn = &*rockets.conn;
|
let conn = &*rockets.conn;
|
||||||
let user = User::find_by_email(&*conn, &form.email_or_name)
|
|
||||||
.or_else(|_| User::find_by_fqn(&rockets, &form.email_or_name));
|
|
||||||
let mut errors = match form.validate() {
|
let mut errors = match form.validate() {
|
||||||
Ok(_) => ValidationErrors::new(),
|
Ok(_) => ValidationErrors::new(),
|
||||||
Err(e) => e,
|
Err(e) => e,
|
||||||
};
|
};
|
||||||
|
let user = User::login(conn, &form.email_or_name, &form.password);
|
||||||
let user_id = if let Ok(user) = user {
|
let user_id = if let Ok(user) = user {
|
||||||
if !user.auth(&form.password) {
|
|
||||||
let mut err = ValidationError::new("invalid_login");
|
|
||||||
err.message = Some(Cow::from("Invalid username, or password"));
|
|
||||||
errors.add("email_or_name", err);
|
|
||||||
String::new()
|
|
||||||
} else {
|
|
||||||
user.id.to_string()
|
user.id.to_string()
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
// Fake password verification, only to avoid different login times
|
|
||||||
// that could be used to see if an email adress is registered or not
|
|
||||||
User::get(&*conn, 1)
|
|
||||||
.map(|u| u.auth(&form.password))
|
|
||||||
.expect("No user is registered");
|
|
||||||
|
|
||||||
let mut err = ValidationError::new("invalid_login");
|
let mut err = ValidationError::new("invalid_login");
|
||||||
err.message = Some(Cow::from("Invalid username, or password"));
|
err.message = Some(Cow::from("Invalid username, or password"));
|
||||||
errors.add("email_or_name", err);
|
errors.add("email_or_name", err);
|
||||||
String::new()
|
|
||||||
};
|
|
||||||
|
|
||||||
if !errors.is_empty() {
|
|
||||||
return render!(session::login(&rockets.to_context(), None, &*form, errors)).into();
|
return render!(session::login(&rockets.to_context(), None, &*form, errors)).into();
|
||||||
}
|
};
|
||||||
|
|
||||||
cookies.add_private(
|
cookies.add_private(
|
||||||
Cookie::build(AUTH_COOKIE, user_id)
|
Cookie::build(AUTH_COOKIE, user_id)
|
||||||
|
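Review bot: The `if !errors.is_empty() { return render!(...).into(); }` check that followed the login block is dropped, so in the new code the `errors` collected from `form.validate()` are only rendered when `User::login` fails; a form that fails validation but carries valid credentials now logs the user in and silently discards the validation errors. Either restore the check after the `let user_id = ...` block, or run it before `let user = User::login(...)` so an invalid form returns early without spending a bcrypt round: `if !errors.is_empty() { return render!(session::login(&rockets.to_context(), None, &*form, errors)).into(); }`. If the drop is intentional, say so in a comment next to `let mut errors`, since `errors` is otherwise only extended in the failure branch. `create` starts and ends outside this hunk.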