Skip to content

Commit

Permalink
Prevent disabled User from SSO login
Browse files Browse the repository at this point in the history
  • Loading branch information
Timshel committed Dec 17, 2024
1 parent 02a9ab5 commit 28146e2
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 6 deletions.
49 changes: 43 additions & 6 deletions src/api/identity.rs
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,12 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
crate::ratelimit::check_limit_login(&ip.ip)?;

let code = match data.code.as_ref() {
None => err!("Got no code in OIDC data"),
None => err!(
"Got no code in OIDC data",
ErrorEvent {
event: EventType::UserFailedLogIn
}
),
Some(code) => code,
};

Expand All @@ -166,14 +171,33 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
"Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
user_infos.identifier, user.uuid, user.email
);
err_silent!("Existing non SSO user with same email")
err_silent!(
"Existing non SSO user with same email",
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
}
Some((user, Some(sso_user))) if sso_user.identifier != user_infos.identifier => {
error!(
"Login failure ({}), existing SSO user ({}) with same email ({})",
user_infos.identifier, user.uuid, user.email
);
err_silent!("Existing SSO user with same email")
err_silent!(
"Existing SSO user with same email",
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
}
Some((user, _)) if !user.enabled => {
err!(
"This user has been disabled",
format!("IP: {}. Username: {}.", ip.ip, user.name),
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
}
Some((user, sso_user)) => {
let (mut device, new_device) = get_device(&data, conn, &user).await?;
Expand All @@ -190,15 +214,28 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
let (user, mut device, new_device, twofactor_token, sso_user) = match user_data {
None => {
if !CONFIG.is_email_domain_allowed(&user_infos.email) {
err!("Email domain not allowed");
err!(
"Email domain not allowed",
ErrorEvent {
event: EventType::UserFailedLogIn
}
);
}

match user_infos.email_verified {
None if !CONFIG.sso_allow_unknown_email_verification() => err!(
"Your provider does not send email verification status.\n\
You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in."
You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in.",
ErrorEvent {
event: EventType::UserFailedLogIn
}
),
Some(false) => err!(
"You need to verify your email with your provider before you can log in",
ErrorEvent {
event: EventType::UserFailedLogIn
}
),
Some(false) => err!("You need to verify your email with your provider before you can log in"),
_ => (),
}

Expand Down
6 changes: 6 additions & 0 deletions src/error.rs
Original file line number Diff line number Diff line change
Expand Up @@ -255,9 +255,15 @@ macro_rules! err_silent {
($msg:expr) => {{
return Err($crate::error::Error::new($msg, $msg));
}};
($msg:expr, ErrorEvent $err_event:tt) => {{
return Err($crate::error::Error::new($msg, $msg).with_event($crate::error::ErrorEvent $err_event));
}};
($usr_msg:expr, $log_value:expr) => {{
return Err($crate::error::Error::new($usr_msg, $log_value));
}};
($usr_msg:expr, $log_value:expr, ErrorEvent $err_event:tt) => {{
return Err($crate::error::Error::new($usr_msg, $log_value).with_event($crate::error::ErrorEvent $err_event));
}};
}

#[macro_export]
Expand Down

0 comments on commit 28146e2

Please sign in to comment.