From 28146e292db0e096b76f4b52916cbbab8317835e Mon Sep 17 00:00:00 2001
From: Timshel
Date: Thu, 28 Nov 2024 16:44:37 +0100
Subject: [PATCH] Prevent disabled User from SSO login

---
 src/api/identity.rs | 49 +++++++++++++++++++++++++++++++++++++++------
 src/error.rs | 6 ++++++
 2 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/src/api/identity.rs b/src/api/identity.rs
index 306d4aa7aa..8428506322 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -152,7 +152,12 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option, conn: &mu
     crate::ratelimit::check_limit_login(&ip.ip)?;
 
     let code = match data.code.as_ref() {
-        None => err!("Got no code in OIDC data"),
+        None => err!(
+            "Got no code in OIDC data",
+            ErrorEvent {
+                event: EventType::UserFailedLogIn
+            }
+        ),
         Some(code) => code,
     };
 
@@ -166,14 +171,33 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option, conn: &mu
                 "Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
                 user_infos.identifier, user.uuid, user.email
             );
-            err_silent!("Existing non SSO user with same email")
+            err_silent!(
+                "Existing non SSO user with same email",
+                ErrorEvent {
+                    event: EventType::UserFailedLogIn
+                }
+            )
         }
         Some((user, Some(sso_user))) if sso_user.identifier != user_infos.identifier => {
             error!(
                 "Login failure ({}), existing SSO user ({}) with same email ({})",
                 user_infos.identifier, user.uuid, user.email
             );
-            err_silent!("Existing SSO user with same email")
+            err_silent!(
+                "Existing SSO user with same email",
+                ErrorEvent {
+                    event: EventType::UserFailedLogIn
+                }
+            )
+        }
+        Some((user, _)) if !user.enabled => {
+            err!(
+                "This user has been disabled",
+                format!("IP: {}. Username: {}.", ip.ip, user.name),
+                ErrorEvent {
+                    event: EventType::UserFailedLogIn
+                }
+            )
         }
         Some((user, sso_user)) => {
             let (mut device, new_device) = get_device(&data, conn, &user).await?;
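Review bot: The new `Some((user, _)) if !user.enabled` arm in the second hunk returns through `err!` without recording which account the failure belongs to, although `_sso_login` receives a `user_uuid: &mut Option<..>` out-parameter (visible in the hunk header). If the `UserFailedLogIn` event is attributed to an account through that out-parameter elsewhere in this module, the event emitted here would be left unlinked from the disabled user; adding `*user_uuid = Some(user.uuid.clone());` as the arm's first statement would fix that, assuming nothing earlier in the function already sets it. The two `err_silent!` arms above have the same gap, but they cover accounts that are deliberately not associated, so leaving those unattributed may be intentional. `_sso_login` starts and ends outside this hunk.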
@@ -190,15 +214,28 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option, conn: &mu
     let (user, mut device, new_device, twofactor_token, sso_user) = match user_data {
         None => {
             if !CONFIG.is_email_domain_allowed(&user_infos.email) {
-                err!("Email domain not allowed");
+                err!(
+                    "Email domain not allowed",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                );
             }
 
             match user_infos.email_verified {
                 None if !CONFIG.sso_allow_unknown_email_verification() => err!(
                     "Your provider does not send email verification status.\n\
-                    You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in."
+                    You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in.",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                ),
+                Some(false) => err!(
+                    "You need to verify your email with your provider before you can log in",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
                 ),
-                Some(false) => err!("You need to verify your email with your provider before you can log in"),
                 _ => (),
             }
 
diff --git a/src/error.rs b/src/error.rs
index bf9f2cf405..d0048b0c78 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -255,9 +255,15 @@ macro_rules! err_silent {
     ($msg:expr) => {{
         return Err($crate::error::Error::new($msg, $msg));
     }};
+    ($msg:expr, ErrorEvent $err_event:tt) => {{
+        return Err($crate::error::Error::new($msg, $msg).with_event($crate::error::ErrorEvent $err_event));
+    }};
     ($usr_msg:expr, $log_value:expr) => {{
         return Err($crate::error::Error::new($usr_msg, $log_value));
     }};
+    ($usr_msg:expr, $log_value:expr, ErrorEvent $err_event:tt) => {{
+        return Err($crate::error::Error::new($usr_msg, $log_value).with_event($crate::error::ErrorEvent $err_event));
+    }};
 }
 
 #[macro_export]
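Review bot: The new `($msg:expr, ErrorEvent $err_event:tt)` arm in `err_silent!` is order-sensitive but carries no comment: a struct literal `ErrorEvent { .. }` is itself a valid `expr`, so if the existing `($usr_msg:expr, $log_value:expr)` arm came first it would capture the event as the log value and the `.with_event(..)` arm would never be reached. A one-line comment above the new arm documents that invariant for the next person who reorders the macro: `// Keep ahead of the ($usr_msg, $log_value) arm: an ErrorEvent struct literal also parses as an expr.` The three-argument arm has no such conflict because the two-argument arm cannot consume a third comma-separated argument. Since identity.rs calls `err!` with the same `ErrorEvent` shape, `err!` presumably already has matching arms; naming it in the comment helps keep the two macros in sync.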