auth overhaul and legacy GS auth See merge request pleroma/pleroma!331stable
commit
045953225e
@ -0,0 +1,21 @@
|
||||
defmodule Pleroma.Plugs.BasicAuthDecoderPlug do
|
||||
import Plug.Conn
|
||||
|
||||
def init(options) do
|
||||
options
|
||||
end
|
||||
|
||||
def call(conn, opts) do
|
||||
with ["Basic " <> header] <- get_req_header(conn, "authorization"),
|
||||
{:ok, userinfo} <- Base.decode64(header),
|
||||
[username, password] <- String.split(userinfo, ":", parts: 2) do
|
||||
conn
|
||||
|> assign(:auth_credentials, %{
|
||||
username: username,
|
||||
password: password
|
||||
})
|
||||
else
|
||||
_ -> conn
|
||||
end
|
||||
end
|
||||
end
|
@ -0,0 +1,19 @@
|
||||
defmodule Pleroma.Plugs.EnsureAuthenticatedPlug do
|
||||
import Plug.Conn
|
||||
alias Pleroma.User
|
||||
|
||||
def init(options) do
|
||||
options
|
||||
end
|
||||
|
||||
def call(%{assigns: %{user: %User{}}} = conn, _) do
|
||||
conn
|
||||
end
|
||||
|
||||
def call(conn, _) do
|
||||
conn
|
||||
|> put_resp_content_type("application/json")
|
||||
|> send_resp(403, Jason.encode!(%{error: "Invalid credentials."}))
|
||||
|> halt
|
||||
end
|
||||
end
|
@ -0,0 +1,14 @@
|
||||
defmodule Pleroma.Plugs.EnsureUserKeyPlug do
|
||||
import Plug.Conn
|
||||
|
||||
def init(opts) do
|
||||
opts
|
||||
end
|
||||
|
||||
def call(%{assigns: %{user: _}} = conn, _), do: conn
|
||||
|
||||
def call(conn, _) do
|
||||
conn
|
||||
|> assign(:user, nil)
|
||||
end
|
||||
end
|
@ -0,0 +1,35 @@
|
||||
defmodule Pleroma.Plugs.LegacyAuthenticationPlug do
|
||||
import Plug.Conn
|
||||
alias Pleroma.User
|
||||
|
||||
def init(options) do
|
||||
options
|
||||
end
|
||||
|
||||
def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
|
||||
|
||||
def call(
|
||||
%{
|
||||
assigns: %{
|
||||
auth_user: %{password_hash: "$6$" <> _ = password_hash} = auth_user,
|
||||
auth_credentials: %{password: password}
|
||||
}
|
||||
} = conn,
|
||||
_
|
||||
) do
|
||||
with ^password_hash <- :crypt.crypt(password, password_hash),
|
||||
{:ok, user} <-
|
||||
User.reset_password(auth_user, %{password: password, password_confirmation: password}) do
|
||||
conn
|
||||
|> assign(:auth_user, user)
|
||||
|> assign(:user, user)
|
||||
else
|
||||
_ ->
|
||||
conn
|
||||
end
|
||||
end
|
||||
|
||||
def call(conn, _) do
|
||||
conn
|
||||
end
|
||||
end
|
@ -0,0 +1,18 @@
|
||||
defmodule Pleroma.Plugs.SessionAuthenticationPlug do
|
||||
import Plug.Conn
|
||||
alias Pleroma.User
|
||||
|
||||
def init(options) do
|
||||
options
|
||||
end
|
||||
|
||||
def call(conn, _) do
|
||||
with saved_user_id <- get_session(conn, :user_id),
|
||||
%{auth_user: %{id: ^saved_user_id}} <- conn.assigns do
|
||||
conn
|
||||
|> assign(:user, conn.assigns.auth_user)
|
||||
else
|
||||
_ -> conn
|
||||
end
|
||||
end
|
||||
end
|
@ -0,0 +1,15 @@
|
||||
defmodule Pleroma.Plugs.SetUserSessionIdPlug do
|
||||
import Plug.Conn
|
||||
alias Pleroma.User
|
||||
|
||||
def init(opts) do
|
||||
opts
|
||||
end
|
||||
|
||||
def call(%{assigns: %{user: %User{id: id}}} = conn, _) do
|
||||
conn
|
||||
|> put_session(:user_id, id)
|
||||
end
|
||||
|
||||
def call(conn, _), do: conn
|
||||
end
|
@ -0,0 +1,17 @@
|
||||
defmodule Pleroma.Plugs.UserEnabledPlug do
|
||||
import Plug.Conn
|
||||
alias Pleroma.User
|
||||
|
||||
def init(options) do
|
||||
options
|
||||
end
|
||||
|
||||
def call(%{assigns: %{user: %User{info: %{"deactivated" => true}}}} = conn, _) do
|
||||
conn
|
||||
|> assign(:user, nil)
|
||||
end
|
||||
|
||||
def call(conn, _) do
|
||||
conn
|
||||
end
|
||||
end
|
@ -0,0 +1,34 @@
|
||||
defmodule Pleroma.Plugs.UserFetcherPlug do
|
||||
import Plug.Conn
|
||||
alias Pleroma.Repo
|
||||
alias Pleroma.User
|
||||
|
||||
def init(options) do
|
||||
options
|
||||
end
|
||||
|
||||
def call(conn, options) do
|
||||
with %{auth_credentials: %{username: username}} <- conn.assigns,
|
||||
{:ok, %User{} = user} <- user_fetcher(username) do
|
||||
conn
|
||||
|> assign(:auth_user, user)
|
||||
else
|
||||
_ -> conn
|
||||
end
|
||||
end
|
||||
|
||||
defp user_fetcher(username_or_email) do
|
||||
{
|
||||
:ok,
|
||||
cond do
|
||||
# First, try logging in as if it was a name
|
||||
user = Repo.get_by(User, %{nickname: username_or_email}) ->
|
||||
user
|
||||
|
||||
# If we get nil, we try using it as an email
|
||||
user = Repo.get_by(User, %{email: username_or_email}) ->
|
||||
user
|
||||
end
|
||||
}
|
||||
end
|
||||
end
|
@ -0,0 +1,31 @@
|
||||
defmodule Pleroma.Plugs.BasicAuthDecoderPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.BasicAuthDecoderPlug
|
||||
|
||||
defp basic_auth_enc(username, password) do
|
||||
"Basic " <> Base.encode64("#{username}:#{password}")
|
||||
end
|
||||
|
||||
test "it puts the decoded credentials into the assigns", %{conn: conn} do
|
||||
header = basic_auth_enc("moonman", "iloverobek")
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> put_req_header("authorization", header)
|
||||
|> BasicAuthDecoderPlug.call(%{})
|
||||
|
||||
assert conn.assigns[:auth_credentials] == %{
|
||||
username: "moonman",
|
||||
password: "iloverobek"
|
||||
}
|
||||
end
|
||||
|
||||
test "without a authorization header it doesn't do anything", %{conn: conn} do
|
||||
ret_conn =
|
||||
conn
|
||||
|> BasicAuthDecoderPlug.call(%{})
|
||||
|
||||
assert conn == ret_conn
|
||||
end
|
||||
end
|
@ -0,0 +1,27 @@
|
||||
defmodule Pleroma.Plugs.EnsureAuthenticatedPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.EnsureAuthenticatedPlug
|
||||
alias Pleroma.User
|
||||
|
||||
test "it halts if no user is assigned", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> EnsureAuthenticatedPlug.call(%{})
|
||||
|
||||
assert conn.status == 403
|
||||
assert conn.halted == true
|
||||
end
|
||||
|
||||
test "it continues if a user is assigned", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, %User{})
|
||||
|
||||
ret_conn =
|
||||
conn
|
||||
|> EnsureAuthenticatedPlug.call(%{})
|
||||
|
||||
assert ret_conn == conn
|
||||
end
|
||||
end
|
@ -0,0 +1,25 @@
|
||||
defmodule Pleroma.Plugs.EnsureUserKeyPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.EnsureUserKeyPlug
|
||||
|
||||
test "if the conn has a user key set, it does nothing", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, 1)
|
||||
|
||||
ret_conn =
|
||||
conn
|
||||
|> EnsureUserKeyPlug.call(%{})
|
||||
|
||||
assert conn == ret_conn
|
||||
end
|
||||
|
||||
test "if the conn has no key set, it sets it to nil", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> EnsureUserKeyPlug.call(%{})
|
||||
|
||||
assert Map.has_key?(conn.assigns, :user)
|
||||
end
|
||||
end
|
@ -0,0 +1,82 @@
|
||||
defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.LegacyAuthenticationPlug
|
||||
alias Pleroma.User
|
||||
|
||||
import Mock
|
||||
|
||||
setup do
|
||||
# password is "password"
|
||||
user = %User{
|
||||
id: 1,
|
||||
name: "dude",
|
||||
password_hash:
|
||||
"$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
|
||||
}
|
||||
|
||||
%{user: user}
|
||||
end
|
||||
|
||||
test "it does nothing if a user is assigned", %{conn: conn, user: user} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:auth_credentials, %{username: "dude", password: "password"})
|
||||
|> assign(:auth_user, user)
|
||||
|> assign(:user, %User{})
|
||||
|
||||
ret_conn =
|
||||
conn
|
||||
|> LegacyAuthenticationPlug.call(%{})
|
||||
|
||||
assert ret_conn == conn
|
||||
end
|
||||
|
||||
test "it authenticates the auth_user if present and password is correct and resets the password",
|
||||
%{
|
||||
conn: conn,
|
||||
user: user
|
||||
} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:auth_credentials, %{username: "dude", password: "password"})
|
||||
|> assign(:auth_user, user)
|
||||
|
||||
conn =
|
||||
with_mock User,
|
||||
reset_password: fn user, %{password: password, password_confirmation: password} ->
|
||||
send(self(), :reset_password)
|
||||
{:ok, user}
|
||||
end do
|
||||
conn
|
||||
|> LegacyAuthenticationPlug.call(%{})
|
||||
end
|
||||
|
||||
assert_received :reset_password
|
||||
assert conn.assigns.user == user
|
||||
end
|
||||
|
||||
test "it does nothing if the password is wrong", %{
|
||||
conn: conn,
|
||||
user: user
|
||||
} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:auth_credentials, %{username: "dude", password: "wrong_password"})
|
||||
|> assign(:auth_user, user)
|
||||
|
||||
ret_conn =
|
||||
conn
|
||||
|> LegacyAuthenticationPlug.call(%{})
|
||||
|
||||
assert conn == ret_conn
|
||||
end
|
||||
|
||||
test "with no credentials or user it does nothing", %{conn: conn} do
|
||||
ret_conn =
|
||||
conn
|
||||
|> LegacyAuthenticationPlug.call(%{})
|
||||
|
||||
assert ret_conn == conn
|
||||
end
|
||||
end
|
@ -0,0 +1,59 @@
|
||||
defmodule Pleroma.Plugs.SessionAuthenticationPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.SessionAuthenticationPlug
|
||||
alias Pleroma.User
|
||||
|
||||
setup %{conn: conn} do
|
||||
session_opts = [
|
||||
store: :cookie,
|
||||
key: "_test",
|
||||
signing_salt: "cooldude"
|
||||
]
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> Plug.Session.call(Plug.Session.init(session_opts))
|
||||
|> fetch_session
|
||||
|> assign(:auth_user, %User{id: 1})
|
||||
|
||||
%{conn: conn}
|
||||
end
|
||||
|
||||
test "it does nothing if a user is assigned", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, %User{})
|
||||
|
||||
ret_conn =
|
||||
conn
|
||||
|> SessionAuthenticationPlug.call(%{})
|
||||
|
||||
assert ret_conn == conn
|
||||
end
|
||||
|
||||
test "if the auth_user has the same id as the user_id in the session, it assigns the user", %{
|
||||
conn: conn
|
||||
} do
|
||||
conn =
|
||||
conn
|
||||
|> put_session(:user_id, conn.assigns.auth_user.id)
|
||||
|> SessionAuthenticationPlug.call(%{})
|
||||
|
||||
assert conn.assigns.user == conn.assigns.auth_user
|
||||
end
|
||||
|
||||
test "if the auth_user has a different id as the user_id in the session, it does nothing", %{
|
||||
conn: conn
|
||||
} do
|
||||
conn =
|
||||
conn
|
||||
|> put_session(:user_id, -1)
|
||||
|
||||
ret_conn =
|
||||
conn
|
||||
|> SessionAuthenticationPlug.call(%{})
|
||||
|
||||
assert ret_conn == conn
|
||||
end
|
||||
end
|
@ -0,0 +1,39 @@
|
||||
defmodule Pleroma.Plugs.SetUserSessionIdPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.SetUserSessionIdPlug
|
||||
alias Pleroma.User
|
||||
|
||||
setup %{conn: conn} do
|
||||
session_opts = [
|
||||
store: :cookie,
|
||||
key: "_test",
|
||||
signing_salt: "cooldude"
|
||||
]
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> Plug.Session.call(Plug.Session.init(session_opts))
|
||||
|> fetch_session
|
||||
|
||||
%{conn: conn}
|
||||
end
|
||||
|
||||
test "doesn't do anything if the user isn't set", %{conn: conn} do
|
||||
ret_conn =
|
||||
conn
|
||||
|> SetUserSessionIdPlug.call(%{})
|
||||
|
||||
assert ret_conn == conn
|
||||
end
|
||||
|
||||
test "sets the user_id in the session to the user id of the user assign", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, %User{id: 1})
|
||||
|> SetUserSessionIdPlug.call(%{})
|
||||
|
||||
id = get_session(conn, :user_id)
|
||||
assert id == 1
|
||||
end
|
||||
end
|
@ -0,0 +1,35 @@
|
||||
defmodule Pleroma.Plugs.UserEnabledPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.UserEnabledPlug
|
||||
alias Pleroma.User
|
||||
|
||||
test "doesn't do anything if the user isn't set", %{conn: conn} do
|
||||
ret_conn =
|
||||
conn
|
||||
|> UserEnabledPlug.call(%{})
|
||||
|
||||
assert ret_conn == conn
|
||||
end
|
||||
|
||||
test "with a user that is deactivated, it removes that user", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, %User{info: %{"deactivated" => true}})
|
||||
|> UserEnabledPlug.call(%{})
|
||||
|
||||
assert conn.assigns.user == nil
|
||||
end
|
||||
|
||||
test "with a user that is not deactivated, it does nothing", %{conn: conn} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, %User{})
|
||||
|
||||
ret_conn =
|
||||
conn
|
||||
|> UserEnabledPlug.call(%{})
|
||||
|
||||
assert conn == ret_conn
|
||||
end
|
||||
end
|
@ -0,0 +1,37 @@
|
||||
defmodule Pleroma.Plugs.UserFetcherPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
alias Pleroma.Plugs.UserFetcherPlug
|
||||
import Pleroma.Factory
|
||||
|
||||
setup do
|
||||
user = insert(:user)
|
||||
%{user: user}
|
||||
end
|
||||
|
||||
test "if an auth_credentials assign is present, it tries to fetch the user and assigns it", %{
|
||||
conn: conn,
|
||||
user: user
|
||||
} do
|
||||
conn =
|
||||
conn
|
||||
|> assign(:auth_credentials, %{
|
||||
username: user.nickname,
|
||||
password: nil
|
||||
})
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> UserFetcherPlug.call(%{})
|
||||
|
||||
assert conn.assigns[:auth_user] == user
|
||||
end
|
||||
|
||||
test "without a credential assign it doesn't do anything", %{conn: conn} do
|
||||
ret_conn =
|
||||
conn
|
||||
|> UserFetcherPlug.call(%{})
|
||||
|
||||
assert conn == ret_conn
|
||||
end
|
||||
end
|
Loading…
Reference in new issue