WebDAV: Re-enable authentication with account password #782 #808

Signed-off-by: Michael Mayer <michael@photoprism.app>
Michael Mayer 2024-01-29 14:48:15 +01:00
parent 2243f92fd6
commit 70f8c3be6c


@ -77,39 +77,39 @@ func AuthLocal(user *User, f form.Login, m *Session, c *gin.Context) (authn.Prov
// Get username from login form. // Get username from login form.
userName := f.Username() userName := f.Username()
// Check if a session has been created.
if m == nil {
event.AuditErr([]string{clientIp, "login as %s", "invalid session"}, clean.LogQuote(userName))
return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials)
}
// Check if user account exists. // Check if user account exists.
if user == nil { if user == nil {
message := "account not found" message := "account not found"
limiter.Login.Reserve(clientIp) limiter.Login.Reserve(clientIp)
if m != nil {
event.AuditWarn([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName)) event.AuditWarn([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName))
event.LoginError(clientIp, "api", userName, m.UserAgent, message) event.LoginError(clientIp, "api", userName, m.UserAgent, message)
m.Status = http.StatusUnauthorized m.Status = http.StatusUnauthorized
}
return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials) return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials)
} }
// Login allowed? // Login allowed?
if !user.Provider().IsDefault() && !user.Provider().IsLocal() { if !user.Provider().IsDefault() && !user.Provider().IsLocal() {
message := fmt.Sprintf("%s authentication disabled", authn.ProviderLocal.String()) message := fmt.Sprintf("%s authentication disabled", authn.ProviderLocal.String())
if m != nil {
event.AuditWarn([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName)) event.AuditWarn([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName))
event.LoginError(clientIp, "api", userName, m.UserAgent, message) event.LoginError(clientIp, "api", userName, m.UserAgent, message)
m.Status = http.StatusUnauthorized m.Status = http.StatusUnauthorized
}
return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials) return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials)
} else if !user.CanLogIn() { } else if !user.CanLogIn() {
message := "account disabled" message := "account disabled"
if m != nil {
event.AuditWarn([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName)) event.AuditWarn([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName))
event.LoginError(clientIp, "api", userName, m.UserAgent, message) event.LoginError(clientIp, "api", userName, m.UserAgent, message)
m.Status = http.StatusUnauthorized m.Status = http.StatusUnauthorized
}
return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials) return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials)
} }
// Authentication with personal access token if a valid secret has been provided as password. // Authentication with personal access token if a valid secret has been provided as password.
if authSess, authUser, err := AuthSession(f, c); err == nil { if authSess, authUser, err := AuthSession(f, c); authSess != nil && authUser != nil && err == nil {
if !authUser.IsRegistered() || authUser.UserUID != user.UserUID { if !authUser.IsRegistered() || authUser.UserUID != user.UserUID {
message := "incorrect user" message := "incorrect user"
limiter.Login.Reserve(clientIp) limiter.Login.Reserve(clientIp)
@ -139,9 +139,11 @@ func AuthLocal(user *User, f form.Login, m *Session, c *gin.Context) (authn.Prov
if user.WrongPassword(f.Password) { if user.WrongPassword(f.Password) {
message := "incorrect password" message := "incorrect password"
limiter.Login.Reserve(clientIp) limiter.Login.Reserve(clientIp)
if m != nil {
event.AuditErr([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName)) event.AuditErr([]string{clientIp, "session %s", "login as %s", message}, m.RefID, clean.LogQuote(userName))
event.LoginError(clientIp, "api", userName, m.UserAgent, message) event.LoginError(clientIp, "api", userName, m.UserAgent, message)
m.Status = http.StatusUnauthorized m.Status = http.StatusUnauthorized
}
return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials) return authn.ProviderNone, i18n.Error(i18n.ErrInvalidCredentials)
} else if m != nil { } else if m != nil {
event.AuditInfo([]string{clientIp, "session %s", "login as %s", "succeeded"}, m.RefID, clean.LogQuote(userName)) event.AuditInfo([]string{clientIp, "session %s", "login as %s", "succeeded"}, m.RefID, clean.LogQuote(userName))
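Review bot: A wrong password on the session-less path this commit re-enables (m == nil, presumably the WebDAV basic-auth caller) still reserves the limiter but leaves no audit trail, because both `event.AuditErr` and `event.LoginError` in the incorrect-password branch now sit inside the new `if m != nil` guard. Password-guessing against an account over that path would therefore be invisible in the audit log even though it is rate-limited. The removed session check shows a session-less audit form already exists, so an else branch keeps the record: `} else {` followed by `event.AuditErr([]string{clientIp, "login as %s", message}, clean.LogQuote(userName))`. The same gap applies to the guarded branches in the first hunk, where the "authentication disabled" and "account disabled" branches additionally never call `limiter.Login.Reserve`. AuthLocal begins and ends outside this hunk.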