Skip to content

Commit fc038ca

Browse files
manuelluislafriks
manuelluis
authored and
lafriks
committed
In basic auth check for tokens before call UserSignIn (#5725)
* Check first if user/password is a token * In basic auth check if user/password is a token * Remove unnecessary else statement * Changes of fmt
1 parent 48a9025 commit fc038ca

File tree

2 files changed

+83
-42
lines changed

2 files changed

+83
-42
lines changed

modules/auth/auth.go

Lines changed: 46 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -135,15 +135,56 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
135135
if len(baHead) > 0 {
136136
auths := strings.Fields(baHead)
137137
if len(auths) == 2 && auths[0] == "Basic" {
138+
var u *models.User
139+
138140
uname, passwd, _ := base.BasicAuthDecode(auths[1])
139141

140-
u, err := models.UserSignIn(uname, passwd)
141-
if err != nil {
142-
if !models.IsErrUserNotExist(err) {
143-
log.Error(4, "UserSignIn: %v", err)
142+
// Check if username or password is a token
143+
isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
144+
// Assume username is token
145+
authToken := uname
146+
if !isUsernameToken {
147+
// Assume password is token
148+
authToken = passwd
149+
}
150+
token, err := models.GetAccessTokenBySHA(authToken)
151+
if err == nil {
152+
if isUsernameToken {
153+
u, err = models.GetUserByID(token.UID)
154+
if err != nil {
155+
log.Error(4, "GetUserByID: %v", err)
156+
return nil, false
157+
}
158+
} else {
159+
u, err = models.GetUserByName(uname)
160+
if err != nil {
161+
log.Error(4, "GetUserByID: %v", err)
162+
return nil, false
163+
}
164+
if u.ID != token.UID {
165+
return nil, false
166+
}
167+
}
168+
token.UpdatedUnix = util.TimeStampNow()
169+
if err = models.UpdateAccessToken(token); err != nil {
170+
log.Error(4, "UpdateAccessToken: %v", err)
171+
}
172+
} else {
173+
if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
174+
log.Error(4, "GetAccessTokenBySha: %v", err)
144175
}
145-
return nil, false
146176
}
177+
178+
if u == nil {
179+
u, err = models.UserSignIn(uname, passwd)
180+
if err != nil {
181+
if !models.IsErrUserNotExist(err) {
182+
log.Error(4, "UserSignIn: %v", err)
183+
}
184+
return nil, false
185+
}
186+
}
187+
147188
ctx.Data["IsApiToken"] = true
148189
return u, true
149190
}

routers/repo/http.go

Lines changed: 37 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -143,24 +143,24 @@ func HTTP(ctx *context.Context) {
143143
return
144144
}
145145

146-
authUser, err = models.UserSignIn(authUsername, authPasswd)
147-
if err != nil {
148-
if !models.IsErrUserNotExist(err) {
149-
ctx.ServerError("UserSignIn error: %v", err)
150-
return
151-
}
146+
// Check if username or password is a token
147+
isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
148+
// Assume username is token
149+
authToken := authUsername
150+
if !isUsernameToken {
151+
// Assume password is token
152+
authToken = authPasswd
152153
}
153-
154-
if authUser == nil {
155-
isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
156-
157-
// Assume username is token
158-
authToken := authUsername
159-
160-
if !isUsernameToken {
161-
// Assume password is token
162-
authToken = authPasswd
163-
154+
// Assume password is a token.
155+
token, err := models.GetAccessTokenBySHA(authToken)
156+
if err == nil {
157+
if isUsernameToken {
158+
authUser, err = models.GetUserByID(token.UID)
159+
if err != nil {
160+
ctx.ServerError("GetUserByID", err)
161+
return
162+
}
163+
} else {
164164
authUser, err = models.GetUserByName(authUsername)
165165
if err != nil {
166166
if models.IsErrUserNotExist(err) {
@@ -170,37 +170,37 @@ func HTTP(ctx *context.Context) {
170170
}
171171
return
172172
}
173-
}
174-
175-
// Assume password is a token.
176-
token, err := models.GetAccessTokenBySHA(authToken)
177-
if err != nil {
178-
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
173+
if authUser.ID != token.UID {
179174
ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
180-
} else {
181-
ctx.ServerError("GetAccessTokenBySha", err)
175+
return
182176
}
183-
return
184177
}
178+
token.UpdatedUnix = util.TimeStampNow()
179+
if err = models.UpdateAccessToken(token); err != nil {
180+
ctx.ServerError("UpdateAccessToken", err)
181+
}
182+
} else {
183+
if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
184+
log.Error(4, "GetAccessTokenBySha: %v", err)
185+
}
186+
}
185187

186-
if isUsernameToken {
187-
authUser, err = models.GetUserByID(token.UID)
188-
if err != nil {
189-
ctx.ServerError("GetUserByID", err)
188+
if authUser == nil {
189+
// Check username and password
190+
authUser, err = models.UserSignIn(authUsername, authPasswd)
191+
if err != nil {
192+
if !models.IsErrUserNotExist(err) {
193+
ctx.ServerError("UserSignIn error: %v", err)
190194
return
191195
}
192-
} else if authUser.ID != token.UID {
196+
}
197+
198+
if authUser == nil {
193199
ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
194200
return
195201
}
196202

197-
token.UpdatedUnix = util.TimeStampNow()
198-
if err = models.UpdateAccessToken(token); err != nil {
199-
ctx.ServerError("UpdateAccessToken", err)
200-
}
201-
} else {
202203
_, err = models.GetTwoFactorByUID(authUser.ID)
203-
204204
if err == nil {
205205
// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
206206
ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")

0 commit comments

Comments
 (0)