diff options
| author | lain <lain@soykaf.club> | 2020-04-28 09:18:59 +0000 |
|---|---|---|
| committer | lain <lain@soykaf.club> | 2020-04-28 09:18:59 +0000 |
| commit | 9994768312ede572c4ddd6beda7027b0a2baddce (patch) | |
| tree | 8326c8643175cf0147601e43f1a32f63e8bf7f63 | |
| parent | 01cc93b6873b5c50c0fc54774a3b004bf660e46b (diff) | |
| parent | 5ff20793e739daa962cdc1623c01dc6ec1ff8a61 (diff) | |
| download | pleroma-9994768312ede572c4ddd6beda7027b0a2baddce.tar.gz | |
Merge branch 'mongoose-secure' into 'develop'
mongoose auth endpoint worked for deactivated accounts
See merge request pleroma/pleroma!2432
| -rw-r--r-- | lib/pleroma/web/mongooseim/mongoose_im_controller.ex | 4 | ||||
| -rw-r--r-- | test/web/mongooseim/mongoose_im_controller_test.exs | 22 |
2 files changed, 24 insertions, 2 deletions
diff --git a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex index 04d823b36..1ed6ee521 100644 --- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex +++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex @@ -14,7 +14,7 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password) def user_exists(conn, %{"user" => username}) do - with %User{} <- Repo.get_by(User, nickname: username, local: true) do + with %User{} <- Repo.get_by(User, nickname: username, local: true, deactivated: false) do conn |> json(true) else @@ -26,7 +26,7 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do end def check_password(conn, %{"user" => username, "pass" => password}) do - with %User{password_hash: password_hash} <- + with %User{password_hash: password_hash, deactivated: false} <- Repo.get_by(User, nickname: username, local: true), true <- Pbkdf2.checkpw(password, password_hash) do conn diff --git a/test/web/mongooseim/mongoose_im_controller_test.exs b/test/web/mongooseim/mongoose_im_controller_test.exs index 291ae54fc..1ac2f2c27 100644 --- a/test/web/mongooseim/mongoose_im_controller_test.exs +++ b/test/web/mongooseim/mongoose_im_controller_test.exs @@ -9,6 +9,7 @@ defmodule Pleroma.Web.MongooseIMController do test "/user_exists", %{conn: conn} do _user = insert(:user, nickname: "lain") _remote_user = insert(:user, nickname: "alice", local: false) + _deactivated_user = insert(:user, nickname: "konata", deactivated: true) res = conn @@ -30,11 +31,25 @@ defmodule Pleroma.Web.MongooseIMController do |> json_response(404) assert res == false + + res = + conn + |> get(mongoose_im_path(conn, :user_exists), user: "konata") + |> json_response(404) + + assert res == false end test "/check_password", %{conn: conn} do user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool")) + _deactivated_user = + insert(:user, + nickname: "konata", + deactivated: true, + password_hash: Comeonin.Pbkdf2.hashpwsalt("cool") + ) + res = conn |> get(mongoose_im_path(conn, :check_password), user: user.nickname, pass: "cool") @@ -51,6 +66,13 @@ defmodule Pleroma.Web.MongooseIMController do res = conn + |> get(mongoose_im_path(conn, :check_password), user: "konata", pass: "cool") + |> json_response(404) + + assert res == false + + res = + conn |> get(mongoose_im_path(conn, :check_password), user: "nobody", pass: "cool") |> json_response(404) |