aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/helpers/auth_helper.ex17
-rw-r--r--lib/pleroma/web/plugs/admin_secret_authentication_plug.ex4
-rw-r--r--lib/pleroma/web/plugs/authentication_plug.ex63
-rw-r--r--lib/pleroma/web/plugs/basic_auth_decoder_plug.ex6
-rw-r--r--lib/pleroma/web/plugs/ensure_user_key_plug.ex5
-rw-r--r--lib/pleroma/web/plugs/legacy_authentication_plug.ex41
-rw-r--r--lib/pleroma/web/plugs/session_authentication_plug.ex10
-rw-r--r--lib/pleroma/web/plugs/set_user_session_id_plug.ex3
-rw-r--r--lib/pleroma/web/plugs/user_fetcher_plug.ex6
-rw-r--r--lib/pleroma/web/router.ex1
10 files changed, 73 insertions, 83 deletions
diff --git a/lib/pleroma/helpers/auth_helper.ex b/lib/pleroma/helpers/auth_helper.ex
new file mode 100644
index 000000000..6e29c006a
--- /dev/null
+++ b/lib/pleroma/helpers/auth_helper.ex
@@ -0,0 +1,17 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Helpers.AuthHelper do
+ alias Pleroma.Web.Plugs.OAuthScopesPlug
+
+ @doc """
+ Skips OAuth permissions (scopes) checks, assigns nil `:token`.
+ Intended to be used with explicit authentication and only when OAuth token cannot be determined.
+ """
+ def skip_oauth(conn) do
+ conn
+ |> Plug.Conn.assign(:token, nil)
+ |> OAuthScopesPlug.skip_plug()
+ end
+end
diff --git a/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex b/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex
index d7d4e4092..ff49801f4 100644
--- a/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex
+++ b/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex
@@ -5,8 +5,8 @@
defmodule Pleroma.Web.Plugs.AdminSecretAuthenticationPlug do
import Plug.Conn
+ alias Pleroma.Helpers.AuthHelper
alias Pleroma.User
- alias Pleroma.Web.Plugs.OAuthScopesPlug
alias Pleroma.Web.Plugs.RateLimiter
def init(options) do
@@ -51,7 +51,7 @@ defmodule Pleroma.Web.Plugs.AdminSecretAuthenticationPlug do
defp assign_admin_user(conn) do
conn
|> assign(:user, %User{is_admin: true})
- |> OAuthScopesPlug.skip_plug()
+ |> AuthHelper.skip_oauth()
end
defp handle_bad_token(conn) do
diff --git a/lib/pleroma/web/plugs/authentication_plug.ex b/lib/pleroma/web/plugs/authentication_plug.ex
index e2a8b1b69..a7b8a9bfe 100644
--- a/lib/pleroma/web/plugs/authentication_plug.ex
+++ b/lib/pleroma/web/plugs/authentication_plug.ex
@@ -3,6 +3,9 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.AuthenticationPlug do
+ @moduledoc "Password authentication plug."
+
+ alias Pleroma.Helpers.AuthHelper
alias Pleroma.User
import Plug.Conn
@@ -11,6 +14,30 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
def init(options), do: options
+ def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
+
+ def call(
+ %{
+ assigns: %{
+ auth_user: %{password_hash: password_hash} = auth_user,
+ auth_credentials: %{password: password}
+ }
+ } = conn,
+ _
+ ) do
+ if checkpw(password, password_hash) do
+ {:ok, auth_user} = maybe_update_password(auth_user, password)
+
+ conn
+ |> assign(:user, auth_user)
+ |> AuthHelper.skip_oauth()
+ else
+ conn
+ end
+ end
+
+ def call(conn, _), do: conn
+
def checkpw(password, "$6" <> _ = password_hash) do
:crypt.crypt(password, password_hash) == password_hash
end
@@ -40,40 +67,6 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
def maybe_update_password(user, _), do: {:ok, user}
defp do_update_password(user, password) do
- user
- |> User.password_update_changeset(%{
- "password" => password,
- "password_confirmation" => password
- })
- |> Pleroma.Repo.update()
+ User.reset_password(user, %{password: password, password_confirmation: password})
end
-
- def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
-
- def call(
- %{
- assigns: %{
- auth_user: %{password_hash: password_hash} = auth_user,
- auth_credentials: %{password: password}
- }
- } = conn,
- _
- ) do
- if checkpw(password, password_hash) do
- {:ok, auth_user} = maybe_update_password(auth_user, password)
-
- conn
- |> assign(:user, auth_user)
- |> Pleroma.Web.Plugs.OAuthScopesPlug.skip_plug()
- else
- conn
- end
- end
-
- def call(%{assigns: %{auth_credentials: %{password: _}}} = conn, _) do
- Pbkdf2.no_user_verify()
- conn
- end
-
- def call(conn, _), do: conn
end
diff --git a/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex b/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
index 4dadfb000..97529aedb 100644
--- a/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
+++ b/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
@@ -3,6 +3,12 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.BasicAuthDecoderPlug do
+ @moduledoc """
+ Decodes HTTP Basic Auth information and assigns `:auth_credentials`.
+
+ NOTE: no checks are performed at this step, auth_credentials/username could be easily faked.
+ """
+
import Plug.Conn
def init(options) do
diff --git a/lib/pleroma/web/plugs/ensure_user_key_plug.ex b/lib/pleroma/web/plugs/ensure_user_key_plug.ex
index 70d3091f0..31608dbbf 100644
--- a/lib/pleroma/web/plugs/ensure_user_key_plug.ex
+++ b/lib/pleroma/web/plugs/ensure_user_key_plug.ex
@@ -5,6 +5,8 @@
defmodule Pleroma.Web.Plugs.EnsureUserKeyPlug do
import Plug.Conn
+ @moduledoc "Ensures `conn.assigns.user` is initialized."
+
def init(opts) do
opts
end
@@ -12,7 +14,6 @@ defmodule Pleroma.Web.Plugs.EnsureUserKeyPlug do
def call(%{assigns: %{user: _}} = conn, _), do: conn
def call(conn, _) do
- conn
- |> assign(:user, nil)
+ assign(conn, :user, nil)
end
end
diff --git a/lib/pleroma/web/plugs/legacy_authentication_plug.ex b/lib/pleroma/web/plugs/legacy_authentication_plug.ex
deleted file mode 100644
index 2a54d0b59..000000000
--- a/lib/pleroma/web/plugs/legacy_authentication_plug.ex
+++ /dev/null
@@ -1,41 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-defmodule Pleroma.Web.Plugs.LegacyAuthenticationPlug do
- import Plug.Conn
-
- alias Pleroma.User
-
- def init(options) do
- options
- end
-
- def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
-
- def call(
- %{
- assigns: %{
- auth_user: %{password_hash: "$6$" <> _ = password_hash} = auth_user,
- auth_credentials: %{password: password}
- }
- } = conn,
- _
- ) do
- with ^password_hash <- :crypt.crypt(password, password_hash),
- {:ok, user} <-
- User.reset_password(auth_user, %{password: password, password_confirmation: password}) do
- conn
- |> assign(:auth_user, user)
- |> assign(:user, user)
- |> Pleroma.Web.Plugs.OAuthScopesPlug.skip_plug()
- else
- _ ->
- conn
- end
- end
-
- def call(conn, _) do
- conn
- end
-end
diff --git a/lib/pleroma/web/plugs/session_authentication_plug.ex b/lib/pleroma/web/plugs/session_authentication_plug.ex
index 6e176d553..51704e273 100644
--- a/lib/pleroma/web/plugs/session_authentication_plug.ex
+++ b/lib/pleroma/web/plugs/session_authentication_plug.ex
@@ -3,17 +3,27 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.SessionAuthenticationPlug do
+ @moduledoc """
+ Authenticates user by session-stored `:user_id` and request-contained username.
+ Username can be provided via HTTP Basic Auth (the password is not checked and can be anything).
+ """
+
import Plug.Conn
+ alias Pleroma.Helpers.AuthHelper
+
def init(options) do
options
end
+ def call(%{assigns: %{user: %Pleroma.User{}}} = conn, _), do: conn
+
def call(conn, _) do
with saved_user_id <- get_session(conn, :user_id),
%{auth_user: %{id: ^saved_user_id}} <- conn.assigns do
conn
|> assign(:user, conn.assigns.auth_user)
+ |> AuthHelper.skip_oauth()
else
_ -> conn
end
diff --git a/lib/pleroma/web/plugs/set_user_session_id_plug.ex b/lib/pleroma/web/plugs/set_user_session_id_plug.ex
index e520159e4..6ddb6b5e5 100644
--- a/lib/pleroma/web/plugs/set_user_session_id_plug.ex
+++ b/lib/pleroma/web/plugs/set_user_session_id_plug.ex
@@ -11,8 +11,7 @@ defmodule Pleroma.Web.Plugs.SetUserSessionIdPlug do
end
def call(%{assigns: %{user: %User{id: id}}} = conn, _) do
- conn
- |> put_session(:user_id, id)
+ put_session(conn, :user_id, id)
end
def call(conn, _), do: conn
diff --git a/lib/pleroma/web/plugs/user_fetcher_plug.ex b/lib/pleroma/web/plugs/user_fetcher_plug.ex
index 4039600da..89e16b49f 100644
--- a/lib/pleroma/web/plugs/user_fetcher_plug.ex
+++ b/lib/pleroma/web/plugs/user_fetcher_plug.ex
@@ -3,6 +3,12 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.UserFetcherPlug do
+ @moduledoc """
+ Assigns `:auth_user` basing on `:auth_credentials`.
+
+ NOTE: no checks are performed at this step, auth_credentials/username could be easily faked.
+ """
+
alias Pleroma.User
import Plug.Conn
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 76ca2c9b5..9da10f1e5 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -49,7 +49,6 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.BasicAuthDecoderPlug)
plug(Pleroma.Web.Plugs.UserFetcherPlug)
plug(Pleroma.Web.Plugs.SessionAuthenticationPlug)
- plug(Pleroma.Web.Plugs.LegacyAuthenticationPlug)
plug(Pleroma.Web.Plugs.AuthenticationPlug)
end
generated by cgit v1.2.3 (git 2.26.2) at 2025-04-24 23:00:46 +0000