Merge branch 'mongoose-secure' into 'develop'

mongoose auth endpoint worked for deactivated accounts See merge request pleroma/pleroma!2432
2020-04-28 09:18:59 +00:00 · 2020-04-28 09:18:59 +00:00 · 9994768312
parent 01cc93b687 5ff20793e7
commit 9994768312
2 changed files with 24 additions and 2 deletions
--- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
@ -14,7 +14,7 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
  plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password)

  def user_exists(conn, %{"user" => username}) do
-    with %User{} <- Repo.get_by(User, nickname: username, local: true) do
+    with %User{} <- Repo.get_by(User, nickname: username, local: true, deactivated: false) do
      conn
      |> json(true)
    else
@ -26,7 +26,7 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
  end

  def check_password(conn, %{"user" => username, "pass" => password}) do
-    with %User{password_hash: password_hash} <-
+    with %User{password_hash: password_hash, deactivated: false} <-
           Repo.get_by(User, nickname: username, local: true),
         true <- Pbkdf2.checkpw(password, password_hash) do
      conn
--- a/test/web/mongooseim/mongoose_im_controller_test.exs
+++ b/test/web/mongooseim/mongoose_im_controller_test.exs
@ -9,6 +9,7 @@ defmodule Pleroma.Web.MongooseIMController do
  test "/user_exists", %{conn: conn} do
    _user = insert(:user, nickname: "lain")
    _remote_user = insert(:user, nickname: "alice", local: false)
+    _deactivated_user = insert(:user, nickname: "konata", deactivated: true)

    res =
      conn
@ -30,11 +31,25 @@ defmodule Pleroma.Web.MongooseIMController do
      |> json_response(404)

    assert res == false
+
+    res =
+      conn
+      |> get(mongoose_im_path(conn, :user_exists), user: "konata")
+      |> json_response(404)
+
+    assert res == false
  end

  test "/check_password", %{conn: conn} do
    user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool"))

+    _deactivated_user =
+      insert(:user,
+        nickname: "konata",
+        deactivated: true,
+        password_hash: Comeonin.Pbkdf2.hashpwsalt("cool")
+      )
+
    res =
      conn
      |> get(mongoose_im_path(conn, :check_password), user: user.nickname, pass: "cool")
@ -49,6 +64,13 @@ defmodule Pleroma.Web.MongooseIMController do

    assert res == false

+    res =
+      conn
+      |> get(mongoose_im_path(conn, :check_password), user: "konata", pass: "cool")
+      |> json_response(404)
+
+    assert res == false
+
    res =
      conn
      |> get(mongoose_im_path(conn, :check_password), user: "nobody", pass: "cool")