2014-07-26 06:24:27 +02:00
// Copyright 2014 The Gogs Authors. All rights reserved.
2018-07-19 19:58:33 +02:00
// Copyright 2018 The Gitea Authors. All rights reserved.
2014-07-26 06:24:27 +02:00
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package user
import (
2017-01-16 03:14:29 +01:00
"errors"
2016-03-11 17:56:52 +01:00
"fmt"
2021-04-14 14:02:12 +02:00
"io"
2017-02-25 15:57:06 +01:00
"net/http"
"strings"
2014-07-31 23:25:34 +02:00
2021-09-19 13:49:59 +02:00
"code.gitea.io/gitea/models/db"
2021-09-24 13:32:56 +02:00
"code.gitea.io/gitea/models/login"
2021-11-11 08:03:30 +01:00
user_model "code.gitea.io/gitea/models/user"
2016-11-10 17:24:48 +01:00
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
2020-05-07 23:49:00 +02:00
"code.gitea.io/gitea/modules/eventsource"
2020-10-03 05:37:53 +02:00
"code.gitea.io/gitea/modules/hcaptcha"
2016-11-10 17:24:48 +01:00
"code.gitea.io/gitea/modules/log"
2019-10-14 17:24:26 +02:00
"code.gitea.io/gitea/modules/password"
2018-07-05 06:13:05 +02:00
"code.gitea.io/gitea/modules/recaptcha"
2016-11-10 17:24:48 +01:00
"code.gitea.io/gitea/modules/setting"
2019-08-15 16:46:21 +02:00
"code.gitea.io/gitea/modules/timeutil"
2021-01-26 16:36:53 +01:00
"code.gitea.io/gitea/modules/web"
2021-03-07 09:12:43 +01:00
"code.gitea.io/gitea/modules/web/middleware"
2020-08-11 22:05:34 +02:00
"code.gitea.io/gitea/routers/utils"
2021-07-24 12:16:34 +02:00
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/oauth2"
2019-10-14 08:10:42 +02:00
"code.gitea.io/gitea/services/externalaccount"
2021-04-06 21:44:05 +02:00
"code.gitea.io/gitea/services/forms"
2019-09-24 07:02:49 +02:00
"code.gitea.io/gitea/services/mailer"
2021-11-22 16:21:55 +01:00
user_service "code.gitea.io/gitea/services/user"
2017-02-25 15:57:06 +01:00
2017-02-22 08:14:37 +01:00
"github.com/markbates/goth"
2018-05-19 16:12:37 +02:00
"github.com/tstranex/u2f"
2014-07-26 06:24:27 +02:00
)
const (
2018-09-13 14:04:25 +02:00
// tplMustChangePassword template for updating a user's password
tplMustChangePassword = "user/auth/change_passwd"
2016-11-18 04:03:03 +01:00
// tplSignIn template for sign in page
tplSignIn base . TplName = "user/auth/signin"
// tplSignUp template path for sign up page
tplSignUp base . TplName = "user/auth/signup"
// TplActivate template path for activate user
TplActivate base . TplName = "user/auth/activate"
tplForgotPassword base . TplName = "user/auth/forgot_passwd"
tplResetPassword base . TplName = "user/auth/reset_passwd"
2017-01-16 03:14:29 +01:00
tplTwofa base . TplName = "user/auth/twofa"
tplTwofaScratch base . TplName = "user/auth/twofa_scratch"
2017-02-22 08:14:37 +01:00
tplLinkAccount base . TplName = "user/auth/link_account"
2018-05-19 16:12:37 +02:00
tplU2F base . TplName = "user/auth/u2f"
2014-07-26 06:24:27 +02:00
)
2016-03-11 17:56:52 +01:00
// AutoSignIn reads cookie and try to auto-login.
func AutoSignIn ( ctx * context . Context ) ( bool , error ) {
2021-09-19 13:49:59 +02:00
if ! db . HasEngine {
2016-03-11 17:56:52 +01:00
return false , nil
}
uname := ctx . GetCookie ( setting . CookieUserName )
if len ( uname ) == 0 {
return false , nil
}
isSucceed := false
defer func ( ) {
if ! isSucceed {
log . Trace ( "auto-login cookie cleared: %s" , uname )
2021-03-07 09:12:43 +01:00
ctx . DeleteCookie ( setting . CookieUserName )
ctx . DeleteCookie ( setting . CookieRememberName )
2016-03-11 17:56:52 +01:00
}
} ( )
2021-11-24 10:49:20 +01:00
u , err := user_model . GetUserByName ( uname )
2016-03-11 17:56:52 +01:00
if err != nil {
2021-11-24 10:49:20 +01:00
if ! user_model . IsErrUserNotExist ( err ) {
2016-03-11 17:56:52 +01:00
return false , fmt . Errorf ( "GetUserByName: %v" , err )
}
return false , nil
}
2019-07-06 17:47:09 +02:00
if val , ok := ctx . GetSuperSecureCookie (
base . EncodeMD5 ( u . Rands + u . Passwd ) , setting . CookieRememberName ) ; ! ok || val != u . Name {
2016-03-11 17:56:52 +01:00
return false , nil
}
isSucceed = true
2020-05-17 14:43:29 +02:00
// Set session IDs
if err := ctx . Session . Set ( "uid" , u . ID ) ; err != nil {
2019-06-12 21:41:28 +02:00
return false , err
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "uname" , u . Name ) ; err != nil {
return false , err
}
if err := ctx . Session . Release ( ) ; err != nil {
2019-06-12 21:41:28 +02:00
return false , err
}
2020-05-17 14:43:29 +02:00
2021-12-19 14:31:43 +01:00
if err := resetLocale ( ctx , u ) ; err != nil {
return false , err
}
2021-03-07 09:12:43 +01:00
middleware . DeleteCSRFCookie ( ctx . Resp )
2016-03-11 17:56:52 +01:00
return true , nil
}
2021-12-19 14:31:43 +01:00
func resetLocale ( ctx * context . Context , u * user_model . User ) error {
// Language setting of the user overwrites the one previously set
// If the user does not have a locale set, we save the current one.
if len ( u . Language ) == 0 {
u . Language = ctx . Locale . Language ( )
if err := user_model . UpdateUserCols ( db . DefaultContext , u , "language" ) ; err != nil {
return err
}
}
middleware . SetLocaleCookie ( ctx . Resp , u . Language , 0 )
if ctx . Locale . Language ( ) != u . Language {
ctx . Locale = middleware . Locale ( ctx . Resp , ctx . Req )
}
return nil
}
2017-01-16 03:14:29 +01:00
func checkAutoLogin ( ctx * context . Context ) bool {
2014-07-26 06:24:27 +02:00
// Check auto-login.
2016-03-11 17:56:52 +01:00
isSucceed , err := AutoSignIn ( ctx )
2014-07-26 06:24:27 +02:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "AutoSignIn" , err )
2017-01-16 03:14:29 +01:00
return true
2014-07-26 06:24:27 +02:00
}
2021-08-11 02:31:13 +02:00
redirectTo := ctx . FormString ( "redirect_to" )
2016-08-28 00:07:02 +02:00
if len ( redirectTo ) > 0 {
2021-03-07 09:12:43 +01:00
middleware . SetRedirectToCookie ( ctx . Resp , redirectTo )
2016-08-28 00:07:02 +02:00
} else {
2019-03-21 03:06:16 +01:00
redirectTo = ctx . GetCookie ( "redirect_to" )
2016-08-28 00:07:02 +02:00
}
2015-08-13 20:43:40 +02:00
if isSucceed {
2021-03-07 09:12:43 +01:00
middleware . DeleteRedirectToCookie ( ctx . Resp )
2018-03-15 22:13:34 +01:00
ctx . RedirectToFirst ( redirectTo , setting . AppSubURL + string ( setting . LandingPageURL ) )
2017-01-16 03:14:29 +01:00
return true
}
return false
}
// SignIn render sign in page
func SignIn ( ctx * context . Context ) {
2017-05-01 15:26:53 +02:00
ctx . Data [ "Title" ] = ctx . Tr ( "sign_in" )
2017-01-16 03:14:29 +01:00
// Check auto-login.
if checkAutoLogin ( ctx ) {
2014-07-26 06:24:27 +02:00
return
}
2021-07-24 12:16:34 +02:00
orderedOAuth2Names , oauth2Providers , err := oauth2 . GetActiveOAuth2Providers ( )
2017-02-22 08:14:37 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-02-22 08:14:37 +01:00
return
}
2017-05-01 15:26:53 +02:00
ctx . Data [ "OrderedOAuth2Names" ] = orderedOAuth2Names
2017-02-22 08:14:37 +01:00
ctx . Data [ "OAuth2Providers" ] = oauth2Providers
2017-03-17 15:16:08 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "sign_in" )
2017-03-07 11:47:56 +01:00
ctx . Data [ "SignInLink" ] = setting . AppSubURL + "/user/login"
2017-03-17 15:16:08 +01:00
ctx . Data [ "PageIsSignIn" ] = true
ctx . Data [ "PageIsLogin" ] = true
2021-09-24 13:32:56 +02:00
ctx . Data [ "EnableSSPI" ] = login . IsSSPIEnabled ( )
2017-02-22 08:14:37 +01:00
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplSignIn )
2014-07-26 06:24:27 +02:00
}
2016-11-18 04:03:03 +01:00
// SignInPost response for sign in request
2021-01-26 16:36:53 +01:00
func SignInPost ( ctx * context . Context ) {
2017-05-01 15:26:53 +02:00
ctx . Data [ "Title" ] = ctx . Tr ( "sign_in" )
2021-07-24 12:16:34 +02:00
orderedOAuth2Names , oauth2Providers , err := oauth2 . GetActiveOAuth2Providers ( )
2017-02-22 08:14:37 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-02-22 08:14:37 +01:00
return
}
2017-05-01 15:26:53 +02:00
ctx . Data [ "OrderedOAuth2Names" ] = orderedOAuth2Names
2017-02-22 08:14:37 +01:00
ctx . Data [ "OAuth2Providers" ] = oauth2Providers
2017-03-07 11:47:56 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "sign_in" )
ctx . Data [ "SignInLink" ] = setting . AppSubURL + "/user/login"
ctx . Data [ "PageIsSignIn" ] = true
ctx . Data [ "PageIsLogin" ] = true
2021-09-24 13:32:56 +02:00
ctx . Data [ "EnableSSPI" ] = login . IsSSPIEnabled ( )
2017-02-22 08:14:37 +01:00
2014-07-26 06:24:27 +02:00
if ctx . HasError ( ) {
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplSignIn )
2014-07-26 06:24:27 +02:00
return
}
2021-04-06 21:44:05 +02:00
form := web . GetForm ( ctx ) . ( * forms . SignInForm )
2021-09-17 13:43:47 +02:00
u , source , err := auth . UserSignIn ( form . UserName , form . Password )
2014-07-26 06:24:27 +02:00
if err != nil {
2021-11-24 10:49:20 +01:00
if user_model . IsErrUserNotExist ( err ) {
2016-11-18 04:03:03 +01:00
ctx . RenderWithErr ( ctx . Tr ( "form.username_password_incorrect" ) , tplSignIn , & form )
2020-12-08 21:37:47 +01:00
log . Info ( "Failed authentication attempt for %s from %s: %v" , form . UserName , ctx . RemoteAddr ( ) , err )
2021-11-11 08:03:30 +01:00
} else if user_model . IsErrEmailAlreadyUsed ( err ) {
2017-02-25 15:57:06 +01:00
ctx . RenderWithErr ( ctx . Tr ( "form.email_been_used" ) , tplSignIn , & form )
2020-12-08 21:37:47 +01:00
log . Info ( "Failed authentication attempt for %s from %s: %v" , form . UserName , ctx . RemoteAddr ( ) , err )
2021-11-24 10:49:20 +01:00
} else if user_model . IsErrUserProhibitLogin ( err ) {
2020-12-08 21:37:47 +01:00
log . Info ( "Failed authentication attempt for %s from %s: %v" , form . UserName , ctx . RemoteAddr ( ) , err )
2019-02-19 08:19:28 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "auth.prohibit_login" )
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , "user/auth/prohibit_login" )
2021-11-24 10:49:20 +01:00
} else if user_model . IsErrUserInactive ( err ) {
2019-02-19 08:19:28 +01:00
if setting . Service . RegisterEmailConfirm {
ctx . Data [ "Title" ] = ctx . Tr ( "auth.active_your_account" )
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , TplActivate )
2019-02-19 08:19:28 +01:00
} else {
2020-12-08 21:37:47 +01:00
log . Info ( "Failed authentication attempt for %s from %s: %v" , form . UserName , ctx . RemoteAddr ( ) , err )
2019-02-19 08:19:28 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "auth.prohibit_login" )
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , "user/auth/prohibit_login" )
2019-02-19 08:19:28 +01:00
}
2014-08-10 06:02:00 +02:00
} else {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2014-07-26 06:24:27 +02:00
}
return
}
2021-09-17 13:43:47 +02:00
// Now handle 2FA:
// First of all if the source can skip local two fa we're done
if skipper , ok := source . Cfg . ( auth . LocalTwoFASkipper ) ; ok && skipper . IsSkipLocalTwoFA ( ) {
handleSignIn ( ctx , u , form . Remember )
return
}
2021-11-08 23:47:19 +01:00
// If this user is enrolled in 2FA TOTP, we can't sign the user in just yet.
2017-01-16 03:14:29 +01:00
// Instead, redirect them to the 2FA authentication page.
2021-11-08 23:47:19 +01:00
hasTOTPtwofa , err := login . HasTwoFactorByUID ( u . ID )
2017-01-16 03:14:29 +01:00
if err != nil {
2021-11-08 23:47:19 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-01-16 03:14:29 +01:00
return
}
2021-11-08 23:47:19 +01:00
// Check if the user has u2f registration
hasU2Ftwofa , err := login . HasU2FRegistrationsByUID ( u . ID )
if err != nil {
ctx . ServerError ( "UserSignIn" , err )
return
}
if ! hasTOTPtwofa && ! hasU2Ftwofa {
// No two factor auth configured we can sign in the user
handleSignIn ( ctx , u , form . Remember )
return
}
// User will need to use 2FA TOTP or U2F, save data
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "twofaUid" , u . ID ) ; err != nil {
ctx . ServerError ( "UserSignIn: Unable to set twofaUid in session" , err )
2019-06-12 21:41:28 +02:00
return
}
2021-11-08 23:47:19 +01:00
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "twofaRemember" , form . Remember ) ; err != nil {
ctx . ServerError ( "UserSignIn: Unable to set twofaRemember in session" , err )
return
}
2021-11-08 23:47:19 +01:00
if hasTOTPtwofa {
// User will need to use U2F, save data
if err := ctx . Session . Set ( "totpEnrolled" , u . ID ) ; err != nil {
ctx . ServerError ( "UserSignIn: Unable to set u2fEnrolled in session" , err )
return
}
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Release ( ) ; err != nil {
ctx . ServerError ( "UserSignIn: Unable to save session" , err )
2019-06-12 21:41:28 +02:00
return
}
2018-05-19 16:12:37 +02:00
2021-11-08 23:47:19 +01:00
// If we have U2F redirect there first
if hasU2Ftwofa {
2018-05-19 16:12:37 +02:00
ctx . Redirect ( setting . AppSubURL + "/user/u2f" )
return
}
2021-11-08 23:47:19 +01:00
// Fallback to 2FA
2017-01-16 03:14:29 +01:00
ctx . Redirect ( setting . AppSubURL + "/user/two_factor" )
}
// TwoFactor shows the user a two-factor authentication page.
func TwoFactor ( ctx * context . Context ) {
ctx . Data [ "Title" ] = ctx . Tr ( "twofa" )
// Check auto-login.
if checkAutoLogin ( ctx ) {
return
}
// Ensure user is in a 2FA session.
if ctx . Session . Get ( "twofaUid" ) == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , errors . New ( "not in 2FA session" ) )
2017-01-16 03:14:29 +01:00
return
}
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplTwofa )
2017-01-16 03:14:29 +01:00
}
// TwoFactorPost validates a user's two-factor authentication token.
2021-01-26 16:36:53 +01:00
func TwoFactorPost ( ctx * context . Context ) {
2021-04-06 21:44:05 +02:00
form := web . GetForm ( ctx ) . ( * forms . TwoFactorAuthForm )
2017-01-16 03:14:29 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "twofa" )
// Ensure user is in a 2FA session.
idSess := ctx . Session . Get ( "twofaUid" )
if idSess == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , errors . New ( "not in 2FA session" ) )
2017-01-16 03:14:29 +01:00
return
}
id := idSess . ( int64 )
2021-09-25 15:00:12 +02:00
twofa , err := login . GetTwoFactorByUID ( id )
2017-01-16 03:14:29 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-01-16 03:14:29 +01:00
return
}
// Validate the passcode with the stored TOTP secret.
ok , err := twofa . ValidateTOTP ( form . Passcode )
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-01-16 03:14:29 +01:00
return
}
2018-05-02 17:02:02 +02:00
if ok && twofa . LastUsedPasscode != form . Passcode {
2017-01-16 03:14:29 +01:00
remember := ctx . Session . Get ( "twofaRemember" ) . ( bool )
2021-11-24 10:49:20 +01:00
u , err := user_model . GetUserByID ( id )
2017-01-16 03:14:29 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-01-16 03:14:29 +01:00
return
}
2017-02-27 11:10:26 +01:00
if ctx . Session . Get ( "linkAccount" ) != nil {
2021-12-14 09:37:11 +01:00
if err := externalaccount . LinkAccountFromStore ( ctx . Session , u ) ; err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-02-27 11:10:26 +01:00
}
}
2018-05-02 17:02:02 +02:00
twofa . LastUsedPasscode = form . Passcode
2021-09-25 15:00:12 +02:00
if err = login . UpdateTwoFactor ( twofa ) ; err != nil {
2018-05-02 17:02:02 +02:00
ctx . ServerError ( "UserSignIn" , err )
return
}
2017-01-16 03:14:29 +01:00
handleSignIn ( ctx , u , remember )
return
}
2021-04-06 21:44:05 +02:00
ctx . RenderWithErr ( ctx . Tr ( "auth.twofa_passcode_incorrect" ) , tplTwofa , forms . TwoFactorAuthForm { } )
2017-01-16 03:14:29 +01:00
}
// TwoFactorScratch shows the scratch code form for two-factor authentication.
func TwoFactorScratch ( ctx * context . Context ) {
ctx . Data [ "Title" ] = ctx . Tr ( "twofa_scratch" )
// Check auto-login.
if checkAutoLogin ( ctx ) {
return
}
// Ensure user is in a 2FA session.
if ctx . Session . Get ( "twofaUid" ) == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , errors . New ( "not in 2FA session" ) )
2017-01-16 03:14:29 +01:00
return
}
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplTwofaScratch )
2017-01-16 03:14:29 +01:00
}
// TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.
2021-01-26 16:36:53 +01:00
func TwoFactorScratchPost ( ctx * context . Context ) {
2021-04-06 21:44:05 +02:00
form := web . GetForm ( ctx ) . ( * forms . TwoFactorScratchAuthForm )
2017-01-16 03:14:29 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "twofa_scratch" )
// Ensure user is in a 2FA session.
idSess := ctx . Session . Get ( "twofaUid" )
if idSess == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , errors . New ( "not in 2FA session" ) )
2017-01-16 03:14:29 +01:00
return
}
id := idSess . ( int64 )
2021-09-25 15:00:12 +02:00
twofa , err := login . GetTwoFactorByUID ( id )
2017-01-16 03:14:29 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-01-16 03:14:29 +01:00
return
}
// Validate the passcode with the stored TOTP secret.
if twofa . VerifyScratchToken ( form . Token ) {
// Invalidate the scratch token.
2018-07-27 14:54:50 +02:00
_ , err = twofa . GenerateScratchToken ( )
if err != nil {
ctx . ServerError ( "UserSignIn" , err )
return
}
2021-09-25 15:00:12 +02:00
if err = login . UpdateTwoFactor ( twofa ) ; err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-01-16 03:14:29 +01:00
return
}
remember := ctx . Session . Get ( "twofaRemember" ) . ( bool )
2021-11-24 10:49:20 +01:00
u , err := user_model . GetUserByID ( id )
2017-01-16 03:14:29 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-01-16 03:14:29 +01:00
return
}
handleSignInFull ( ctx , u , remember , false )
ctx . Flash . Info ( ctx . Tr ( "auth.twofa_scratch_used" ) )
2018-07-19 19:58:33 +02:00
ctx . Redirect ( setting . AppSubURL + "/user/settings/security" )
2017-01-16 03:14:29 +01:00
return
}
2021-04-06 21:44:05 +02:00
ctx . RenderWithErr ( ctx . Tr ( "auth.twofa_scratch_token_incorrect" ) , tplTwofaScratch , forms . TwoFactorScratchAuthForm { } )
2017-01-16 03:14:29 +01:00
}
2018-05-19 16:12:37 +02:00
// U2F shows the U2F login page
func U2F ( ctx * context . Context ) {
ctx . Data [ "Title" ] = ctx . Tr ( "twofa" )
ctx . Data [ "RequireU2F" ] = true
// Check auto-login.
if checkAutoLogin ( ctx ) {
return
}
// Ensure user is in a 2FA session.
if ctx . Session . Get ( "twofaUid" ) == nil {
ctx . ServerError ( "UserSignIn" , errors . New ( "not in U2F session" ) )
return
}
2021-11-08 23:47:19 +01:00
// See whether TOTP is also available.
if ctx . Session . Get ( "totpEnrolled" ) != nil {
ctx . Data [ "TOTPEnrolled" ] = true
}
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplU2F )
2018-05-19 16:12:37 +02:00
}
// U2FChallenge submits a sign challenge to the browser
func U2FChallenge ( ctx * context . Context ) {
// Ensure user is in a U2F session.
idSess := ctx . Session . Get ( "twofaUid" )
if idSess == nil {
ctx . ServerError ( "UserSignIn" , errors . New ( "not in U2F session" ) )
return
}
id := idSess . ( int64 )
2021-09-25 15:00:12 +02:00
regs , err := login . GetU2FRegistrationsByUID ( id )
2018-05-19 16:12:37 +02:00
if err != nil {
ctx . ServerError ( "UserSignIn" , err )
return
}
if len ( regs ) == 0 {
ctx . ServerError ( "UserSignIn" , errors . New ( "no device registered" ) )
return
}
challenge , err := u2f . NewChallenge ( setting . U2F . AppID , setting . U2F . TrustedFacets )
2019-06-12 21:41:28 +02:00
if err != nil {
ctx . ServerError ( "u2f.NewChallenge" , err )
return
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "u2fChallenge" , challenge ) ; err != nil {
ctx . ServerError ( "UserSignIn: unable to set u2fChallenge in session" , err )
2018-05-19 16:12:37 +02:00
return
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Release ( ) ; err != nil {
ctx . ServerError ( "UserSignIn: unable to store session" , err )
}
2021-04-05 17:30:52 +02:00
ctx . JSON ( http . StatusOK , challenge . SignRequest ( regs . ToRegistrations ( ) ) )
2018-05-19 16:12:37 +02:00
}
// U2FSign authenticates the user by signResp
2021-01-26 16:36:53 +01:00
func U2FSign ( ctx * context . Context ) {
signResp := web . GetForm ( ctx ) . ( * u2f . SignResponse )
2018-05-19 16:12:37 +02:00
challSess := ctx . Session . Get ( "u2fChallenge" )
idSess := ctx . Session . Get ( "twofaUid" )
if challSess == nil || idSess == nil {
ctx . ServerError ( "UserSignIn" , errors . New ( "not in U2F session" ) )
return
}
challenge := challSess . ( * u2f . Challenge )
id := idSess . ( int64 )
2021-09-25 15:00:12 +02:00
regs , err := login . GetU2FRegistrationsByUID ( id )
2018-05-19 16:12:37 +02:00
if err != nil {
ctx . ServerError ( "UserSignIn" , err )
return
}
for _ , reg := range regs {
r , err := reg . Parse ( )
if err != nil {
2021-10-14 18:37:35 +02:00
log . Error ( "parsing u2f registration: %v" , err )
2018-05-19 16:12:37 +02:00
continue
}
2021-01-26 16:36:53 +01:00
newCounter , authErr := r . Authenticate ( * signResp , * challenge , reg . Counter )
2018-05-19 16:12:37 +02:00
if authErr == nil {
reg . Counter = newCounter
2021-11-24 10:49:20 +01:00
user , err := user_model . GetUserByID ( id )
2018-05-19 16:12:37 +02:00
if err != nil {
ctx . ServerError ( "UserSignIn" , err )
return
}
remember := ctx . Session . Get ( "twofaRemember" ) . ( bool )
if err := reg . UpdateCounter ( ) ; err != nil {
ctx . ServerError ( "UserSignIn" , err )
return
}
if ctx . Session . Get ( "linkAccount" ) != nil {
2021-12-14 09:37:11 +01:00
if err := externalaccount . LinkAccountFromStore ( ctx . Session , user ) ; err != nil {
2018-05-19 16:12:37 +02:00
ctx . ServerError ( "UserSignIn" , err )
}
}
redirect := handleSignInFull ( ctx , user , remember , false )
if redirect == "" {
redirect = setting . AppSubURL + "/"
}
2021-12-15 07:59:57 +01:00
ctx . PlainText ( http . StatusOK , redirect )
2018-05-19 16:12:37 +02:00
return
}
}
2021-04-05 17:30:52 +02:00
ctx . Error ( http . StatusUnauthorized )
2018-05-19 16:12:37 +02:00
}
2017-01-16 03:14:29 +01:00
// This handles the final part of the sign-in process of the user.
2021-11-24 10:49:20 +01:00
func handleSignIn ( ctx * context . Context , u * user_model . User , remember bool ) {
2017-01-16 03:14:29 +01:00
handleSignInFull ( ctx , u , remember , true )
}
2021-12-20 05:41:31 +01:00
func handleSignInFull ( ctx * context . Context , u * user_model . User , remember , obeyRedirect bool ) string {
2017-01-16 03:14:29 +01:00
if remember {
2014-07-26 06:24:27 +02:00
days := 86400 * setting . LogInRememberDays
2021-03-07 09:12:43 +01:00
ctx . SetCookie ( setting . CookieUserName , u . Name , days )
2017-02-25 15:57:06 +01:00
ctx . SetSuperSecureCookie ( base . EncodeMD5 ( u . Rands + u . Passwd ) ,
2021-03-07 09:12:43 +01:00
setting . CookieRememberName , u . Name , days )
2014-07-26 06:24:27 +02:00
}
2019-06-12 21:41:28 +02:00
_ = ctx . Session . Delete ( "openid_verified_uri" )
_ = ctx . Session . Delete ( "openid_signin_remember" )
_ = ctx . Session . Delete ( "openid_determined_email" )
_ = ctx . Session . Delete ( "openid_determined_username" )
_ = ctx . Session . Delete ( "twofaUid" )
_ = ctx . Session . Delete ( "twofaRemember" )
_ = ctx . Session . Delete ( "u2fChallenge" )
_ = ctx . Session . Delete ( "linkAccount" )
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "uid" , u . ID ) ; err != nil {
log . Error ( "Error setting uid %d in session: %v" , u . ID , err )
2019-06-12 21:41:28 +02:00
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "uname" , u . Name ) ; err != nil {
log . Error ( "Error setting uname %s session: %v" , u . Name , err )
}
if err := ctx . Session . Release ( ) ; err != nil {
log . Error ( "Unable to store session: %v" , err )
2019-06-12 21:41:28 +02:00
}
2016-03-13 02:56:03 +01:00
2018-05-05 02:28:30 +02:00
// Language setting of the user overwrites the one previously set
// If the user does not have a locale set, we save the current one.
if len ( u . Language ) == 0 {
u . Language = ctx . Locale . Language ( )
2021-11-24 10:49:20 +01:00
if err := user_model . UpdateUserCols ( db . DefaultContext , u , "language" ) ; err != nil {
2019-04-02 09:48:31 +02:00
log . Error ( fmt . Sprintf ( "Error updating user language [user: %d, locale: %s]" , u . ID , u . Language ) )
2018-05-19 16:12:37 +02:00
return setting . AppSubURL + "/"
2018-05-05 02:28:30 +02:00
}
}
2021-03-07 09:12:43 +01:00
middleware . SetLocaleCookie ( ctx . Resp , u . Language , 0 )
2018-05-05 02:28:30 +02:00
2021-11-20 22:32:37 +01:00
if ctx . Locale . Language ( ) != u . Language {
ctx . Locale = middleware . Locale ( ctx . Resp , ctx . Req )
}
2016-03-13 02:56:03 +01:00
// Clear whatever CSRF has right now, force to generate a new one
2021-03-07 09:12:43 +01:00
middleware . DeleteCSRFCookie ( ctx . Resp )
2016-03-13 02:56:03 +01:00
2016-11-09 11:53:45 +01:00
// Register last login
u . SetLastLogin ( )
2021-11-24 10:49:20 +01:00
if err := user_model . UpdateUserCols ( db . DefaultContext , u , "last_login_unix" ) ; err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UpdateUserCols" , err )
2018-05-19 16:12:37 +02:00
return setting . AppSubURL + "/"
2016-11-09 11:53:45 +01:00
}
2020-08-11 22:05:34 +02:00
if redirectTo := ctx . GetCookie ( "redirect_to" ) ; len ( redirectTo ) > 0 && ! utils . IsExternalURL ( redirectTo ) {
2021-03-07 09:12:43 +01:00
middleware . DeleteRedirectToCookie ( ctx . Resp )
2017-01-16 03:14:29 +01:00
if obeyRedirect {
2018-03-15 22:13:34 +01:00
ctx . RedirectToFirst ( redirectTo )
2017-01-16 03:14:29 +01:00
}
2018-05-19 16:12:37 +02:00
return redirectTo
2014-07-26 06:24:27 +02:00
}
2017-01-16 03:14:29 +01:00
if obeyRedirect {
ctx . Redirect ( setting . AppSubURL + "/" )
}
2018-05-19 16:12:37 +02:00
return setting . AppSubURL + "/"
2014-07-26 06:24:27 +02:00
}
2017-02-22 08:14:37 +01:00
// SignInOAuth handles the OAuth2 login buttons
func SignInOAuth ( ctx * context . Context ) {
provider := ctx . Params ( ":provider" )
2021-09-24 13:32:56 +02:00
loginSource , err := login . GetActiveOAuth2LoginSourceByName ( provider )
2017-02-22 08:14:37 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "SignIn" , err )
2017-02-22 08:14:37 +01:00
return
}
// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
2021-01-26 16:36:53 +01:00
user , gothUser , err := oAuth2UserLoginCallback ( loginSource , ctx . Req , ctx . Resp )
2017-02-22 08:14:37 +01:00
if err == nil && user != nil {
// we got the user without going through the whole OAuth2 authentication flow again
2021-09-10 18:37:57 +02:00
handleOAuth2SignIn ( ctx , loginSource , user , gothUser )
2017-02-22 08:14:37 +01:00
return
}
2021-07-24 12:16:34 +02:00
if err = loginSource . Cfg . ( * oauth2 . Source ) . Callout ( ctx . Req , ctx . Resp ) ; err != nil {
2020-12-24 20:47:17 +01:00
if strings . Contains ( err . Error ( ) , "no provider for " ) {
2021-07-24 12:16:34 +02:00
if err = oauth2 . ResetOAuth2 ( ) ; err != nil {
2020-12-24 20:47:17 +01:00
ctx . ServerError ( "SignIn" , err )
return
}
2021-07-24 12:16:34 +02:00
if err = loginSource . Cfg . ( * oauth2 . Source ) . Callout ( ctx . Req , ctx . Resp ) ; err != nil {
2020-12-24 20:47:17 +01:00
ctx . ServerError ( "SignIn" , err )
}
return
}
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "SignIn" , err )
2017-02-22 08:14:37 +01:00
}
// redirect is done in oauth2.Auth
}
// SignInOAuthCallback handles the callback from the given provider
func SignInOAuthCallback ( ctx * context . Context ) {
provider := ctx . Params ( ":provider" )
// first look if the provider is still active
2021-09-24 13:32:56 +02:00
loginSource , err := login . GetActiveOAuth2LoginSourceByName ( provider )
2017-02-22 08:14:37 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "SignIn" , err )
2017-02-22 08:14:37 +01:00
return
}
if loginSource == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "SignIn" , errors . New ( "No valid provider found, check configured callback url in provider" ) )
2017-02-22 08:14:37 +01:00
return
}
2021-01-26 16:36:53 +01:00
u , gothUser , err := oAuth2UserLoginCallback ( loginSource , ctx . Req , ctx . Resp )
2017-02-22 08:14:37 +01:00
if err != nil {
2021-12-14 09:37:11 +01:00
if user_model . IsErrUserProhibitLogin ( err ) {
uplerr := err . ( * user_model . ErrUserProhibitLogin )
log . Info ( "Failed authentication attempt for %s from %s: %v" , uplerr . Name , ctx . RemoteAddr ( ) , err )
ctx . Data [ "Title" ] = ctx . Tr ( "auth.prohibit_login" )
ctx . HTML ( http . StatusOK , "user/auth/prohibit_login" )
return
}
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , err )
2017-02-22 08:14:37 +01:00
return
}
if u == nil {
2021-10-11 18:23:59 +02:00
if ! setting . Service . AllowOnlyInternalRegistration && setting . OAuth2Client . EnableAutoRegistration {
2021-04-14 14:02:12 +02:00
// create new user with details from oauth2 provider
var missingFields [ ] string
if gothUser . UserID == "" {
missingFields = append ( missingFields , "sub" )
}
if gothUser . Email == "" {
missingFields = append ( missingFields , "email" )
}
if setting . OAuth2Client . Username == setting . OAuth2UsernameNickname && gothUser . NickName == "" {
missingFields = append ( missingFields , "nickname" )
}
if len ( missingFields ) > 0 {
log . Error ( "OAuth2 Provider %s returned empty or missing fields: %s" , loginSource . Name , missingFields )
2021-07-24 12:16:34 +02:00
if loginSource . IsOAuth2 ( ) && loginSource . Cfg . ( * oauth2 . Source ) . Provider == "openidConnect" {
2021-04-14 14:02:12 +02:00
log . Error ( "You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields" )
}
err = fmt . Errorf ( "OAuth2 Provider %s returned empty or missing fields: %s" , loginSource . Name , missingFields )
ctx . ServerError ( "CreateUser" , err )
return
}
2021-11-24 10:49:20 +01:00
u = & user_model . User {
2021-11-28 04:27:48 +01:00
Name : getUserName ( & gothUser ) ,
FullName : gothUser . Name ,
Email : gothUser . Email ,
IsActive : ! setting . OAuth2Client . RegisterEmailConfirm ,
LoginType : login . OAuth2 ,
LoginSource : loginSource . ID ,
LoginName : gothUser . UserID ,
IsRestricted : setting . Service . DefaultUserIsRestricted ,
2021-04-14 14:02:12 +02:00
}
2021-12-14 09:37:11 +01:00
setUserGroupClaims ( loginSource , u , & gothUser )
2021-04-14 14:02:12 +02:00
if ! createAndHandleCreatedUser ( ctx , base . TplName ( "" ) , nil , u , & gothUser , setting . OAuth2Client . AccountLinking != setting . OAuth2AccountLinkingDisabled ) {
// error already handled
return
}
} else {
// no existing user is found, request attach or new account
showLinkingLogin ( ctx , gothUser )
return
2020-05-17 14:43:29 +02:00
}
2021-04-14 14:02:12 +02:00
}
2021-09-10 18:37:57 +02:00
handleOAuth2SignIn ( ctx , loginSource , u , gothUser )
2021-04-14 14:02:12 +02:00
}
2021-12-14 09:37:11 +01:00
func claimValueToStringSlice ( claimValue interface { } ) [ ] string {
var groups [ ] string
switch rawGroup := claimValue . ( type ) {
case [ ] string :
groups = rawGroup
default :
str := fmt . Sprintf ( "%s" , rawGroup )
groups = strings . Split ( str , "," )
}
return groups
}
func setUserGroupClaims ( loginSource * login . Source , u * user_model . User , gothUser * goth . User ) bool {
source := loginSource . Cfg . ( * oauth2 . Source )
if source . GroupClaimName == "" || ( source . AdminGroup == "" && source . RestrictedGroup == "" ) {
return false
}
groupClaims , has := gothUser . RawData [ source . GroupClaimName ]
if ! has {
return false
}
groups := claimValueToStringSlice ( groupClaims )
wasAdmin , wasRestricted := u . IsAdmin , u . IsRestricted
if source . AdminGroup != "" {
u . IsAdmin = false
}
if source . RestrictedGroup != "" {
u . IsRestricted = false
}
for _ , g := range groups {
if source . AdminGroup != "" && g == source . AdminGroup {
u . IsAdmin = true
} else if source . RestrictedGroup != "" && g == source . RestrictedGroup {
u . IsRestricted = true
}
}
return wasAdmin != u . IsAdmin || wasRestricted != u . IsRestricted
}
2021-04-14 14:02:12 +02:00
func getUserName ( gothUser * goth . User ) string {
switch setting . OAuth2Client . Username {
case setting . OAuth2UsernameEmail :
return strings . Split ( gothUser . Email , "@" ) [ 0 ]
case setting . OAuth2UsernameNickname :
return gothUser . NickName
default : // OAuth2UsernameUserid
return gothUser . UserID
}
}
func showLinkingLogin ( ctx * context . Context , gothUser goth . User ) {
if err := ctx . Session . Set ( "linkAccountGothUser" , gothUser ) ; err != nil {
log . Error ( "Error setting linkAccountGothUser in session: %v" , err )
}
if err := ctx . Session . Release ( ) ; err != nil {
log . Error ( "Error storing session: %v" , err )
}
ctx . Redirect ( setting . AppSubURL + "/user/link_account" )
}
2021-11-24 10:49:20 +01:00
func updateAvatarIfNeed ( url string , u * user_model . User ) {
2021-04-14 14:02:12 +02:00
if setting . OAuth2Client . UpdateAvatar && len ( url ) > 0 {
resp , err := http . Get ( url )
if err == nil {
defer func ( ) {
_ = resp . Body . Close ( )
} ( )
}
// ignore any error
if err == nil && resp . StatusCode == http . StatusOK {
2021-09-22 07:38:34 +02:00
data , err := io . ReadAll ( io . LimitReader ( resp . Body , setting . Avatar . MaxFileSize + 1 ) )
2021-04-14 14:02:12 +02:00
if err == nil && int64 ( len ( data ) ) <= setting . Avatar . MaxFileSize {
2021-11-22 16:21:55 +01:00
_ = user_service . UploadAvatar ( u , data )
2021-04-14 14:02:12 +02:00
}
2019-06-12 21:41:28 +02:00
}
2017-02-22 08:14:37 +01:00
}
2021-04-14 14:02:12 +02:00
}
2021-11-24 10:49:20 +01:00
func handleOAuth2SignIn ( ctx * context . Context , source * login . Source , u * user_model . User , gothUser goth . User ) {
2021-04-14 14:02:12 +02:00
updateAvatarIfNeed ( gothUser . AvatarURL , u )
2017-02-22 08:14:37 +01:00
2021-09-10 18:37:57 +02:00
needs2FA := false
if ! source . Cfg . ( * oauth2 . Source ) . SkipLocalTwoFA {
2021-09-25 15:00:12 +02:00
_ , err := login . GetTwoFactorByUID ( u . ID )
if err != nil && ! login . IsErrTwoFactorNotEnrolled ( err ) {
2019-10-14 08:10:42 +02:00
ctx . ServerError ( "UserSignIn" , err )
return
}
2021-09-10 18:37:57 +02:00
needs2FA = err == nil
}
2017-02-22 08:14:37 +01:00
2021-09-10 18:37:57 +02:00
// If this user is enrolled in 2FA and this source doesn't override it,
// we can't sign the user in just yet. Instead, redirect them to the 2FA authentication page.
if ! needs2FA {
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "uid" , u . ID ) ; err != nil {
log . Error ( "Error setting uid in session: %v" , err )
2019-10-14 08:10:42 +02:00
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "uname" , u . Name ) ; err != nil {
log . Error ( "Error setting uname in session: %v" , err )
}
if err := ctx . Session . Release ( ) ; err != nil {
log . Error ( "Error storing session: %v" , err )
2019-10-14 08:10:42 +02:00
}
2017-02-22 08:14:37 +01:00
2019-10-14 08:10:42 +02:00
// Clear whatever CSRF has right now, force to generate a new one
2021-03-07 09:12:43 +01:00
middleware . DeleteCSRFCookie ( ctx . Resp )
2017-02-22 08:14:37 +01:00
2019-10-14 08:10:42 +02:00
// Register last login
u . SetLastLogin ( )
2021-12-14 09:37:11 +01:00
// Update GroupClaims
changed := setUserGroupClaims ( source , u , & gothUser )
cols := [ ] string { "last_login_unix" }
if changed {
cols = append ( cols , "is_admin" , "is_restricted" )
}
if err := user_model . UpdateUserCols ( db . DefaultContext , u , cols ... ) ; err != nil {
2019-10-14 08:10:42 +02:00
ctx . ServerError ( "UpdateUserCols" , err )
return
}
2017-02-22 08:14:37 +01:00
2019-10-14 08:10:42 +02:00
// update external user information
2021-12-14 09:37:11 +01:00
if err := externalaccount . UpdateExternalUser ( u , gothUser ) ; err != nil {
2019-10-14 08:10:42 +02:00
log . Error ( "UpdateExternalUser failed: %v" , err )
}
2021-12-19 14:31:43 +01:00
if err := resetLocale ( ctx , u ) ; err != nil {
ctx . ServerError ( "resetLocale" , err )
return
}
2019-10-14 08:10:42 +02:00
if redirectTo := ctx . GetCookie ( "redirect_to" ) ; len ( redirectTo ) > 0 {
2021-03-07 09:12:43 +01:00
middleware . DeleteRedirectToCookie ( ctx . Resp )
2019-10-14 08:10:42 +02:00
ctx . RedirectToFirst ( redirectTo )
return
2017-02-22 08:14:37 +01:00
}
2019-10-14 08:10:42 +02:00
ctx . Redirect ( setting . AppSubURL + "/" )
2017-02-22 08:14:37 +01:00
return
}
2021-12-14 09:37:11 +01:00
changed := setUserGroupClaims ( source , u , & gothUser )
if changed {
if err := user_model . UpdateUserCols ( db . DefaultContext , u , "is_admin" , "is_restricted" ) ; err != nil {
ctx . ServerError ( "UpdateUserCols" , err )
return
}
}
2017-02-22 08:14:37 +01:00
// User needs to use 2FA, save data and redirect to 2FA page.
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "twofaUid" , u . ID ) ; err != nil {
log . Error ( "Error setting twofaUid in session: %v" , err )
2019-06-12 21:41:28 +02:00
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "twofaRemember" , false ) ; err != nil {
log . Error ( "Error setting twofaRemember in session: %v" , err )
}
if err := ctx . Session . Release ( ) ; err != nil {
log . Error ( "Error storing session: %v" , err )
2019-06-12 21:41:28 +02:00
}
2018-05-19 16:12:37 +02:00
// If U2F is enrolled -> Redirect to U2F instead
2021-09-25 15:00:12 +02:00
regs , err := login . GetU2FRegistrationsByUID ( u . ID )
2018-05-19 16:12:37 +02:00
if err == nil && len ( regs ) > 0 {
ctx . Redirect ( setting . AppSubURL + "/user/u2f" )
return
}
2017-02-22 08:14:37 +01:00
ctx . Redirect ( setting . AppSubURL + "/user/two_factor" )
}
// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
// login the user
2021-11-24 10:49:20 +01:00
func oAuth2UserLoginCallback ( loginSource * login . Source , request * http . Request , response http . ResponseWriter ) ( * user_model . User , goth . User , error ) {
2021-12-14 09:37:11 +01:00
oauth2Source := loginSource . Cfg . ( * oauth2 . Source )
gothUser , err := oauth2Source . Callback ( request , response )
2017-02-22 08:14:37 +01:00
if err != nil {
2021-11-03 01:33:54 +01:00
if err . Error ( ) == "securecookie: the value is too long" || strings . Contains ( err . Error ( ) , "Data too long" ) {
2020-04-23 00:47:23 +02:00
log . Error ( "OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider" , loginSource . Name , setting . OAuth2 . MaxTokenLength )
err = fmt . Errorf ( "OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider" , loginSource . Name , setting . OAuth2 . MaxTokenLength )
}
2017-02-22 08:14:37 +01:00
return nil , goth . User { } , err
}
2021-12-14 09:37:11 +01:00
if oauth2Source . RequiredClaimName != "" {
claimInterface , has := gothUser . RawData [ oauth2Source . RequiredClaimName ]
if ! has {
return nil , goth . User { } , user_model . ErrUserProhibitLogin { Name : gothUser . UserID }
}
if oauth2Source . RequiredClaimValue != "" {
groups := claimValueToStringSlice ( claimInterface )
found := false
for _ , group := range groups {
if group == oauth2Source . RequiredClaimValue {
found = true
break
}
}
if ! found {
return nil , goth . User { } , user_model . ErrUserProhibitLogin { Name : gothUser . UserID }
}
}
}
2021-11-24 10:49:20 +01:00
user := & user_model . User {
2017-02-22 08:14:37 +01:00
LoginName : gothUser . UserID ,
2021-09-24 13:32:56 +02:00
LoginType : login . OAuth2 ,
2017-02-22 08:14:37 +01:00
LoginSource : loginSource . ID ,
}
2021-11-24 10:49:20 +01:00
hasUser , err := user_model . GetUser ( user )
2017-02-22 08:14:37 +01:00
if err != nil {
return nil , goth . User { } , err
}
if hasUser {
2019-10-14 08:10:42 +02:00
return user , gothUser , nil
2017-02-22 08:14:37 +01:00
}
// search in external linked users
2021-11-28 15:11:58 +01:00
externalLoginUser := & user_model . ExternalLoginUser {
2017-02-22 08:14:37 +01:00
ExternalID : gothUser . UserID ,
LoginSourceID : loginSource . ID ,
}
2021-11-28 15:11:58 +01:00
hasUser , err = user_model . GetExternalLogin ( externalLoginUser )
2017-02-22 08:14:37 +01:00
if err != nil {
return nil , goth . User { } , err
}
if hasUser {
2021-11-24 10:49:20 +01:00
user , err = user_model . GetUserByID ( externalLoginUser . UserID )
2019-10-14 08:10:42 +02:00
return user , gothUser , err
2017-02-22 08:14:37 +01:00
}
// no user found to login
return nil , gothUser , nil
}
// LinkAccount shows the page where the user can decide to login or create a new account
func LinkAccount ( ctx * context . Context ) {
2019-11-09 10:42:34 +01:00
ctx . Data [ "DisablePassword" ] = ! setting . Service . RequireExternalRegistrationPassword || setting . Service . AllowOnlyExternalRegistration
2017-02-22 08:14:37 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "link_account" )
ctx . Data [ "LinkAccountMode" ] = true
2019-07-06 21:48:02 +02:00
ctx . Data [ "EnableCaptcha" ] = setting . Service . EnableCaptcha && setting . Service . RequireExternalRegistrationCaptcha
2021-01-27 15:56:54 +01:00
ctx . Data [ "Captcha" ] = context . GetImageCaptcha ( )
2018-07-05 06:13:05 +02:00
ctx . Data [ "CaptchaType" ] = setting . Service . CaptchaType
2019-05-02 15:09:39 +02:00
ctx . Data [ "RecaptchaURL" ] = setting . Service . RecaptchaURL
2018-07-05 06:13:05 +02:00
ctx . Data [ "RecaptchaSitekey" ] = setting . Service . RecaptchaSitekey
2021-02-28 23:04:15 +01:00
ctx . Data [ "HcaptchaSitekey" ] = setting . Service . HcaptchaSitekey
2017-02-22 08:14:37 +01:00
ctx . Data [ "DisableRegistration" ] = setting . Service . DisableRegistration
2021-05-09 16:13:35 +02:00
ctx . Data [ "AllowOnlyInternalRegistration" ] = setting . Service . AllowOnlyInternalRegistration
2017-02-22 08:14:37 +01:00
ctx . Data [ "ShowRegistrationButton" ] = false
// use this to set the right link into the signIn and signUp templates in the link_account template
ctx . Data [ "SignInLink" ] = setting . AppSubURL + "/user/link_account_signin"
ctx . Data [ "SignUpLink" ] = setting . AppSubURL + "/user/link_account_signup"
gothUser := ctx . Session . Get ( "linkAccountGothUser" )
if gothUser == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , errors . New ( "not in LinkAccount session" ) )
2017-02-22 08:14:37 +01:00
return
}
2021-04-14 14:02:12 +02:00
gu , _ := gothUser . ( goth . User )
uname := getUserName ( & gu )
email := gu . Email
2018-10-28 23:46:16 +01:00
ctx . Data [ "user_name" ] = uname
ctx . Data [ "email" ] = email
if len ( email ) != 0 {
2021-11-24 10:49:20 +01:00
u , err := user_model . GetUserByEmail ( email )
if err != nil && ! user_model . IsErrUserNotExist ( err ) {
2018-10-28 23:46:16 +01:00
ctx . ServerError ( "UserSignIn" , err )
return
}
if u != nil {
ctx . Data [ "user_exists" ] = true
}
} else if len ( uname ) != 0 {
2021-11-24 10:49:20 +01:00
u , err := user_model . GetUserByName ( uname )
if err != nil && ! user_model . IsErrUserNotExist ( err ) {
2018-10-28 23:46:16 +01:00
ctx . ServerError ( "UserSignIn" , err )
return
}
if u != nil {
ctx . Data [ "user_exists" ] = true
}
}
2017-02-22 08:14:37 +01:00
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplLinkAccount )
2017-02-22 08:14:37 +01:00
}
// LinkAccountPostSignIn handle the coupling of external account with another account using signIn
2021-01-26 16:36:53 +01:00
func LinkAccountPostSignIn ( ctx * context . Context ) {
2021-04-06 21:44:05 +02:00
signInForm := web . GetForm ( ctx ) . ( * forms . SignInForm )
2019-11-09 10:42:34 +01:00
ctx . Data [ "DisablePassword" ] = ! setting . Service . RequireExternalRegistrationPassword || setting . Service . AllowOnlyExternalRegistration
2017-02-22 08:14:37 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "link_account" )
ctx . Data [ "LinkAccountMode" ] = true
ctx . Data [ "LinkAccountModeSignIn" ] = true
2019-07-06 21:48:02 +02:00
ctx . Data [ "EnableCaptcha" ] = setting . Service . EnableCaptcha && setting . Service . RequireExternalRegistrationCaptcha
2019-05-02 15:09:39 +02:00
ctx . Data [ "RecaptchaURL" ] = setting . Service . RecaptchaURL
2021-01-27 15:56:54 +01:00
ctx . Data [ "Captcha" ] = context . GetImageCaptcha ( )
2018-07-05 06:13:05 +02:00
ctx . Data [ "CaptchaType" ] = setting . Service . CaptchaType
ctx . Data [ "RecaptchaSitekey" ] = setting . Service . RecaptchaSitekey
2021-02-28 23:04:15 +01:00
ctx . Data [ "HcaptchaSitekey" ] = setting . Service . HcaptchaSitekey
2017-02-22 08:14:37 +01:00
ctx . Data [ "DisableRegistration" ] = setting . Service . DisableRegistration
ctx . Data [ "ShowRegistrationButton" ] = false
// use this to set the right link into the signIn and signUp templates in the link_account template
ctx . Data [ "SignInLink" ] = setting . AppSubURL + "/user/link_account_signin"
ctx . Data [ "SignUpLink" ] = setting . AppSubURL + "/user/link_account_signup"
gothUser := ctx . Session . Get ( "linkAccountGothUser" )
if gothUser == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignIn" , errors . New ( "not in LinkAccount session" ) )
2017-02-22 08:14:37 +01:00
return
}
if ctx . HasError ( ) {
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplLinkAccount )
2017-02-22 08:14:37 +01:00
return
}
2021-09-17 13:43:47 +02:00
u , _ , err := auth . UserSignIn ( signInForm . UserName , signInForm . Password )
2017-02-22 08:14:37 +01:00
if err != nil {
2021-11-24 10:49:20 +01:00
if user_model . IsErrUserNotExist ( err ) {
2019-11-24 21:17:53 +01:00
ctx . Data [ "user_exists" ] = true
2017-02-22 08:14:37 +01:00
ctx . RenderWithErr ( ctx . Tr ( "form.username_password_incorrect" ) , tplLinkAccount , & signInForm )
} else {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserLinkAccount" , err )
2017-02-22 08:14:37 +01:00
}
return
}
2021-04-14 14:02:12 +02:00
linkAccount ( ctx , u , gothUser . ( goth . User ) , signInForm . Remember )
}
2021-11-24 10:49:20 +01:00
func linkAccount ( ctx * context . Context , u * user_model . User , gothUser goth . User , remember bool ) {
2021-04-14 14:02:12 +02:00
updateAvatarIfNeed ( gothUser . AvatarURL , u )
2017-02-22 08:14:37 +01:00
// If this user is enrolled in 2FA, we can't sign the user in just yet.
// Instead, redirect them to the 2FA authentication page.
2021-09-17 13:43:47 +02:00
// We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here
2021-09-25 15:00:12 +02:00
_ , err := login . GetTwoFactorByUID ( u . ID )
2017-02-22 08:14:37 +01:00
if err != nil {
2021-09-25 15:00:12 +02:00
if ! login . IsErrTwoFactorNotEnrolled ( err ) {
2019-10-14 08:10:42 +02:00
ctx . ServerError ( "UserLinkAccount" , err )
return
}
2021-04-14 14:02:12 +02:00
err = externalaccount . LinkAccountToUser ( u , gothUser )
2019-10-14 08:10:42 +02:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserLinkAccount" , err )
2019-10-14 08:10:42 +02:00
return
2017-02-22 08:14:37 +01:00
}
2019-10-14 08:10:42 +02:00
2021-04-14 14:02:12 +02:00
handleSignIn ( ctx , u , remember )
2017-02-22 08:14:37 +01:00
return
}
// User needs to use 2FA, save data and redirect to 2FA page.
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "twofaUid" , u . ID ) ; err != nil {
log . Error ( "Error setting twofaUid in session: %v" , err )
2019-06-12 21:41:28 +02:00
}
2021-04-14 14:02:12 +02:00
if err := ctx . Session . Set ( "twofaRemember" , remember ) ; err != nil {
2020-05-17 14:43:29 +02:00
log . Error ( "Error setting twofaRemember in session: %v" , err )
2019-06-12 21:41:28 +02:00
}
2020-05-17 14:43:29 +02:00
if err := ctx . Session . Set ( "linkAccount" , true ) ; err != nil {
log . Error ( "Error setting linkAccount in session: %v" , err )
}
if err := ctx . Session . Release ( ) ; err != nil {
log . Error ( "Error storing session: %v" , err )
2019-06-12 21:41:28 +02:00
}
2017-02-22 08:14:37 +01:00
2018-05-19 16:12:37 +02:00
// If U2F is enrolled -> Redirect to U2F instead
2021-09-25 15:00:12 +02:00
regs , err := login . GetU2FRegistrationsByUID ( u . ID )
2018-05-19 16:12:37 +02:00
if err == nil && len ( regs ) > 0 {
ctx . Redirect ( setting . AppSubURL + "/user/u2f" )
return
}
2017-02-22 08:14:37 +01:00
ctx . Redirect ( setting . AppSubURL + "/user/two_factor" )
}
// LinkAccountPostRegister handle the creation of a new account for an external account using signUp
2021-01-26 16:36:53 +01:00
func LinkAccountPostRegister ( ctx * context . Context ) {
2021-04-06 21:44:05 +02:00
form := web . GetForm ( ctx ) . ( * forms . RegisterForm )
2019-07-06 21:48:02 +02:00
// TODO Make insecure passwords optional for local accounts also,
// once email-based Second-Factor Auth is available
2019-11-09 10:42:34 +01:00
ctx . Data [ "DisablePassword" ] = ! setting . Service . RequireExternalRegistrationPassword || setting . Service . AllowOnlyExternalRegistration
2017-02-22 08:14:37 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "link_account" )
ctx . Data [ "LinkAccountMode" ] = true
ctx . Data [ "LinkAccountModeRegister" ] = true
2019-07-06 21:48:02 +02:00
ctx . Data [ "EnableCaptcha" ] = setting . Service . EnableCaptcha && setting . Service . RequireExternalRegistrationCaptcha
2019-05-02 15:09:39 +02:00
ctx . Data [ "RecaptchaURL" ] = setting . Service . RecaptchaURL
2021-01-27 15:56:54 +01:00
ctx . Data [ "Captcha" ] = context . GetImageCaptcha ( )
2018-07-05 06:13:05 +02:00
ctx . Data [ "CaptchaType" ] = setting . Service . CaptchaType
ctx . Data [ "RecaptchaSitekey" ] = setting . Service . RecaptchaSitekey
2021-02-28 23:04:15 +01:00
ctx . Data [ "HcaptchaSitekey" ] = setting . Service . HcaptchaSitekey
2017-02-22 08:14:37 +01:00
ctx . Data [ "DisableRegistration" ] = setting . Service . DisableRegistration
ctx . Data [ "ShowRegistrationButton" ] = false
// use this to set the right link into the signIn and signUp templates in the link_account template
ctx . Data [ "SignInLink" ] = setting . AppSubURL + "/user/link_account_signin"
ctx . Data [ "SignUpLink" ] = setting . AppSubURL + "/user/link_account_signup"
2021-05-10 17:31:32 +02:00
gothUserInterface := ctx . Session . Get ( "linkAccountGothUser" )
if gothUserInterface == nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UserSignUp" , errors . New ( "not in LinkAccount session" ) )
2017-02-22 08:14:37 +01:00
return
}
2021-05-10 17:31:32 +02:00
gothUser , ok := gothUserInterface . ( goth . User )
if ! ok {
ctx . ServerError ( "UserSignUp" , fmt . Errorf ( "session linkAccountGothUser type is %t but not goth.User" , gothUserInterface ) )
return
}
2017-02-22 08:14:37 +01:00
if ctx . HasError ( ) {
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplLinkAccount )
2017-02-22 08:14:37 +01:00
return
}
2021-05-09 16:13:35 +02:00
if setting . Service . DisableRegistration || setting . Service . AllowOnlyInternalRegistration {
2021-04-05 17:30:52 +02:00
ctx . Error ( http . StatusForbidden )
2017-02-22 08:14:37 +01:00
return
}
2019-07-06 21:48:02 +02:00
if setting . Service . EnableCaptcha && setting . Service . RequireExternalRegistrationCaptcha {
var valid bool
2020-10-03 05:37:53 +02:00
var err error
2019-07-06 21:48:02 +02:00
switch setting . Service . CaptchaType {
case setting . ImageCaptcha :
2021-01-26 16:36:53 +01:00
valid = context . GetImageCaptcha ( ) . VerifyReq ( ctx . Req )
2019-07-06 21:48:02 +02:00
case setting . ReCaptcha :
2021-05-31 08:18:11 +02:00
valid , err = recaptcha . Verify ( ctx , form . GRecaptchaResponse )
2020-10-03 05:37:53 +02:00
case setting . HCaptcha :
2021-05-31 08:18:11 +02:00
valid , err = hcaptcha . Verify ( ctx , form . HcaptchaResponse )
2019-07-06 21:48:02 +02:00
default :
ctx . ServerError ( "Unknown Captcha Type" , fmt . Errorf ( "Unknown Captcha Type: %s" , setting . Service . CaptchaType ) )
return
}
2020-10-03 05:37:53 +02:00
if err != nil {
log . Debug ( "%s" , err . Error ( ) )
}
2017-02-22 08:14:37 +01:00
2018-07-05 06:13:05 +02:00
if ! valid {
ctx . Data [ "Err_Captcha" ] = true
ctx . RenderWithErr ( ctx . Tr ( "form.captcha_incorrect" ) , tplLinkAccount , & form )
return
}
}
2021-03-17 04:54:02 +01:00
if ! form . IsEmailDomainAllowed ( ) {
ctx . RenderWithErr ( ctx . Tr ( "auth.email_domain_blacklisted" ) , tplLinkAccount , & form )
return
}
2019-07-06 21:48:02 +02:00
if setting . Service . AllowOnlyExternalRegistration || ! setting . Service . RequireExternalRegistrationPassword {
2021-11-24 10:49:20 +01:00
// In user_model.User an empty password is classed as not set, so we set form.Password to empty.
2019-07-06 21:48:02 +02:00
// Eventually the database should be changed to indicate "Second Factor"-enabled accounts
// (accounts that do not introduce the security vulnerabilities of a password).
// If a user decides to circumvent second-factor security, and purposefully create a password,
// they can still do so using the "Recover Account" option.
form . Password = ""
} else {
if ( len ( strings . TrimSpace ( form . Password ) ) > 0 || len ( strings . TrimSpace ( form . Retype ) ) > 0 ) && form . Password != form . Retype {
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( ctx . Tr ( "form.password_not_match" ) , tplLinkAccount , & form )
return
}
if len ( strings . TrimSpace ( form . Password ) ) > 0 && len ( form . Password ) < setting . MinPasswordLength {
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( ctx . Tr ( "auth.password_too_short" , setting . MinPasswordLength ) , tplLinkAccount , & form )
return
}
2017-02-22 08:14:37 +01:00
}
2021-09-24 13:32:56 +02:00
loginSource , err := login . GetActiveOAuth2LoginSourceByName ( gothUser . Provider )
2017-02-22 08:14:37 +01:00
if err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "CreateUser" , err )
2017-02-22 08:14:37 +01:00
}
2021-11-24 10:49:20 +01:00
u := & user_model . User {
2017-02-22 08:14:37 +01:00
Name : form . UserName ,
Email : form . Email ,
Passwd : form . Password ,
2020-12-20 02:31:06 +01:00
IsActive : ! ( setting . Service . RegisterEmailConfirm || setting . Service . RegisterManualConfirm ) ,
2021-09-24 13:32:56 +02:00
LoginType : login . OAuth2 ,
2017-02-22 08:14:37 +01:00
LoginSource : loginSource . ID ,
2021-05-10 17:31:32 +02:00
LoginName : gothUser . UserID ,
2017-02-22 08:14:37 +01:00
}
2021-05-10 17:31:32 +02:00
if ! createAndHandleCreatedUser ( ctx , tplLinkAccount , form , u , & gothUser , false ) {
2021-04-14 14:02:12 +02:00
// error already handled
2017-02-22 08:14:37 +01:00
return
}
ctx . Redirect ( setting . AppSubURL + "/user/login" )
}
2020-05-07 23:49:00 +02:00
// HandleSignOut resets the session and sets the cookies
func HandleSignOut ( ctx * context . Context ) {
2020-05-17 08:05:11 +02:00
_ = ctx . Session . Flush ( )
2021-01-26 16:36:53 +01:00
_ = ctx . Session . Destroy ( ctx . Resp , ctx . Req )
2021-03-07 09:12:43 +01:00
ctx . DeleteCookie ( setting . CookieUserName )
ctx . DeleteCookie ( setting . CookieRememberName )
middleware . DeleteCSRFCookie ( ctx . Resp )
middleware . DeleteLocaleCookie ( ctx . Resp )
middleware . DeleteRedirectToCookie ( ctx . Resp )
2019-04-18 09:23:59 +02:00
}
// SignOut sign out from login status
func SignOut ( ctx * context . Context ) {
2020-05-07 23:49:00 +02:00
if ctx . User != nil {
eventsource . GetManager ( ) . SendMessageBlocking ( ctx . User . ID , & eventsource . Event {
Name : "logout" ,
Data : ctx . Session . ID ( ) ,
} )
}
HandleSignOut ( ctx )
2016-11-27 11:14:25 +01:00
ctx . Redirect ( setting . AppSubURL + "/" )
2014-07-26 06:24:27 +02:00
}
2016-11-18 04:03:03 +01:00
// SignUp render the register page
2016-03-11 17:56:52 +01:00
func SignUp ( ctx * context . Context ) {
2014-07-26 06:24:27 +02:00
ctx . Data [ "Title" ] = ctx . Tr ( "sign_up" )
2017-03-07 11:47:56 +01:00
ctx . Data [ "SignUpLink" ] = setting . AppSubURL + "/user/sign_up"
2015-09-13 17:07:21 +02:00
ctx . Data [ "EnableCaptcha" ] = setting . Service . EnableCaptcha
2019-05-02 15:09:39 +02:00
ctx . Data [ "RecaptchaURL" ] = setting . Service . RecaptchaURL
2021-01-27 15:56:54 +01:00
ctx . Data [ "Captcha" ] = context . GetImageCaptcha ( )
2018-07-05 06:13:05 +02:00
ctx . Data [ "CaptchaType" ] = setting . Service . CaptchaType
ctx . Data [ "RecaptchaSitekey" ] = setting . Service . RecaptchaSitekey
2020-10-03 05:37:53 +02:00
ctx . Data [ "HcaptchaSitekey" ] = setting . Service . HcaptchaSitekey
2020-05-12 20:01:15 +02:00
ctx . Data [ "PageIsSignUp" ] = true
2018-07-05 06:13:05 +02:00
2020-04-29 23:46:43 +02:00
//Show Disabled Registration message if DisableRegistration or AllowOnlyExternalRegistration options are true
ctx . Data [ "DisableRegistration" ] = setting . Service . DisableRegistration || setting . Service . AllowOnlyExternalRegistration
2014-07-26 06:24:27 +02:00
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplSignUp )
2014-07-26 06:24:27 +02:00
}
2016-11-18 04:03:03 +01:00
// SignUpPost response for sign up information submission
2021-01-26 16:36:53 +01:00
func SignUpPost ( ctx * context . Context ) {
2021-04-06 21:44:05 +02:00
form := web . GetForm ( ctx ) . ( * forms . RegisterForm )
2014-07-26 06:24:27 +02:00
ctx . Data [ "Title" ] = ctx . Tr ( "sign_up" )
2017-03-07 11:47:56 +01:00
ctx . Data [ "SignUpLink" ] = setting . AppSubURL + "/user/sign_up"
2015-09-13 17:07:21 +02:00
ctx . Data [ "EnableCaptcha" ] = setting . Service . EnableCaptcha
2019-05-02 15:09:39 +02:00
ctx . Data [ "RecaptchaURL" ] = setting . Service . RecaptchaURL
2021-01-27 15:56:54 +01:00
ctx . Data [ "Captcha" ] = context . GetImageCaptcha ( )
2018-07-05 06:13:05 +02:00
ctx . Data [ "CaptchaType" ] = setting . Service . CaptchaType
ctx . Data [ "RecaptchaSitekey" ] = setting . Service . RecaptchaSitekey
2020-10-03 05:37:53 +02:00
ctx . Data [ "HcaptchaSitekey" ] = setting . Service . HcaptchaSitekey
2020-05-12 20:01:15 +02:00
ctx . Data [ "PageIsSignUp" ] = true
2018-07-05 06:13:05 +02:00
2018-05-13 09:51:16 +02:00
//Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
2020-04-29 23:46:43 +02:00
if setting . Service . DisableRegistration || setting . Service . AllowOnlyExternalRegistration {
2021-04-05 17:30:52 +02:00
ctx . Error ( http . StatusForbidden )
2014-07-26 06:24:27 +02:00
return
}
if ctx . HasError ( ) {
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplSignUp )
2014-07-26 06:24:27 +02:00
return
}
2019-07-06 21:48:02 +02:00
if setting . Service . EnableCaptcha {
var valid bool
2020-10-03 05:37:53 +02:00
var err error
2019-07-06 21:48:02 +02:00
switch setting . Service . CaptchaType {
case setting . ImageCaptcha :
2021-01-26 16:36:53 +01:00
valid = context . GetImageCaptcha ( ) . VerifyReq ( ctx . Req )
2019-07-06 21:48:02 +02:00
case setting . ReCaptcha :
2021-05-31 08:18:11 +02:00
valid , err = recaptcha . Verify ( ctx , form . GRecaptchaResponse )
2020-10-03 05:37:53 +02:00
case setting . HCaptcha :
2021-05-31 08:18:11 +02:00
valid , err = hcaptcha . Verify ( ctx , form . HcaptchaResponse )
2019-07-06 21:48:02 +02:00
default :
ctx . ServerError ( "Unknown Captcha Type" , fmt . Errorf ( "Unknown Captcha Type: %s" , setting . Service . CaptchaType ) )
return
}
2020-10-03 05:37:53 +02:00
if err != nil {
log . Debug ( "%s" , err . Error ( ) )
}
2015-09-13 15:51:51 +02:00
2018-07-05 06:13:05 +02:00
if ! valid {
ctx . Data [ "Err_Captcha" ] = true
ctx . RenderWithErr ( ctx . Tr ( "form.captcha_incorrect" ) , tplSignUp , & form )
return
}
}
2021-02-15 00:31:29 +01:00
if ! form . IsEmailDomainAllowed ( ) {
2018-11-15 02:00:04 +01:00
ctx . RenderWithErr ( ctx . Tr ( "auth.email_domain_blacklisted" ) , tplSignUp , & form )
return
}
2015-09-13 15:51:51 +02:00
if form . Password != form . Retype {
2014-07-26 06:24:27 +02:00
ctx . Data [ "Err_Password" ] = true
2016-11-18 04:03:03 +01:00
ctx . RenderWithErr ( ctx . Tr ( "form.password_not_match" ) , tplSignUp , & form )
2014-07-26 06:24:27 +02:00
return
}
2016-12-24 14:40:44 +01:00
if len ( form . Password ) < setting . MinPasswordLength {
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( ctx . Tr ( "auth.password_too_short" , setting . MinPasswordLength ) , tplSignUp , & form )
return
}
2019-11-09 04:40:37 +01:00
if ! password . IsComplexEnough ( form . Password ) {
ctx . Data [ "Err_Password" ] = true
2019-11-19 23:44:58 +01:00
ctx . RenderWithErr ( password . BuildComplexityError ( ctx ) , tplSignUp , & form )
2019-11-09 04:40:37 +01:00
return
}
2021-05-31 08:18:11 +02:00
pwned , err := password . IsPwned ( ctx , form . Password )
2020-09-09 00:06:39 +02:00
if pwned {
errMsg := ctx . Tr ( "auth.password_pwned" )
if err != nil {
log . Error ( err . Error ( ) )
errMsg = ctx . Tr ( "auth.password_pwned_err" )
}
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( errMsg , tplSignUp , & form )
return
}
2014-07-26 06:24:27 +02:00
2021-11-24 10:49:20 +01:00
u := & user_model . User {
2021-07-15 21:19:48 +02:00
Name : form . UserName ,
Email : form . Email ,
Passwd : form . Password ,
IsActive : ! ( setting . Service . RegisterEmailConfirm || setting . Service . RegisterManualConfirm ) ,
IsRestricted : setting . Service . DefaultUserIsRestricted ,
2014-07-26 06:24:27 +02:00
}
2021-04-14 14:02:12 +02:00
if ! createAndHandleCreatedUser ( ctx , tplSignUp , form , u , nil , false ) {
// error already handled
return
}
ctx . Flash . Success ( ctx . Tr ( "auth.sign_up_successful" ) )
handleSignInFull ( ctx , u , false , true )
}
// createAndHandleCreatedUser calls createUserInContext and
// then handleUserCreated.
2021-11-24 10:49:20 +01:00
func createAndHandleCreatedUser ( ctx * context . Context , tpl base . TplName , form interface { } , u * user_model . User , gothUser * goth . User , allowLink bool ) bool {
2021-04-14 14:02:12 +02:00
if ! createUserInContext ( ctx , tpl , form , u , gothUser , allowLink ) {
return false
}
return handleUserCreated ( ctx , u , gothUser )
}
// createUserInContext creates a user and handles errors within a given context.
// Optionally a template can be specified.
2021-11-24 10:49:20 +01:00
func createUserInContext ( ctx * context . Context , tpl base . TplName , form interface { } , u * user_model . User , gothUser * goth . User , allowLink bool ) ( ok bool ) {
if err := user_model . CreateUser ( u ) ; err != nil {
if allowLink && ( user_model . IsErrUserAlreadyExist ( err ) || user_model . IsErrEmailAlreadyUsed ( err ) ) {
2021-04-14 14:02:12 +02:00
if setting . OAuth2Client . AccountLinking == setting . OAuth2AccountLinkingAuto {
2021-11-24 10:49:20 +01:00
var user * user_model . User
user = & user_model . User { Name : u . Name }
hasUser , err := user_model . GetUser ( user )
2021-04-14 14:02:12 +02:00
if ! hasUser || err != nil {
2021-11-24 10:49:20 +01:00
user = & user_model . User { Email : u . Email }
hasUser , err = user_model . GetUser ( user )
2021-04-14 14:02:12 +02:00
if ! hasUser || err != nil {
ctx . ServerError ( "UserLinkAccount" , err )
return
}
}
2021-04-30 22:21:33 +02:00
// TODO: probably we should respect 'remember' user's choice...
2021-04-14 14:02:12 +02:00
linkAccount ( ctx , user , * gothUser , true )
return // user is already created here, all redirects are handled
} else if setting . OAuth2Client . AccountLinking == setting . OAuth2AccountLinkingLogin {
showLinkingLogin ( ctx , * gothUser )
return // user will be created only after linking login
}
}
// handle error without template
if len ( tpl ) == 0 {
ctx . ServerError ( "CreateUser" , err )
return
}
// handle error with template
2015-03-26 22:11:47 +01:00
switch {
2021-11-24 10:49:20 +01:00
case user_model . IsErrUserAlreadyExist ( err ) :
2014-07-26 06:24:27 +02:00
ctx . Data [ "Err_UserName" ] = true
2021-04-14 14:02:12 +02:00
ctx . RenderWithErr ( ctx . Tr ( "form.username_been_taken" ) , tpl , form )
2021-11-11 08:03:30 +01:00
case user_model . IsErrEmailAlreadyUsed ( err ) :
2014-07-26 06:24:27 +02:00
ctx . Data [ "Err_Email" ] = true
2021-04-14 14:02:12 +02:00
ctx . RenderWithErr ( ctx . Tr ( "form.email_been_used" ) , tpl , form )
2021-11-11 08:03:30 +01:00
case user_model . IsErrEmailInvalid ( err ) :
2020-11-14 17:53:43 +01:00
ctx . Data [ "Err_Email" ] = true
2021-04-14 14:02:12 +02:00
ctx . RenderWithErr ( ctx . Tr ( "form.email_invalid" ) , tpl , form )
2021-11-24 10:49:20 +01:00
case db . IsErrNameReserved ( err ) :
2014-07-26 06:24:27 +02:00
ctx . Data [ "Err_UserName" ] = true
2021-11-24 10:49:20 +01:00
ctx . RenderWithErr ( ctx . Tr ( "user.form.name_reserved" , err . ( db . ErrNameReserved ) . Name ) , tpl , form )
case db . IsErrNamePatternNotAllowed ( err ) :
2015-03-26 22:11:47 +01:00
ctx . Data [ "Err_UserName" ] = true
2021-11-24 10:49:20 +01:00
ctx . RenderWithErr ( ctx . Tr ( "user.form.name_pattern_not_allowed" , err . ( db . ErrNamePatternNotAllowed ) . Pattern ) , tpl , form )
case db . IsErrNameCharsNotAllowed ( err ) :
2021-04-14 14:02:12 +02:00
ctx . Data [ "Err_UserName" ] = true
2021-11-24 10:49:20 +01:00
ctx . RenderWithErr ( ctx . Tr ( "user.form.name_chars_not_allowed" , err . ( db . ErrNameCharsNotAllowed ) . Name ) , tpl , form )
2014-07-26 06:24:27 +02:00
default :
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "CreateUser" , err )
2014-07-26 06:24:27 +02:00
}
return
}
log . Trace ( "Account created: %s" , u . Name )
2021-04-14 14:02:12 +02:00
return true
}
2014-07-26 06:24:27 +02:00
2021-04-14 14:02:12 +02:00
// handleUserCreated does additional steps after a new user is created.
// It auto-sets admin for the only user, updates the optional external user and
// sends a confirmation email if required.
2021-11-24 10:49:20 +01:00
func handleUserCreated ( ctx * context . Context , u * user_model . User , gothUser * goth . User ) ( ok bool ) {
2015-08-18 22:58:45 +02:00
// Auto-set admin for the only user.
2021-11-24 10:49:20 +01:00
if user_model . CountUsers ( ) == 1 {
2015-08-18 22:58:45 +02:00
u . IsAdmin = true
u . IsActive = true
2017-08-12 16:18:44 +02:00
u . SetLastLogin ( )
2021-11-24 10:49:20 +01:00
if err := user_model . UpdateUserCols ( db . DefaultContext , u , "is_admin" , "is_active" , "last_login_unix" ) ; err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "UpdateUser" , err )
2015-08-18 22:58:45 +02:00
return
}
}
2021-04-14 14:02:12 +02:00
// update external user information
if gothUser != nil {
2021-12-14 09:37:11 +01:00
if err := externalaccount . UpdateExternalUser ( u , * gothUser ) ; err != nil {
2021-04-14 14:02:12 +02:00
log . Error ( "UpdateExternalUser failed: %v" , err )
}
}
// Send confirmation email
if ! u . IsActive && u . ID > 1 {
2019-09-24 07:02:49 +02:00
mailer . SendActivateAccountMail ( ctx . Locale , u )
2014-08-10 02:25:02 +02:00
ctx . Data [ "IsSendRegisterMail" ] = true
ctx . Data [ "Email" ] = u . Email
2019-08-15 16:46:21 +02:00
ctx . Data [ "ActiveCodeLives" ] = timeutil . MinutesToFriendly ( setting . Service . ActiveCodeLives , ctx . Locale . Language ( ) )
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , TplActivate )
2014-08-10 02:25:02 +02:00
if err := ctx . Cache . Put ( "MailResendLimit_" + u . LowerName , u . LowerName , 180 ) ; err != nil {
2019-04-02 09:48:31 +02:00
log . Error ( "Set cache(MailResendLimit) fail: %v" , err )
2014-08-10 02:25:02 +02:00
}
return
}
2014-07-26 06:24:27 +02:00
2021-04-14 14:02:12 +02:00
return true
2014-07-26 06:24:27 +02:00
}
2016-11-18 04:03:03 +01:00
// Activate render activate user page
2016-03-11 17:56:52 +01:00
func Activate ( ctx * context . Context ) {
2021-08-11 02:31:13 +02:00
code := ctx . FormString ( "code" )
2020-11-28 23:41:06 +01:00
2014-08-10 06:02:00 +02:00
if len ( code ) == 0 {
ctx . Data [ "IsActivatePage" ] = true
2021-04-30 22:21:33 +02:00
if ctx . User == nil || ctx . User . IsActive {
ctx . NotFound ( "invalid user" , nil )
2014-08-10 06:02:00 +02:00
return
}
2016-07-15 18:36:39 +02:00
// Resend confirmation email.
2014-08-10 06:02:00 +02:00
if setting . Service . RegisterEmailConfirm {
if ctx . Cache . IsExist ( "MailResendLimit_" + ctx . User . LowerName ) {
ctx . Data [ "ResendLimited" ] = true
} else {
2019-08-15 16:46:21 +02:00
ctx . Data [ "ActiveCodeLives" ] = timeutil . MinutesToFriendly ( setting . Service . ActiveCodeLives , ctx . Locale . Language ( ) )
2019-09-24 07:02:49 +02:00
mailer . SendActivateAccountMail ( ctx . Locale , ctx . User )
2014-08-10 06:02:00 +02:00
if err := ctx . Cache . Put ( "MailResendLimit_" + ctx . User . LowerName , ctx . User . LowerName , 180 ) ; err != nil {
2019-04-02 09:48:31 +02:00
log . Error ( "Set cache(MailResendLimit) fail: %v" , err )
2014-08-10 06:02:00 +02:00
}
}
} else {
ctx . Data [ "ServiceNotEnabled" ] = true
}
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , TplActivate )
2014-08-10 06:02:00 +02:00
return
}
2021-11-24 10:49:20 +01:00
user := user_model . VerifyUserActiveCode ( code )
2020-11-28 23:41:06 +01:00
// if code is wrong
if user == nil {
ctx . Data [ "IsActivateFailed" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , TplActivate )
2020-11-28 23:41:06 +01:00
return
}
// if account is local account, verify password
if user . LoginSource == 0 {
2021-04-30 22:21:33 +02:00
ctx . Data [ "Code" ] = code
ctx . Data [ "NeedsPassword" ] = true
ctx . HTML ( http . StatusOK , TplActivate )
return
}
handleAccountActivation ( ctx , user )
}
// ActivatePost handles account activation with password check
func ActivatePost ( ctx * context . Context ) {
2021-08-11 02:31:13 +02:00
code := ctx . FormString ( "code" )
2021-04-30 22:21:33 +02:00
if len ( code ) == 0 {
ctx . Redirect ( setting . AppSubURL + "/user/activate" )
return
}
2021-11-24 10:49:20 +01:00
user := user_model . VerifyUserActiveCode ( code )
2021-04-30 22:21:33 +02:00
// if code is wrong
if user == nil {
ctx . Data [ "IsActivateFailed" ] = true
ctx . HTML ( http . StatusOK , TplActivate )
return
}
// if account is local account, verify password
if user . LoginSource == 0 {
2021-08-11 02:31:13 +02:00
password := ctx . FormString ( "password" )
2020-11-28 23:41:06 +01:00
if len ( password ) == 0 {
ctx . Data [ "Code" ] = code
ctx . Data [ "NeedsPassword" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , TplActivate )
2016-12-20 13:32:02 +01:00
return
}
2020-11-28 23:41:06 +01:00
if ! user . ValidatePassword ( password ) {
ctx . Data [ "IsActivateFailed" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , TplActivate )
2014-08-10 06:02:00 +02:00
return
}
2020-11-28 23:41:06 +01:00
}
2014-08-10 06:02:00 +02:00
2021-04-30 22:21:33 +02:00
handleAccountActivation ( ctx , user )
}
2021-11-24 10:49:20 +01:00
func handleAccountActivation ( ctx * context . Context , user * user_model . User ) {
2020-11-28 23:41:06 +01:00
user . IsActive = true
var err error
2021-11-24 10:49:20 +01:00
if user . Rands , err = user_model . GetUserSalt ( ) ; err != nil {
2020-11-28 23:41:06 +01:00
ctx . ServerError ( "UpdateUser" , err )
return
}
2021-11-24 10:49:20 +01:00
if err := user_model . UpdateUserCols ( db . DefaultContext , user , "is_active" , "rands" ) ; err != nil {
if user_model . IsErrUserNotExist ( err ) {
2021-04-30 22:21:33 +02:00
ctx . NotFound ( "UpdateUserCols" , err )
2020-11-28 23:41:06 +01:00
} else {
ctx . ServerError ( "UpdateUser" , err )
2020-05-17 14:43:29 +02:00
}
2014-08-10 06:02:00 +02:00
return
}
2021-11-28 15:11:58 +01:00
if err := user_model . ActivateUserEmail ( user . ID , user . Email , true ) ; err != nil {
2021-07-13 22:59:27 +02:00
log . Error ( "Unable to activate email for user: %-v with email: %s: %v" , user , user . Email , err )
ctx . ServerError ( "ActivateUserEmail" , err )
return
}
2020-11-28 23:41:06 +01:00
log . Trace ( "User activated: %s" , user . Name )
if err := ctx . Session . Set ( "uid" , user . ID ) ; err != nil {
2021-07-13 22:59:27 +02:00
log . Error ( "Error setting uid in session[%s]: %v" , ctx . Session . ID ( ) , err )
2020-11-28 23:41:06 +01:00
}
if err := ctx . Session . Set ( "uname" , user . Name ) ; err != nil {
2021-07-13 22:59:27 +02:00
log . Error ( "Error setting uname in session[%s]: %v" , ctx . Session . ID ( ) , err )
2020-11-28 23:41:06 +01:00
}
if err := ctx . Session . Release ( ) ; err != nil {
2021-07-13 22:59:27 +02:00
log . Error ( "Error storing session[%s]: %v" , ctx . Session . ID ( ) , err )
2020-11-28 23:41:06 +01:00
}
2021-12-19 14:31:43 +01:00
if err := resetLocale ( ctx , user ) ; err != nil {
ctx . ServerError ( "resetLocale" , err )
return
}
2020-11-28 23:41:06 +01:00
ctx . Flash . Success ( ctx . Tr ( "auth.account_activated" ) )
ctx . Redirect ( setting . AppSubURL + "/" )
2014-07-26 06:24:27 +02:00
}
2016-11-18 04:03:03 +01:00
// ActivateEmail render the activate email page
2016-03-11 17:56:52 +01:00
func ActivateEmail ( ctx * context . Context ) {
2021-08-11 02:31:13 +02:00
code := ctx . FormString ( "code" )
emailStr := ctx . FormString ( "email" )
2014-12-17 16:41:49 +01:00
// Verify code.
2021-11-28 15:11:58 +01:00
if email := user_model . VerifyActiveEmailCode ( code , emailStr ) ; email != nil {
if err := user_model . ActivateEmail ( email ) ; err != nil {
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "ActivateEmail" , err )
2014-12-17 16:41:49 +01:00
}
log . Trace ( "Email activated: %s" , email . Email )
2015-11-19 17:52:39 +01:00
ctx . Flash . Success ( ctx . Tr ( "settings.add_email_success" ) )
2020-03-02 19:25:36 +01:00
2021-11-24 10:49:20 +01:00
if u , err := user_model . GetUserByID ( email . UID ) ; err != nil {
2020-03-02 19:25:36 +01:00
log . Warn ( "GetUserByID: %d" , email . UID )
} else {
// Allow user to validate more emails
_ = ctx . Cache . Delete ( "MailResendLimit_" + u . LowerName )
}
2014-12-17 16:41:49 +01:00
}
2020-03-02 19:25:36 +01:00
// FIXME: e-mail verification does not require the user to be logged in,
// so this could be redirecting to the login page.
// Should users be logged in automatically here? (consider 2FA requirements, etc.)
2020-03-01 00:46:20 +01:00
ctx . Redirect ( setting . AppSubURL + "/user/settings/account" )
2014-12-17 16:41:49 +01:00
}
2021-07-08 13:38:13 +02:00
// ForgotPasswd render the forget password page
2016-03-11 17:56:52 +01:00
func ForgotPasswd ( ctx * context . Context ) {
2017-02-20 19:27:20 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "auth.forgot_password_title" )
2014-07-26 06:24:27 +02:00
if setting . MailService == nil {
2021-06-26 06:16:36 +02:00
log . Warn ( ctx . Tr ( "auth.disable_forgot_password_mail_admin" ) )
2014-07-26 06:24:27 +02:00
ctx . Data [ "IsResetDisable" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplForgotPassword )
2014-07-26 06:24:27 +02:00
return
}
2021-08-11 17:08:52 +02:00
ctx . Data [ "Email" ] = ctx . FormString ( "email" )
2017-03-11 10:11:54 +01:00
2014-07-26 06:24:27 +02:00
ctx . Data [ "IsResetRequest" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplForgotPassword )
2014-07-26 06:24:27 +02:00
}
2016-11-18 04:03:03 +01:00
// ForgotPasswdPost response for forget password request
2016-03-11 17:56:52 +01:00
func ForgotPasswdPost ( ctx * context . Context ) {
2017-02-20 19:27:20 +01:00
ctx . Data [ "Title" ] = ctx . Tr ( "auth.forgot_password_title" )
2014-08-10 06:02:00 +02:00
if setting . MailService == nil {
2018-01-10 22:34:17 +01:00
ctx . NotFound ( "ForgotPasswdPost" , nil )
2014-08-10 06:02:00 +02:00
return
}
ctx . Data [ "IsResetRequest" ] = true
2021-08-11 02:31:13 +02:00
email := ctx . FormString ( "email" )
2015-09-17 20:57:24 +02:00
ctx . Data [ "Email" ] = email
2021-11-24 10:49:20 +01:00
u , err := user_model . GetUserByEmail ( email )
2014-08-10 06:02:00 +02:00
if err != nil {
2021-11-24 10:49:20 +01:00
if user_model . IsErrUserNotExist ( err ) {
2019-08-15 16:46:21 +02:00
ctx . Data [ "ResetPwdCodeLives" ] = timeutil . MinutesToFriendly ( setting . Service . ResetPwdCodeLives , ctx . Locale . Language ( ) )
2016-10-17 04:08:40 +02:00
ctx . Data [ "IsResetSent" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplForgotPassword )
2016-10-17 04:08:40 +02:00
return
2014-08-10 06:02:00 +02:00
}
2016-11-18 04:03:03 +01:00
2018-01-10 22:34:17 +01:00
ctx . ServerError ( "user.ResetPasswd(check existence)" , err )
2014-08-10 06:02:00 +02:00
return
}
2017-02-22 08:14:37 +01:00
if ! u . IsLocal ( ) && ! u . IsOAuth2 ( ) {
2016-03-14 15:40:16 +01:00
ctx . Data [ "Err_Email" ] = true
2016-11-18 04:03:03 +01:00
ctx . RenderWithErr ( ctx . Tr ( "auth.non_local_account" ) , tplForgotPassword , nil )
2016-03-14 15:40:16 +01:00
return
}
2014-08-10 06:02:00 +02:00
if ctx . Cache . IsExist ( "MailResendLimit_" + u . LowerName ) {
ctx . Data [ "ResendLimited" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplForgotPassword )
2014-08-10 06:02:00 +02:00
return
}
2021-04-02 12:25:13 +02:00
mailer . SendResetPasswordMail ( u )
2019-09-24 07:02:49 +02:00
2014-08-10 06:02:00 +02:00
if err = ctx . Cache . Put ( "MailResendLimit_" + u . LowerName , u . LowerName , 180 ) ; err != nil {
2019-04-02 09:48:31 +02:00
log . Error ( "Set cache(MailResendLimit) fail: %v" , err )
2014-08-10 06:02:00 +02:00
}
2019-08-15 16:46:21 +02:00
ctx . Data [ "ResetPwdCodeLives" ] = timeutil . MinutesToFriendly ( setting . Service . ResetPwdCodeLives , ctx . Locale . Language ( ) )
2014-08-10 06:02:00 +02:00
ctx . Data [ "IsResetSent" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplForgotPassword )
2014-07-26 06:24:27 +02:00
}
2021-11-24 10:49:20 +01:00
func commonResetPassword ( ctx * context . Context ) ( * user_model . User , * login . TwoFactor ) {
2021-08-11 02:31:13 +02:00
code := ctx . FormString ( "code" )
2019-04-18 09:23:59 +02:00
2014-08-10 06:02:00 +02:00
ctx . Data [ "Title" ] = ctx . Tr ( "auth.reset_password" )
2019-04-18 09:23:59 +02:00
ctx . Data [ "Code" ] = code
if nil != ctx . User {
ctx . Data [ "user_signed_in" ] = true
}
2014-07-26 06:24:27 +02:00
if len ( code ) == 0 {
2019-04-18 09:23:59 +02:00
ctx . Flash . Error ( ctx . Tr ( "auth.invalid_code" ) )
2020-01-19 21:17:12 +01:00
return nil , nil
2014-07-26 06:24:27 +02:00
}
2019-02-20 00:09:47 +01:00
2019-04-18 09:23:59 +02:00
// Fail early, don't frustrate the user
2021-11-24 10:49:20 +01:00
u := user_model . VerifyUserActiveCode ( code )
2019-04-18 09:23:59 +02:00
if u == nil {
ctx . Flash . Error ( ctx . Tr ( "auth.invalid_code" ) )
2020-01-19 21:17:12 +01:00
return nil , nil
}
2021-09-25 15:00:12 +02:00
twofa , err := login . GetTwoFactorByUID ( u . ID )
2020-01-19 21:17:12 +01:00
if err != nil {
2021-09-25 15:00:12 +02:00
if ! login . IsErrTwoFactorNotEnrolled ( err ) {
2020-01-19 21:17:12 +01:00
ctx . Error ( http . StatusInternalServerError , "CommonResetPassword" , err . Error ( ) )
return nil , nil
}
} else {
ctx . Data [ "has_two_factor" ] = true
2021-07-29 03:42:15 +02:00
ctx . Data [ "scratch_code" ] = ctx . FormBool ( "scratch_code" )
2019-02-20 00:09:47 +01:00
}
2019-04-18 09:23:59 +02:00
// Show the user that they are affecting the account that they intended to
ctx . Data [ "user_email" ] = u . Email
if nil != ctx . User && u . ID != ctx . User . ID {
ctx . Flash . Error ( ctx . Tr ( "auth.reset_password_wrong_user" , ctx . User . Email , u . Email ) )
2020-01-19 21:17:12 +01:00
return nil , nil
2019-04-18 09:23:59 +02:00
}
2020-01-19 21:17:12 +01:00
return u , twofa
2019-04-18 09:23:59 +02:00
}
// ResetPasswd render the account recovery page
func ResetPasswd ( ctx * context . Context ) {
ctx . Data [ "IsResetForm" ] = true
commonResetPassword ( ctx )
2020-01-19 21:17:12 +01:00
if ctx . Written ( ) {
return
}
2019-04-18 09:23:59 +02:00
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplResetPassword )
2014-07-26 06:24:27 +02:00
}
2019-04-18 09:23:59 +02:00
// ResetPasswdPost response from account recovery request
2016-03-11 17:56:52 +01:00
func ResetPasswdPost ( ctx * context . Context ) {
2020-01-19 21:17:12 +01:00
u , twofa := commonResetPassword ( ctx )
if ctx . Written ( ) {
return
}
2014-08-10 06:02:00 +02:00
2019-04-18 09:23:59 +02:00
if u == nil {
// Flash error has been set
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplResetPassword )
2014-08-10 06:02:00 +02:00
return
}
2019-04-18 09:23:59 +02:00
// Validate password length.
2021-08-11 02:31:13 +02:00
passwd := ctx . FormString ( "password" )
2019-04-18 09:23:59 +02:00
if len ( passwd ) < setting . MinPasswordLength {
ctx . Data [ "IsResetForm" ] = true
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( ctx . Tr ( "auth.password_too_short" , setting . MinPasswordLength ) , tplResetPassword , nil )
return
2019-10-14 17:24:26 +02:00
} else if ! password . IsComplexEnough ( passwd ) {
ctx . Data [ "IsResetForm" ] = true
ctx . Data [ "Err_Password" ] = true
2019-11-19 23:44:58 +01:00
ctx . RenderWithErr ( password . BuildComplexityError ( ctx ) , tplResetPassword , nil )
2019-10-14 17:24:26 +02:00
return
2021-05-31 08:18:11 +02:00
} else if pwned , err := password . IsPwned ( ctx , passwd ) ; pwned || err != nil {
2020-09-09 00:06:39 +02:00
errMsg := ctx . Tr ( "auth.password_pwned" )
if err != nil {
log . Error ( err . Error ( ) )
errMsg = ctx . Tr ( "auth.password_pwned_err" )
}
ctx . Data [ "IsResetForm" ] = true
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( errMsg , tplResetPassword , nil )
return
2019-04-18 09:23:59 +02:00
}
2014-08-10 06:02:00 +02:00
2020-01-19 21:17:12 +01:00
// Handle two-factor
regenerateScratchToken := false
if twofa != nil {
2021-07-29 03:42:15 +02:00
if ctx . FormBool ( "scratch_code" ) {
2021-08-11 02:31:13 +02:00
if ! twofa . VerifyScratchToken ( ctx . FormString ( "token" ) ) {
2020-01-19 21:17:12 +01:00
ctx . Data [ "IsResetForm" ] = true
ctx . Data [ "Err_Token" ] = true
ctx . RenderWithErr ( ctx . Tr ( "auth.twofa_scratch_token_incorrect" ) , tplResetPassword , nil )
return
}
regenerateScratchToken = true
} else {
2021-08-11 02:31:13 +02:00
passcode := ctx . FormString ( "passcode" )
2020-01-19 21:17:12 +01:00
ok , err := twofa . ValidateTOTP ( passcode )
if err != nil {
ctx . Error ( http . StatusInternalServerError , "ValidateTOTP" , err . Error ( ) )
return
}
if ! ok || twofa . LastUsedPasscode == passcode {
ctx . Data [ "IsResetForm" ] = true
ctx . Data [ "Err_Passcode" ] = true
ctx . RenderWithErr ( ctx . Tr ( "auth.twofa_passcode_incorrect" ) , tplResetPassword , nil )
return
}
twofa . LastUsedPasscode = passcode
2021-09-25 15:00:12 +02:00
if err = login . UpdateTwoFactor ( twofa ) ; err != nil {
2020-01-19 21:17:12 +01:00
ctx . ServerError ( "ResetPasswdPost: UpdateTwoFactor" , err )
return
}
}
}
2019-04-18 09:23:59 +02:00
var err error
2021-11-24 10:49:20 +01:00
if u . Rands , err = user_model . GetUserSalt ( ) ; err != nil {
2019-04-18 09:23:59 +02:00
ctx . ServerError ( "UpdateUser" , err )
return
}
2021-01-10 19:05:18 +01:00
if err = u . SetPassword ( passwd ) ; err != nil {
2019-04-18 09:23:59 +02:00
ctx . ServerError ( "UpdateUser" , err )
return
}
u . MustChangePassword = false
2021-11-24 10:49:20 +01:00
if err := user_model . UpdateUserCols ( db . DefaultContext , u , "must_change_password" , "passwd" , "passwd_hash_algo" , "rands" , "salt" ) ; err != nil {
2019-04-18 09:23:59 +02:00
ctx . ServerError ( "UpdateUser" , err )
2014-08-10 06:02:00 +02:00
return
}
2019-04-18 09:23:59 +02:00
log . Trace ( "User password reset: %s" , u . Name )
2014-08-10 06:02:00 +02:00
ctx . Data [ "IsResetFailed" ] = true
2021-08-11 02:31:13 +02:00
remember := len ( ctx . FormString ( "remember" ) ) != 0
2020-01-19 21:17:12 +01:00
if regenerateScratchToken {
// Invalidate the scratch token.
_ , err = twofa . GenerateScratchToken ( )
if err != nil {
ctx . ServerError ( "UserSignIn" , err )
return
}
2021-09-25 15:00:12 +02:00
if err = login . UpdateTwoFactor ( twofa ) ; err != nil {
2020-01-19 21:17:12 +01:00
ctx . ServerError ( "UserSignIn" , err )
return
}
handleSignInFull ( ctx , u , remember , false )
ctx . Flash . Info ( ctx . Tr ( "auth.twofa_scratch_used" ) )
ctx . Redirect ( setting . AppSubURL + "/user/settings/security" )
return
}
2019-04-18 09:23:59 +02:00
handleSignInFull ( ctx , u , remember , true )
2014-07-26 06:24:27 +02:00
}
2018-09-13 14:04:25 +02:00
// MustChangePassword renders the page to change a user's password
func MustChangePassword ( ctx * context . Context ) {
ctx . Data [ "Title" ] = ctx . Tr ( "auth.must_change_password" )
ctx . Data [ "ChangePasscodeLink" ] = setting . AppSubURL + "/user/settings/change_password"
2020-05-27 00:39:39 +02:00
ctx . Data [ "MustChangePassword" ] = true
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplMustChangePassword )
2018-09-13 14:04:25 +02:00
}
// MustChangePasswordPost response for updating a user's password after his/her
// account was created by an admin
2021-01-26 16:36:53 +01:00
func MustChangePasswordPost ( ctx * context . Context ) {
2021-04-06 21:44:05 +02:00
form := web . GetForm ( ctx ) . ( * forms . MustChangePasswordForm )
2018-09-13 14:04:25 +02:00
ctx . Data [ "Title" ] = ctx . Tr ( "auth.must_change_password" )
ctx . Data [ "ChangePasscodeLink" ] = setting . AppSubURL + "/user/settings/change_password"
if ctx . HasError ( ) {
2021-04-05 17:30:52 +02:00
ctx . HTML ( http . StatusOK , tplMustChangePassword )
2018-09-13 14:04:25 +02:00
return
}
u := ctx . User
// Make sure only requests for users who are eligible to change their password via
// this method passes through
if ! u . MustChangePassword {
ctx . ServerError ( "MustUpdatePassword" , errors . New ( "cannot update password.. Please visit the settings page" ) )
return
}
if form . Password != form . Retype {
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( ctx . Tr ( "form.password_not_match" ) , tplMustChangePassword , & form )
return
}
if len ( form . Password ) < setting . MinPasswordLength {
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( ctx . Tr ( "auth.password_too_short" , setting . MinPasswordLength ) , tplMustChangePassword , & form )
return
}
2021-12-17 03:03:39 +01:00
if ! password . IsComplexEnough ( form . Password ) {
ctx . Data [ "Err_Password" ] = true
ctx . RenderWithErr ( password . BuildComplexityError ( ctx ) , tplMustChangePassword , & form )
return
}
pwned , err := password . IsPwned ( ctx , form . Password )
if pwned {
ctx . Data [ "Err_Password" ] = true
errMsg := ctx . Tr ( "auth.password_pwned" )
if err != nil {
log . Error ( err . Error ( ) )
errMsg = ctx . Tr ( "auth.password_pwned_err" )
}
ctx . RenderWithErr ( errMsg , tplMustChangePassword , & form )
return
}
2018-09-13 14:04:25 +02:00
2021-01-10 19:05:18 +01:00
if err = u . SetPassword ( form . Password ) ; err != nil {
2018-09-13 14:04:25 +02:00
ctx . ServerError ( "UpdateUser" , err )
return
}
u . MustChangePassword = false
2021-11-24 10:49:20 +01:00
if err := user_model . UpdateUserCols ( db . DefaultContext , u , "must_change_password" , "passwd" , "passwd_hash_algo" , "salt" ) ; err != nil {
2018-09-13 14:04:25 +02:00
ctx . ServerError ( "UpdateUser" , err )
return
}
ctx . Flash . Success ( ctx . Tr ( "settings.change_password_success" ) )
log . Trace ( "User updated password: %s" , u . Name )
2020-08-11 22:05:34 +02:00
if redirectTo := ctx . GetCookie ( "redirect_to" ) ; len ( redirectTo ) > 0 && ! utils . IsExternalURL ( redirectTo ) {
2021-03-07 09:12:43 +01:00
middleware . DeleteRedirectToCookie ( ctx . Resp )
2018-09-13 14:04:25 +02:00
ctx . RedirectToFirst ( redirectTo )
return
}
ctx . Redirect ( setting . AppSubURL + "/" )
}