D5074.1775300690.diff
Authored By
Unknown
diff --git a/src/app/Http/Controllers/API/V4/NGINXController.php b/src/app/Http/Controllers/API/V4/NGINXController.php
--- a/src/app/Http/Controllers/API/V4/NGINXController.php
+++ b/src/app/Http/Controllers/API/V4/NGINXController.php
@@ -76,15 +76,6 @@
throw new \Exception("No client ip");
}
- if ($userid = AuthUtils::tokenValidate($password)) {
- $user = User::find($userid);
- if ($user && $user->email == $login) {
- return $user;
- }
-
- throw new \Exception("Password mismatch");
- }
-
$result = User::findAndAuthenticate($login, $password, $clientIP);
if (empty($result['user'])) {
diff --git a/src/app/User.php b/src/app/User.php
--- a/src/app/User.php
+++ b/src/app/User.php
@@ -3,6 +3,7 @@
namespace App;
use App\AuthAttempt;
+use App\Auth\Utils as AuthUtils;
use App\Traits\AliasesTrait;
use App\Traits\BelongsToTenantTrait;
use App\Traits\EntitleableTrait;
@@ -815,11 +816,19 @@
if (!$user) {
$error = AuthAttempt::REASON_NOTFOUND;
- }
-
- // Check user password
- if (!$error && !$user->validateCredentials($username, $password)) {
- $error = AuthAttempt::REASON_PASSWORD;
+ } else {
+ if ($userid = AuthUtils::tokenValidate($password)) {
+ if ($user->id == $userid) {
+ $verifyMFA = false;
+ } else {
+ $error = AuthAttempt::REASON_PASSWORD;
+ }
+ } else {
+ // Check user password
+ if (!$user->validateCredentials($username, $password)) {
+ $error = AuthAttempt::REASON_PASSWORD;
+ }
+ }
}
if ($verifyMFA) {
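Review bot: `if ($user->id == $userid)` in the new token branch compares the two ids loosely, and the return type of `AuthUtils::tokenValidate()` is not visible here; an explicit strict compare such as `if ((int) $user->id === (int) $userid)` would make the match unambiguous regardless of whether the token carries the id as a string or an int. The same branch sets `$verifyMFA = false` without saying why a token login may skip the second factor; a comment like `// Tokens are presumably issued only after a completed login (including MFA) — confirm against the tokenCreate() callers before relying on this` would record that assumption for the next reader. It is also worth noting in that comment that a string which validates as a token for a different user is rejected outright and never retried as a password, which is the safer choice. findAndAuthenticate() starts and ends outside the hunk, so where `$verifyMFA` is initialised and consumed cannot be checked from here.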
diff --git a/src/tests/Feature/UserTest.php b/src/tests/Feature/UserTest.php
--- a/src/tests/Feature/UserTest.php
+++ b/src/tests/Feature/UserTest.php
@@ -9,6 +9,7 @@
use App\PackageSku;
use App\Sku;
use App\User;
+use App\Auth\Utils as AuthUtils;
use Carbon\Carbon;
use Illuminate\Support\Facades\Queue;
use Tests\TestCase;
@@ -1575,4 +1576,21 @@
$this->assertCount(1, $ned->wallets);
$this->assertInstanceOf(\App\Wallet::class, $ned->wallets->first());
}
+
+ /**
+ * Tests for User::findAndAuthenticate()
+ */
+ public function testFindAndAuthenticate(): void
+ {
+ $user = $this->getTestUser('john@kolab.org');
+
+ // Ensure we validate a token for the user:
+ $token = AuthUtils::tokenCreate($user->id);
+ $this->assertTrue(isset(User::findAndAuthenticate($user->email, $token)['user']));
+
+ // Ensure we don't validate a token for another user:
+ $token = AuthUtils::tokenCreate($this->getTestUser('ned@kolab.org')->id);
+ $this->assertFalse(isset(User::findAndAuthenticate($user->email, $token)['user']));
+ }
+
}
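Review bot: testFindAndAuthenticate() only checks that a token minted for another user yields no `'user'` entry; it does not assert which failure reason the method reports, so a regression that rejects the token for the wrong reason (or reports nothing) would still pass. Asserting the reported reason equals `AuthAttempt::REASON_PASSWORD` for the second call would pin the branch added in User.php — the key under which findAndAuthenticate() returns the reason is not visible in this diff, so use the one the method actually returns. A third case with a plain wrong password for the same user would confirm the token path has not weakened the existing password check, and a case with an MFA-enabled user would cover the `$verifyMFA = false` path, which is otherwise untested here.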
