Check auth plugin result

2020-04-27 11:42:01 +02:00 · 2020-04-27 11:42:01 +02:00 · 98813e69bc
parent 829b794a85
commit 98813e69bc
3 changed files with 110 additions and 2 deletions
--- a/server/lib/auth.ts
+++ b/server/lib/auth.ts
@ -7,6 +7,7 @@ import { logger } from '@server/helpers/logger'
 import { UserRole } from '@shared/models'
 import { revokeToken } from '@server/lib/oauth-model'
 import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
+import { isUserUsernameValid, isUserRoleValid, isUserDisplayNameValid } from '@server/helpers/custom-validators/users'

 const oAuthServer = new OAuthServer({
  useErrorHandler: true,
@ -120,10 +121,12 @@ async function proxifyPasswordGrant (req: express.Request, res: express.Response

  for (const pluginAuth of pluginAuths) {
    const authOptions = pluginAuth.registerAuthOptions
+    const authName = authOptions.authName
+    const npmName = pluginAuth.npmName

    logger.debug(
      'Using auth method %s of plugin %s to login %s with weight %d.',
-      authOptions.authName, pluginAuth.npmName, loginOptions.id, authOptions.getWeight()
+      authName, npmName, loginOptions.id, authOptions.getWeight()
    )

    try {
@ -131,9 +134,31 @@ async function proxifyPasswordGrant (req: express.Request, res: express.Response
      if (loginResult) {
        logger.info(
          'Login success with auth method %s of plugin %s for %s.',
-          authOptions.authName, pluginAuth.npmName, loginOptions.id
+          authName, npmName, loginOptions.id
        )

+        if (!isUserUsernameValid(loginResult.username)) {
+          logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { loginResult })
+          continue
+        }
+
+        if (!loginResult.email) {
+          logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { loginResult })
+          continue
+        }
+
+        // role is optional
+        if (loginResult.role && !isUserRoleValid(loginResult.role)) {
+          logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { loginResult })
+          continue
+        }
+
+        // display name is optional
+        if (loginResult.displayName && !isUserDisplayNameValid(loginResult.displayName)) {
+          logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { loginResult })
+          continue
+        }
+
        res.locals.bypassLogin = {
          bypass: true,
          pluginName: pluginAuth.npmName,
--- a/server/tests/fixtures/peertube-plugin-test-id-pass-auth-three/main.js
+++ b/server/tests/fixtures/peertube-plugin-test-id-pass-auth-three/main.js
@ -23,6 +23,75 @@ async function register ({
      return null
    }
  })
+
+  registerIdAndPassAuth({
+    authName: 'ward-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'ward') {
+        return Promise.resolve({
+          username: 'ward-42',
+          email: 'ward@example.com'
+        })
+      }
+
+      return null
+    }
+  })
+
+  registerIdAndPassAuth({
+    authName: 'kiros-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'kiros') {
+        return Promise.resolve({
+          username: 'kiros',
+          email: 'kiros@example.com',
+          displayName: 'a'.repeat(5000)
+        })
+      }
+
+      return null
+    }
+  })
+
+  registerIdAndPassAuth({
+    authName: 'raine-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'raine') {
+        return Promise.resolve({
+          username: 'raine',
+          email: 'raine@example.com',
+          role: 42
+        })
+      }
+
+      return null
+    }
+  })
+
+  registerIdAndPassAuth({
+    authName: 'ellone-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'ellone') {
+        return Promise.resolve({
+          username: 'ellone'
+        })
+      }
+
+      return null
+    }
+  })
 }

 async function unregister () {
--- a/server/tests/plugins/id-and-pass-auth.ts
+++ b/server/tests/plugins/id-and-pass-auth.ts
@ -151,6 +151,20 @@ describe('Test id and pass auth plugins', function () {
    await getMyUserInformation(server.url, lagunaAccessToken, 401)
  })

+  it('Should reject an invalid username, email, role or display name', async function () {
+    await userLogin(server, { username: 'ward', password: 'ward password' }, 400)
+    await waitUntilLog(server, 'valid username')
+
+    await userLogin(server, { username: 'kiros', password: 'kiros password' }, 400)
+    await waitUntilLog(server, 'valid display name')
+
+    await userLogin(server, { username: 'raine', password: 'raine password' }, 400)
+    await waitUntilLog(server, 'valid role')
+
+    await userLogin(server, { username: 'ellone', password: 'elonne password' }, 400)
+    await waitUntilLog(server, 'valid email')
+  })
+
  it('Should uninstall the plugin one and do not login existing Crash', async function () {
    await uninstallPlugin({
      url: server.url,