

Log the real reason when authentication fails (but don't show the user) (#25414)

authored by

Lunny Xiao and committed by
GitHub
0403bd98 ad57be04

+68 -14
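--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -201,7 +201,7 @@
 
 	u, source, err := auth_service.UserSignIn(form.UserName, form.Password)
 	if err != nil {
-		if user_model.IsErrUserNotExist(err) || user_model.IsErrEmailAddressNotExist(err) {
+		if errors.Is(err, util.ErrNotExist) || errors.Is(err, util.ErrInvalidArgument) {
 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
 			log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
 		} else if user_model.IsErrEmailAlreadyUsed(err) {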
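Review bot: The new condition relies on user_model.ErrUserNotExist and ErrEmailAddressNotExist unwrapping to util.ErrNotExist, which this hunk does not show; if either type lacks such an Unwrap, a wrong username or e-mail would fall through to the later branches instead of the generic message. The line deserves a comment stating the intent, e.g. `// Unknown user, unknown e-mail and wrong password all render the same message so the response does not reveal whether the account exists; the real cause goes to the log only.` The enclosing function's body starts and ends outside the hunk.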
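--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -13,7 +13,9 @@
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	auth_service "code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
@@ -81,6 +83,34 @@
 	ctx.HTML(http.StatusOK, tplLinkAccount)
 }
 
+func handleSignInError(ctx *context.Context, userName string, ptrForm any, tmpl base.TplName, invoker string, err error) {
+	if errors.Is(err, util.ErrNotExist) {
+		ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tmpl, ptrForm)
+	} else if errors.Is(err, util.ErrInvalidArgument) {
+		ctx.Data["user_exists"] = true
+		ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tmpl, ptrForm)
+	} else if user_model.IsErrUserProhibitLogin(err) {
+		ctx.Data["user_exists"] = true
+		log.Info("Failed authentication attempt for %s from %s: %v", userName, ctx.RemoteAddr(), err)
+		ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+		ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+	} else if user_model.IsErrUserInactive(err) {
+		ctx.Data["user_exists"] = true
+		if setting.Service.RegisterEmailConfirm {
+			ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+			ctx.HTML(http.StatusOK, TplActivate)
+		} else {
+			log.Info("Failed authentication attempt for %s from %s: %v", userName, ctx.RemoteAddr(), err)
+			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+			ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+		}
+	} else {
+		ctx.ServerError(invoker, err)
+	}
+}
+
 // LinkAccountPostSignIn handle the coupling of external account with another account using signIn
 func LinkAccountPostSignIn(ctx *context.Context) {
 	signInForm := web.GetForm(ctx).(*forms.SignInForm)
@@ -116,12 +144,7 @@
 
 	u, _, err := auth_service.UserSignIn(signInForm.UserName, signInForm.Password)
 	if err != nil {
-		if user_model.IsErrUserNotExist(err) {
-			ctx.Data["user_exists"] = true
-			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
-		} else {
-			ctx.ServerError("UserLinkAccount", err)
-		}
+		handleSignInError(ctx, signInForm.UserName, &signInForm, tplLinkAccount, "UserLinkAccount", err)
 		return
 	}
 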
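Review bot: handleSignInError (new lines 86-110) never logs its two most common outcomes, the `util.ErrNotExist` and `util.ErrInvalidArgument` branches, while the equivalent branch in routers/web/auth/auth.go does log them; after this change a wrong password in the link-account and OpenID flows leaves no "Failed authentication attempt" line for rate-limit or brute-force monitoring to act on. Placing `log.Info("Failed authentication attempt for %s from %s: %v", userName, ctx.RemoteAddr(), err)` once above the if chain would cover every branch and let the two existing calls go. The old link-account code also set `ctx.Data["user_exists"] = true` for a non-existent user, which the new `ErrNotExist` branch no longer does; presumably intended, but worth confirming against the template that reads the flag. The helper also lacks a doc comment; something like `// handleSignInError renders the failure page for a UserSignIn error, showing only a generic message for unknown-user and bad-password cases and logging the real cause.` would do.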
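--- a/routers/web/auth/openid.go
+++ b/routers/web/auth/openid.go
@@ -282,11 +282,7 @@
 
 	u, _, err := auth.UserSignIn(form.UserName, form.Password)
 	if err != nil {
-		if user_model.IsErrUserNotExist(err) {
-			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)
-		} else {
-			ctx.ServerError("ConnectOpenIDPost", err)
-		}
+		handleSignInError(ctx, form.UserName, &form, tplConnectOID, "ConnectOpenIDPost", err)
 		return
 	}
 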
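Review bot: The replacement call widens what this flow does on failure: a prohibited or inactive user, which previously reached ctx.ServerError here, now gets the prohibit-login or activation page from handleSignInError, and `ctx.Data["user_exists"]` is now set in a flow whose template may not read it. That is probably intended, but a one-line comment at the call site, e.g. `// Shared with the link-account flow: generic message for bad credentials, dedicated pages for prohibited or inactive users.`, would make the change deliberate for the next reader. The enclosing function starts and ends outside the hunk.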
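--- a/services/auth/source/db/authenticate.go
+++ b/services/auth/source/db/authenticate.go
@@ -4,19 +4,54 @@
 package db
 
 import (
+	"fmt"
+
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 )
 
+// ErrUserPasswordNotSet represents a "ErrUserPasswordNotSet" kind of error.
+type ErrUserPasswordNotSet struct {
+	UID int64
+	Name string
+}
+
+func (err ErrUserPasswordNotSet) Error() string {
+	return fmt.Sprintf("user's password isn't set [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// Unwrap unwraps this error as a ErrInvalidArgument error
+func (err ErrUserPasswordNotSet) Unwrap() error {
+	return util.ErrInvalidArgument
+}
+
+// ErrUserPasswordInvalid represents a "ErrUserPasswordInvalid" kind of error.
+type ErrUserPasswordInvalid struct {
+	UID int64
+	Name string
+}
+
+func (err ErrUserPasswordInvalid) Error() string {
+	return fmt.Sprintf("user's password is invalid [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// Unwrap unwraps this error as a ErrInvalidArgument error
+func (err ErrUserPasswordInvalid) Unwrap() error {
+	return util.ErrInvalidArgument
+}
+
 // Authenticate authenticates the provided user against the DB
 func Authenticate(user *user_model.User, login, password string) (*user_model.User, error) {
 	if user == nil {
 		return nil, user_model.ErrUserNotExist{Name: login}
 	}
 
-	if !user.IsPasswordSet() || !user.ValidatePassword(password) {
-		return nil, user_model.ErrUserNotExist{UID: user.ID, Name: user.Name}
+	if !user.IsPasswordSet() {
+		return nil, ErrUserPasswordNotSet{UID: user.ID, Name: user.Name}
+	} else if !user.ValidatePassword(password) {
+		return nil, ErrUserPasswordInvalid{UID: user.ID, Name: user.Name}
 	}
 
 	// Update password hash if server password hash algorithm have changed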
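Review bot: The two new error types produce different Error() strings ("isn't set" vs "is invalid") and both unwrap to util.ErrInvalidArgument, so they are safe to branch on with errors.Is, but any caller that surfaces err.Error() to the client would reveal whether an account exists and whether it has a local password; the type comments should say so, e.g. `// ErrUserPasswordNotSet is returned when the user has no local password; it is for logs and errors.Is matching, never for display to the client.` in place of the tautological `represents a "ErrUserPasswordNotSet" kind of error` (and `as a ErrInvalidArgument` reads better as `an`). Authenticate previously returned user_model.ErrUserNotExist for a wrong password and now returns an ErrInvalidArgument-wrapped error, so any caller not touched by this commit that still tests user_model.IsErrUserNotExist on the UserSignIn result will stop recognising a bad password; worth checking the remaining callers. The `else if` after `return nil, ErrUserPasswordNotSet{UID: user.ID, Name: user.Name}` can be a plain `if` per Go style. Authenticate's body continues past the hunk.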