diff options
| author | zeripath <art27@cantab.net> | 2021-09-17 12:43:47 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-09-17 12:43:47 +0100 |
| commit | 27b351aba564804f65e5574919a88d6194c75256 (patch) | |
| tree | fa4857e05e344693e629aa14b05b7f8ffba42cfc /services/auth/signin.go | |
| parent | f96d0d3d5b2acb3545c3a2ced7972879a9750c9d (diff) | |
| download | gitea-27b351aba564804f65e5574919a88d6194c75256.tar.gz gitea-27b351aba564804f65e5574919a88d6194c75256.zip | |
Make LDAP be able to skip local 2FA (#16954)
This PR extends #16594 to allow LDAP to be able to be set to skip local 2FA too. The technique used here would be extensible to PAM and SMTP sources.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'services/auth/signin.go')
| -rw-r--r-- | services/auth/signin.go | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/services/auth/signin.go b/services/auth/signin.go index 2c4bf9b35b..0ac2634c80 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -20,24 +20,24 @@ import ( ) // UserSignIn validates user name and password. -func UserSignIn(username, password string) (*models.User, error) { +func UserSignIn(username, password string) (*models.User, *models.LoginSource, error) { var user *models.User if strings.Contains(username, "@") { user = &models.User{Email: strings.ToLower(strings.TrimSpace(username))} // check same email cnt, err := models.Count(user) if err != nil { - return nil, err + return nil, nil, err } if cnt > 1 { - return nil, models.ErrEmailAlreadyUsed{ + return nil, nil, models.ErrEmailAlreadyUsed{ Email: user.Email, } } } else { trimmedUsername := strings.TrimSpace(username) if len(trimmedUsername) == 0 { - return nil, models.ErrUserNotExist{Name: username} + return nil, nil, models.ErrUserNotExist{Name: username} } user = &models.User{LowerName: strings.ToLower(trimmedUsername)} @@ -45,41 +45,41 @@ func UserSignIn(username, password string) (*models.User, error) { hasUser, err := models.GetUser(user) if err != nil { - return nil, err + return nil, nil, err } if hasUser { source, err := models.GetLoginSourceByID(user.LoginSource) if err != nil { - return nil, err + return nil, nil, err } if !source.IsActive { - return nil, models.ErrLoginSourceNotActived + return nil, nil, models.ErrLoginSourceNotActived } authenticator, ok := source.Cfg.(PasswordAuthenticator) if !ok { - return nil, models.ErrUnsupportedLoginType + return nil, nil, models.ErrUnsupportedLoginType } user, err := authenticator.Authenticate(user, username, password) if err != nil { - return nil, err + return nil, nil, err } // WARN: DON'T check user.IsActive, that will be checked on reqSign so that // user could be hint to resend confirm email. if user.ProhibitLogin { - return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} + return nil, nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} } - return user, nil + return user, source, nil } sources, err := models.AllActiveLoginSources() if err != nil { - return nil, err + return nil, nil, err } for _, source := range sources { @@ -97,7 +97,7 @@ func UserSignIn(username, password string) (*models.User, error) { if err == nil { if !authUser.ProhibitLogin { - return authUser, nil + return authUser, source, nil } err = models.ErrUserProhibitLogin{UID: authUser.ID, Name: authUser.Name} } @@ -109,5 +109,5 @@ func UserSignIn(username, password string) (*models.User, error) { } } - return nil, models.ErrUserNotExist{Name: username} + return nil, nil, models.ErrUserNotExist{Name: username} } |