mirrors
/
gitea
镜像来自 https://github.com/go-gitea/gitea.git
關註 1
收藏 0
複製 0
程式碼 問題管理 0 版本發佈 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6554 Commit
17 分支
目錄樹: adf3f004b6
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from 'adf3f004b6'
${ noResults }
gitea/routers/user/auth.go

auth.go 35KB
原始文件 Blame 文件歷史

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2018 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package user

  7. 

  8. import (

  9. 	"errors"

  10. 	"fmt"

  11. 	"net/http"

  12. 	"net/url"

  13. 	"strings"

  14. 

  15. 	"code.gitea.io/gitea/models"

  16. 	"code.gitea.io/gitea/modules/auth"

  17. 	"code.gitea.io/gitea/modules/auth/oauth2"

  18. 	"code.gitea.io/gitea/modules/base"

  19. 	"code.gitea.io/gitea/modules/context"

  20. 	"code.gitea.io/gitea/modules/log"

  21. 	"code.gitea.io/gitea/modules/recaptcha"

  22. 	"code.gitea.io/gitea/modules/setting"

  23. 	"code.gitea.io/gitea/modules/util"

  24. 

  25. 	"github.com/go-macaron/captcha"

  26. 	"github.com/markbates/goth"

  27. 	"github.com/tstranex/u2f"

  28. )

  29. 

  30. const (

  31. 	// tplSignIn template for sign in page

  32. 	tplSignIn base.TplName = "user/auth/signin"

  33. 	// tplSignUp template path for sign up page

  34. 	tplSignUp base.TplName = "user/auth/signup"

  35. 	// TplActivate template path for activate user

  36. 	TplActivate       base.TplName = "user/auth/activate"

  37. 	tplForgotPassword base.TplName = "user/auth/forgot_passwd"

  38. 	tplResetPassword  base.TplName = "user/auth/reset_passwd"

  39. 	tplTwofa          base.TplName = "user/auth/twofa"

  40. 	tplTwofaScratch   base.TplName = "user/auth/twofa_scratch"

  41. 	tplLinkAccount    base.TplName = "user/auth/link_account"

  42. 	tplU2F            base.TplName = "user/auth/u2f"

  43. )

  44. 

  45. // AutoSignIn reads cookie and try to auto-login.

  46. func AutoSignIn(ctx *context.Context) (bool, error) {

  47. 	if !models.HasEngine {

  48. 		return false, nil

  49. 	}

  50. 

  51. 	uname := ctx.GetCookie(setting.CookieUserName)

  52. 	if len(uname) == 0 {

  53. 		return false, nil

  54. 	}

  55. 

  56. 	isSucceed := false

  57. 	defer func() {

  58. 		if !isSucceed {

  59. 			log.Trace("auto-login cookie cleared: %s", uname)

  60. 			ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL)

  61. 			ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL)

  62. 		}

  63. 	}()

  64. 

  65. 	u, err := models.GetUserByName(uname)

  66. 	if err != nil {

  67. 		if !models.IsErrUserNotExist(err) {

  68. 			return false, fmt.Errorf("GetUserByName: %v", err)

  69. 		}

  70. 		return false, nil

  71. 	}

  72. 

  73. 	if val, _ := ctx.GetSuperSecureCookie(

  74. 		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {

  75. 		return false, nil

  76. 	}

  77. 

  78. 	isSucceed = true

  79. 	ctx.Session.Set("uid", u.ID)

  80. 	ctx.Session.Set("uname", u.Name)

  81. 	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)

  82. 	return true, nil

  83. }

  84. 

  85. func checkAutoLogin(ctx *context.Context) bool {

  86. 	// Check auto-login.

  87. 	isSucceed, err := AutoSignIn(ctx)

  88. 	if err != nil {

  89. 		ctx.ServerError("AutoSignIn", err)

  90. 		return true

  91. 	}

  92. 

  93. 	redirectTo := ctx.Query("redirect_to")

  94. 	if len(redirectTo) > 0 {

  95. 		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL)

  96. 	} else {

  97. 		redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))

  98. 	}

  99. 

  100. 	if isSucceed {

  101. 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)

  102. 		ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))

  103. 		return true

  104. 	}

  105. 

  106. 	return false

  107. }

  108. 

  109. // SignIn render sign in page

  110. func SignIn(ctx *context.Context) {

  111. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  112. 

  113. 	// Check auto-login.

  114. 	if checkAutoLogin(ctx) {

  115. 		return

  116. 	}

  117. 

  118. 	orderedOAuth2Names, oauth2Providers, err := models.GetActiveOAuth2Providers()

  119. 	if err != nil {

  120. 		ctx.ServerError("UserSignIn", err)

  121. 		return

  122. 	}

  123. 	ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names

  124. 	ctx.Data["OAuth2Providers"] = oauth2Providers

  125. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  126. 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"

  127. 	ctx.Data["PageIsSignIn"] = true

  128. 	ctx.Data["PageIsLogin"] = true

  129. 

  130. 	ctx.HTML(200, tplSignIn)

  131. }

  132. 

  133. // SignInPost response for sign in request

  134. func SignInPost(ctx *context.Context, form auth.SignInForm) {

  135. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  136. 

  137. 	orderedOAuth2Names, oauth2Providers, err := models.GetActiveOAuth2Providers()

  138. 	if err != nil {

  139. 		ctx.ServerError("UserSignIn", err)

  140. 		return

  141. 	}

  142. 	ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names

  143. 	ctx.Data["OAuth2Providers"] = oauth2Providers

  144. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  145. 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"

  146. 	ctx.Data["PageIsSignIn"] = true

  147. 	ctx.Data["PageIsLogin"] = true

  148. 

  149. 	if ctx.HasError() {

  150. 		ctx.HTML(200, tplSignIn)

  151. 		return

  152. 	}

  153. 

  154. 	u, err := models.UserSignIn(form.UserName, form.Password)

  155. 	if err != nil {

  156. 		if models.IsErrUserNotExist(err) {

  157. 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)

  158. 			log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())

  159. 		} else if models.IsErrEmailAlreadyUsed(err) {

  160. 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)

  161. 			log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())

  162. 		} else {

  163. 			ctx.ServerError("UserSignIn", err)

  164. 		}

  165. 		return

  166. 	}

  167. 	// If this user is enrolled in 2FA, we can't sign the user in just yet.

  168. 	// Instead, redirect them to the 2FA authentication page.

  169. 	_, err = models.GetTwoFactorByUID(u.ID)

  170. 	if err != nil {

  171. 		if models.IsErrTwoFactorNotEnrolled(err) {

  172. 			handleSignIn(ctx, u, form.Remember)

  173. 		} else {

  174. 			ctx.ServerError("UserSignIn", err)

  175. 		}

  176. 		return

  177. 	}

  178. 

  179. 	// User needs to use 2FA, save data and redirect to 2FA page.

  180. 	ctx.Session.Set("twofaUid", u.ID)

  181. 	ctx.Session.Set("twofaRemember", form.Remember)

  182. 

  183. 	regs, err := models.GetU2FRegistrationsByUID(u.ID)

  184. 	if err == nil && len(regs) > 0 {

  185. 		ctx.Redirect(setting.AppSubURL + "/user/u2f")

  186. 		return

  187. 	}

  188. 

  189. 	ctx.Redirect(setting.AppSubURL + "/user/two_factor")

  190. }

  191. 

  192. // TwoFactor shows the user a two-factor authentication page.

  193. func TwoFactor(ctx *context.Context) {

  194. 	ctx.Data["Title"] = ctx.Tr("twofa")

  195. 

  196. 	// Check auto-login.

  197. 	if checkAutoLogin(ctx) {

  198. 		return

  199. 	}

  200. 

  201. 	// Ensure user is in a 2FA session.

  202. 	if ctx.Session.Get("twofaUid") == nil {

  203. 		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))

  204. 		return

  205. 	}

  206. 

  207. 	ctx.HTML(200, tplTwofa)

  208. }

  209. 

  210. // TwoFactorPost validates a user's two-factor authentication token.

  211. func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {

  212. 	ctx.Data["Title"] = ctx.Tr("twofa")

  213. 

  214. 	// Ensure user is in a 2FA session.

  215. 	idSess := ctx.Session.Get("twofaUid")

  216. 	if idSess == nil {

  217. 		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))

  218. 		return

  219. 	}

  220. 

  221. 	id := idSess.(int64)

  222. 	twofa, err := models.GetTwoFactorByUID(id)

  223. 	if err != nil {

  224. 		ctx.ServerError("UserSignIn", err)

  225. 		return

  226. 	}

  227. 

  228. 	// Validate the passcode with the stored TOTP secret.

  229. 	ok, err := twofa.ValidateTOTP(form.Passcode)

  230. 	if err != nil {

  231. 		ctx.ServerError("UserSignIn", err)

  232. 		return

  233. 	}

  234. 

  235. 	if ok && twofa.LastUsedPasscode != form.Passcode {

  236. 		remember := ctx.Session.Get("twofaRemember").(bool)

  237. 		u, err := models.GetUserByID(id)

  238. 		if err != nil {

  239. 			ctx.ServerError("UserSignIn", err)

  240. 			return

  241. 		}

  242. 

  243. 		if ctx.Session.Get("linkAccount") != nil {

  244. 			gothUser := ctx.Session.Get("linkAccountGothUser")

  245. 			if gothUser == nil {

  246. 				ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))

  247. 				return

  248. 			}

  249. 

  250. 			err = models.LinkAccountToUser(u, gothUser.(goth.User))

  251. 			if err != nil {

  252. 				ctx.ServerError("UserSignIn", err)

  253. 				return

  254. 			}

  255. 		}

  256. 

  257. 		twofa.LastUsedPasscode = form.Passcode

  258. 		if err = models.UpdateTwoFactor(twofa); err != nil {

  259. 			ctx.ServerError("UserSignIn", err)

  260. 			return

  261. 		}

  262. 

  263. 		handleSignIn(ctx, u, remember)

  264. 		return

  265. 	}

  266. 

  267. 	ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplTwofa, auth.TwoFactorAuthForm{})

  268. }

  269. 

  270. // TwoFactorScratch shows the scratch code form for two-factor authentication.

  271. func TwoFactorScratch(ctx *context.Context) {

  272. 	ctx.Data["Title"] = ctx.Tr("twofa_scratch")

  273. 

  274. 	// Check auto-login.

  275. 	if checkAutoLogin(ctx) {

  276. 		return

  277. 	}

  278. 

  279. 	// Ensure user is in a 2FA session.

  280. 	if ctx.Session.Get("twofaUid") == nil {

  281. 		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))

  282. 		return

  283. 	}

  284. 

  285. 	ctx.HTML(200, tplTwofaScratch)

  286. }

  287. 

  288. // TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.

  289. func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthForm) {

  290. 	ctx.Data["Title"] = ctx.Tr("twofa_scratch")

  291. 

  292. 	// Ensure user is in a 2FA session.

  293. 	idSess := ctx.Session.Get("twofaUid")

  294. 	if idSess == nil {

  295. 		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))

  296. 		return

  297. 	}

  298. 

  299. 	id := idSess.(int64)

  300. 	twofa, err := models.GetTwoFactorByUID(id)

  301. 	if err != nil {

  302. 		ctx.ServerError("UserSignIn", err)

  303. 		return

  304. 	}

  305. 

  306. 	// Validate the passcode with the stored TOTP secret.

  307. 	if twofa.VerifyScratchToken(form.Token) {

  308. 		// Invalidate the scratch token.

  309. 		_, err = twofa.GenerateScratchToken()

  310. 		if err != nil {

  311. 			ctx.ServerError("UserSignIn", err)

  312. 			return

  313. 		}

  314. 		if err = models.UpdateTwoFactor(twofa); err != nil {

  315. 			ctx.ServerError("UserSignIn", err)

  316. 			return

  317. 		}

  318. 

  319. 		remember := ctx.Session.Get("twofaRemember").(bool)

  320. 		u, err := models.GetUserByID(id)

  321. 		if err != nil {

  322. 			ctx.ServerError("UserSignIn", err)

  323. 			return

  324. 		}

  325. 

  326. 		handleSignInFull(ctx, u, remember, false)

  327. 		ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))

  328. 		ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  329. 		return

  330. 	}

  331. 

  332. 	ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, auth.TwoFactorScratchAuthForm{})

  333. }

  334. 

  335. // U2F shows the U2F login page

  336. func U2F(ctx *context.Context) {

  337. 	ctx.Data["Title"] = ctx.Tr("twofa")

  338. 	ctx.Data["RequireU2F"] = true

  339. 	// Check auto-login.

  340. 	if checkAutoLogin(ctx) {

  341. 		return

  342. 	}

  343. 

  344. 	// Ensure user is in a 2FA session.

  345. 	if ctx.Session.Get("twofaUid") == nil {

  346. 		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))

  347. 		return

  348. 	}

  349. 

  350. 	ctx.HTML(200, tplU2F)

  351. }

  352. 

  353. // U2FChallenge submits a sign challenge to the browser

  354. func U2FChallenge(ctx *context.Context) {

  355. 	// Ensure user is in a U2F session.

  356. 	idSess := ctx.Session.Get("twofaUid")

  357. 	if idSess == nil {

  358. 		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))

  359. 		return

  360. 	}

  361. 	id := idSess.(int64)

  362. 	regs, err := models.GetU2FRegistrationsByUID(id)

  363. 	if err != nil {

  364. 		ctx.ServerError("UserSignIn", err)

  365. 		return

  366. 	}

  367. 	if len(regs) == 0 {

  368. 		ctx.ServerError("UserSignIn", errors.New("no device registered"))

  369. 		return

  370. 	}

  371. 	challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)

  372. 	if err = ctx.Session.Set("u2fChallenge", challenge); err != nil {

  373. 		ctx.ServerError("UserSignIn", err)

  374. 		return

  375. 	}

  376. 	ctx.JSON(200, challenge.SignRequest(regs.ToRegistrations()))

  377. }

  378. 

  379. // U2FSign authenticates the user by signResp

  380. func U2FSign(ctx *context.Context, signResp u2f.SignResponse) {

  381. 	challSess := ctx.Session.Get("u2fChallenge")

  382. 	idSess := ctx.Session.Get("twofaUid")

  383. 	if challSess == nil || idSess == nil {

  384. 		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))

  385. 		return

  386. 	}

  387. 	challenge := challSess.(*u2f.Challenge)

  388. 	id := idSess.(int64)

  389. 	regs, err := models.GetU2FRegistrationsByUID(id)

  390. 	if err != nil {

  391. 		ctx.ServerError("UserSignIn", err)

  392. 		return

  393. 	}

  394. 	for _, reg := range regs {

  395. 		r, err := reg.Parse()

  396. 		if err != nil {

  397. 			log.Fatal(4, "parsing u2f registration: %v", err)

  398. 			continue

  399. 		}

  400. 		newCounter, authErr := r.Authenticate(signResp, *challenge, reg.Counter)

  401. 		if authErr == nil {

  402. 			reg.Counter = newCounter

  403. 			user, err := models.GetUserByID(id)

  404. 			if err != nil {

  405. 				ctx.ServerError("UserSignIn", err)

  406. 				return

  407. 			}

  408. 			remember := ctx.Session.Get("twofaRemember").(bool)

  409. 			if err := reg.UpdateCounter(); err != nil {

  410. 				ctx.ServerError("UserSignIn", err)

  411. 				return

  412. 			}

  413. 

  414. 			if ctx.Session.Get("linkAccount") != nil {

  415. 				gothUser := ctx.Session.Get("linkAccountGothUser")

  416. 				if gothUser == nil {

  417. 					ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))

  418. 					return

  419. 				}

  420. 

  421. 				err = models.LinkAccountToUser(user, gothUser.(goth.User))

  422. 				if err != nil {

  423. 					ctx.ServerError("UserSignIn", err)

  424. 					return

  425. 				}

  426. 			}

  427. 			redirect := handleSignInFull(ctx, user, remember, false)

  428. 			if redirect == "" {

  429. 				redirect = setting.AppSubURL + "/"

  430. 			}

  431. 			ctx.PlainText(200, []byte(redirect))

  432. 			return

  433. 		}

  434. 	}

  435. 	ctx.Error(401)

  436. }

  437. 

  438. // This handles the final part of the sign-in process of the user.

  439. func handleSignIn(ctx *context.Context, u *models.User, remember bool) {

  440. 	handleSignInFull(ctx, u, remember, true)

  441. }

  442. 

  443. func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {

  444. 	if remember {

  445. 		days := 86400 * setting.LogInRememberDays

  446. 		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL)

  447. 		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),

  448. 			setting.CookieRememberName, u.Name, days, setting.AppSubURL)

  449. 	}

  450. 

  451. 	ctx.Session.Delete("openid_verified_uri")

  452. 	ctx.Session.Delete("openid_signin_remember")

  453. 	ctx.Session.Delete("openid_determined_email")

  454. 	ctx.Session.Delete("openid_determined_username")

  455. 	ctx.Session.Delete("twofaUid")

  456. 	ctx.Session.Delete("twofaRemember")

  457. 	ctx.Session.Delete("u2fChallenge")

  458. 	ctx.Session.Delete("linkAccount")

  459. 	ctx.Session.Set("uid", u.ID)

  460. 	ctx.Session.Set("uname", u.Name)

  461. 

  462. 	// Language setting of the user overwrites the one previously set

  463. 	// If the user does not have a locale set, we save the current one.

  464. 	if len(u.Language) == 0 {

  465. 		u.Language = ctx.Locale.Language()

  466. 		if err := models.UpdateUserCols(u, "language"); err != nil {

  467. 			log.Error(4, fmt.Sprintf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))

  468. 			return setting.AppSubURL + "/"

  469. 		}

  470. 	}

  471. 

  472. 	ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL)

  473. 

  474. 	// Clear whatever CSRF has right now, force to generate a new one

  475. 	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)

  476. 

  477. 	// Register last login

  478. 	u.SetLastLogin()

  479. 	if err := models.UpdateUserCols(u, "last_login_unix"); err != nil {

  480. 		ctx.ServerError("UpdateUserCols", err)

  481. 		return setting.AppSubURL + "/"

  482. 	}

  483. 

  484. 	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {

  485. 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)

  486. 		if obeyRedirect {

  487. 			ctx.RedirectToFirst(redirectTo)

  488. 		}

  489. 		return redirectTo

  490. 	}

  491. 

  492. 	if obeyRedirect {

  493. 		ctx.Redirect(setting.AppSubURL + "/")

  494. 	}

  495. 	return setting.AppSubURL + "/"

  496. }

  497. 

  498. // SignInOAuth handles the OAuth2 login buttons

  499. func SignInOAuth(ctx *context.Context) {

  500. 	provider := ctx.Params(":provider")

  501. 

  502. 	loginSource, err := models.GetActiveOAuth2LoginSourceByName(provider)

  503. 	if err != nil {

  504. 		ctx.ServerError("SignIn", err)

  505. 		return

  506. 	}

  507. 

  508. 	// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user

  509. 	user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)

  510. 	if err == nil && user != nil {

  511. 		// we got the user without going through the whole OAuth2 authentication flow again

  512. 		handleOAuth2SignIn(user, gothUser, ctx, err)

  513. 		return

  514. 	}

  515. 

  516. 	err = oauth2.Auth(loginSource.Name, ctx.Req.Request, ctx.Resp)

  517. 	if err != nil {

  518. 		ctx.ServerError("SignIn", err)

  519. 	}

  520. 	// redirect is done in oauth2.Auth

  521. }

  522. 

  523. // SignInOAuthCallback handles the callback from the given provider

  524. func SignInOAuthCallback(ctx *context.Context) {

  525. 	provider := ctx.Params(":provider")

  526. 

  527. 	// first look if the provider is still active

  528. 	loginSource, err := models.GetActiveOAuth2LoginSourceByName(provider)

  529. 	if err != nil {

  530. 		ctx.ServerError("SignIn", err)

  531. 		return

  532. 	}

  533. 

  534. 	if loginSource == nil {

  535. 		ctx.ServerError("SignIn", errors.New("No valid provider found, check configured callback url in provider"))

  536. 		return

  537. 	}

  538. 

  539. 	u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)

  540. 

  541. 	handleOAuth2SignIn(u, gothUser, ctx, err)

  542. }

  543. 

  544. func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context, err error) {

  545. 	if err != nil {

  546. 		ctx.ServerError("UserSignIn", err)

  547. 		return

  548. 	}

  549. 

  550. 	if u == nil {

  551. 		// no existing user is found, request attach or new account

  552. 		ctx.Session.Set("linkAccountGothUser", gothUser)

  553. 		ctx.Redirect(setting.AppSubURL + "/user/link_account")

  554. 		return

  555. 	}

  556. 

  557. 	// If this user is enrolled in 2FA, we can't sign the user in just yet.

  558. 	// Instead, redirect them to the 2FA authentication page.

  559. 	_, err = models.GetTwoFactorByUID(u.ID)

  560. 	if err != nil {

  561. 		if models.IsErrTwoFactorNotEnrolled(err) {

  562. 			ctx.Session.Set("uid", u.ID)

  563. 			ctx.Session.Set("uname", u.Name)

  564. 

  565. 			// Clear whatever CSRF has right now, force to generate a new one

  566. 			ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)

  567. 

  568. 			// Register last login

  569. 			u.SetLastLogin()

  570. 			if err := models.UpdateUserCols(u, "last_login_unix"); err != nil {

  571. 				ctx.ServerError("UpdateUserCols", err)

  572. 				return

  573. 			}

  574. 

  575. 			if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {

  576. 				ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)

  577. 				ctx.RedirectToFirst(redirectTo)

  578. 				return

  579. 			}

  580. 

  581. 			ctx.Redirect(setting.AppSubURL + "/")

  582. 		} else {

  583. 			ctx.ServerError("UserSignIn", err)

  584. 		}

  585. 		return

  586. 	}

  587. 

  588. 	// User needs to use 2FA, save data and redirect to 2FA page.

  589. 	ctx.Session.Set("twofaUid", u.ID)

  590. 	ctx.Session.Set("twofaRemember", false)

  591. 

  592. 	// If U2F is enrolled -> Redirect to U2F instead

  593. 	regs, err := models.GetU2FRegistrationsByUID(u.ID)

  594. 	if err == nil && len(regs) > 0 {

  595. 		ctx.Redirect(setting.AppSubURL + "/user/u2f")

  596. 		return

  597. 	}

  598. 

  599. 	ctx.Redirect(setting.AppSubURL + "/user/two_factor")

  600. }

  601. 

  602. // OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful

  603. // login the user

  604. func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) {

  605. 	gothUser, err := oauth2.ProviderCallback(loginSource.Name, request, response)

  606. 

  607. 	if err != nil {

  608. 		return nil, goth.User{}, err

  609. 	}

  610. 

  611. 	user := &models.User{

  612. 		LoginName:   gothUser.UserID,

  613. 		LoginType:   models.LoginOAuth2,

  614. 		LoginSource: loginSource.ID,

  615. 	}

  616. 

  617. 	hasUser, err := models.GetUser(user)

  618. 	if err != nil {

  619. 		return nil, goth.User{}, err

  620. 	}

  621. 

  622. 	if hasUser {

  623. 		return user, goth.User{}, nil

  624. 	}

  625. 

  626. 	// search in external linked users

  627. 	externalLoginUser := &models.ExternalLoginUser{

  628. 		ExternalID:    gothUser.UserID,

  629. 		LoginSourceID: loginSource.ID,

  630. 	}

  631. 	hasUser, err = models.GetExternalLogin(externalLoginUser)

  632. 	if err != nil {

  633. 		return nil, goth.User{}, err

  634. 	}

  635. 	if hasUser {

  636. 		user, err = models.GetUserByID(externalLoginUser.UserID)

  637. 		return user, goth.User{}, err

  638. 	}

  639. 

  640. 	// no user found to login

  641. 	return nil, gothUser, nil

  642. 

  643. }

  644. 

  645. // LinkAccount shows the page where the user can decide to login or create a new account

  646. func LinkAccount(ctx *context.Context) {

  647. 	ctx.Data["Title"] = ctx.Tr("link_account")

  648. 	ctx.Data["LinkAccountMode"] = true

  649. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  650. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  651. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  652. 	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration

  653. 	ctx.Data["ShowRegistrationButton"] = false

  654. 

  655. 	// use this to set the right link into the signIn and signUp templates in the link_account template

  656. 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"

  657. 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"

  658. 

  659. 	gothUser := ctx.Session.Get("linkAccountGothUser")

  660. 	if gothUser == nil {

  661. 		ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))

  662. 		return

  663. 	}

  664. 

  665. 	ctx.Data["user_name"] = gothUser.(goth.User).NickName

  666. 	ctx.Data["email"] = gothUser.(goth.User).Email

  667. 

  668. 	ctx.HTML(200, tplLinkAccount)

  669. }

  670. 

  671. // LinkAccountPostSignIn handle the coupling of external account with another account using signIn

  672. func LinkAccountPostSignIn(ctx *context.Context, signInForm auth.SignInForm) {

  673. 	ctx.Data["Title"] = ctx.Tr("link_account")

  674. 	ctx.Data["LinkAccountMode"] = true

  675. 	ctx.Data["LinkAccountModeSignIn"] = true

  676. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  677. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  678. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  679. 	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration

  680. 	ctx.Data["ShowRegistrationButton"] = false

  681. 

  682. 	// use this to set the right link into the signIn and signUp templates in the link_account template

  683. 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"

  684. 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"

  685. 

  686. 	gothUser := ctx.Session.Get("linkAccountGothUser")

  687. 	if gothUser == nil {

  688. 		ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))

  689. 		return

  690. 	}

  691. 

  692. 	if ctx.HasError() {

  693. 		ctx.HTML(200, tplLinkAccount)

  694. 		return

  695. 	}

  696. 

  697. 	u, err := models.UserSignIn(signInForm.UserName, signInForm.Password)

  698. 	if err != nil {

  699. 		if models.IsErrUserNotExist(err) {

  700. 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)

  701. 		} else {

  702. 			ctx.ServerError("UserLinkAccount", err)

  703. 		}

  704. 		return

  705. 	}

  706. 

  707. 	// If this user is enrolled in 2FA, we can't sign the user in just yet.

  708. 	// Instead, redirect them to the 2FA authentication page.

  709. 	_, err = models.GetTwoFactorByUID(u.ID)

  710. 	if err != nil {

  711. 		if models.IsErrTwoFactorNotEnrolled(err) {

  712. 			err = models.LinkAccountToUser(u, gothUser.(goth.User))

  713. 			if err != nil {

  714. 				ctx.ServerError("UserLinkAccount", err)

  715. 			} else {

  716. 				handleSignIn(ctx, u, signInForm.Remember)

  717. 			}

  718. 		} else {

  719. 			ctx.ServerError("UserLinkAccount", err)

  720. 		}

  721. 		return

  722. 	}

  723. 

  724. 	// User needs to use 2FA, save data and redirect to 2FA page.

  725. 	ctx.Session.Set("twofaUid", u.ID)

  726. 	ctx.Session.Set("twofaRemember", signInForm.Remember)

  727. 	ctx.Session.Set("linkAccount", true)

  728. 

  729. 	// If U2F is enrolled -> Redirect to U2F instead

  730. 	regs, err := models.GetU2FRegistrationsByUID(u.ID)

  731. 	if err == nil && len(regs) > 0 {

  732. 		ctx.Redirect(setting.AppSubURL + "/user/u2f")

  733. 		return

  734. 	}

  735. 

  736. 	ctx.Redirect(setting.AppSubURL + "/user/two_factor")

  737. }

  738. 

  739. // LinkAccountPostRegister handle the creation of a new account for an external account using signUp

  740. func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterForm) {

  741. 	ctx.Data["Title"] = ctx.Tr("link_account")

  742. 	ctx.Data["LinkAccountMode"] = true

  743. 	ctx.Data["LinkAccountModeRegister"] = true

  744. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  745. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  746. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  747. 	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration

  748. 	ctx.Data["ShowRegistrationButton"] = false

  749. 

  750. 	// use this to set the right link into the signIn and signUp templates in the link_account template

  751. 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"

  752. 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"

  753. 

  754. 	gothUser := ctx.Session.Get("linkAccountGothUser")

  755. 	if gothUser == nil {

  756. 		ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))

  757. 		return

  758. 	}

  759. 

  760. 	if ctx.HasError() {

  761. 		ctx.HTML(200, tplLinkAccount)

  762. 		return

  763. 	}

  764. 

  765. 	if setting.Service.DisableRegistration {

  766. 		ctx.Error(403)

  767. 		return

  768. 	}

  769. 

  770. 	if setting.Service.EnableCaptcha && setting.Service.CaptchaType == setting.ImageCaptcha && !cpt.VerifyReq(ctx.Req) {

  771. 		ctx.Data["Err_Captcha"] = true

  772. 		ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)

  773. 		return

  774. 	}

  775. 

  776. 	if setting.Service.EnableCaptcha && setting.Service.CaptchaType == setting.ReCaptcha {

  777. 		valid, _ := recaptcha.Verify(form.GRecaptchaResponse)

  778. 		if !valid {

  779. 			ctx.Data["Err_Captcha"] = true

  780. 			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)

  781. 			return

  782. 		}

  783. 	}

  784. 

  785. 	if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype {

  786. 		ctx.Data["Err_Password"] = true

  787. 		ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form)

  788. 		return

  789. 	}

  790. 	if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength {

  791. 		ctx.Data["Err_Password"] = true

  792. 		ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form)

  793. 		return

  794. 	}

  795. 

  796. 	loginSource, err := models.GetActiveOAuth2LoginSourceByName(gothUser.(goth.User).Provider)

  797. 	if err != nil {

  798. 		ctx.ServerError("CreateUser", err)

  799. 	}

  800. 

  801. 	u := &models.User{

  802. 		Name:        form.UserName,

  803. 		Email:       form.Email,

  804. 		Passwd:      form.Password,

  805. 		IsActive:    !setting.Service.RegisterEmailConfirm,

  806. 		LoginType:   models.LoginOAuth2,

  807. 		LoginSource: loginSource.ID,

  808. 		LoginName:   gothUser.(goth.User).UserID,

  809. 	}

  810. 

  811. 	if err := models.CreateUser(u); err != nil {

  812. 		switch {

  813. 		case models.IsErrUserAlreadyExist(err):

  814. 			ctx.Data["Err_UserName"] = true

  815. 			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplLinkAccount, &form)

  816. 		case models.IsErrEmailAlreadyUsed(err):

  817. 			ctx.Data["Err_Email"] = true

  818. 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplLinkAccount, &form)

  819. 		case models.IsErrNameReserved(err):

  820. 			ctx.Data["Err_UserName"] = true

  821. 			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplLinkAccount, &form)

  822. 		case models.IsErrNamePatternNotAllowed(err):

  823. 			ctx.Data["Err_UserName"] = true

  824. 			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplLinkAccount, &form)

  825. 		default:

  826. 			ctx.ServerError("CreateUser", err)

  827. 		}

  828. 		return

  829. 	}

  830. 	log.Trace("Account created: %s", u.Name)

  831. 

  832. 	// Auto-set admin for the only user.

  833. 	if models.CountUsers() == 1 {

  834. 		u.IsAdmin = true

  835. 		u.IsActive = true

  836. 		u.SetLastLogin()

  837. 		if err := models.UpdateUserCols(u, "is_admin", "is_active", "last_login_unix"); err != nil {

  838. 			ctx.ServerError("UpdateUser", err)

  839. 			return

  840. 		}

  841. 	}

  842. 

  843. 	// Send confirmation email

  844. 	if setting.Service.RegisterEmailConfirm && u.ID > 1 {

  845. 		models.SendActivateAccountMail(ctx.Context, u)

  846. 		ctx.Data["IsSendRegisterMail"] = true

  847. 		ctx.Data["Email"] = u.Email

  848. 		ctx.Data["ActiveCodeLives"] = base.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())

  849. 		ctx.HTML(200, TplActivate)

  850. 

  851. 		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {

  852. 			log.Error(4, "Set cache(MailResendLimit) fail: %v", err)

  853. 		}

  854. 		return

  855. 	}

  856. 

  857. 	ctx.Redirect(setting.AppSubURL + "/user/login")

  858. }

  859. 

  860. // SignOut sign out from login status

  861. func SignOut(ctx *context.Context) {

  862. 	ctx.Session.Delete("uid")

  863. 	ctx.Session.Delete("uname")

  864. 	ctx.Session.Delete("socialId")

  865. 	ctx.Session.Delete("socialName")

  866. 	ctx.Session.Delete("socialEmail")

  867. 	ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL)

  868. 	ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL)

  869. 	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)

  870. 	ctx.SetCookie("lang", "", -1, setting.AppSubURL) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.

  871. 	ctx.Redirect(setting.AppSubURL + "/")

  872. }

  873. 

  874. // SignUp render the register page

  875. func SignUp(ctx *context.Context) {

  876. 	ctx.Data["Title"] = ctx.Tr("sign_up")

  877. 

  878. 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"

  879. 

  880. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  881. 

  882. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  883. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  884. 

  885. 	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration

  886. 

  887. 	ctx.HTML(200, tplSignUp)

  888. }

  889. 

  890. // SignUpPost response for sign up information submission

  891. func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterForm) {

  892. 	ctx.Data["Title"] = ctx.Tr("sign_up")

  893. 

  894. 	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"

  895. 

  896. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  897. 

  898. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  899. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  900. 

  901. 	//Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true

  902. 	if !setting.Service.ShowRegistrationButton {

  903. 		ctx.Error(403)

  904. 		return

  905. 	}

  906. 

  907. 	if ctx.HasError() {

  908. 		ctx.HTML(200, tplSignUp)

  909. 		return

  910. 	}

  911. 

  912. 	if setting.Service.EnableCaptcha && setting.Service.CaptchaType == setting.ImageCaptcha && !cpt.VerifyReq(ctx.Req) {

  913. 		ctx.Data["Err_Captcha"] = true

  914. 		ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUp, &form)

  915. 		return

  916. 	}

  917. 

  918. 	if setting.Service.EnableCaptcha && setting.Service.CaptchaType == setting.ReCaptcha {

  919. 		valid, _ := recaptcha.Verify(form.GRecaptchaResponse)

  920. 		if !valid {

  921. 			ctx.Data["Err_Captcha"] = true

  922. 			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUp, &form)

  923. 			return

  924. 		}

  925. 	}

  926. 

  927. 	if form.Password != form.Retype {

  928. 		ctx.Data["Err_Password"] = true

  929. 		ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplSignUp, &form)

  930. 		return

  931. 	}

  932. 	if len(form.Password) < setting.MinPasswordLength {

  933. 		ctx.Data["Err_Password"] = true

  934. 		ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplSignUp, &form)

  935. 		return

  936. 	}

  937. 

  938. 	u := &models.User{

  939. 		Name:     form.UserName,

  940. 		Email:    form.Email,

  941. 		Passwd:   form.Password,

  942. 		IsActive: !setting.Service.RegisterEmailConfirm,

  943. 	}

  944. 	if err := models.CreateUser(u); err != nil {

  945. 		switch {

  946. 		case models.IsErrUserAlreadyExist(err):

  947. 			ctx.Data["Err_UserName"] = true

  948. 			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplSignUp, &form)

  949. 		case models.IsErrEmailAlreadyUsed(err):

  950. 			ctx.Data["Err_Email"] = true

  951. 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignUp, &form)

  952. 		case models.IsErrNameReserved(err):

  953. 			ctx.Data["Err_UserName"] = true

  954. 			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplSignUp, &form)

  955. 		case models.IsErrNamePatternNotAllowed(err):

  956. 			ctx.Data["Err_UserName"] = true

  957. 			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplSignUp, &form)

  958. 		default:

  959. 			ctx.ServerError("CreateUser", err)

  960. 		}

  961. 		return

  962. 	}

  963. 	log.Trace("Account created: %s", u.Name)

  964. 

  965. 	// Auto-set admin for the only user.

  966. 	if models.CountUsers() == 1 {

  967. 		u.IsAdmin = true

  968. 		u.IsActive = true

  969. 		u.SetLastLogin()

  970. 		if err := models.UpdateUserCols(u, "is_admin", "is_active", "last_login_unix"); err != nil {

  971. 			ctx.ServerError("UpdateUser", err)

  972. 			return

  973. 		}

  974. 	}

  975. 

  976. 	// Send confirmation email, no need for social account.

  977. 	if setting.Service.RegisterEmailConfirm && u.ID > 1 {

  978. 		models.SendActivateAccountMail(ctx.Context, u)

  979. 		ctx.Data["IsSendRegisterMail"] = true

  980. 		ctx.Data["Email"] = u.Email

  981. 		ctx.Data["ActiveCodeLives"] = base.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())

  982. 		ctx.HTML(200, TplActivate)

  983. 

  984. 		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {

  985. 			log.Error(4, "Set cache(MailResendLimit) fail: %v", err)

  986. 		}

  987. 		return

  988. 	}

  989. 

  990. 	ctx.Redirect(setting.AppSubURL + "/user/login")

  991. }

  992. 

  993. // Activate render activate user page

  994. func Activate(ctx *context.Context) {

  995. 	code := ctx.Query("code")

  996. 	if len(code) == 0 {

  997. 		ctx.Data["IsActivatePage"] = true

  998. 		if ctx.User.IsActive {

  999. 			ctx.Error(404)

  1000. 			return

  1001. 		}

  1002. 		// Resend confirmation email.

  1003. 		if setting.Service.RegisterEmailConfirm {

  1004. 			if ctx.Cache.IsExist("MailResendLimit_" + ctx.User.LowerName) {

  1005. 				ctx.Data["ResendLimited"] = true

  1006. 			} else {

  1007. 				ctx.Data["ActiveCodeLives"] = base.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())

  1008. 				models.SendActivateAccountMail(ctx.Context, ctx.User)

  1009. 

  1010. 				if err := ctx.Cache.Put("MailResendLimit_"+ctx.User.LowerName, ctx.User.LowerName, 180); err != nil {

  1011. 					log.Error(4, "Set cache(MailResendLimit) fail: %v", err)

  1012. 				}

  1013. 			}

  1014. 		} else {

  1015. 			ctx.Data["ServiceNotEnabled"] = true

  1016. 		}

  1017. 		ctx.HTML(200, TplActivate)

  1018. 		return

  1019. 	}

  1020. 

  1021. 	// Verify code.

  1022. 	if user := models.VerifyUserActiveCode(code); user != nil {

  1023. 		user.IsActive = true

  1024. 		var err error

  1025. 		if user.Rands, err = models.GetUserSalt(); err != nil {

  1026. 			ctx.ServerError("UpdateUser", err)

  1027. 			return

  1028. 		}

  1029. 		if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil {

  1030. 			if models.IsErrUserNotExist(err) {

  1031. 				ctx.Error(404)

  1032. 			} else {

  1033. 				ctx.ServerError("UpdateUser", err)

  1034. 			}

  1035. 			return

  1036. 		}

  1037. 

  1038. 		log.Trace("User activated: %s", user.Name)

  1039. 

  1040. 		ctx.Session.Set("uid", user.ID)

  1041. 		ctx.Session.Set("uname", user.Name)

  1042. 		ctx.Flash.Success(ctx.Tr("auth.account_activated"))

  1043. 		ctx.Redirect(setting.AppSubURL + "/")

  1044. 		return

  1045. 	}

  1046. 

  1047. 	ctx.Data["IsActivateFailed"] = true

  1048. 	ctx.HTML(200, TplActivate)

  1049. }

  1050. 

  1051. // ActivateEmail render the activate email page

  1052. func ActivateEmail(ctx *context.Context) {

  1053. 	code := ctx.Query("code")

  1054. 	emailStr := ctx.Query("email")

  1055. 

  1056. 	// Verify code.

  1057. 	if email := models.VerifyActiveEmailCode(code, emailStr); email != nil {

  1058. 		if err := email.Activate(); err != nil {

  1059. 			ctx.ServerError("ActivateEmail", err)

  1060. 		}

  1061. 

  1062. 		log.Trace("Email activated: %s", email.Email)

  1063. 		ctx.Flash.Success(ctx.Tr("settings.add_email_success"))

  1064. 	}

  1065. 

  1066. 	ctx.Redirect(setting.AppSubURL + "/user/settings/email")

  1067. 	return

  1068. }

  1069. 

  1070. // ForgotPasswd render the forget pasword page

  1071. func ForgotPasswd(ctx *context.Context) {

  1072. 	ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")

  1073. 

  1074. 	if setting.MailService == nil {

  1075. 		ctx.Data["IsResetDisable"] = true

  1076. 		ctx.HTML(200, tplForgotPassword)

  1077. 		return

  1078. 	}

  1079. 

  1080. 	email := ctx.Query("email")

  1081. 	ctx.Data["Email"] = email

  1082. 

  1083. 	ctx.Data["IsResetRequest"] = true

  1084. 	ctx.HTML(200, tplForgotPassword)

  1085. }

  1086. 

  1087. // ForgotPasswdPost response for forget password request

  1088. func ForgotPasswdPost(ctx *context.Context) {

  1089. 	ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")

  1090. 

  1091. 	if setting.MailService == nil {

  1092. 		ctx.NotFound("ForgotPasswdPost", nil)

  1093. 		return

  1094. 	}

  1095. 	ctx.Data["IsResetRequest"] = true

  1096. 

  1097. 	email := ctx.Query("email")

  1098. 	ctx.Data["Email"] = email

  1099. 

  1100. 	u, err := models.GetUserByEmail(email)

  1101. 	if err != nil {

  1102. 		if models.IsErrUserNotExist(err) {

  1103. 			ctx.Data["ResetPwdCodeLives"] = base.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())

  1104. 			ctx.Data["IsResetSent"] = true

  1105. 			ctx.HTML(200, tplForgotPassword)

  1106. 			return

  1107. 		}

  1108. 

  1109. 		ctx.ServerError("user.ResetPasswd(check existence)", err)

  1110. 		return

  1111. 	}

  1112. 

  1113. 	if !u.IsLocal() && !u.IsOAuth2() {

  1114. 		ctx.Data["Err_Email"] = true

  1115. 		ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil)

  1116. 		return

  1117. 	}

  1118. 

  1119. 	if ctx.Cache.IsExist("MailResendLimit_" + u.LowerName) {

  1120. 		ctx.Data["ResendLimited"] = true

  1121. 		ctx.HTML(200, tplForgotPassword)

  1122. 		return

  1123. 	}

  1124. 

  1125. 	models.SendResetPasswordMail(ctx.Context, u)

  1126. 	if err = ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {

  1127. 		log.Error(4, "Set cache(MailResendLimit) fail: %v", err)

  1128. 	}

  1129. 

  1130. 	ctx.Data["ResetPwdCodeLives"] = base.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())

  1131. 	ctx.Data["IsResetSent"] = true

  1132. 	ctx.HTML(200, tplForgotPassword)

  1133. }

  1134. 

  1135. // ResetPasswd render the reset password page

  1136. func ResetPasswd(ctx *context.Context) {

  1137. 	ctx.Data["Title"] = ctx.Tr("auth.reset_password")

  1138. 

  1139. 	code := ctx.Query("code")

  1140. 	if len(code) == 0 {

  1141. 		ctx.Error(404)

  1142. 		return

  1143. 	}

  1144. 	ctx.Data["Code"] = code

  1145. 	ctx.Data["IsResetForm"] = true

  1146. 	ctx.HTML(200, tplResetPassword)

  1147. }

  1148. 

  1149. // ResetPasswdPost response from reset password request

  1150. func ResetPasswdPost(ctx *context.Context) {

  1151. 	ctx.Data["Title"] = ctx.Tr("auth.reset_password")

  1152. 

  1153. 	code := ctx.Query("code")

  1154. 	if len(code) == 0 {

  1155. 		ctx.Error(404)

  1156. 		return

  1157. 	}

  1158. 	ctx.Data["Code"] = code

  1159. 

  1160. 	if u := models.VerifyUserActiveCode(code); u != nil {

  1161. 		// Validate password length.

  1162. 		passwd := ctx.Query("password")

  1163. 		if len(passwd) < setting.MinPasswordLength {

  1164. 			ctx.Data["IsResetForm"] = true

  1165. 			ctx.Data["Err_Password"] = true

  1166. 			ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil)

  1167. 			return

  1168. 		}

  1169. 

  1170. 		var err error

  1171. 		if u.Rands, err = models.GetUserSalt(); err != nil {

  1172. 			ctx.ServerError("UpdateUser", err)

  1173. 			return

  1174. 		}

  1175. 		if u.Salt, err = models.GetUserSalt(); err != nil {

  1176. 			ctx.ServerError("UpdateUser", err)

  1177. 			return

  1178. 		}

  1179. 		u.HashPassword(passwd)

  1180. 		if err := models.UpdateUserCols(u, "passwd", "rands", "salt"); err != nil {

  1181. 			ctx.ServerError("UpdateUser", err)

  1182. 			return

  1183. 		}

  1184. 

  1185. 		log.Trace("User password reset: %s", u.Name)

  1186. 		ctx.Redirect(setting.AppSubURL + "/user/login")

  1187. 		return

  1188. 	}

  1189. 

  1190. 	ctx.Data["IsResetFailed"] = true

  1191. 	ctx.HTML(200, tplResetPassword)

  1192. }