Prevent disabled User from SSO login

This commit is contained in:
Timshel 2024-11-28 16:44:37 +01:00
parent 02a9ab5d48
commit 28146e292d
2 changed files with 49 additions and 6 deletions


@ -152,7 +152,12 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
crate::ratelimit::check_limit_login(&ip.ip)?; crate::ratelimit::check_limit_login(&ip.ip)?;
let code = match data.code.as_ref() { let code = match data.code.as_ref() {
None => err!("Got no code in OIDC data"), None => err!(
"Got no code in OIDC data",
ErrorEvent {
event: EventType::UserFailedLogIn
}
),
Some(code) => code, Some(code) => code,
}; };
@ -166,14 +171,33 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
"Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled", "Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
user_infos.identifier, user.uuid, user.email user_infos.identifier, user.uuid, user.email
); );
err_silent!("Existing non SSO user with same email") err_silent!(
"Existing non SSO user with same email",
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
} }
Some((user, Some(sso_user))) if sso_user.identifier != user_infos.identifier => { Some((user, Some(sso_user))) if sso_user.identifier != user_infos.identifier => {
error!( error!(
"Login failure ({}), existing SSO user ({}) with same email ({})", "Login failure ({}), existing SSO user ({}) with same email ({})",
user_infos.identifier, user.uuid, user.email user_infos.identifier, user.uuid, user.email
); );
err_silent!("Existing SSO user with same email") err_silent!(
"Existing SSO user with same email",
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
}
Some((user, _)) if !user.enabled => {
err!(
"This user has been disabled",
format!("IP: {}. Username: {}.", ip.ip, user.name),
ErrorEvent {
event: EventType::UserFailedLogIn
}
)
} }
Some((user, sso_user)) => { Some((user, sso_user)) => {
let (mut device, new_device) = get_device(&data, conn, &user).await?; let (mut device, new_device) = get_device(&data, conn, &user).await?;
@ -190,15 +214,28 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
let (user, mut device, new_device, twofactor_token, sso_user) = match user_data { let (user, mut device, new_device, twofactor_token, sso_user) = match user_data {
None => { None => {
if !CONFIG.is_email_domain_allowed(&user_infos.email) { if !CONFIG.is_email_domain_allowed(&user_infos.email) {
err!("Email domain not allowed"); err!(
"Email domain not allowed",
ErrorEvent {
event: EventType::UserFailedLogIn
}
);
} }
match user_infos.email_verified { match user_infos.email_verified {
None if !CONFIG.sso_allow_unknown_email_verification() => err!( None if !CONFIG.sso_allow_unknown_email_verification() => err!(
"Your provider does not send email verification status.\n\ "Your provider does not send email verification status.\n\
You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in." You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in.",
ErrorEvent {
event: EventType::UserFailedLogIn
}
),
Some(false) => err!(
"You need to verify your email with your provider before you can log in",
ErrorEvent {
event: EventType::UserFailedLogIn
}
), ),
Some(false) => err!("You need to verify your email with your provider before you can log in"),
_ => (), _ => (),
} }
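Review bot: The new `Some((user, _)) if !user.enabled` arm in the second hunk is correct only because of where it sits: after the two mismatch arms and immediately before the `Some((user, sso_user))` success arm, so a future reorder (or a new arm inserted above it) would let a disabled account reach `get_device` and the rest of the login. A one-line comment pinning that would help, e.g. `// Must stay above the success arm: a disabled account has to fail before any device/2FA handling`. The check only applies to the existing-user branch; the `None` branch in the third hunk is the new-account path, which presumably has no enabled flag to test yet, so that is consistent but worth stating in the same comment. Note also that this arm uses `err!` while its two neighbours log with `error!` and then `err_silent!`; if `err!` logs on its own, the net effect is the same, but the mix of styles in one `match` is easy to misread. The enclosing `_sso_login` body starts and ends outside these hunks.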


@ -255,9 +255,15 @@ macro_rules! err_silent {
($msg:expr) => {{ ($msg:expr) => {{
return Err($crate::error::Error::new($msg, $msg)); return Err($crate::error::Error::new($msg, $msg));
}}; }};
($msg:expr, ErrorEvent $err_event:tt) => {{
return Err($crate::error::Error::new($msg, $msg).with_event($crate::error::ErrorEvent $err_event));
}};
($usr_msg:expr, $log_value:expr) => {{ ($usr_msg:expr, $log_value:expr) => {{
return Err($crate::error::Error::new($usr_msg, $log_value)); return Err($crate::error::Error::new($usr_msg, $log_value));
}}; }};
($usr_msg:expr, $log_value:expr, ErrorEvent $err_event:tt) => {{
return Err($crate::error::Error::new($usr_msg, $log_value).with_event($crate::error::ErrorEvent $err_event));
}};
} }
#[macro_export] #[macro_export]
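Review bot: The two new `ErrorEvent` arms of `err_silent!` rely on their position: `ErrorEvent { event: .. }` is itself a valid `expr`, so if `($msg:expr, ErrorEvent $err_event:tt)` were ever moved below `($usr_msg:expr, $log_value:expr)`, a two-argument call carrying an event would match the generic arm and the event struct would be handed to `Error::new` as the log value instead of being attached via `with_event`; whether that then fails at `Error::new` or compiles depends on its bounds, which are not on this page. A short comment above the first new arm would guard against that, e.g. `// Keep the ErrorEvent arms above the plain-expr arms: a struct literal also parses as an expr`. The same ordering argument applies to the three-argument arm relative to any future `($a:expr, $b:expr, $c:expr)` arm. The `err!` arms these are meant to mirror (used with `ErrorEvent` in the other file) are not shown here, so I cannot confirm the patterns are identical.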