Diffstat (limited to 'src/api/identity.rs')
-rw-r--r-- | src/api/identity.rs | 60 |
1 files changed, 34 insertions, 26 deletions
diff --git a/src/api/identity.rs b/src/api/identity.rs
index 672f128c..003e4d97 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -165,20 +165,22 @@ async fn _password_login(
 // Set the user_uuid here to be passed back used for event logging.
 *user_uuid = Some(user.uuid.clone());
 
- // Check password
- let password = data.password.as_ref().unwrap();
- if let Some(auth_request_uuid) = data.auth_request.clone() {
- if let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await {
- if !auth_request.check_access_code(password) {
- err!(
- "Username or access code is incorrect. Try again",
- format!("IP: {}. Username: {}.", ip.ip, username),
- ErrorEvent {
- event: EventType::UserFailedLogIn,
- }
- )
+ // Check if the user is disabled
+ if !user.enabled {
+ err!(
+ "This user has been disabled",
+ format!("IP: {}. Username: {}.", ip.ip, username),
+ ErrorEvent {
+ event: EventType::UserFailedLogIn
 }
- } else {
+ )
+ }
+
+ let password = data.password.as_ref().unwrap();
+
+ // If we get an auth request, we don't check the user's password, but the access code of the auth request
+ if let Some(ref auth_request_uuid) = data.auth_request {
+ let Some(auth_request) = AuthRequest::find_by_uuid(auth_request_uuid.as_str(), conn).await else {
 err!(
 "Auth request not found. Try again.",
 format!("IP: {}. Username: {}.", ip.ip, username),
@@ -186,6 +188,23 @@ async fn _password_login(
 event: EventType::UserFailedLogIn,
 }
 )
+ };
+
+ // Delete the request after we used it
+ auth_request.delete(conn).await?;
+
+ if auth_request.user_uuid != user.uuid
+ || !auth_request.approved.unwrap_or(false)
+ || ip.ip.to_string() != auth_request.request_ip
+ || !auth_request.check_access_code(password)
+ {
+ err!(
+ "Username or access code is incorrect. Try again",
+ format!("IP: {}. Username: {}.", ip.ip, username),
+ ErrorEvent {
+ event: EventType::UserFailedLogIn,
+ }
+ )
 }
 } else if !user.check_valid_password(password) {
 err!(
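Review bot: Moving the `!user.enabled` check ahead of the credential checks makes the client-visible message `This user has been disabled` reachable before any password or access code has been verified, so a request that only knows the username now learns that the account exists and is disabled, which the previous ordering did not reveal. Keeping the check at this position is reasonable if it is meant to run before the auth request is consumed, but the client-facing string should then be the same generic wording the credential-failure branches use (the `Username or access code is incorrect. Try again` form visible in this hunk), with the disabled reason kept only in the logged string and event, e.g. `format!("IP: {}. Username: {}. Account disabled.", ip.ip, username),`. The `data.password.as_ref().unwrap()` on the new side is carried over from the old code and will panic if `password` can arrive as `None`; if a blank-password check happens earlier in `_password_login` (which starts before this hunk), a comment saying so at the `unwrap()` would document why the panic path is unreachable.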
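Review bot: The new guard after `auth_request.delete(conn).await?` checks ownership, approval, request IP and access code, but nothing in this hunk bounds the age of the auth request, so an approved request stays valid until it is used unless `find_by_uuid` or a background purge already drops stale rows (not visible here). If `AuthRequest` carries a creation or approval timestamp, rejecting requests older than the intended window in the same condition would close that gap; otherwise a comment naming where expiry is enforced would help the next reader. Deleting the request before validating it is the right single-use behaviour, since a failed attempt cannot be replayed against the same request; the existing `// Delete the request after we used it` comment would be clearer as `// Consume the request first so a failed check cannot be retried against it`. Note that the `||` chain short-circuits, so `check_access_code` only runs when the non-secret fields already match, which is fine as long as `check_access_code` itself is the constant-time comparison.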
@@ -197,8 +216,8 @@ async fn _password_login(
 )
 }
 
- // Change the KDF Iterations
- if user.password_iterations != CONFIG.password_iterations() {
+ // Change the KDF Iterations (only when not logging in with an auth request)
+ if data.auth_request.is_none() && user.password_iterations != CONFIG.password_iterations() {
 user.password_iterations = CONFIG.password_iterations();
 user.set_password(password, None, false, None);
 
@@ -207,17 +226,6 @@ async fn _password_login(
 }
 }
 
- // Check if the user is disabled
- if !user.enabled {
- err!(
- "This user has been disabled",
- format!("IP: {}. Username: {}.", ip.ip, username),
- ErrorEvent {
- event: EventType::UserFailedLogIn
- }
- )
- }
-
 let now = Utc::now().naive_utc();
 if user.verified_at.is_none() && CONFIG.mail_enabled() && CONFIG.signups_verify() { |
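Review bot: The `data.auth_request.is_none()` guard is what keeps `user.set_password(password, ...)` from writing an auth-request access code into the user record, because `password` is bound to the access code rather than the master password hash in that branch; that invariant is only implied by the condition and deserves to be stated. A comment on the guard such as `// When an auth request is used, `password` holds its access code, not the master password; never persist it` would make the reason explicit, and it would be worth a line noting that the ordering between this re-hash and the auth-request branch must be kept. The body of this `if` and whatever follows `set_password` run past the hunk.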