diff options
| author | ntl-purism <57806346+ntl-purism@users.noreply.github.com> | 2019-11-30 12:44:59 -0600 |
|---|---|---|
| committer | Eugen Rochko <eugen@zeonfederated.com> | 2019-11-30 19:44:59 +0100 |
| commit | f3a93987b6c3af92aee11fdb4424b8791a67e448 (patch) | |
| tree | 60e5f4d2914a876dac4de7100ad8dfd12f1479f1 /config/initializers | |
| parent | 35b142a7ad19821483f900e81e915a7925fd4eaf (diff) | |
LDAP & PAM added to OAuth password grant strategy (#7999) (#12390)
When authenticating via OAuth, the resource owner password grant strategy is allowed by Mastodon, but (without this PR), it does not attempt to authenticate against LDAP or PAM. As a result, LDAP or PAM authenticated users cannot sign in to Mastodon with their email/password credentials via OAuth (for instance, for native/mobile app users). This PR fleshes out the authentication strategy supplied to doorkeeper in its initializer by looking up the user with LDAP and/or PAM when devise is configured to use LDAP/PAM backends. It attempts to follow the same logic as the Auth::SessionsController for handling email/password credentials. Note #1: Since this pull request affects an initializer, it's unclear how to add test automation. Note #2: The PAM authentication path has not been manually tested. It was added for completeness sake, and it is hoped that it can be manually tested before merging.
Diffstat (limited to 'config/initializers')
| -rw-r--r-- | config/initializers/doorkeeper.rb | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb index a5c9caa4a..7784bec62 100644 --- a/config/initializers/doorkeeper.rb +++ b/config/initializers/doorkeeper.rb @@ -8,8 +8,20 @@ Doorkeeper.configure do end resource_owner_from_credentials do |_routes| - user = User.find_by(email: request.params[:username]) - user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password]) + if Devise.ldap_authentication + user = User.authenticate_with_ldap({ :email => request.params[:username], :password => request.params[:password] }) + end + + if Devise.pam_authentication + user ||= User.authenticate_with_ldap({ :email => request.params[:username], :password => request.params[:password] }) + end + + if user.nil? + user = User.find_by(email: request.params[:username]) + user = nil unless user.valid_password?(request.params[:password]) + end + + user if !user&.otp_required_for_login? end # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below. |