authorEugen Rochko <eugen@zeonfederated.com>2017-09-27 23:42:49 +0200
committerGitHub <noreply@github.com>2017-09-27 23:42:49 +0200
commitdb3ed498b08d1ff3b1ca16d326a51abef28b9184 (patch)
treea3ce2dd83e876d0f6a791fe710b05513be44344b /config
parent901fc48aaec8c6c5f1ae3c210c701abce3c03c7c (diff)
When OAuth password verification fails, return 401 instead of redirect (#5111)
Call to warden.authenticate! in resource_owner_from_credentials would
make the request redirect to sign-in path, which is a bad response for
apps. Now bad credentials just return nil, which leads to HTTP 401
from Doorkeeper. Also, accounts with 2FA enabled cannot be logged in
this way.
Diffstat (limited to 'config')
-rw-r--r--config/initializers/doorkeeper.rb9
1 files changed, 4 insertions, 5 deletions
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 689e2ac4a..074f8c410 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -7,15 +7,14 @@ Doorkeeper.configure do
     current_user || redirect_to(new_user_session_url)
   end
 
-  resource_owner_from_credentials do |routes|
-    request.params[:user] = { email: request.params[:username], password: request.params[:password] }
-    request.env["devise.allow_params_authentication"] = true
-    request.env["warden"].authenticate!(scope: :user)
+  resource_owner_from_credentials do |_routes|
+    user = User.find_by(email: request.params[:username])
+    user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])
   end
 
   # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
   admin_authenticator do
-    (current_user && current_user.admin?) || redirect_to(new_user_session_url)
+    current_user&.admin? || redirect_to(new_user_session_url)
   end
 
   # Authorization Code expiration time (default 10 minutes).
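Review bot: Replacing the warden strategy with a direct `valid_password?` check on the new lines 34–35 drops Devise's `active_for_authentication?` gate, so an unconfirmed or locked account (if the User model includes the confirmable/lockable modules) can still obtain a token through the password grant even though the web sign-in would refuse it. The `find_by(email:)` lookup also skips the `case_insensitive_keys`/`strip_whitespace_keys` normalisation that Devise's `find_for_authentication` applies, so a username entered with different casing stops working for this grant only. Suggested replacement for the two lines: `user = User.find_for_authentication(email: request.params[:username])` and `user if user&.active_for_authentication? && !user.otp_required_for_login? && user.valid_password?(request.params[:password])`. Note that when no user is found `valid_password?` is never called, so the response time differs between known and unknown e-mails; if that matters here, run a dummy password check on the miss path as Devise's strategy does. The enclosing `Doorkeeper.configure do` block starts and ends outside this hunk.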