mirror of
https://github.com/go-gitea/gitea
synced 2025-07-03 09:07:19 +00:00
Make LDAP be able to skip local 2FA (#16954)
This PR extends #16594 to allow LDAP to be able to be set to skip local 2FA too. The technique used here would be extensible to PAM and SMTP sources. Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
@ -20,24 +20,24 @@ import (
|
||||
)
|
||||
|
||||
// UserSignIn validates user name and password.
|
||||
func UserSignIn(username, password string) (*models.User, error) {
|
||||
func UserSignIn(username, password string) (*models.User, *models.LoginSource, error) {
|
||||
var user *models.User
|
||||
if strings.Contains(username, "@") {
|
||||
user = &models.User{Email: strings.ToLower(strings.TrimSpace(username))}
|
||||
// check same email
|
||||
cnt, err := models.Count(user)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
if cnt > 1 {
|
||||
return nil, models.ErrEmailAlreadyUsed{
|
||||
return nil, nil, models.ErrEmailAlreadyUsed{
|
||||
Email: user.Email,
|
||||
}
|
||||
}
|
||||
} else {
|
||||
trimmedUsername := strings.TrimSpace(username)
|
||||
if len(trimmedUsername) == 0 {
|
||||
return nil, models.ErrUserNotExist{Name: username}
|
||||
return nil, nil, models.ErrUserNotExist{Name: username}
|
||||
}
|
||||
|
||||
user = &models.User{LowerName: strings.ToLower(trimmedUsername)}
|
||||
@ -45,41 +45,41 @@ func UserSignIn(username, password string) (*models.User, error) {
|
||||
|
||||
hasUser, err := models.GetUser(user)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
if hasUser {
|
||||
source, err := models.GetLoginSourceByID(user.LoginSource)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
if !source.IsActive {
|
||||
return nil, models.ErrLoginSourceNotActived
|
||||
return nil, nil, models.ErrLoginSourceNotActived
|
||||
}
|
||||
|
||||
authenticator, ok := source.Cfg.(PasswordAuthenticator)
|
||||
if !ok {
|
||||
return nil, models.ErrUnsupportedLoginType
|
||||
return nil, nil, models.ErrUnsupportedLoginType
|
||||
}
|
||||
|
||||
user, err := authenticator.Authenticate(user, username, password)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// WARN: DON'T check user.IsActive, that will be checked on reqSign so that
|
||||
// user could be hint to resend confirm email.
|
||||
if user.ProhibitLogin {
|
||||
return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
|
||||
return nil, nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
|
||||
}
|
||||
|
||||
return user, nil
|
||||
return user, source, nil
|
||||
}
|
||||
|
||||
sources, err := models.AllActiveLoginSources()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
for _, source := range sources {
|
||||
@ -97,7 +97,7 @@ func UserSignIn(username, password string) (*models.User, error) {
|
||||
|
||||
if err == nil {
|
||||
if !authUser.ProhibitLogin {
|
||||
return authUser, nil
|
||||
return authUser, source, nil
|
||||
}
|
||||
err = models.ErrUserProhibitLogin{UID: authUser.ID, Name: authUser.Name}
|
||||
}
|
||||
@ -109,5 +109,5 @@ func UserSignIn(username, password string) (*models.User, error) {
|
||||
}
|
||||
}
|
||||
|
||||
return nil, models.ErrUserNotExist{Name: username}
|
||||
return nil, nil, models.ErrUserNotExist{Name: username}
|
||||
}
|
||||
|
Reference in New Issue
Block a user