self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-14 10:53:30 +02:00
Code Issues Releases Activity

Refactor auth under nginx.check_credentials()

Browse Source
This commit is contained in:
Florent Daigniere 2021-02-09 09:20:02 +01:00
parent f9ed517b39
commit df230cb482
2 changed files with 19 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
core/admin/mailu/internal/nginx.py
View File

@ -19,6 +19,20 @@ STATUSES = {
}), }),
} }
def check_credentials(user, password, ip, protocol=None):
if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop):
return False
is_ok = False
# All tokens are 32 characters hex lowercase
if len(password) == 32:
for token in user.tokens:
if (token.check_password(password) and
(not token.ip or token.ip == ip)):
is_ok = True
break
if not is_ok and user.check_password(password):
is_ok = True
return is_ok
def handle_authentication(headers): def handle_authentication(headers):
""" Handle an HTTP nginx authentication request """ Handle an HTTP nginx authentication request
@ -47,23 +61,7 @@ def handle_authentication(headers):
password = raw_password.encode("iso8859-1").decode("utf8") password = raw_password.encode("iso8859-1").decode("utf8")
ip = urllib.parse.unquote(headers["Client-Ip"]) ip = urllib.parse.unquote(headers["Client-Ip"])
user = models.User.query.get(user_email) user = models.User.query.get(user_email)
status = False if check_credentials(user, password, ip, protocol):
if user:
# All tokens are 32 characters hex lowercase
if len(password) == 32:
for token in user.tokens:
if (token.check_password(password) and
(not token.ip or token.ip == ip)):
status = True
break
if not status and user.check_password(password):
status = True
if status:
if protocol == "imap" and not user.enable_imap:
status = False
elif protocol == "pop3" and not user.enable_pop:
status = False
if status and user.enabled:
return { return {
"Auth-Status": "OK", "Auth-Status": "OK",
"Auth-Server": server, "Auth-Server": server,

20
core/admin/mailu/internal/views/auth.py
View File

@ -53,22 +53,10 @@ def basic_authentication():
encoded = authorization.replace("Basic ", "") encoded = authorization.replace("Basic ", "")
user_email, password = base64.b64decode(encoded).split(b":") user_email, password = base64.b64decode(encoded).split(b":")
user = models.User.query.get(user_email.decode("utf8")) user = models.User.query.get(user_email.decode("utf8"))
if user and user.enabled: if nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
password = password.decode('utf-8') response = flask.Response()
status = False response.headers["X-User"] = user.email
# All tokens are 32 characters hex lowercase return response
if len(password) == 32:
for token in user.tokens:
if (token.check_password(password) and
(not token.ip or token.ip == ip)):
status = True
break
if not status and user.check_password(password):
status = True
if status:
response = flask.Response()
response.headers["X-User"] = user.email
return response
response = flask.Response(status=401) response = flask.Response(status=401)
response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"' response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'
return response return response