Skip to content

Commit 0f14f69

Browse files
6543ashimokawalafrikssilverwindzeripath
authored
Verify password for local-account activation (go-gitea#13631)
* Verify passwords for activation This is to prevent 3rd party activation * Fix function comment * only veify password on local-account aktivation * fix lint * Update templates/user/auth/activate.tmpl Co-authored-by: silverwind <[email protected]> Co-authored-by: Andreas Shimokawa <[email protected]> Co-authored-by: Lauris BH <[email protected]> Co-authored-by: silverwind <[email protected]> Co-authored-by: zeripath <[email protected]> Co-authored-by: techknowlogick <[email protected]>
1 parent e82150d commit 0f14f69

File tree

2 files changed

+58
-28
lines changed

2 files changed

+58
-28
lines changed

routers/user/auth.go

Lines changed: 45 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -1203,6 +1203,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
12031203
// Activate render activate user page
12041204
func Activate(ctx *context.Context) {
12051205
code := ctx.Query("code")
1206+
password := ctx.Query("password")
1207+
12061208
if len(code) == 0 {
12071209
ctx.Data["IsActivatePage"] = true
12081210
if ctx.User.IsActive {
@@ -1228,42 +1230,58 @@ func Activate(ctx *context.Context) {
12281230
return
12291231
}
12301232

1231-
// Verify code.
1232-
if user := models.VerifyUserActiveCode(code); user != nil {
1233-
user.IsActive = true
1234-
var err error
1235-
if user.Rands, err = models.GetUserSalt(); err != nil {
1236-
ctx.ServerError("UpdateUser", err)
1233+
user := models.VerifyUserActiveCode(code)
1234+
// if code is wrong
1235+
if user == nil {
1236+
ctx.Data["IsActivateFailed"] = true
1237+
ctx.HTML(200, TplActivate)
1238+
return
1239+
}
1240+
1241+
// if account is local account, verify password
1242+
if user.LoginSource == 0 {
1243+
if len(password) == 0 {
1244+
ctx.Data["Code"] = code
1245+
ctx.Data["NeedsPassword"] = true
1246+
ctx.HTML(200, TplActivate)
12371247
return
12381248
}
1239-
if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil {
1240-
if models.IsErrUserNotExist(err) {
1241-
ctx.Error(404)
1242-
} else {
1243-
ctx.ServerError("UpdateUser", err)
1244-
}
1249+
if !user.ValidatePassword(password) {
1250+
ctx.Data["IsActivateFailed"] = true
1251+
ctx.HTML(200, TplActivate)
12451252
return
12461253
}
1254+
}
12471255

1248-
log.Trace("User activated: %s", user.Name)
1249-
1250-
if err := ctx.Session.Set("uid", user.ID); err != nil {
1251-
log.Error(fmt.Sprintf("Error setting uid in session: %v", err))
1252-
}
1253-
if err := ctx.Session.Set("uname", user.Name); err != nil {
1254-
log.Error(fmt.Sprintf("Error setting uname in session: %v", err))
1255-
}
1256-
if err := ctx.Session.Release(); err != nil {
1257-
log.Error("Error storing session: %v", err)
1256+
user.IsActive = true
1257+
var err error
1258+
if user.Rands, err = models.GetUserSalt(); err != nil {
1259+
ctx.ServerError("UpdateUser", err)
1260+
return
1261+
}
1262+
if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil {
1263+
if models.IsErrUserNotExist(err) {
1264+
ctx.Error(404)
1265+
} else {
1266+
ctx.ServerError("UpdateUser", err)
12581267
}
1259-
1260-
ctx.Flash.Success(ctx.Tr("auth.account_activated"))
1261-
ctx.Redirect(setting.AppSubURL + "/")
12621268
return
12631269
}
12641270

1265-
ctx.Data["IsActivateFailed"] = true
1266-
ctx.HTML(200, TplActivate)
1271+
log.Trace("User activated: %s", user.Name)
1272+
1273+
if err := ctx.Session.Set("uid", user.ID); err != nil {
1274+
log.Error(fmt.Sprintf("Error setting uid in session: %v", err))
1275+
}
1276+
if err := ctx.Session.Set("uname", user.Name); err != nil {
1277+
log.Error(fmt.Sprintf("Error setting uname in session: %v", err))
1278+
}
1279+
if err := ctx.Session.Release(); err != nil {
1280+
log.Error("Error storing session: %v", err)
1281+
}
1282+
1283+
ctx.Flash.Success(ctx.Tr("auth.account_activated"))
1284+
ctx.Redirect(setting.AppSubURL + "/")
12671285
}
12681286

12691287
// ActivateEmail render the activate email page

templates/user/auth/activate.tmpl

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,19 @@
1818
<p>{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.SignedUser.Email|Escape) .ActiveCodeLives | Str2html}}</p>
1919
{{end}}
2020
{{else}}
21-
{{if .IsSendRegisterMail}}
21+
{{if .NeedsPassword}}
22+
<form class="ui form" action="/user/activate" method="post">
23+
<div class="required inline field">
24+
<label for="password">{{.i18n.Tr "password"}}</label>
25+
<input id="password" name="password" type="password" autocomplete="off" required>
26+
</div>
27+
<div class="inline field">
28+
<label></label>
29+
<button class="ui green button">{{.i18n.Tr "install.confirm_password"}}</button>
30+
</div>
31+
<input id="code" name="code" type="hidden" value="{{.Code}}">
32+
</form>
33+
{{else if .IsSendRegisterMail}}
2234
<p>{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.Email|Escape) .ActiveCodeLives | Str2html}}</p>
2335
{{else if .IsActivateFailed}}
2436
<p>{{.i18n.Tr "auth.invalid_code"}}</p>

0 commit comments

Comments
 (0)