From 2720e1b9ad46a7bfdd26f0c4740e900a9a99a57c Mon Sep 17 00:00:00 2001 From: Andreas Shimokawa Date: Tue, 19 May 2020 23:13:49 +0200 Subject: [PATCH 1/5] Verify passwords for activation This is to prevent 3rd party activation --- models/user.go | 10 ++++++++++ routers/user/auth.go | 13 +++++++++++-- templates/user/auth/activate.tmpl | 15 ++++++++++++++- 3 files changed, 35 insertions(+), 3 deletions(-) diff --git a/models/user.go b/models/user.go index 9489ff4e8bb58..e451d2d6c2de2 100644 --- a/models/user.go +++ b/models/user.go @@ -890,6 +890,16 @@ func VerifyUserActiveCode(code string) (user *User) { return nil } +// VerifyUserActiveCode verifies active code and password when activating account +func VerifyUserActiveCodeAndPassword(code string, password string) (user *User) { + if user = VerifyUserActiveCode(code); user != nil { + if user.ValidatePassword(password) { + return user + } + } + return nil +} + // VerifyActiveEmailCode verifies active email code when active account func VerifyActiveEmailCode(code, email string) *EmailAddress { minutes := setting.Service.ActiveCodeLives diff --git a/routers/user/auth.go b/routers/user/auth.go index ba6420967f646..ef3b529201334 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -1203,6 +1203,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo // Activate render activate user page func Activate(ctx *context.Context) { code := ctx.Query("code") + password := ctx.Query("password") + if len(code) == 0 { ctx.Data["IsActivatePage"] = true if ctx.User.IsActive { 
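Review bot: `password := ctx.Query("password")` in the Activate hunk accepts the password from wherever the framework merges parameters from, which for this kind of Query helper normally includes the URL query string as well as the POST body, so a password submitted via GET (the form's method is not visible in the stripped template hunk) ends up in browser history, proxy and access logs, and Referer headers. Read the password only from the request body — serve the password step on a POST-only route, or ignore the parameter unless the request is a POST — and keep the GET link carrying just `code`. The same read is kept unchanged by the later "only verify password on local-account activation" patch, so the point applies there too. Activate's body continues past this hunk.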
@@ -1228,8 +1230,15 @@ func Activate(ctx *context.Context) { return } - // Verify code. - if user := models.VerifyUserActiveCode(code); user != nil { + if len(password) == 0 { + ctx.Data["Code"] = code + ctx.Data["NeedsPassword"] = true + ctx.HTML(200, TplActivate) + return + } + + // Verify code and password + if user := models.VerifyUserActiveCodeAndPassword(code, password); user != nil { user.IsActive = true var err error if user.Rands, err = models.GetUserSalt(); err != nil { diff --git a/templates/user/auth/activate.tmpl b/templates/user/auth/activate.tmpl index c24362bb8c42b..269893b987e7e 100644 --- a/templates/user/auth/activate.tmpl +++ b/templates/user/auth/activate.tmpl @@ -18,7 +18,20 @@

{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.SignedUser.Email|Escape) .ActiveCodeLives | Str2html}}

{{end}} {{else}} - {{if .IsSendRegisterMail}} + {{if .NeedsPassword}} +
+
+ + +
+ +
+ + +
+ +
+ {{else if .IsSendRegisterMail}}

{{.i18n.Tr "auth.confirmation_mail_sent_prompt" (.Email|Escape) .ActiveCodeLives | Str2html}}

{{else if .IsActivateFailed}}

{{.i18n.Tr "auth.invalid_code"}}

From a7162ac8af3b85383305e71a1bdb7bc44a4f878c Mon Sep 17 00:00:00 2001 From: Lauris BH Date: Thu, 19 Nov 2020 07:49:09 +0200 Subject: [PATCH 2/5] Fix function comment --- models/user.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/user.go b/models/user.go index e451d2d6c2de2..2b91bd2778169 100644 --- a/models/user.go +++ b/models/user.go @@ -890,7 +890,7 @@ func VerifyUserActiveCode(code string) (user *User) { return nil } -// VerifyUserActiveCode verifies active code and password when activating account +// VerifyUserActiveCodeAndPassword verifies active code and password when activating account func VerifyUserActiveCodeAndPassword(code string, password string) (user *User) { if user = VerifyUserActiveCode(code); user != nil { if user.ValidatePassword(password) { From f07fa2f5494e5df98e390f2b4371e882a367cbb4 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Fri, 20 Nov 2020 00:02:28 +0100 Subject: [PATCH 3/5] only veify password on local-account aktivation --- models/user.go | 10 ------- routers/user/auth.go | 70 +++++++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/models/user.go b/models/user.go index 2b91bd2778169..9489ff4e8bb58 100644 --- a/models/user.go +++ b/models/user.go @@ -890,16 +890,6 @@ func VerifyUserActiveCode(code string) (user *User) { return nil } -// VerifyUserActiveCodeAndPassword verifies active code and password when activating account -func VerifyUserActiveCodeAndPassword(code string, password string) (user *User) { - if user = VerifyUserActiveCode(code); user != nil { - if user.ValidatePassword(password) { - return user - } - } - return nil -} - // VerifyActiveEmailCode verifies active email code when active account func VerifyActiveEmailCode(code, email string) *EmailAddress { minutes := setting.Service.ActiveCodeLives diff --git a/routers/user/auth.go b/routers/user/auth.go index ef3b529201334..191ca60aa6762 100644 --- a/routers/user/auth.go 
+++ b/routers/user/auth.go 
@@ -1230,49 +1230,59 @@ func Activate(ctx *context.Context) { return } - if len(password) == 0 { - ctx.Data["Code"] = code - ctx.Data["NeedsPassword"] = true + user := models.VerifyUserActiveCode(code) + // if code is wrong + if user == nil { + ctx.Data["IsActivateFailed"] = true ctx.HTML(200, TplActivate) return } - // Verify code and password - if user := models.VerifyUserActiveCodeAndPassword(code, password); user != nil { - user.IsActive = true - var err error - if user.Rands, err = models.GetUserSalt(); err != nil { - ctx.ServerError("UpdateUser", err) + // if account is local account, verify password + if user.LoginSource == 0 { + if len(password) == 0 { + ctx.Data["Code"] = code + ctx.Data["NeedsPassword"] = true + ctx.HTML(200, TplActivate) return } - if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { - if models.IsErrUserNotExist(err) { - ctx.Error(404) - } else { - ctx.ServerError("UpdateUser", err) - } + if !user.ValidatePassword(password) { + ctx.Data["IsActivateFailed"] = true + ctx.HTML(200, TplActivate) return } + } - log.Trace("User activated: %s", user.Name) - - if err := ctx.Session.Set("uid", user.ID); err != nil { - log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) - } - if err := ctx.Session.Set("uname", user.Name); err != nil { - log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) - } - if err := ctx.Session.Release(); err != nil { - log.Error("Error storing session: %v", err) + user.IsActive = true + var err error + if user.Rands, err = models.GetUserSalt(); err != nil { + ctx.ServerError("UpdateUser", err) + return + } + if err := models.UpdateUserCols(user, "is_active", "rands"); err != nil { + if models.IsErrUserNotExist(err) { + ctx.Error(404) + } else { + ctx.ServerError("UpdateUser", err) } - - ctx.Flash.Success(ctx.Tr("auth.account_activated")) - ctx.Redirect(setting.AppSubURL + "/") return } - ctx.Data["IsActivateFailed"] = true - ctx.HTML(200, TplActivate) + log.Trace("User 
activated: %s", user.Name) + + if err := ctx.Session.Set("uid", user.ID); err != nil { + log.Error(fmt.Sprintf("Error setting uid in session: %v", err)) + } + if err := ctx.Session.Set("uname", user.Name); err != nil { + log.Error(fmt.Sprintf("Error setting uname in session: %v", err)) + } + if err := ctx.Session.Release(); err != nil { + log.Error("Error storing session: %v", err) + } + + ctx.Flash.Success(ctx.Tr("auth.account_activated")) + ctx.Redirect(setting.AppSubURL + "/") + return } // ActivateEmail render the activate email page From 65c4b300d441e94064c5e6bb298d3938b20f5aef Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Fri, 20 Nov 2020 00:24:57 +0100 Subject: [PATCH 4/5] fix lint --- routers/user/auth.go | 1 - 1 file changed, 1 deletion(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index 191ca60aa6762..d347962ca7e21 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -1282,7 +1282,6 @@ func Activate(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("auth.account_activated")) ctx.Redirect(setting.AppSubURL + "/") - return } // ActivateEmail render the activate email page From 0244d70b42c0ea80a99c146992e15a8ed22b5459 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Wed, 25 Nov 2020 01:12:17 +0100 Subject: [PATCH 5/5] Update templates/user/auth/activate.tmpl Co-authored-by: silverwind --- templates/user/auth/activate.tmpl | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/user/auth/activate.tmpl b/templates/user/auth/activate.tmpl index 269893b987e7e..c3f136add429f 100644 --- a/templates/user/auth/activate.tmpl +++ b/templates/user/auth/activate.tmpl @@ -24,7 +24,6 @@ -
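Review bot: A wrong password on the new `if !user.ValidatePassword(password)` branch sets `ctx.Data["IsActivateFailed"] = true`, the same flag as an invalid code, and the activate template (patch 1 hunk) renders that flag as `auth.invalid_code`, so the user is told the link is bad when only the password was wrong and loses the password form. Use a distinct flag on that branch, e.g. `ctx.Data["IsPasswordInvalid"] = true` together with `ctx.Data["Code"] = code` and `ctx.Data["NeedsPassword"] = true`, so the template can re-show the form with a password-specific message under a new i18n key (`auth.<placeholder_key>`). Separately, `if user.LoginSource == 0` hard-codes what counts as a local account; if this tree has a helper for that on `*User` (such as `IsLocal()`), calling it instead makes the intent explicit and keeps the rule in one place. Activate's signature is outside this hunk.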