When authenticating via OAuth, the resource owner password grant strategy is allowed by Mastodon, but (without this PR) it does not attempt to authenticate against LDAP or PAM. As a result, LDAP- or PAM-authenticated users cannot sign in to Mastodon with their email/password credentials via OAuth (for instance, native/mobile app users). This PR fleshes out the authentication strategy supplied to doorkeeper in its initializer by looking up the user with LDAP and/or PAM when devise is configured to use LDAP/PAM backends. It attempts to follow the same logic as the Auth::SessionsController for handling email/password credentials. Note #1: Since this pull request affects an initializer, it's unclear how to add test automation. Note #2: The PAM authentication path has not been manually tested. It was added for completeness' sake, and it is hoped that it can be manually tested before merging.

gh/stable
parent 35b142a7ad
commit f3a93987b6
|
@ -8,8 +8,20 @@ Doorkeeper.configure do
|
||||||
end
|
end
|
||||||
|
|
||||||
resource_owner_from_credentials do |_routes|
|
resource_owner_from_credentials do |_routes|
|
||||||
user = User.find_by(email: request.params[:username])
|
if Devise.ldap_authentication
|
||||||
user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])
|
user = User.authenticate_with_ldap({ :email => request.params[:username], :password => request.params[:password] })
|
||||||
|
end
|
||||||
|
|
||||||
|
if Devise.pam_authentication
|
||||||
|
user ||= User.authenticate_with_ldap({ :email => request.params[:username], :password => request.params[:password] })
|
||||||
|
end
|
||||||
|
|
||||||
|
if user.nil?
|
||||||
|
user = User.find_by(email: request.params[:username])
|
||||||
|
user = nil unless user.valid_password?(request.params[:password])
|
||||||
|
end
|
||||||
|
|
||||||
|
user if !user&.otp_required_for_login?
|
||||||
end
|
end
|
||||||
|
|
||||||
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
|
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
|
||||||
|
|
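Review bot: The PAM branch (`if Devise.pam_authentication`) calls `User.authenticate_with_ldap` rather than a PAM authentication method, so with PAM enabled and LDAP disabled this block still performs an LDAP lookup (or raises, if the LDAP concern is not loaded); it should call the PAM-specific method that Auth::SessionsController uses for the same credentials (presumably `User.authenticate_with_pam`), which also matches the description's admission that the PAM path is untested. Separately, the local fallback `user = nil unless user.valid_password?(request.params[:password])` raises `NoMethodError` when `User.find_by` returns nil for an unknown email, turning a bad login into a 500 and a distinguishable error for unknown versus known accounts; the removed line used `user&.valid_password?`, and the safe-navigation operator should be kept here (`user = nil unless user&.valid_password?(request.params[:password])`).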