Remove check on username if AccessToken authentication (#11015)

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2020-04-14 19:32:03 +01:00 committed by GitHub
parent f7ecc2bee7
commit 7c48085ff4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 35 deletions

View file

@ -85,22 +85,12 @@ func (b *Basic) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models
} }
token, err := models.GetAccessTokenBySHA(authToken) token, err := models.GetAccessTokenBySHA(authToken)
if err == nil { if err == nil {
if isUsernameToken { u, err = models.GetUserByID(token.UID)
u, err = models.GetUserByID(token.UID) if err != nil {
if err != nil { log.Error("GetUserByID: %v", err)
log.Error("GetUserByID: %v", err) return nil
return nil
}
} else {
u, err = models.GetUserByName(uname)
if err != nil {
log.Error("GetUserByID: %v", err)
return nil
}
if u.ID != token.UID {
return nil
}
} }
token.UpdatedUnix = timeutil.TimeStampNow() token.UpdatedUnix = timeutil.TimeStampNow()
if err = models.UpdateAccessToken(token); err != nil { if err = models.UpdateAccessToken(token); err != nil {
log.Error("UpdateAccessToken: %v", err) log.Error("UpdateAccessToken: %v", err)

View file

@ -188,27 +188,12 @@ func HTTP(ctx *context.Context) {
// Assume password is a token. // Assume password is a token.
token, err := models.GetAccessTokenBySHA(authToken) token, err := models.GetAccessTokenBySHA(authToken)
if err == nil { if err == nil {
if isUsernameToken { authUser, err = models.GetUserByID(token.UID)
authUser, err = models.GetUserByID(token.UID) if err != nil {
if err != nil { ctx.ServerError("GetUserByID", err)
ctx.ServerError("GetUserByID", err) return
return
}
} else {
authUser, err = models.GetUserByName(authUsername)
if err != nil {
if models.IsErrUserNotExist(err) {
ctx.HandleText(http.StatusUnauthorized, fmt.Sprintf("invalid credentials from %s", ctx.RemoteAddr()))
} else {
ctx.ServerError("GetUserByName", err)
}
return
}
if authUser.ID != token.UID {
ctx.HandleText(http.StatusUnauthorized, fmt.Sprintf("invalid credentials from %s", ctx.RemoteAddr()))
return
}
} }
token.UpdatedUnix = timeutil.TimeStampNow() token.UpdatedUnix = timeutil.TimeStampNow()
if err = models.UpdateAccessToken(token); err != nil { if err = models.UpdateAccessToken(token); err != nil {
ctx.ServerError("UpdateAccessToken", err) ctx.ServerError("UpdateAccessToken", err)