1
0
Fork 0
forked from fedi/mastodon

When OAuth password verification fails, return 401 instead of redirect (#5111)

Call to warden.authenticate! in resource_owner_from_credentials would
make the request redirect to sign-in path, which is a bad response for
apps. Now bad credentials just return nil, which leads to HTTP 401
from Doorkeeper. Also, accounts with enabled 2FA cannot be logged into
this way.
This commit is contained in:
Eugen Rochko 2017-09-27 23:42:49 +02:00 committed by GitHub
parent 901fc48aae
commit db3ed498b0

View file

@ -7,15 +7,14 @@ Doorkeeper.configure do
current_user || redirect_to(new_user_session_url) current_user || redirect_to(new_user_session_url)
end end
resource_owner_from_credentials do |routes| resource_owner_from_credentials do |_routes|
request.params[:user] = { email: request.params[:username], password: request.params[:password] } user = User.find_by(email: request.params[:username])
request.env["devise.allow_params_authentication"] = true user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])
request.env["warden"].authenticate!(scope: :user)
end end
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below. # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
admin_authenticator do admin_authenticator do
(current_user && current_user.admin?) || redirect_to(new_user_session_url) current_user&.admin? || redirect_to(new_user_session_url)
end end
# Authorization Code expiration time (default 10 minutes). # Authorization Code expiration time (default 10 minutes).