When authenticating via OAuth, the resource owner password grant strategy is allowed by Mastodon, but (without this PR) it does not attempt to authenticate against LDAP or PAM. As a result, LDAP- or PAM-authenticated users cannot sign in to Mastodon with their email/password credentials via OAuth (for instance, native/mobile app users). This PR fleshes out the authentication strategy supplied to doorkeeper in its initializer by looking up the user with LDAP and/or PAM when devise is configured to use the LDAP/PAM backends. It attempts to follow the same logic as the Auth::SessionsController for handling email/password credentials.

Note #1: Since this pull request affects an initializer, it's unclear how to add test automation.

Note #2: The PAM authentication path has not been manually tested. It was added for completeness' sake, and it is hoped that it can be manually tested before merging.
parent 35b142a7ad
commit f3a93987b6
@@ -8,8 +8,20 @@ Doorkeeper.configure do
   end
 
   resource_owner_from_credentials do |_routes|
-    user = User.find_by(email: request.params[:username])
-    user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])
+    if Devise.ldap_authentication
+      user = User.authenticate_with_ldap({ :email => request.params[:username], :password => request.params[:password] })
+    end
+
+    if Devise.pam_authentication
+      user ||= User.authenticate_with_ldap({ :email => request.params[:username], :password => request.params[:password] })
+    end
+
+    if user.nil?
+      user = User.find_by(email: request.params[:username])
+      user = nil unless user.valid_password?(request.params[:password])
+    end
+
+    user if !user&.otp_required_for_login?
   end
 
   # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
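Review bot: The PAM branch is a copy-paste of the LDAP branch: under `if Devise.pam_authentication` it calls `User.authenticate_with_ldap(...)` again, so PAM credentials are never checked and the LDAP directory is queried even on instances that enable only PAM; it should call the PAM backend's authentication method instead (which also explains why the untested PAM path cannot have worked). Separately, the local-password fallback inside `if user.nil?` calls `user.valid_password?(...)` directly on the result of `User.find_by`, which is nil for an unknown email, so an unknown username now raises NoMethodError (a 500) instead of a failed authentication; the removed line used safe navigation (`user&.valid_password?`), and it should be restored there: `user = nil unless user&.valid_password?(request.params[:password])`. The final `user if !user&.otp_required_for_login?` already tolerates nil, so that is the only unguarded dereference in the hunk.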