Merge branch 'no-insecure-auth' into 'develop'

Lock insecure auth methods behind config setting See merge request soapbox-pub/rebased!278
2023-09-22 13:35:50 +00:00 · 2023-09-22 13:35:50 +00:00 · 1d74716c99
commit 1d74716c99
parent 601da71fe0 b882bcc884
5 changed files with 54 additions and 29 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -668,6 +668,10 @@

 config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies

+config :pleroma, :auth, basic_auth: false
+
+config :pleroma, :auth, mongoose_im: false
+
 config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false

 config :pleroma, Pleroma.Emails.UserEmail,
--- a/lib/pleroma/web/mongoose_im/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongoose_im/mongoose_im_controller.ex
@ -13,34 +13,48 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
  plug(RateLimiter, [name: :authentication] when action in [:user_exists, :check_password])
  plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password)

+  def enabled?, do: Pleroma.Config.get([:auth, :mongoose_im], false)
+
  def user_exists(conn, %{"user" => username}) do
-    with %User{} <- Repo.get_by(User, nickname: username, local: true, is_active: true) do
-      conn
-      |> json(true)
-    else
-      _ ->
+    if enabled?() do
+      with %User{} <- Repo.get_by(User, nickname: username, local: true, is_active: true) do
        conn
-        |> put_status(:not_found)
-        |> json(false)
+        |> json(true)
+      else
+        _ ->
+          conn
+          |> put_status(:not_found)
+          |> json(false)
+      end
+    else
+      conn
+      |> put_status(:not_found)
+      |> json(false)
    end
  end

  def check_password(conn, %{"user" => username, "pass" => password}) do
-    with %User{password_hash: password_hash, is_active: true} <-
-           Repo.get_by(User, nickname: username, local: true),
-         true <- AuthenticationPlug.checkpw(password, password_hash) do
-      conn
-      |> json(true)
-    else
-      false ->
+    if enabled?() do
+      with %User{password_hash: password_hash, is_active: true} <-
+             Repo.get_by(User, nickname: username, local: true),
+           true <- AuthenticationPlug.checkpw(password, password_hash) do
        conn
-        |> put_status(:forbidden)
-        |> json(false)
+        |> json(true)
+      else
+        false ->
+          conn
+          |> put_status(:forbidden)
+          |> json(false)

-      _ ->
-        conn
-        |> put_status(:not_found)
-        |> json(false)
+        _ ->
+          conn
+          |> put_status(:not_found)
+          |> json(false)
+      end
+    else
+      conn
+      |> put_status(:not_found)
+      |> json(false)
    end
  end
 end
--- a/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
+++ b/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
@ -16,16 +16,20 @@ def init(options) do
  end

  def call(conn, _opts) do
-    with ["Basic " <> header] <- get_req_header(conn, "authorization"),
-         {:ok, userinfo} <- Base.decode64(header),
-         [username, password] <- String.split(userinfo, ":", parts: 2) do
-      conn
-      |> assign(:auth_credentials, %{
-        username: username,
-        password: password
-      })
+    if Pleroma.Config.get([:auth, :basic_auth], false) do
+      with ["Basic " <> header] <- get_req_header(conn, "authorization"),
+           {:ok, userinfo} <- Base.decode64(header),
+           [username, password] <- String.split(userinfo, ":", parts: 2) do
+        conn
+        |> assign(:auth_credentials, %{
+          username: username,
+          password: password
+        })
+      else
+        _ -> conn
+      end
    else
-      _ -> conn
+      conn
    end
  end
 end
--- a/test/pleroma/web/auth/basic_auth_test.exs
+++ b/test/pleroma/web/auth/basic_auth_test.exs
@ -10,6 +10,7 @@ defmodule Pleroma.Web.Auth.BasicAuthTest do
  test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{
    conn: conn
  } do
+    clear_config([:auth, :basic_auth], true)
    user = insert(:user)
    assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)

--- a/test/pleroma/web/mongoose_im_controller_test.exs
+++ b/test/pleroma/web/mongoose_im_controller_test.exs
@ -7,6 +7,7 @@ defmodule Pleroma.Web.MongooseIMControllerTest do
  import Pleroma.Factory

  test "/user_exists", %{conn: conn} do
+    clear_config([:auth, :mongoose_im], true)
    _user = insert(:user, nickname: "lain")
    _remote_user = insert(:user, nickname: "alice", local: false)
    _deactivated_user = insert(:user, nickname: "konata", is_active: false)
@ -41,6 +42,7 @@ test "/user_exists", %{conn: conn} do
  end

  test "/check_password", %{conn: conn} do
+    clear_config([:auth, :mongoose_im], true)
    user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool"))

    _deactivated_user =