From b882bcc88483fb14f2527895faba2e7838bfb6d8 Mon Sep 17 00:00:00 2001
From: niggy
Date: Fri, 22 Sep 2023 03:50:35 +0000
Subject: [PATCH] Lock insecure auth methods behind config setting

---
 config/config.exs | 4 ++
 .../web/mongoose_im/mongoose_im_controller.ex | 54 ++++++++++++-------
 .../web/plugs/basic_auth_decoder_plug.ex | 22 ++++----
 test/pleroma/web/auth/basic_auth_test.exs | 1 +
 .../web/mongoose_im_controller_test.exs | 2 +
 5 files changed, 54 insertions(+), 29 deletions(-)

diff --git a/config/config.exs b/config/config.exs
index 8736948dec..e01e9f27a7 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -668,6 +668,10 @@ config :pleroma, :auth,
   oauth_consumer_strategies: oauth_consumer_strategies
 
+config :pleroma, :auth, basic_auth: false
+
+config :pleroma, :auth, mongoose_im: false
+
 config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
 
 config :pleroma, Pleroma.Emails.UserEmail,
diff --git a/lib/pleroma/web/mongoose_im/mongoose_im_controller.ex b/lib/pleroma/web/mongoose_im/mongoose_im_controller.ex
index 0945ebb12c..e819c7c346 100644
--- a/lib/pleroma/web/mongoose_im/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongoose_im/mongoose_im_controller.ex
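Review bot: Both new keys default to `false`, so an upgraded instance silently stops honouring HTTP Basic auth and the MongooseIM endpoints until an operator opts in; that is a breaking change that deserves a changelog entry and a one-line comment above each setting, e.g. `# Off by default: Basic auth sends the account password on every request` and `# Off by default: lets MongooseIM query usernames and verify passwords`. If the project keeps a descriptions file for settings surfaced through the admin API, the two keys presumably need entries there as well.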
@@ -13,34 +13,48 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
   plug(RateLimiter, [name: :authentication] when action in [:user_exists, :check_password])
   plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password)
 
+  def enabled?, do: Pleroma.Config.get([:auth, :mongoose_im], false)
+
   def user_exists(conn, %{"user" => username}) do
-    with %User{} <- Repo.get_by(User, nickname: username, local: true, is_active: true) do
-      conn
-      |> json(true)
-    else
-      _ ->
+    if enabled?() do
+      with %User{} <- Repo.get_by(User, nickname: username, local: true, is_active: true) do
         conn
-        |> put_status(:not_found)
-        |> json(false)
+        |> json(true)
+      else
+        _ ->
+          conn
+          |> put_status(:not_found)
+          |> json(false)
+      end
+    else
+      conn
+      |> put_status(:not_found)
+      |> json(false)
     end
   end
 
   def check_password(conn, %{"user" => username, "pass" => password}) do
-    with %User{password_hash: password_hash, is_active: true} <-
-           Repo.get_by(User, nickname: username, local: true),
-         true <- AuthenticationPlug.checkpw(password, password_hash) do
-      conn
-      |> json(true)
-    else
-      false ->
+    if enabled?() do
+      with %User{password_hash: password_hash, is_active: true} <-
+             Repo.get_by(User, nickname: username, local: true),
+           true <- AuthenticationPlug.checkpw(password, password_hash) do
         conn
-        |> put_status(:forbidden)
-        |> json(false)
+        |> json(true)
+      else
+        false ->
+          conn
+          |> put_status(:forbidden)
+          |> json(false)
 
-      _ ->
-        conn
-        |> put_status(:not_found)
-        |> json(false)
+        _ ->
+          conn
+          |> put_status(:not_found)
+          |> json(false)
+      end
+    else
+      conn
+      |> put_status(:not_found)
+      |> json(false)
     end
   end
 end
diff --git a/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex b/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
index 3eb13f9553..38f34e0499 100644
--- a/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
+++ b/lib/pleroma/web/plugs/basic_auth_decoder_plug.ex
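Review bot: The `if enabled?() do` wrapper and the `conn |> put_status(:not_found) |> json(false)` fallback are duplicated in both `user_exists/2` and `check_password/2`, and `enabled?/0` is left as a public function on a controller. A function plug that halts when `[:auth, :mongoose_im]` is off keeps both actions exactly as they were before the commit, makes the gate apply to any action added later, and lets the helper be private. Placing it after the existing `RateLimiter` plugs keeps rate limiting in force even while the feature is off; the module header is outside the hunk.
```elixir
  plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password)
  plug(:require_enabled)

  # … unchanged: user_exists/2 and check_password/2 as they were before the commit, without the if/else wrapper …

  # Halts with 404/false while [:auth, :mongoose_im] is off, so a disabled
  # instance is indistinguishable from one where the user does not exist.
  defp require_enabled(conn, _opts) do
    if Pleroma.Config.get([:auth, :mongoose_im], false) do
      conn
    else
      conn
      |> put_status(:not_found)
      |> json(false)
      |> halt()
    end
  end
```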
@@ -16,16 +16,20 @@ def init(options) do
   end
 
   def call(conn, _opts) do
-    with ["Basic " <> header] <- get_req_header(conn, "authorization"),
-         {:ok, userinfo} <- Base.decode64(header),
-         [username, password] <- String.split(userinfo, ":", parts: 2) do
-      conn
-      |> assign(:auth_credentials, %{
-        username: username,
-        password: password
-      })
+    if Pleroma.Config.get([:auth, :basic_auth], false) do
+      with ["Basic " <> header] <- get_req_header(conn, "authorization"),
+           {:ok, userinfo} <- Base.decode64(header),
+           [username, password] <- String.split(userinfo, ":", parts: 2) do
+        conn
+        |> assign(:auth_credentials, %{
+          username: username,
+          password: password
+        })
+      else
+        _ -> conn
+      end
     else
-      _ -> conn
+      conn
     end
   end
 end
diff --git a/test/pleroma/web/auth/basic_auth_test.exs b/test/pleroma/web/auth/basic_auth_test.exs
index 9d9fdfd161..18544b93b6 100644
--- a/test/pleroma/web/auth/basic_auth_test.exs
+++ b/test/pleroma/web/auth/basic_auth_test.exs
@@ -10,6 +10,7 @@ defmodule Pleroma.Web.Auth.BasicAuthTest do
   test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{
         conn: conn
       } do
+    clear_config([:auth, :basic_auth], true)
     user = insert(:user)
     assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
diff --git a/test/pleroma/web/mongoose_im_controller_test.exs b/test/pleroma/web/mongoose_im_controller_test.exs
index 46726fb625..200dba8ec6 100644
--- a/test/pleroma/web/mongoose_im_controller_test.exs
+++ b/test/pleroma/web/mongoose_im_controller_test.exs
@@ -7,6 +7,7 @@ defmodule Pleroma.Web.MongooseIMControllerTest do
   import Pleroma.Factory
 
   test "/user_exists", %{conn: conn} do
+    clear_config([:auth, :mongoose_im], true)
     _user = insert(:user, nickname: "lain")
     _remote_user = insert(:user, nickname: "alice", local: false)
     _deactivated_user = insert(:user, nickname: "konata", is_active: false)
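Review bot: `call/2` now nests the `with` inside an `if`, so the fall-through `conn` appears in two separate `else` branches; a guard that returns early when `[:auth, :basic_auth]` is off, with the header decoding moved to a private helper, keeps the happy path flat and the two outcomes obvious. The disabled case also deserves a comment, because the plug then silently discards a well-formed `Authorization: Basic` header and the request continues unauthenticated, which is what the setting intends but is invisible to a reader of the router. `init/1` and the module header are outside the rewritten lines.
```elixir
  def call(conn, _opts) do
    # With the setting off the header is ignored entirely and the request
    # proceeds without credentials; no 401 is sent from here.
    if Pleroma.Config.get([:auth, :basic_auth], false) do
      decode_credentials(conn)
    else
      conn
    end
  end

  # Assigns the username/password pair from a Basic Authorization header;
  # leaves `conn` untouched when the header is absent or malformed.
  defp decode_credentials(conn) do
    with ["Basic " <> header] <- get_req_header(conn, "authorization"),
         {:ok, userinfo} <- Base.decode64(header),
         [username, password] <- String.split(userinfo, ":", parts: 2) do
      assign(conn, :auth_credentials, %{username: username, password: password})
    else
      _ -> conn
    end
  end
```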
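Review bot: Only the enabled path is exercised here; with the new default of `false` nothing asserts that a valid `Authorization: Basic` header is ignored, which is the property the commit introduces. Add a sibling test that sets `clear_config([:auth, :basic_auth], false)` explicitly, sends the same header and asserts the scope-restricted endpoint denies access. The same gap applies to the two `clear_config([:auth, :mongoose_im], true)` hunks in `test/pleroma/web/mongoose_im_controller_test.exs`, where a disabled-setting case should expect 404 and `false` from both `/user_exists` and `/check_password` even for an existing user with the correct password.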
@@ -41,6 +42,7 @@ test "/user_exists", %{conn: conn} do
   end
 
   test "/check_password", %{conn: conn} do
+    clear_config([:auth, :mongoose_im], true)
     user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool"))
 
     _deactivated_user =