Merge branch 'no-insecure-auth' into 'develop'

Lock insecure auth methods behind config setting

See merge request soapbox-pub/rebased!278

config/config.exs

@@ -668,6 +668,10 @@
 
 config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies
 
+config :pleroma, :auth, basic_auth: false
+
+config :pleroma, :auth, mongoose_im: false
+
 config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
 
 config :pleroma, Pleroma.Emails.UserEmail,

lib/pleroma/web/mongoose_im/mongoose_im_controller.ex

@@ -13,7 +13,10 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
   plug(RateLimiter, [name: :authentication] when action in [:user_exists, :check_password])
   plug(RateLimiter, [name: :authentication, params: ["user"]] when action == :check_password)
 
+  def enabled?, do: Pleroma.Config.get([:auth, :mongoose_im], false)
+
   def user_exists(conn, %{"user" => username}) do
+    if enabled?() do
       with %User{} <- Repo.get_by(User, nickname: username, local: true, is_active: true) do
         conn
         |> json(true)
@@ -23,9 +26,15 @@ def user_exists(conn, %{"user" => username}) do
           |> put_status(:not_found)
           |> json(false)
       end
+    else
+      conn
+      |> put_status(:not_found)
+      |> json(false)
+    end
   end
 
   def check_password(conn, %{"user" => username, "pass" => password}) do
+    if enabled?() do
       with %User{password_hash: password_hash, is_active: true} <-
              Repo.get_by(User, nickname: username, local: true),
            true <- AuthenticationPlug.checkpw(password, password_hash) do
@@ -42,5 +51,10 @@ def check_password(conn, %{"user" => username, "pass" => password}) do
           |> put_status(:not_found)
           |> json(false)
       end
+    else
+      conn
+      |> put_status(:not_found)
+      |> json(false)
+    end
   end
 end

lib/pleroma/web/plugs/basic_auth_decoder_plug.ex

@@ -16,6 +16,7 @@ def init(options) do
   end
 
   def call(conn, _opts) do
+    if Pleroma.Config.get([:auth, :basic_auth], false) do
       with ["Basic " <> header] <- get_req_header(conn, "authorization"),
            {:ok, userinfo} <- Base.decode64(header),
            [username, password] <- String.split(userinfo, ":", parts: 2) do
@@ -27,5 +28,8 @@ def call(conn, _opts) do
       else
         _ -> conn
       end
+    else
+      conn
+    end
   end
 end

test/pleroma/web/auth/basic_auth_test.exs

@@ -10,6 +10,7 @@ defmodule Pleroma.Web.Auth.BasicAuthTest do
   test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{
     conn: conn
   } do
+    clear_config([:auth, :basic_auth], true)
     user = insert(:user)
     assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
 

test/pleroma/web/mongoose_im_controller_test.exs

@@ -7,6 +7,7 @@ defmodule Pleroma.Web.MongooseIMControllerTest do
   import Pleroma.Factory
 
   test "/user_exists", %{conn: conn} do
+    clear_config([:auth, :mongoose_im], true)
     _user = insert(:user, nickname: "lain")
     _remote_user = insert(:user, nickname: "alice", local: false)
     _deactivated_user = insert(:user, nickname: "konata", is_active: false)
@@ -41,6 +42,7 @@ test "/user_exists", %{conn: conn} do
   end
 
   test "/check_password", %{conn: conn} do
+    clear_config([:auth, :mongoose_im], true)
     user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool"))
 
     _deactivated_user =