Oauth2 consumer (#679)
* initial stuff for oauth2 login, fails on: * login button on the signIn page to start the OAuth2 flow and a callback for each provider Only GitHub is implemented for now * show login button only when the OAuth2 consumer is configured (and activated) * create macaron group for oauth2 urls * prevent net/http in modules (other then oauth2) * use a new data sessions oauth2 folder for storing the oauth2 session data * add missing 2FA when this is enabled on the user * add password option for OAuth2 user , for use with git over http and login to the GUI * add tip for registering a GitHub OAuth application * at startup of Gitea register all configured providers and also on adding/deleting of new providers * custom handling of errors in oauth2 request init + show better tip * add ExternalLoginUser model and migration script to add it to database * link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed * remove the linked external account from the user his settings * if user is unknown we allow him to register a new account or link it to some existing account * sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers) * from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions) * use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
This commit is contained in:
Willem van Dreumel
Kim "BKC" Carlbäcker
parent
fd941db246
commit
01d957677f
76 changed files with 7275 additions and 137 deletions
|
|
@ -53,6 +53,7 @@ var (
|
|||
{models.LoginNames[models.LoginDLDAP], models.LoginDLDAP},
|
||||
{models.LoginNames[models.LoginSMTP], models.LoginSMTP},
|
||||
{models.LoginNames[models.LoginPAM], models.LoginPAM},
|
||||
{models.LoginNames[models.LoginOAuth2], models.LoginOAuth2},
|
||||
}
|
||||
securityProtocols = []dropdownItem{
|
||||
{models.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted], ldap.SecurityProtocolUnencrypted},
|
||||
|
|
@ -75,6 +76,14 @@ func NewAuthSource(ctx *context.Context) {
|
|||
ctx.Data["AuthSources"] = authSources
|
||||
ctx.Data["SecurityProtocols"] = securityProtocols
|
||||
ctx.Data["SMTPAuths"] = models.SMTPAuths
|
||||
ctx.Data["OAuth2Providers"] = models.OAuth2Providers
|
||||
|
||||
// only the first as default
|
||||
for key := range models.OAuth2Providers {
|
||||
ctx.Data["oauth2_provider"] = key
|
||||
break
|
||||
}
|
||||
|
||||
ctx.HTML(200, tplAuthNew)
|
||||
}
|
||||
|
||||
|
|
@ -113,6 +122,14 @@ func parseSMTPConfig(form auth.AuthenticationForm) *models.SMTPConfig {
|
|||
}
|
||||
}
|
||||
|
||||
func parseOAuth2Config(form auth.AuthenticationForm) *models.OAuth2Config {
|
||||
return &models.OAuth2Config{
|
||||
Provider: form.Oauth2Provider,
|
||||
ClientID: form.Oauth2Key,
|
||||
ClientSecret: form.Oauth2Secret,
|
||||
}
|
||||
}
|
||||
|
||||
// NewAuthSourcePost response for adding an auth source
|
||||
func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
|
||||
ctx.Data["Title"] = ctx.Tr("admin.auths.new")
|
||||
|
|
@ -124,6 +141,7 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
|
|||
ctx.Data["AuthSources"] = authSources
|
||||
ctx.Data["SecurityProtocols"] = securityProtocols
|
||||
ctx.Data["SMTPAuths"] = models.SMTPAuths
|
||||
ctx.Data["OAuth2Providers"] = models.OAuth2Providers
|
||||
|
||||
hasTLS := false
|
||||
var config core.Conversion
|
||||
|
|
@ -138,6 +156,8 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
|
|||
config = &models.PAMConfig{
|
||||
ServiceName: form.PAMServiceName,
|
||||
}
|
||||
case models.LoginOAuth2:
|
||||
config = parseOAuth2Config(form)
|
||||
default:
|
||||
ctx.Error(400)
|
||||
return
|
||||
|
|
@ -178,6 +198,7 @@ func EditAuthSource(ctx *context.Context) {
|
|||
|
||||
ctx.Data["SecurityProtocols"] = securityProtocols
|
||||
ctx.Data["SMTPAuths"] = models.SMTPAuths
|
||||
ctx.Data["OAuth2Providers"] = models.OAuth2Providers
|
||||
|
||||
source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid"))
|
||||
if err != nil {
|
||||
|
|
@ -187,16 +208,20 @@ func EditAuthSource(ctx *context.Context) {
|
|||
ctx.Data["Source"] = source
|
||||
ctx.Data["HasTLS"] = source.HasTLS()
|
||||
|
||||
if source.IsOAuth2() {
|
||||
ctx.Data["CurrentOAuth2Provider"] = models.OAuth2Providers[source.OAuth2().Provider]
|
||||
}
|
||||
ctx.HTML(200, tplAuthEdit)
|
||||
}
|
||||
|
||||
// EditAuthSourcePost resposne for editing auth source
|
||||
// EditAuthSourcePost response for editing auth source
|
||||
func EditAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
|
||||
ctx.Data["Title"] = ctx.Tr("admin.auths.edit")
|
||||
ctx.Data["PageIsAdmin"] = true
|
||||
ctx.Data["PageIsAdminAuthentications"] = true
|
||||
|
||||
ctx.Data["SMTPAuths"] = models.SMTPAuths
|
||||
ctx.Data["OAuth2Providers"] = models.OAuth2Providers
|
||||
|
||||
source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid"))
|
||||
if err != nil {
|
||||
|
|
@ -221,6 +246,8 @@ func EditAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
|
|||
config = &models.PAMConfig{
|
||||
ServiceName: form.PAMServiceName,
|
||||
}
|
||||
case models.LoginOAuth2:
|
||||
config = parseOAuth2Config(form)
|
||||
default:
|
||||
ctx.Error(400)
|
||||
return
|
||||
|
|
|
|||
|
|
@ -54,6 +54,7 @@ func GlobalInit() {
|
|||
log.Fatal(4, "Failed to initialize ORM engine: %v", err)
|
||||
}
|
||||
models.HasEngine = true
|
||||
models.InitOAuth2()
|
||||
|
||||
models.LoadRepoConfig()
|
||||
models.NewRepoContext()
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ func HTTP(ctx *context.Context) {
|
|||
isWiki := false
|
||||
if strings.HasSuffix(reponame, ".wiki") {
|
||||
isWiki = true
|
||||
reponame = reponame[:len(reponame)-5]
|
||||
reponame = reponame[:len(reponame) - 5]
|
||||
}
|
||||
|
||||
repoUser, err := models.GetUserByName(username)
|
||||
|
|
@ -191,9 +191,9 @@ func HTTP(ctx *context.Context) {
|
|||
|
||||
var lastLine int64
|
||||
for {
|
||||
head := input[lastLine : lastLine+2]
|
||||
head := input[lastLine: lastLine + 2]
|
||||
if head[0] == '0' && head[1] == '0' {
|
||||
size, err := strconv.ParseInt(string(input[lastLine+2:lastLine+4]), 16, 32)
|
||||
size, err := strconv.ParseInt(string(input[lastLine + 2:lastLine + 4]), 16, 32)
|
||||
if err != nil {
|
||||
log.Error(4, "%v", err)
|
||||
return
|
||||
|
|
@ -204,7 +204,7 @@ func HTTP(ctx *context.Context) {
|
|||
break
|
||||
}
|
||||
|
||||
line := input[lastLine : lastLine+size]
|
||||
line := input[lastLine: lastLine + size]
|
||||
idx := bytes.IndexRune(line, '\000')
|
||||
if idx > -1 {
|
||||
line = line[:idx]
|
||||
|
|
@ -370,7 +370,7 @@ func gitCommand(dir string, args ...string) []byte {
|
|||
|
||||
func getGitConfig(option, dir string) string {
|
||||
out := string(gitCommand(dir, "config", option))
|
||||
return out[0 : len(out)-1]
|
||||
return out[0: len(out) - 1]
|
||||
}
|
||||
|
||||
func getConfigSetting(service, dir string) bool {
|
||||
|
|
@ -501,7 +501,7 @@ func updateServerInfo(dir string) []byte {
|
|||
}
|
||||
|
||||
func packetWrite(str string) []byte {
|
||||
s := strconv.FormatInt(int64(len(str)+4), 16)
|
||||
s := strconv.FormatInt(int64(len(str) + 4), 16)
|
||||
if len(s)%4 != 0 {
|
||||
s = strings.Repeat("0", 4-len(s)%4) + s
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,6 +17,10 @@ import (
|
|||
"code.gitea.io/gitea/modules/context"
|
||||
"code.gitea.io/gitea/modules/log"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
"net/http"
|
||||
"code.gitea.io/gitea/modules/auth/oauth2"
|
||||
"github.com/markbates/goth"
|
||||
"strings"
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
@ -30,6 +34,7 @@ const (
|
|||
tplResetPassword base.TplName = "user/auth/reset_passwd"
|
||||
tplTwofa base.TplName = "user/auth/twofa"
|
||||
tplTwofaScratch base.TplName = "user/auth/twofa_scratch"
|
||||
tplLinkAccount base.TplName = "user/auth/link_account"
|
||||
)
|
||||
|
||||
// AutoSignIn reads cookie and try to auto-login.
|
||||
|
|
@ -61,7 +66,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
|
|||
}
|
||||
|
||||
if val, _ := ctx.GetSuperSecureCookie(
|
||||
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
|
||||
base.EncodeMD5(u.Rands + u.Passwd), setting.CookieRememberName); val != u.Name {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
|
|
@ -109,6 +114,13 @@ func SignIn(ctx *context.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
oauth2Providers, err := models.GetActiveOAuth2Providers()
|
||||
if err != nil {
|
||||
ctx.Handle(500, "UserSignIn", err)
|
||||
return
|
||||
}
|
||||
ctx.Data["OAuth2Providers"] = oauth2Providers
|
||||
|
||||
ctx.HTML(200, tplSignIn)
|
||||
}
|
||||
|
||||
|
|
@ -116,6 +128,13 @@ func SignIn(ctx *context.Context) {
|
|||
func SignInPost(ctx *context.Context, form auth.SignInForm) {
|
||||
ctx.Data["Title"] = ctx.Tr("sign_in")
|
||||
|
||||
oauth2Providers, err := models.GetActiveOAuth2Providers()
|
||||
if err != nil {
|
||||
ctx.Handle(500, "UserSignIn", err)
|
||||
return
|
||||
}
|
||||
ctx.Data["OAuth2Providers"] = oauth2Providers
|
||||
|
||||
if ctx.HasError() {
|
||||
ctx.HTML(200, tplSignIn)
|
||||
return
|
||||
|
|
@ -277,7 +296,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
|
|||
if remember {
|
||||
days := 86400 * setting.LogInRememberDays
|
||||
ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL)
|
||||
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
|
||||
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands + u.Passwd),
|
||||
setting.CookieRememberName, u.Name, days, setting.AppSubURL)
|
||||
}
|
||||
|
||||
|
|
@ -309,6 +328,333 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
|
|||
}
|
||||
}
|
||||
|
||||
// SignInOAuth handles the OAuth2 login buttons
|
||||
func SignInOAuth(ctx *context.Context) {
|
||||
provider := ctx.Params(":provider")
|
||||
|
||||
loginSource, err := models.GetActiveOAuth2LoginSourceByName(provider)
|
||||
if err != nil {
|
||||
ctx.Handle(500, "SignIn", err)
|
||||
return
|
||||
}
|
||||
|
||||
// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
|
||||
user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
|
||||
if err == nil && user != nil {
|
||||
// we got the user without going through the whole OAuth2 authentication flow again
|
||||
handleOAuth2SignIn(user, gothUser, ctx, err)
|
||||
return
|
||||
}
|
||||
|
||||
err = oauth2.Auth(loginSource.Name, ctx.Req.Request, ctx.Resp)
|
||||
if err != nil {
|
||||
ctx.Handle(500, "SignIn", err)
|
||||
}
|
||||
// redirect is done in oauth2.Auth
|
||||
}
|
||||
|
||||
// SignInOAuthCallback handles the callback from the given provider
|
||||
func SignInOAuthCallback(ctx *context.Context) {
|
||||
provider := ctx.Params(":provider")
|
||||
|
||||
// first look if the provider is still active
|
||||
loginSource, err := models.GetActiveOAuth2LoginSourceByName(provider)
|
||||
if err != nil {
|
||||
ctx.Handle(500, "SignIn", err)
|
||||
return
|
||||
}
|
||||
|
||||
if loginSource == nil {
|
||||
ctx.Handle(500, "SignIn", errors.New("No valid provider found, check configured callback url in provider"))
|
||||
return
|
||||
}
|
||||
|
||||
u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
|
||||
|
||||
handleOAuth2SignIn(u, gothUser, ctx, err)
|
||||
}
|
||||
|
||||
func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context, err error) {
|
||||
if err != nil {
|
||||
ctx.Handle(500, "UserSignIn", err)
|
||||
return
|
||||
}
|
||||
|
||||
if u == nil {
|
||||
// no existing user is found, request attach or new account
|
||||
ctx.Session.Set("linkAccountGothUser", gothUser)
|
||||
ctx.Redirect(setting.AppSubURL + "/user/link_account")
|
||||
return
|
||||
}
|
||||
|
||||
// If this user is enrolled in 2FA, we can't sign the user in just yet.
|
||||
// Instead, redirect them to the 2FA authentication page.
|
||||
_, err = models.GetTwoFactorByUID(u.ID)
|
||||
if err != nil {
|
||||
if models.IsErrTwoFactorNotEnrolled(err) {
|
||||
ctx.Session.Set("uid", u.ID)
|
||||
ctx.Session.Set("uname", u.Name)
|
||||
|
||||
// Clear whatever CSRF has right now, force to generate a new one
|
||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)
|
||||
|
||||
// Register last login
|
||||
u.SetLastLogin()
|
||||
if err := models.UpdateUser(u); err != nil {
|
||||
ctx.Handle(500, "UpdateUser", err)
|
||||
return
|
||||
}
|
||||
|
||||
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
|
||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
|
||||
ctx.Redirect(redirectTo)
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Redirect(setting.AppSubURL + "/")
|
||||
} else {
|
||||
ctx.Handle(500, "UserSignIn", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// User needs to use 2FA, save data and redirect to 2FA page.
|
||||
ctx.Session.Set("twofaUid", u.ID)
|
||||
ctx.Session.Set("twofaRemember", false)
|
||||
ctx.Redirect(setting.AppSubURL + "/user/two_factor")
|
||||
}
|
||||
|
||||
// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
|
||||
// login the user
|
||||
func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) {
|
||||
gothUser, err := oauth2.ProviderCallback(loginSource.Name, request, response)
|
||||
|
||||
if err != nil {
|
||||
return nil, goth.User{}, err
|
||||
}
|
||||
|
||||
user := &models.User{
|
||||
LoginName: gothUser.UserID,
|
||||
LoginType: models.LoginOAuth2,
|
||||
LoginSource: loginSource.ID,
|
||||
}
|
||||
|
||||
hasUser, err := models.GetUser(user)
|
||||
if err != nil {
|
||||
return nil, goth.User{}, err
|
||||
}
|
||||
|
||||
if hasUser {
|
||||
return user, goth.User{}, nil
|
||||
}
|
||||
|
||||
// search in external linked users
|
||||
externalLoginUser := &models.ExternalLoginUser{
|
||||
ExternalID: gothUser.UserID,
|
||||
LoginSourceID: loginSource.ID,
|
||||
}
|
||||
hasUser, err = models.GetExternalLogin(externalLoginUser)
|
||||
if err != nil {
|
||||
return nil, goth.User{}, err
|
||||
}
|
||||
if hasUser {
|
||||
user, err = models.GetUserByID(externalLoginUser.UserID)
|
||||
return user, goth.User{}, err
|
||||
}
|
||||
|
||||
// no user found to login
|
||||
return nil, gothUser, nil
|
||||
|
||||
}
|
||||
|
||||
// LinkAccount shows the page where the user can decide to login or create a new account
|
||||
func LinkAccount(ctx *context.Context) {
|
||||
ctx.Data["Title"] = ctx.Tr("link_account")
|
||||
ctx.Data["LinkAccountMode"] = true
|
||||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
|
||||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
|
||||
ctx.Data["ShowRegistrationButton"] = false
|
||||
|
||||
// use this to set the right link into the signIn and signUp templates in the link_account template
|
||||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
|
||||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
|
||||
|
||||
gothUser := ctx.Session.Get("linkAccountGothUser")
|
||||
if gothUser == nil {
|
||||
ctx.Handle(500, "UserSignIn", errors.New("not in LinkAccount session"))
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Data["user_name"] = gothUser.(goth.User).NickName
|
||||
ctx.Data["email"] = gothUser.(goth.User).Email
|
||||
|
||||
ctx.HTML(200, tplLinkAccount)
|
||||
}
|
||||
|
||||
// LinkAccountPostSignIn handle the coupling of external account with another account using signIn
|
||||
func LinkAccountPostSignIn(ctx *context.Context, signInForm auth.SignInForm) {
|
||||
ctx.Data["Title"] = ctx.Tr("link_account")
|
||||
ctx.Data["LinkAccountMode"] = true
|
||||
ctx.Data["LinkAccountModeSignIn"] = true
|
||||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
|
||||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
|
||||
ctx.Data["ShowRegistrationButton"] = false
|
||||
|
||||
// use this to set the right link into the signIn and signUp templates in the link_account template
|
||||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
|
||||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
|
||||
|
||||
gothUser := ctx.Session.Get("linkAccountGothUser")
|
||||
if gothUser == nil {
|
||||
ctx.Handle(500, "UserSignIn", errors.New("not in LinkAccount session"))
|
||||
return
|
||||
}
|
||||
|
||||
if ctx.HasError() {
|
||||
ctx.HTML(200, tplLinkAccount)
|
||||
return
|
||||
}
|
||||
|
||||
u, err := models.UserSignIn(signInForm.UserName, signInForm.Password)
|
||||
if err != nil {
|
||||
if models.IsErrUserNotExist(err) {
|
||||
ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
|
||||
} else {
|
||||
ctx.Handle(500, "UserLinkAccount", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// If this user is enrolled in 2FA, we can't sign the user in just yet.
|
||||
// Instead, redirect them to the 2FA authentication page.
|
||||
_, err = models.GetTwoFactorByUID(u.ID)
|
||||
if err != nil {
|
||||
if models.IsErrTwoFactorNotEnrolled(err) {
|
||||
models.LinkAccountToUser(u, gothUser.(goth.User))
|
||||
handleSignIn(ctx, u, signInForm.Remember)
|
||||
} else {
|
||||
ctx.Handle(500, "UserLinkAccount", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// User needs to use 2FA, save data and redirect to 2FA page.
|
||||
ctx.Session.Set("twofaUid", u.ID)
|
||||
ctx.Session.Set("twofaRemember", signInForm.Remember)
|
||||
ctx.Session.Set("linkAccount", true)
|
||||
|
||||
ctx.Redirect(setting.AppSubURL + "/user/two_factor")
|
||||
}
|
||||
|
||||
// LinkAccountPostRegister handle the creation of a new account for an external account using signUp
|
||||
func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterForm) {
|
||||
ctx.Data["Title"] = ctx.Tr("link_account")
|
||||
ctx.Data["LinkAccountMode"] = true
|
||||
ctx.Data["LinkAccountModeRegister"] = true
|
||||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
|
||||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
|
||||
ctx.Data["ShowRegistrationButton"] = false
|
||||
|
||||
// use this to set the right link into the signIn and signUp templates in the link_account template
|
||||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
|
||||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
|
||||
|
||||
gothUser := ctx.Session.Get("linkAccountGothUser")
|
||||
if gothUser == nil {
|
||||
ctx.Handle(500, "UserSignUp", errors.New("not in LinkAccount session"))
|
||||
return
|
||||
}
|
||||
|
||||
if ctx.HasError() {
|
||||
ctx.HTML(200, tplLinkAccount)
|
||||
return
|
||||
}
|
||||
|
||||
if setting.Service.DisableRegistration {
|
||||
ctx.Error(403)
|
||||
return
|
||||
}
|
||||
|
||||
if setting.Service.EnableCaptcha && !cpt.VerifyReq(ctx.Req) {
|
||||
ctx.Data["Err_Captcha"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)
|
||||
return
|
||||
}
|
||||
|
||||
if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype {
|
||||
ctx.Data["Err_Password"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form)
|
||||
return
|
||||
}
|
||||
if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength {
|
||||
ctx.Data["Err_Password"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form)
|
||||
return
|
||||
}
|
||||
|
||||
loginSource, err := models.GetActiveOAuth2LoginSourceByName(gothUser.(goth.User).Provider)
|
||||
if err != nil {
|
||||
ctx.Handle(500, "CreateUser", err)
|
||||
}
|
||||
|
||||
u := &models.User{
|
||||
Name: form.UserName,
|
||||
Email: form.Email,
|
||||
Passwd: form.Password,
|
||||
IsActive: !setting.Service.RegisterEmailConfirm,
|
||||
LoginType: models.LoginOAuth2,
|
||||
LoginSource: loginSource.ID,
|
||||
LoginName: gothUser.(goth.User).UserID,
|
||||
}
|
||||
|
||||
if err := models.CreateUser(u); err != nil {
|
||||
switch {
|
||||
case models.IsErrUserAlreadyExist(err):
|
||||
ctx.Data["Err_UserName"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplLinkAccount, &form)
|
||||
case models.IsErrEmailAlreadyUsed(err):
|
||||
ctx.Data["Err_Email"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplLinkAccount, &form)
|
||||
case models.IsErrNameReserved(err):
|
||||
ctx.Data["Err_UserName"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplLinkAccount, &form)
|
||||
case models.IsErrNamePatternNotAllowed(err):
|
||||
ctx.Data["Err_UserName"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplLinkAccount, &form)
|
||||
default:
|
||||
ctx.Handle(500, "CreateUser", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
log.Trace("Account created: %s", u.Name)
|
||||
|
||||
// Auto-set admin for the only user.
|
||||
if models.CountUsers() == 1 {
|
||||
u.IsAdmin = true
|
||||
u.IsActive = true
|
||||
if err := models.UpdateUser(u); err != nil {
|
||||
ctx.Handle(500, "UpdateUser", err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// Send confirmation email
|
||||
if setting.Service.RegisterEmailConfirm && u.ID > 1 {
|
||||
models.SendActivateAccountMail(ctx.Context, u)
|
||||
ctx.Data["IsSendRegisterMail"] = true
|
||||
ctx.Data["Email"] = u.Email
|
||||
ctx.Data["Hours"] = setting.Service.ActiveCodeLives / 60
|
||||
ctx.HTML(200, TplActivate)
|
||||
|
||||
if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
|
||||
log.Error(4, "Set cache(MailResendLimit) fail: %v", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Redirect(setting.AppSubURL + "/user/login")
|
||||
}
|
||||
|
||||
// SignOut sign out from login status
|
||||
func SignOut(ctx *context.Context) {
|
||||
ctx.Session.Delete("uid")
|
||||
|
|
@ -328,11 +674,7 @@ func SignUp(ctx *context.Context) {
|
|||
|
||||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
|
||||
|
||||
if setting.Service.DisableRegistration {
|
||||
ctx.Data["DisableRegistration"] = true
|
||||
ctx.HTML(200, tplSignUp)
|
||||
return
|
||||
}
|
||||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
|
||||
|
||||
ctx.HTML(200, tplSignUp)
|
||||
}
|
||||
|
|
@ -540,7 +882,7 @@ func ForgotPasswdPost(ctx *context.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
if !u.IsLocal() {
|
||||
if !u.IsLocal() && !u.IsOAuth2() {
|
||||
ctx.Data["Err_Email"] = true
|
||||
ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil)
|
||||
return
|
||||
|
|
|
|||
|
|
@ -37,6 +37,7 @@ const (
|
|||
tplSettingsApplications base.TplName = "user/settings/applications"
|
||||
tplSettingsTwofa base.TplName = "user/settings/twofa"
|
||||
tplSettingsTwofaEnroll base.TplName = "user/settings/twofa_enroll"
|
||||
tplSettingsAccountLink base.TplName = "user/settings/account_link"
|
||||
tplSettingsDelete base.TplName = "user/settings/delete"
|
||||
tplSecurity base.TplName = "user/security"
|
||||
)
|
||||
|
|
@ -200,7 +201,7 @@ func SettingsPasswordPost(ctx *context.Context, form auth.ChangePasswordForm) {
|
|||
return
|
||||
}
|
||||
|
||||
if !ctx.User.ValidatePassword(form.OldPassword) {
|
||||
if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(form.OldPassword) {
|
||||
ctx.Flash.Error(ctx.Tr("settings.password_incorrect"))
|
||||
} else if form.Password != form.Retype {
|
||||
ctx.Flash.Error(ctx.Tr("form.password_not_match"))
|
||||
|
|
@ -631,6 +632,49 @@ func SettingsTwoFactorEnrollPost(ctx *context.Context, form auth.TwoFactorAuthFo
|
|||
ctx.Redirect(setting.AppSubURL + "/user/settings/two_factor")
|
||||
}
|
||||
|
||||
// SettingsAccountLinks render the account links settings page
|
||||
func SettingsAccountLinks(ctx *context.Context) {
|
||||
ctx.Data["Title"] = ctx.Tr("settings")
|
||||
ctx.Data["PageIsSettingsAccountLink"] = true
|
||||
|
||||
accountLinks, err := models.ListAccountLinks(ctx.User)
|
||||
if err != nil {
|
||||
ctx.Handle(500, "ListAccountLinks", err)
|
||||
return
|
||||
}
|
||||
|
||||
// map the provider display name with the LoginSource
|
||||
sources := make(map[*models.LoginSource]string)
|
||||
for _, externalAccount := range accountLinks {
|
||||
if loginSource, err := models.GetLoginSourceByID(externalAccount.LoginSourceID); err == nil {
|
||||
var providerDisplayName string
|
||||
if loginSource.IsOAuth2() {
|
||||
providerTechnicalName := loginSource.OAuth2().Provider
|
||||
providerDisplayName = models.OAuth2Providers[providerTechnicalName].DisplayName
|
||||
} else {
|
||||
providerDisplayName = loginSource.Name
|
||||
}
|
||||
sources[loginSource] = providerDisplayName
|
||||
}
|
||||
}
|
||||
ctx.Data["AccountLinks"] = sources
|
||||
|
||||
ctx.HTML(200, tplSettingsAccountLink)
|
||||
}
|
||||
|
||||
// SettingsDeleteAccountLink delete a single account link
|
||||
func SettingsDeleteAccountLink(ctx *context.Context) {
|
||||
if _, err := models.RemoveAccountLink(ctx.User, ctx.QueryInt64("loginSourceID")); err != nil {
|
||||
ctx.Flash.Error("RemoveAccountLink: " + err.Error())
|
||||
} else {
|
||||
ctx.Flash.Success(ctx.Tr("settings.remove_account_link_success"))
|
||||
}
|
||||
|
||||
ctx.JSON(200, map[string]interface{}{
|
||||
"redirect": setting.AppSubURL + "/user/settings/account_link",
|
||||
})
|
||||
}
|
||||
|
||||
// SettingsDelete render user suicide page and response for delete user himself
|
||||
func SettingsDelete(ctx *context.Context) {
|
||||
ctx.Data["Title"] = ctx.Tr("settings")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue