studio/tuwunel
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Restrict password login to accounts of type 'password' or legacy untyped.

Browse Source 
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
2025-06-18 09:20:41 +00:00
parent b3a47566ff
commit f68038a826
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/api/client/session/password.rs
View File

@@ -65,6 +65,17 @@ pub(super) async fn password_login(
lowercased_user_id: &UserId, lowercased_user_id: &UserId,
password: &str, password: &str,
) -> Result<OwnedUserId> { ) -> Result<OwnedUserId> {
// Restrict login to accounts only of type 'password', including untyped
// legacy accounts which are equivalent to 'password'.
if services
.users
.origin(user_id)
.await
.is_ok_and(|origin| origin != "password")
{
return Err!(Request(Forbidden("Account does not permit password login.")));
}
let (hash, user_id) = services let (hash, user_id) = services
.users .users
.password_hash(user_id) .password_hash(user_id)