Treat fediverse usernames as case-insensitive (#2155)

* treat fediverse usernames as case-insensitive for auth

* add test for case insensitive, clean up duplicate import in federverse auth controller

* fix test, there was an issue with state when all the tests were run
This commit is contained in:
Matt Owens 2022-10-02 14:16:46 -04:00 committed by GitHub
parent 2ff5f31597
commit e20985ecb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 4 deletions

View File

@ -3,6 +3,7 @@ package fediverse
import (
"crypto/rand"
"io"
"strings"
"time"
)
@ -37,7 +38,7 @@ func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string)
Code: code,
UserID: userID,
UserDisplayName: userDisplayName,
Account: account,
Account: strings.ToLower(account),
Timestamp: time.Now(),
}
pendingAuthRequests[accessToken] = r

View File

@ -1,6 +1,9 @@
package fediverse
import "testing"
import (
"strings"
"testing"
)
const (
accessToken = "fake-access-token"
@ -58,3 +61,18 @@ func TestSingleOTPFlowRequest(t *testing.T) {
t.Error("Second registration should not be permitted.")
}
}
func TestAccountCaseInsensitive(t *testing.T) {
account := "Account"
accessToken := "another-fake-access-token"
r1, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
_, reg1 := ValidateFediverseOTP(accessToken, r1.Code)
// Simulate second auth with account in different case
r2, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, strings.ToUpper(account))
_, reg2 := ValidateFediverseOTP(accessToken, r2.Code)
if reg1.Account != reg2.Account {
t.Errorf("Account names should be case-insensitive: %s %s", reg1.Account, reg2.Account)
}
}

View File

@ -7,7 +7,6 @@ import (
"github.com/owncast/owncast/activitypub"
"github.com/owncast/owncast/auth"
"github.com/owncast/owncast/auth/fediverse"
fediverseauth "github.com/owncast/owncast/auth/fediverse"
"github.com/owncast/owncast/controllers"
"github.com/owncast/owncast/core/chat"
@ -57,7 +56,7 @@ func VerifyFediverseOTPRequest(w http.ResponseWriter, r *http.Request) {
return
}
accessToken := r.URL.Query().Get("accessToken")
valid, authRegistration := fediverse.ValidateFediverseOTP(accessToken, req.Code)
valid, authRegistration := fediverseauth.ValidateFediverseOTP(accessToken, req.Code)
if !valid {
w.WriteHeader(http.StatusForbidden)
return