auth: Handle the case of invalid subdomain at /fetch_api_key endpoint.

This commit is contained in:
Mateusz Mandera 2020-11-10 22:46:49 +01:00 committed by Tim Abbott
parent 2e20ab1658
commit 4f47f35cb4
2 changed files with 13 additions and 3 deletions


@ -3199,6 +3199,13 @@ class FetchAPIKeyTest(ZulipTestCase):
password="wrong")) password="wrong"))
self.assert_json_error(result, "Your username or password is incorrect.", 403) self.assert_json_error(result, "Your username or password is incorrect.", 403)
def test_invalid_subdomain(self) -> None:
with mock.patch("zerver.views.auth.get_realm_from_request", return_value=None):
result = self.client_post("/api/v1/fetch_api_key",
dict(username='hamlet',
password=initial_password(self.email)))
self.assert_json_error(result, "Invalid subdomain", 400)
def test_password_auth_disabled(self) -> None: def test_password_auth_disabled(self) -> None:
with mock.patch('zproject.backends.password_auth_enabled', return_value=False): with mock.patch('zproject.backends.password_auth_enabled', return_value=False):
result = self.client_post("/api/v1/fetch_api_key", result = self.client_post("/api/v1/fetch_api_key",
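Review bot: `test_invalid_subdomain` exercises the new branch only through `mock.patch("zerver.views.auth.get_realm_from_request", return_value=None)`, so it proves the None handling but never sends a request with an actually unknown subdomain through the real realm lookup. If ZulipTestCase's client accepts a subdomain argument (it appears to elsewhere in this suite, but that is outside the hunk), a second call such as `result = self.client_post("/api/v1/fetch_api_key", dict(username='hamlet', password=initial_password(self.email)), subdomain="nonexistent")` with the same `assert_json_error(result, "Invalid subdomain", 400)` would also catch a regression where the lookup raises instead of returning None. Supplying a valid password here is deliberate and worth saying, since it shows the subdomain check fires before credentials are evaluated; a comment like `# Valid credentials on purpose: the realm check must reject before authenticate() runs.` would keep a later refactor from weakening that order.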


@ -851,9 +851,12 @@ def api_dev_list_users(request: HttpRequest) -> HttpResponse:
@has_request_variables @has_request_variables
def api_fetch_api_key(request: HttpRequest, username: str=REQ(), password: str=REQ()) -> HttpResponse: def api_fetch_api_key(request: HttpRequest, username: str=REQ(), password: str=REQ()) -> HttpResponse:
return_data: Dict[str, bool] = {} return_data: Dict[str, bool] = {}
subdomain = get_subdomain(request)
realm = get_realm(subdomain) realm = get_realm_from_request(request)
if not ldap_auth_enabled(realm=get_realm_from_request(request)): if realm is None:
return json_error(_("Invalid subdomain"))
if not ldap_auth_enabled(realm=realm):
# In case we don't authenticate against LDAP, check for a valid # In case we don't authenticate against LDAP, check for a valid
# email. LDAP backend can authenticate against a non-email. # email. LDAP backend can authenticate against a non-email.
validate_login_email(username) validate_login_email(username)
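Review bot: `api_fetch_api_key` still has no docstring, and the ordering introduced here — the `if realm is None:` rejection sits ahead of `validate_login_email(username)` and of the credential check — is a security property that deserves one. A docstring stating that the realm is resolved from the request's subdomain and that an unknown subdomain is rejected with `Invalid subdomain` before any credential handling would make clear that this error (a 400 per the accompanying test) cannot serve as a username or password oracle. The guard covers only a missing realm; whether a deactivated realm is refused depends on the `authenticate` call further down, which, like the rest of this function, lies outside the hunk.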