closes #6674
@@ -419,16 +419,13 @@ authenticationController.localLogin = function (req, username, password, next) {
|
||||
return getBanInfo(uid, next);
|
||||
}
|
||||
|
||||
user.auth.logAttempt(uid, req.ip, next);
|
||||
},
|
||||
function (next) {
|
||||
user.isPasswordCorrect(uid, password, next);
|
||||
user.isPasswordCorrect(uid, password, req.ip, next);
|
||||
},
|
||||
function (passwordMatch, next) {
|
||||
if (!passwordMatch) {
|
||||
return next(new Error('[[error:invalid-login-credentials]]'));
|
||||
}
|
||||
user.auth.clearLoginAttempts(uid);
|
||||
|
||||
next(null, userData, '[[success:authentication-successful]]');
|
||||
},
|
||||
], next);
|
||||
|
||||
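Review bot: The lockout bookkeeping that `user.isPasswordCorrect(uid, password, req.ip, next)` now performs is keyed on whatever `req.ip` resolves to; behind a reverse proxy Express reports the proxy's address unless `trust proxy` is configured, so every failed login would be attributed to a single address. Since `logAttempt`/`clearLoginAttempts` no longer appear in this controller, a comment at the call site would help the next reader: `// req.ip is recorded with the login attempt; requires 'trust proxy' when behind a reverse proxy`. How the ip is actually used by logAttempt is not visible on this page and should be confirmed against src/user/auth.js. localLogin continues outside the hunk.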
@@ -37,8 +37,8 @@ SocketUser.deleteAccount = function (socket, data, callback) {
|
||||
|
||||
async.waterfall([
|
||||
function (next) {
|
||||
user.isPasswordCorrect(socket.uid, data.password, function (err, ok) {
|
||||
next(err || !ok ? new Error('[[error:invalid-password]]') : undefined);
|
||||
user.isPasswordCorrect(socket.uid, data.password, socket.ip, function (err, ok) {
|
||||
next(err || (!ok ? new Error('[[error:invalid-password]]') : undefined));
|
||||
});
|
||||
},
|
||||
function (next) {
|
||||
@@ -61,15 +61,7 @@ SocketUser.deleteAccount = function (socket, data, callback) {
|
||||
});
|
||||
next();
|
||||
},
|
||||
], function (err) {
|
||||
if (err) {
|
||||
return setTimeout(function () {
|
||||
callback(err);
|
||||
}, 2500);
|
||||
}
|
||||
|
||||
callback();
|
||||
});
|
||||
], callback);
|
||||
};
|
||||
|
||||
SocketUser.emailExists = function (socket, data, callback) {
|
||||
|
||||
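Review bot: The new `user.isPasswordCorrect(socket.uid, data.password, socket.ip, …)` call in the first hunk dereferences `data.password` with no visible guard that `data` is an object, so a null payload would throw a TypeError inside the waterfall instead of surfacing an error through `callback`. If the guard is not already at the top of deleteAccount (its start is outside the hunk), add `if (!data || typeof data.password !== 'string') { return callback(new Error('[[error:invalid-password]]')); }` before the waterfall. It is also worth confirming where `socket.ip` is populated, since nothing on this page shows it; an undefined ip would be recorded with every attempt.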
@@ -15,7 +15,7 @@ module.exports = function (SocketUser) {
|
||||
|
||||
async.waterfall([
|
||||
function (next) {
|
||||
isPrivilegedOrSelfAndPasswordMatch(socket.uid, data, next);
|
||||
isPrivilegedOrSelfAndPasswordMatch(socket, data, next);
|
||||
},
|
||||
function (next) {
|
||||
SocketUser.updateProfile(socket, data, next);
|
||||
@@ -72,26 +72,19 @@ module.exports = function (SocketUser) {
|
||||
], callback);
|
||||
};
|
||||
|
||||
function isPrivilegedOrSelfAndPasswordMatch(uid, data, callback) {
|
||||
function isPrivilegedOrSelfAndPasswordMatch(socket, data, callback) {
|
||||
const uid = socket.uid;
|
||||
const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
|
||||
|
||||
async.waterfall([
|
||||
function (next) {
|
||||
async.parallel({
|
||||
isAdmin: async.apply(user.isAdministrator, uid),
|
||||
isTargetAdmin: async.apply(user.isAdministrator, data.uid),
|
||||
isGlobalMod: async.apply(user.isGlobalModerator, uid),
|
||||
hasPassword: async.apply(user.hasPassword, data.uid),
|
||||
passwordMatch: function (next) {
|
||||
if (data.password) {
|
||||
user.isPasswordCorrect(data.uid, data.password, next);
|
||||
} else {
|
||||
next(null, false);
|
||||
}
|
||||
},
|
||||
}, next);
|
||||
},
|
||||
function (results, next) {
|
||||
var isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
|
||||
|
||||
if (results.isTargetAdmin && !results.isAdmin) {
|
||||
return next(new Error('[[error:no-privileges]]'));
|
||||
}
|
||||
@@ -100,6 +93,17 @@ module.exports = function (SocketUser) {
|
||||
return next(new Error('[[error:no-privileges]]'));
|
||||
}
|
||||
|
||||
async.parallel({
|
||||
hasPassword: async.apply(user.hasPassword, data.uid),
|
||||
passwordMatch: function (next) {
|
||||
if (data.password) {
|
||||
user.isPasswordCorrect(data.uid, data.password, socket.ip, next);
|
||||
} else {
|
||||
next(null, false);
|
||||
}
|
||||
},
|
||||
}, next);
|
||||
}, function (results, next) {
|
||||
if (isSelf && results.hasPassword && !results.passwordMatch) {
|
||||
return next(new Error('[[error:invalid-password]]'));
|
||||
}
|
||||
@@ -119,7 +123,7 @@ module.exports = function (SocketUser) {
|
||||
}
|
||||
async.waterfall([
|
||||
function (next) {
|
||||
user.changePassword(socket.uid, data, next);
|
||||
user.changePassword(socket.uid, Object.assign(data, { ip: socket.ip }), next);
|
||||
},
|
||||
function (next) {
|
||||
events.log({
|
||||
|
||||
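Review bot: In the `@@ -100` hunk, `passwordMatch` still calls `user.isPasswordCorrect(data.uid, data.password, socket.ip, next)` whenever `data.password` is present, even though the result is only consulted when `isSelf` is true. With this commit that call has side effects: it records a login attempt against the target `data.uid` and, on a mismatch, delays the response by 2.5 s, so an admin or global moderator editing another user while sending a stray `password` field would both slow the request and add a failed attempt to the other account's counter. Gate the check on the requester: `if (isSelf && data.password) {`. The attempt/delay behaviour is inferred from the src/user/password.js hunk in this same commit.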
@@ -13,6 +13,7 @@ module.exports = function (User) {
|
||||
User.auth = {};
|
||||
|
||||
User.auth.logAttempt = function (uid, ip, callback) {
|
||||
console.log('attempt logged');
|
||||
if (!parseInt(uid, 10)) {
|
||||
return setImmediate(callback);
|
||||
}
|
||||
|
||||
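Review bot: `console.log('attempt logged');` in `User.auth.logAttempt` looks like a debugging leftover; with this commit the function runs on every password check (login, profile changes, account deletion), so it will write to stdout unconditionally and carries neither uid nor ip, making it useless as an audit line. Remove the line, or if a trace is wanted route it through the project's logger at debug level with the uid included. The rest of logAttempt is outside the hunk.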
@@ -15,7 +15,7 @@ module.exports = function (User) {
|
||||
Password.hash(nconf.get('bcrypt_rounds') || 12, password, callback);
|
||||
};
|
||||
|
||||
User.isPasswordCorrect = function (uid, password, callback) {
|
||||
User.isPasswordCorrect = function (uid, password, ip, callback) {
|
||||
password = password || '';
|
||||
var hashedPassword;
|
||||
async.waterfall([
|
||||
@@ -30,6 +30,7 @@ module.exports = function (User) {
|
||||
|
||||
User.isPasswordValid(password, 0, next);
|
||||
},
|
||||
async.apply(User.auth.logAttempt, uid, ip),
|
||||
function (next) {
|
||||
Password.compare(password, hashedPassword, next);
|
||||
},
|
||||
@@ -38,10 +39,11 @@ module.exports = function (User) {
|
||||
return callback(err);
|
||||
}
|
||||
|
||||
// Delay return for incorrect current password
|
||||
setTimeout(function () {
|
||||
if (ok) {
|
||||
User.auth.clearLoginAttempts(uid);
|
||||
}
|
||||
|
||||
callback(null, ok);
|
||||
}, ok ? 0 : 2500);
|
||||
});
|
||||
};
|
||||
|
||||
|
||||
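Review bot: The new signature `User.isPasswordCorrect = function (uid, password, ip, callback)` silently breaks any caller still using the previous three-argument form — the callback lands in `ip`, `callback` is undefined, and the final `callback(err)` throws a TypeError instead of reporting the result. `User.isPasswordCorrect` is a public method on the user module, so plugins and any call site not updated in this commit are exposed. Accept both shapes at the top of the function: `if (typeof ip === 'function') { callback = ip; ip = undefined; }`. Also consider documenting the new contract above the function: on a wrong password the callback is deliberately delayed 2.5 s, every check is recorded via logAttempt, and a correct password clears the attempt counter.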
@@ -324,12 +324,12 @@ module.exports = function (User) {
|
||||
if (parseInt(uid, 10) !== parseInt(data.uid, 10)) {
|
||||
User.isAdministrator(uid, next);
|
||||
} else {
|
||||
User.isPasswordCorrect(uid, data.currentPassword, next);
|
||||
User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
|
||||
}
|
||||
},
|
||||
function (isAdminOrPasswordMatch, next) {
|
||||
if (!isAdminOrPasswordMatch) {
|
||||
return next(new Error('[[error:change_password_error_wrong_current]]'));
|
||||
return next(new Error('[[user:change_password_error_wrong_current]]'));
|
||||
}
|
||||
|
||||
User.hashPassword(data.newPassword, next);
|
||||
|
||||
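Review bot: `User.isPasswordCorrect(uid, data.currentPassword, data.ip, next)` takes the ip from the caller-supplied `data` object rather than from a request context, so the attempt log is only as trustworthy as whoever built `data`; the socket handler in this commit overwrites it with `Object.assign(data, { ip: socket.ip })`, but any other caller of `User.changePassword` that does not set `data.ip` will record attempts with an undefined ip. Document the requirement where the field is read: `// data.ip must be set by the caller from the request/socket, never taken from client input`. Only the self-service branch records attempts; the admin branch just checks isAdministrator and is unchanged. changePassword starts outside the hunk.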