Diffstat (limited to 'server/lib/auth/oauth.ts')
-rw-r--r--server/lib/auth/oauth.ts29
1 files changed, 25 insertions, 4 deletions
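--- a/server/lib/auth/oauth.ts
+++ b/server/lib/auth/oauth.ts
@@ -11,20 +11,31 @@ import OAuth2Server, {
 import { randomBytesPromise } from '@server/helpers/core-utils'
 import { isOTPValid } from '@server/helpers/otp'
 import { CONFIG } from '@server/initializers/config'
+import { UserRegistrationModel } from '@server/models/user/user-registration'
 import { MOAuthClient } from '@server/types/models'
 import { sha1 } from '@shared/extra-utils'
-import { HttpStatusCode } from '@shared/models'
+import { HttpStatusCode, ServerErrorCode, UserRegistrationState } from '@shared/models'
 import { OTP } from '../../initializers/constants'
 import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model'
 
 class MissingTwoFactorError extends Error {
   code = HttpStatusCode.UNAUTHORIZED_401
-  name = 'missing_two_factor'
+  name = ServerErrorCode.MISSING_TWO_FACTOR
 }
 
 class InvalidTwoFactorError extends Error {
   code = HttpStatusCode.BAD_REQUEST_400
-  name = 'invalid_two_factor'
+  name = ServerErrorCode.INVALID_TWO_FACTOR
+}
+
+class RegistrationWaitingForApproval extends Error {
+  code = HttpStatusCode.BAD_REQUEST_400
+  name = ServerErrorCode.ACCOUNT_WAITING_FOR_APPROVAL
+}
+
+class RegistrationApprovalRejected extends Error {
+  code = HttpStatusCode.BAD_REQUEST_400
+  name = ServerErrorCode.ACCOUNT_APPROVAL_REJECTED
 }
 
 /**
@@ -128,7 +139,17 @@ async function handlePasswordGrant (options: {
   }
 
   const user = await getUser(request.body.username, request.body.password, bypassLogin)
-  if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid')
+  if (!user) {
+    const registration = await UserRegistrationModel.loadByEmailOrUsername(request.body.username)
+
+    if (registration?.state === UserRegistrationState.REJECTED) {
+      throw new RegistrationApprovalRejected('Registration approval for this account has been rejected')
+    } else if (registration?.state === UserRegistrationState.PENDING) {
+      throw new RegistrationWaitingForApproval('Registration for this account is awaiting approval')
+    }
+
+    throw new InvalidGrantError('Invalid grant: user credentials are invalid')
+  }
 
   if (user.otpSecret) {
     if (!request.headers[OTP.HEADER_NAME]) {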
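Review bot: The new `if (!user)` branch makes the password grant an unauthenticated oracle for registration state: `UserRegistrationModel.loadByEmailOrUsername` runs before any credential has been verified, so a caller who only knows a username or email learns whether a registration is PENDING or REJECTED, which the previous single `InvalidGrantError` did not disclose. The branch is also reached when `getUser` returns falsy for an existing user who typed a wrong password, so a registration row that outlives approval (whether one does is not visible here) would yield a misleading state-specific message instead of the credentials error. If the registration model keeps a password hash, gate the two state-specific throws behind a check that the supplied password matches it and fall through to the generic `InvalidGrantError` otherwise; if the disclosure is intended for the UX, a comment above the lookup such as `// Deliberately reveals registration state to unauthenticated callers so the client can explain a rejected/pending signup` would make that choice explicit. `handlePasswordGrant` starts and ends outside the hunk.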