diff options
Diffstat (limited to 'server/lib/auth')
| -rw-r--r-- | server/lib/auth/oauth.ts | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts index 2905c79a2..887c4f7c9 100644 --- a/server/lib/auth/oauth.ts +++ b/server/lib/auth/oauth.ts | |||
| @@ -11,20 +11,31 @@ import OAuth2Server, { | |||
| 11 | import { randomBytesPromise } from '@server/helpers/core-utils' | 11 | import { randomBytesPromise } from '@server/helpers/core-utils' |
| 12 | import { isOTPValid } from '@server/helpers/otp' | 12 | import { isOTPValid } from '@server/helpers/otp' |
| 13 | import { CONFIG } from '@server/initializers/config' | 13 | import { CONFIG } from '@server/initializers/config' |
| 14 | import { UserRegistrationModel } from '@server/models/user/user-registration' | ||
| 14 | import { MOAuthClient } from '@server/types/models' | 15 | import { MOAuthClient } from '@server/types/models' |
| 15 | import { sha1 } from '@shared/extra-utils' | 16 | import { sha1 } from '@shared/extra-utils' |
| 16 | import { HttpStatusCode } from '@shared/models' | 17 | import { HttpStatusCode, ServerErrorCode, UserRegistrationState } from '@shared/models' |
| 17 | import { OTP } from '../../initializers/constants' | 18 | import { OTP } from '../../initializers/constants' |
| 18 | import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model' | 19 | import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model' |
| 19 | 20 | ||
| 20 | class MissingTwoFactorError extends Error { | 21 | class MissingTwoFactorError extends Error { |
| 21 | code = HttpStatusCode.UNAUTHORIZED_401 | 22 | code = HttpStatusCode.UNAUTHORIZED_401 |
| 22 | name = 'missing_two_factor' | 23 | name = ServerErrorCode.MISSING_TWO_FACTOR |
| 23 | } | 24 | } |
| 24 | 25 | ||
| 25 | class InvalidTwoFactorError extends Error { | 26 | class InvalidTwoFactorError extends Error { |
| 26 | code = HttpStatusCode.BAD_REQUEST_400 | 27 | code = HttpStatusCode.BAD_REQUEST_400 |
| 27 | name = 'invalid_two_factor' | 28 | name = ServerErrorCode.INVALID_TWO_FACTOR |
| 29 | } | ||
| 30 | |||
| 31 | class RegistrationWaitingForApproval extends Error { | ||
| 32 | code = HttpStatusCode.BAD_REQUEST_400 | ||
| 33 | name = ServerErrorCode.ACCOUNT_WAITING_FOR_APPROVAL | ||
| 34 | } | ||
| 35 | |||
| 36 | class RegistrationApprovalRejected extends Error { | ||
| 37 | code = HttpStatusCode.BAD_REQUEST_400 | ||
| 38 | name = ServerErrorCode.ACCOUNT_APPROVAL_REJECTED | ||
| 28 | } | 39 | } |
| 29 | 40 | ||
| 30 | /** | 41 | /** |
| @@ -128,7 +139,17 @@ async function handlePasswordGrant (options: { | |||
| 128 | } | 139 | } |
| 129 | 140 | ||
| 130 | const user = await getUser(request.body.username, request.body.password, bypassLogin) | 141 | const user = await getUser(request.body.username, request.body.password, bypassLogin) |
| 131 | if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid') | 142 | if (!user) { |
| 143 | const registration = await UserRegistrationModel.loadByEmailOrUsername(request.body.username) | ||
| 144 | |||
| 145 | if (registration?.state === UserRegistrationState.REJECTED) { | ||
| 146 | throw new RegistrationApprovalRejected('Registration approval for this account has been rejected') | ||
| 147 | } else if (registration?.state === UserRegistrationState.PENDING) { | ||
| 148 | throw new RegistrationWaitingForApproval('Registration for this account is awaiting approval') | ||
| 149 | } | ||
| 150 | |||
| 151 | throw new InvalidGrantError('Invalid grant: user credentials are invalid') | ||
| 152 | } | ||
| 132 | 153 | ||
| 133 | if (user.otpSecret) { | 154 | if (user.otpSecret) { |
| 134 | if (!request.headers[OTP.HEADER_NAME]) { | 155 | if (!request.headers[OTP.HEADER_NAME]) { |