From 98813e69bccc568eff771cfcaf907ccdd82ce3f1 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Mon, 27 Apr 2020 11:42:01 +0200
Subject: Check auth plugin result

---
 server/lib/auth.ts                                 | 29 ++++++++-
 .../main.js                                        | 69 ++++++++++++++++++++++
 server/tests/plugins/id-and-pass-auth.ts           | 14 +++++
 3 files changed, 110 insertions(+), 2 deletions(-)

diff --git a/server/lib/auth.ts b/server/lib/auth.ts
index c47ec62d0..5a6dd9dec 100644
--- a/server/lib/auth.ts
+++ b/server/lib/auth.ts
@@ -7,6 +7,7 @@ import { logger } from '@server/helpers/logger'
 import { UserRole } from '@shared/models'
 import { revokeToken } from '@server/lib/oauth-model'
 import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
+import { isUserUsernameValid, isUserRoleValid, isUserDisplayNameValid } from '@server/helpers/custom-validators/users'
 
 const oAuthServer = new OAuthServer({
   useErrorHandler: true,
@@ -120,10 +121,12 @@ async function proxifyPasswordGrant (req: express.Request, res: express.Response
 
   for (const pluginAuth of pluginAuths) {
     const authOptions = pluginAuth.registerAuthOptions
+    const authName = authOptions.authName
+    const npmName = pluginAuth.npmName
 
     logger.debug(
       'Using auth method %s of plugin %s to login %s with weight %d.',
-      authOptions.authName, pluginAuth.npmName, loginOptions.id, authOptions.getWeight()
+      authName, npmName, loginOptions.id, authOptions.getWeight()
     )
 
     try {
@@ -131,9 +134,31 @@ async function proxifyPasswordGrant (req: express.Request, res: express.Response
       if (loginResult) {
         logger.info(
           'Login success with auth method %s of plugin %s for %s.',
-          authOptions.authName, pluginAuth.npmName, loginOptions.id
+          authName, npmName, loginOptions.id
         )
 
+        if (!isUserUsernameValid(loginResult.username)) {
+          logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { loginResult })
+          continue
+        }
+
+        if (!loginResult.email) {
+          logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { loginResult })
+          continue
+        }
+
+        // role is optional
+        if (loginResult.role && !isUserRoleValid(loginResult.role)) {
+          logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { loginResult })
+          continue
+        }
+
+        // display name is optional
+        if (loginResult.displayName && !isUserDisplayNameValid(loginResult.displayName)) {
+          logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { loginResult })
+          continue
+        }
+
         res.locals.bypassLogin = {
           bypass: true,
           pluginName: pluginAuth.npmName,
diff --git a/server/tests/fixtures/peertube-plugin-test-id-pass-auth-three/main.js b/server/tests/fixtures/peertube-plugin-test-id-pass-auth-three/main.js
index 372f3fa0c..caa6a7ccd 100644
--- a/server/tests/fixtures/peertube-plugin-test-id-pass-auth-three/main.js
+++ b/server/tests/fixtures/peertube-plugin-test-id-pass-auth-three/main.js
@@ -23,6 +23,75 @@ async function register ({
       return null
     }
   })
+
+  registerIdAndPassAuth({
+    authName: 'ward-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'ward') {
+        return Promise.resolve({
+          username: 'ward-42',
+          email: 'ward@example.com'
+        })
+      }
+
+      return null
+    }
+  })
+
+  registerIdAndPassAuth({
+    authName: 'kiros-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'kiros') {
+        return Promise.resolve({
+          username: 'kiros',
+          email: 'kiros@example.com',
+          displayName: 'a'.repeat(5000)
+        })
+      }
+
+      return null
+    }
+  })
+
+  registerIdAndPassAuth({
+    authName: 'raine-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'raine') {
+        return Promise.resolve({
+          username: 'raine',
+          email: 'raine@example.com',
+          role: 42
+        })
+      }
+
+      return null
+    }
+  })
+
+  registerIdAndPassAuth({
+    authName: 'ellone-auth',
+
+    getWeight: () => 5,
+
+    login (body) {
+      if (body.id === 'ellone') {
+        return Promise.resolve({
+          username: 'ellone'
+        })
+      }
+
+      return null
+    }
+  })
 }
 
 async function unregister () {
diff --git a/server/tests/plugins/id-and-pass-auth.ts b/server/tests/plugins/id-and-pass-auth.ts
index caf65b55f..c6382435d 100644
--- a/server/tests/plugins/id-and-pass-auth.ts
+++ b/server/tests/plugins/id-and-pass-auth.ts
@@ -151,6 +151,20 @@ describe('Test id and pass auth plugins', function () {
     await getMyUserInformation(server.url, lagunaAccessToken, 401)
   })
 
+  it('Should reject an invalid username, email, role or display name', async function () {
+    await userLogin(server, { username: 'ward', password: 'ward password' }, 400)
+    await waitUntilLog(server, 'valid username')
+
+    await userLogin(server, { username: 'kiros', password: 'kiros password' }, 400)
+    await waitUntilLog(server, 'valid display name')
+
+    await userLogin(server, { username: 'raine', password: 'raine password' }, 400)
+    await waitUntilLog(server, 'valid role')
+
+    await userLogin(server, { username: 'ellone', password: 'elonne password' }, 400)
+    await waitUntilLog(server, 'valid email')
+  })
+
   it('Should uninstall the plugin one and do not login existing Crash', async function () {
     await uninstallPlugin({
       url: server.url,
-- 
cgit v1.2.3