git.squeep.com Git - akkoma/blob - lib/pleroma/plugs/authentication_plug.ex

   1 defmodule Pleroma.Plugs.AuthenticationPlug do
   2   import Plug.Conn
   3
   4   def init(options) do
   5     options
   6   end
   7
   8   def call(conn, opts) do
   9     with {:ok, username, password} <- decode_header(conn),
  10          {:ok, user} <- opts[:fetcher].(username),
  11          saved_user_id <- get_session(conn, :user_id),
  12          {:ok, verified_user} <- verify(user, password, saved_user_id)
  13     do
  14       conn
  15       |> assign(:user, verified_user)
  16       |> put_session(:user_id, verified_user.id)
  17     else
  18       _ -> conn |> halt_or_continue(opts)
  19     end
  20   end
  21
  22   # Short-circuit if we have a cookie with the id for the given user.
  23   defp verify(%{id: id} = user, _password, id) do
  24     {:ok, user}
  25   end
  26
  27   defp verify(nil, _password, _user_id) do
  28     Comeonin.Pbkdf2.dummy_checkpw
  29     :error
  30   end
  31
  32   defp verify(user, password, _user_id) do
  33     if Comeonin.Pbkdf2.checkpw(password, user.password_hash) do
  34       {:ok, user}
  35     else
  36       :error
  37     end
  38   end
  39
  40   defp decode_header(conn) do
  41     with ["Basic " <> header] <- get_req_header(conn, "authorization"),
  42          {:ok, userinfo} <- Base.decode64(header),
  43          [username, password] <- String.split(userinfo, ":")
  44     do
  45       { :ok, username, password }
  46     end
  47   end
  48
  49   defp halt_or_continue(conn, %{optional: true}) do
  50     conn |> assign(:user, nil)
  51   end
  52
  53   defp halt_or_continue(conn, _) do
  54     conn
  55     |> put_resp_content_type("application/json")
  56     |> send_resp(403, Poison.encode!(%{error: "Invalid credentials."}))
  57     |> halt
  58   end
  59 end