From 062887269ba1bea8e76ba053befb15cefad3d8ab Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Thu, 24 Nov 2022 10:13:19 +0100
Subject: [PATCH] fix(login): check user state before ignoreUnknownUsernames setting (#4759)
Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
---
 .../eventsourcing/eventstore/auth_request.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request.go b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
index 1379798f55..b9ac3da531 100644
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -668,7 +668,15 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
 if repo.checkDomainDiscovery(ctx, request, loginName) {
 return nil
 }
- // let's just check for if unknown usernames are ignored
+ // let's once again check if the user was just inactive
+ if user != nil && user.State == int32(domain.UserStateInactive) {
+ return errors.ThrowPreconditionFailed(nil, "AUTH-2n8fs", "Errors.User.Inactive")
+ }
+ // or locked
+ if user != nil && user.State == int32(domain.UserStateLocked) {
+ return errors.ThrowPreconditionFailed(nil, "AUTH-SF3gb", "Errors.User.Locked")
+ }
+ // let's just check if unknown usernames are ignored
 if request.LoginPolicy != nil && request.LoginPolicy.IgnoreUnknownUsernames {
 if request.LabelPolicy != nil && request.LabelPolicy.HideLoginNameSuffix {
 preferredLoginName = loginName
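Review bot: The two state checks added ahead of the `IgnoreUnknownUsernames` branch return `Errors.User.Inactive` / `Errors.User.Locked` before any credential is verified, so with that policy enabled a login name that belongs to an inactive or locked user now gets a different response than an unknown one, which appears to narrow what the setting hides. If that disclosure is the intended trade-off, it should be recorded at the check, e.g. `// deliberate: inactive/locked state is reported even when IgnoreUnknownUsernames is set, which reveals that loginName exists`; the carried-over comments `// let's once again check if the user was just inactive` and `// or locked` do not say this. A regression test covering an inactive and a locked user with the policy enabled would pin the chosen behaviour. checkLoginName starts and ends outside the hunk, so how `user` is resolved above these lines is not visible here and the point should be confirmed against the lookup path.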
@@ -685,14 +693,6 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
 if !user.MachineView.IsZero() {
 return errors.ThrowPreconditionFailed(nil, "AUTH-DGV4g", "Errors.User.NotHuman")
 }
- // let's once again check if the user was just inactive
- if user != nil && user.State == int32(domain.UserStateInactive) {
- return errors.ThrowPreconditionFailed(nil, "AUTH-2n8fs", "Errors.User.Inactive")
- }
- // or locked
- if user != nil && user.State == int32(domain.UserStateLocked) {
- return errors.ThrowPreconditionFailed(nil, "AUTH-SF3gb", "Errors.User.Locked")
- }
 // everything should be handled by now
 logging.WithFields("authRequest", request.ID, "loginName", loginName).Error("unhandled state for checkLoginName")
 return errors.ThrowInternal(nil, "AUTH-asf3df", "Errors.Internal")