diff src/server/server.py @ 794:6a2fd7807770

server_side: if a user tries to log in with a full JID whose host is the local domain, log in with the user part only
author souliane <souliane@mailoo.org>
date Mon, 07 Dec 2015 21:21:44 +0100
parents 249e49f56f67
children fad9c9f82ae3
--- a/src/server/server.py	Tue Dec 08 00:12:51 2015 +0100
+++ b/src/server/server.py	Mon Dec 07 21:21:44 2015 +0100
@@ -774,12 +774,16 @@
         if submit_type == 'register':
             return self._registerNewAccount(request)
         elif submit_type == 'login':
-            return self._loginAccount(request)
+            d = self.asyncBridgeCall("getNewAccountDomain")
+            d.addCallback(lambda domain: self._loginAccount(request, domain))
+            return server.NOT_DONE_YET
         return Exception('Unknown submit type')
 
-    def _loginAccount(self, request):
+    def _loginAccount(self, request, new_account_domain):
         """Try to authenticate the user with the request information.
+        
         @param request: request of the register form
+        @param new_account_domain (unicode): host corresponding to the local domain
         @return: a constant indicating the state:
             - C.BAD_REQUEST: something is wrong in the request (bad arguments)
             - C.PROFILE_AUTH_ERROR: either the profile (login) or the profile password is wrong
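Review bot: The Deferred created on the new `d = self.asyncBridgeCall("getNewAccountDomain")` line has no errback, so if the bridge call fails, or `_loginAccount` raises inside the callback (its `raise Exception('No profile_key allowed')` guard still does), the failure is swallowed by the Deferred and the request, already declared `server.NOT_DONE_YET`, is never finished and the client hangs; before this change that raise at least surfaced as a 500 from the render path. Add an errback that finishes the request, e.g. `d.addErrback(lambda failure: (request.write(C.BAD_REQUEST), request.finish()))`, or a small named function that also logs the failure, and consider converting the '@' guard into a written `C.BAD_REQUEST` response rather than a raise now that it runs in callback context. The enclosing handler starts before this hunk, so I can't see whether an outer errback already exists.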
@@ -792,29 +796,43 @@
             login = request.args['login'][0]
             password = request.args['login_password'][0]
         except KeyError:
-            return C.BAD_REQUEST
+            request.write(C.BAD_REQUEST)
+            request.finish()
+            return
 
         if login.startswith('@'):  # this is checked by javascript but also here for security reason
             raise Exception('No profile_key allowed')
 
         try:
+            login_jid = jid.JID(login)
+        except (RuntimeError, jid.InvalidFormat, AttributeError):
+            request.write(C.PROFILE_AUTH_ERROR)
+            request.finish()
+            return
+
+        # redirect "user@libervia.org" to the "user" profile
+        if login_jid.host == new_account_domain:
+            login = login_jid.user
+
+        try:
             profile = self.sat_host.bridge.getProfileName(login)
-        except Exception as e:
-            try:  # try to connect using XMPP credentials instead of SàT profile credentials
-                jid.JID(login)
-            except (RuntimeError, jid.InvalidFormat, AttributeError):
-                return C.PROFILE_AUTH_ERROR
+        except Exception:
+            # try to connect using XMPP credentials instead of SàT profile credentials
             profile = login
             connect_method = "asyncConnectWithXMPPCredentials"
         else:
-            if profile != login:
-                return C.PROFILE_AUTH_ERROR
-            if not password and profile not in self.sat_host.empty_password_allowed_warning_dangerous_list:
-                return C.PROFILE_AUTH_ERROR  # profiles with empty passwords are restricted to local frontends
+            if profile != login or (not password and profile not in self.sat_host.empty_password_allowed_warning_dangerous_list):
+                # profiles with empty passwords are restricted to local frontends
+                request.write(C.PROFILE_AUTH_ERROR)
+                request.finish()
+                return
+
             connect_method = "asyncConnect"
 
         if self.waiting_profiles.getRequest(profile):
-            return C.ALREADY_WAITING
+            request.write(C.ALREADY_WAITING)
+            request.finish()
+            return
 
         def auth_eb(failure):
             fault = failure.value.faultString
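Review bot: `login_jid.user` is `None` for a bare-domain JID, so a login consisting of just the local domain passes the `login_jid.host == new_account_domain` test and sets `login = None`, which then flows into `getProfileName`, `waiting_profiles.getRequest` and the connect call as the profile name. Guard the rewrite with `if login_jid.host == new_account_domain and login_jid.user:` and answer `C.PROFILE_AUTH_ERROR` when the user part is missing. The comparison is also exact: if `jid` is Twisted's, `host` comes back nameprep-lowercased, and I can't tell from here whether the bridge returns the configured domain in the same form, so comparing against `jid.JID(new_account_domain).host` (or a lowercased copy) would avoid silently skipping the rewrite for a mixed-case configuration. Note too that the JID parse now runs before the profile lookup, so a profile name that does not parse as a JID gets `C.PROFILE_AUTH_ERROR` without ever reaching `getProfileName`, where previously it would have matched the profile first; worth confirming that is intended. The method's body continues into the next hunk.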
@@ -837,9 +855,6 @@
         d = self.asyncBridgeCall(connect_method, profile, password)
         d.addCallbacks(lambda connected: self._logged(profile, request) if connected else None, auth_eb)
 
-        return server.NOT_DONE_YET
-
-
     def _registerNewAccount(self, request):
         """Create a new account, or return error
         @param request: request of the register form