Users with wiped password see login failure and password wipe msg

Check for empty password before passing to bcrypt. Otherwise when a user logs in and has a wiped password bcrypt will die. Fixes clojars#47
swr1bm86 · Jun 1, 2012 · 0b178f5 · 0b178f5
1 parent cba32f1
commit 0b178f5
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 25 deletions.
diff --git a/src/clojars/auth.clj b/src/clojars/auth.clj
@@ -1,6 +1,6 @@
 (ns clojars.auth
   (:require [cemerick.friend :as friend]
-            [clojars.db :refer [group-membernames]]))
+            [clojars.db :refer [group-membernames find-user-by-user-or-email]]))
 
 (defmacro with-account [body]
   `(friend/authenticated (try-account ~body)))
@@ -9,6 +9,12 @@
   `(let [~'account (:username (friend/current-authentication))]
      ~body))
 
+(defn get-user [id]
+  (when-let [{:keys [user password]}
+             (find-user-by-user-or-email id)]
+    (when (not (empty? password))
+      {:username user :password password})))
+
 (defn authorized? [account group]
   (let [names# (group-membernames group)]
     (or (some #{account} names#) (empty? names#))))

diff --git a/src/clojars/web.clj b/src/clojars/web.clj
@@ -3,7 +3,8 @@
                                 find-jar recent-versions count-versions
                                 find-user-by-user-or-email]]
             [clojars.config :refer [config]]
-            [clojars.auth :refer [with-account try-account require-authorization]]
+            [clojars.auth :refer [with-account try-account require-authorization
+                                  get-user]]
             [clojars.repo :as repo]
             [clojars.friend.registration :as registration]
             [clojars.web.dashboard :refer [dashboard index-page]]
@@ -154,29 +155,23 @@
                (friend/authenticate
                 {:credential-fn
                  (partial creds/bcrypt-credential-fn
-                          (fn [id]
-                            (when-let [{:keys [user password]}
-                                       (find-user-by-user-or-email id)]
-                              {:username user :password password})))
+                          get-user)
                  :workflows [(workflows/http-basic :realm "clojars")]
                  :unauthorized-handler
                  (partial workflows/http-basic-deny "clojars")})
                (repo/wrap-file (:repo config))))
   (site (-> main-routes
-      (friend/authenticate
-       {:credential-fn
-        (partial creds/bcrypt-credential-fn
-                 (fn [id]
-                   (when-let [{:keys [user password]}
-                              (find-user-by-user-or-email id)]
-                     {:username user :password password})))
-        :workflows [(workflows/interactive-form)
-                    registration/workflow]
-        :login-uri "/login"
-        :default-landing-uri "/"
-        :unauthorized-handler
-        (fn [r]
-          (-> (redirect "/login")
-              (assoc-in [:session ::friend/unauthorized-uri] (:uri r))))})
-      (wrap-resource "public")
-      (wrap-file-info))))
+            (friend/authenticate
+             {:credential-fn
+              (partial creds/bcrypt-credential-fn
+                       get-user)
+              :workflows [(workflows/interactive-form)
+                          registration/workflow]
+              :login-uri "/login"
+              :default-landing-uri "/"
+              :unauthorized-handler
+              (fn [r]
+                (-> (redirect "/login")
+                    (assoc-in [:session ::friend/unauthorized-uri] (:uri r))))})
+            (wrap-resource "public")
+            (wrap-file-info))))
diff --git a/test/clojars/test/integration/sessions.clj b/test/clojars/test/integration/sessions.clj
@@ -3,10 +3,11 @@
             [kerodon.core :refer :all]
             [kerodon.test :refer :all]
             [clojars.test.integration.steps :refer :all]
+            [clojars.db :as db]
             [clojars.web :as web]
             [clojars.test.test-helper :as help]
             [net.cgrand.enlive-html :as enlive]
-            [net.cgrand.xml :as x]))
+            [korma.core :as korma]))
 
 (help/use-fixtures)
 
@@ -32,4 +33,17 @@
         (follow-redirect)
         (has (status? 200))
         (within [:nav [:li enlive/first-child] :a]
-                (has (text? "login"))))))
+                (has (text? "login"))))))
+
+(deftest user-with-password-wipe-gets-message
+  (-> (session web/clojars-app)
+      (register-as "fixture" "[email protected]" "password" ""))
+  (korma/update db/users
+                (korma/set-fields {:password ""})
+                (korma/where {:user "fixture"}))
+  (-> (session web/clojars-app)
+      (login-as "fixture" "password")
+      (follow-redirect)
+      (has (status? 200))
+      (within [:article :div :p.error]
+              (has (text? "Incorrect username and/or password.")))))