diff --git a/src/clojars/auth.clj b/src/clojars/auth.clj
index e6dd12a5..50e32a9f 100644
--- a/src/clojars/auth.clj
+++ b/src/clojars/auth.clj
@@ -1,6 +1,6 @@
 (ns clojars.auth (:require [cemerick.friend :as friend]
- [clojars.db :refer [group-membernames]]))
+ [clojars.db :refer [group-membernames find-user-by-user-or-email]]))
 (defmacro with-account [body] `(friend/authenticated (try-account ~body)))
@@ -9,6 +9,12 @@
 `(let [~'account (:username (friend/current-authentication))] ~body))
+(defn get-user [id]
+ (when-let [{:keys [user password]}
+ (find-user-by-user-or-email id)]
+ (when (not (empty? password))
+ {:username user :password password})))
+
 (defn authorized? [account group] (let [names# (group-membernames group)] (or (some #{account} names#) (empty? names#))))
diff --git a/src/clojars/web.clj b/src/clojars/web.clj
index d51dbb10..15ba1e1e 100644
--- a/src/clojars/web.clj
+++ b/src/clojars/web.clj
@@ -3,7 +3,8 @@
 find-jar recent-versions count-versions find-user-by-user-or-email]] [clojars.config :refer [config]]
- [clojars.auth :refer [with-account try-account require-authorization]]
+ [clojars.auth :refer [with-account try-account require-authorization
+ get-user]]
 [clojars.repo :as repo] [clojars.friend.registration :as registration] [clojars.web.dashboard :refer [dashboard index-page]]
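Review bot: `get-user` has no docstring, and the `(when (not (empty? password)) ...)` guard is the whole reason the function exists yet nothing in the hunk says why it is there; add `"Friend credential-fn lookup: returns {:username :password} for the user or e-mail `id`, or nil when the user is unknown or the stored password hash is empty/NULL, so such accounts fail authentication exactly like a wrong password."`. Returning nil rather than handing an empty hash to `creds/bcrypt-credential-fn` looks like what keeps the verify step from ever seeing a malformed hash, and because nil is the same outcome as a bad password the response does not reveal that the account was wiped, which is the safer behaviour. As a point of style, `(not (empty? password))` is conventionally written `(seq password)`.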
@@ -154,29 +155,23 @@
 (friend/authenticate {:credential-fn (partial creds/bcrypt-credential-fn
- (fn [id]
- (when-let [{:keys [user password]}
- (find-user-by-user-or-email id)]
- {:username user :password password})))
+ get-user)
 :workflows [(workflows/http-basic :realm "clojars")] :unauthorized-handler (partial workflows/http-basic-deny "clojars")}) (repo/wrap-file (:repo config)))) (site (-> main-routes
- (friend/authenticate
- {:credential-fn
- (partial creds/bcrypt-credential-fn
- (fn [id]
- (when-let [{:keys [user password]}
- (find-user-by-user-or-email id)]
- {:username user :password password})))
- :workflows [(workflows/interactive-form)
- registration/workflow]
- :login-uri "/login"
- :default-landing-uri "/"
- :unauthorized-handler
- (fn [r]
- (-> (redirect "/login")
- (assoc-in [:session ::friend/unauthorized-uri] (:uri r))))})
- (wrap-resource "public")
- (wrap-file-info))))
+ (friend/authenticate
+ {:credential-fn
+ (partial creds/bcrypt-credential-fn
+ get-user)
+ :workflows [(workflows/interactive-form)
+ registration/workflow]
+ :login-uri "/login"
+ :default-landing-uri "/"
+ :unauthorized-handler
+ (fn [r]
+ (-> (redirect "/login")
+ (assoc-in [:session ::friend/unauthorized-uri] (:uri r))))})
+ (wrap-resource "public")
+ (wrap-file-info))))
diff --git a/test/clojars/test/integration/sessions.clj b/test/clojars/test/integration/sessions.clj
index 3b02109b..3f20f15b 100644
--- a/test/clojars/test/integration/sessions.clj
+++ b/test/clojars/test/integration/sessions.clj
@@ -3,10 +3,11 @@
 [kerodon.core :refer :all] [kerodon.test :refer :all] [clojars.test.integration.steps :refer :all]
+ [clojars.db :as db]
 [clojars.web :as web] [clojars.test.test-helper :as help] [net.cgrand.enlive-html :as enlive]
- [net.cgrand.xml :as x]))
+ [korma.core :as korma]))
 (help/use-fixtures)
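Review bot: Both credential lookups in this hunk now go through `get-user`, but `find-user-by-user-or-email` is still referred from `clojars.db` in this file's ns form (visible as context in the earlier hunk); if no other use of it remains in web.clj it should be dropped from that `:refer` list so the require reflects what the namespace actually calls — the rest of the file is outside this diff, so confirm before removing. Separately, the `site` branch is re-indented by one column, so 14 of the 15 added lines differ only in whitespace around the single substantive change (`get-user)`); keeping the reindent in its own commit, or reviewing with whitespace ignored, would make the authentication change easier to audit. The enclosing definition starts before this hunk.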
@@ -32,4 +33,17 @@
 (follow-redirect) (has (status? 200)) (within [:nav [:li enlive/first-child] :a]
- (has (text? "login"))))))
\ No newline at end of file
+ (has (text? "login"))))))
+
+(deftest user-with-password-wipe-gets-message
+ (-> (session web/clojars-app)
+ (register-as "fixture" "fixture@example.org" "password" ""))
+ (korma/update db/users
+ (korma/set-fields {:password ""})
+ (korma/where {:user "fixture"}))
+ (-> (session web/clojars-app)
+ (login-as "fixture" "password")
+ (follow-redirect)
+ (has (status? 200))
+ (within [:article :div :p.error]
+ (has (text? "Incorrect username and/or password.")))))
\ No newline at end of file
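Review bot: The new test only covers a wiped password stored as the empty string; since `get-user` guards with `empty?`, which also rejects nil, a second case using `(korma/set-fields {:password nil})` would pin the NULL-column behaviour as well, assuming the column is nullable. The direct `korma/update` on `db/users` bypasses whatever `clojars.db` normally does when writing a user row, which is fine for simulating an out-of-band wipe but deserves a one-line comment such as `;; simulate the hash being wiped directly in the DB, bypassing clojars.db` above the `korma/update`. The assertion on `"Incorrect username and/or password."` is the valuable part: it confirms a wiped account is rejected with the same message as a wrong password, so the login page does not reveal account state.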