diff --git a/auth.py b/auth.py
index 50c4eeeef..3110ab868 100644
--- a/auth.py
+++ b/auth.py
@@ -18,6 +18,7 @@ from utils import data_dir
 from utils import has_users_path
 from utils import text_in_file
 from utils import remove_eol
+from utils import valid_nickname
 from timeFunctions import date_utcnow
@@ -89,7 +90,7 @@ def create_basic_auth_header(nickname: str, password: str) -> str:
 def authorize_basic(base_dir: str, path: str, auth_header: str,
- debug: bool) -> bool:
+ debug: bool, domain: str) -> bool:
 """HTTP basic auth
 """
 if ' ' not in auth_header:
@@ -140,6 +141,10 @@ def authorize_basic(base_dir: str, path: str, auth_header: str,
 ') does not match the one in the Authorization header (' + nickname + ')')
 return False
+ if not valid_nickname(domain, nickname):
+ if debug:
+ print('AUTH: invalid nickname ' + nickname)
+ return False
 if is_memorial_account(base_dir, nickname):
 print('basic auth - attempted login using memorial account ' + nickname + ' in Auth header')
@@ -248,11 +253,12 @@ def remove_password(base_dir: str, nickname: str) -> None:
 return
-def authorize(base_dir: str, path: str, auth_header: str, debug: bool) -> bool:
+def authorize(base_dir: str, path: str, auth_header: str, debug: bool,
+ domain: str) -> bool:
 """Authorize using http header
 """
 if auth_header.lower().startswith('basic '):
- return authorize_basic(base_dir, path, auth_header, debug)
+ return authorize_basic(base_dir, path, auth_header, debug, domain)
 return False
diff --git a/daemon_post_login.py b/daemon_post_login.py
index 9a15fb578..92cf740af 100644
--- a/daemon_post_login.py
+++ b/daemon_post_login.py
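Review bot: The docstring of authorize_basic still reads only `HTTP basic auth` although the signature now takes a `domain` argument whose role is not obvious from the name; the same gap applies to `authorize` in the last auth.py hunk, which gained the same parameter. I'd extend it to `"""HTTP basic auth. domain is the local instance domain; the nickname taken from the Authorization header is validated against it before any account lookup is made. """`, and give `authorize` a matching one-line note that `domain` is passed through to authorize_basic. Note also that `domain` is a new required positional parameter, so any caller not updated in this commit (none are visible beyond the three touched files) will fail with a TypeError at call time rather than at import. authorize_basic's body continues outside this hunk.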
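Review bot: The new debug line `print('AUTH: invalid nickname ' + nickname)` writes a nickname that has just failed validation straight into the log, and a string rejected by valid_nickname may well contain newlines or control characters, so a client can break one event across several log lines; `print('AUTH: invalid nickname ' + repr(nickname))` keeps each event on one line. Separately, the check is placed only after the header nickname has been compared with the one from the path; if the part of authorize_basic above this hunk already uses the nickname to build a filesystem path (not visible here), the validation belongs immediately after the nickname is decoded from the header so rejection happens before any path is formed. authorize_basic starts and ends outside this hunk.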
@@ -141,7 +141,8 @@ def post_login_screen(self, calling_domain: str, cookie: str,
 print('Login attempt from IP: ' + str(ip_address))
 if not authorize_basic(base_dir, '/users/' + login_nickname + '/outbox',
- auth_header, False):
+ auth_header, False,
+ domain):
 print('Login failed: ' + login_nickname)
 clear_login_details(self, login_nickname, calling_domain)
 fail_time = int(time.time())
diff --git a/daemon_utils.py b/daemon_utils.py
index 1f6685697..d935072a4 100644
--- a/daemon_utils.py
+++ b/daemon_utils.py
@@ -626,7 +626,8 @@ def is_authorized(self) -> bool:
 if self.headers.get('Authorization'):
 if authorize(self.server.base_dir, self.path, self.headers['Authorization'],
- self.server.debug):
+ self.server.debug,
+ self.server.domain):
 return True
 print('AUTH: C2S Basic auth did not authorize ' + self.headers['Authorization'])
diff --git a/tests.py b/tests.py
index 100314a03..da405f63c 100644
--- a/tests.py
+++ b/tests.py
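Review bot: The `domain` now passed to authorize_basic on the added line is not defined anywhere in this hunk; it presumably comes from post_login_screen's parameter list, which the hunk header cuts off after `cookie: str`. Because valid_nickname is now evaluated against it, the value should be the instance's own domain, as is_authorized does with `self.server.domain` in the next hunk, rather than `calling_domain`, which by its name reflects the requesting side; worth confirming which one is actually in scope at this point. post_login_screen begins and ends outside this hunk.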
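Review bot: The retained `print('AUTH: C2S Basic auth did not authorize ' + self.headers['Authorization'])` line right below the changed call logs the full Authorization header, which for Basic auth is the base64-encoded `nickname:password`, so every mistyped password — and, after this commit, every request rejected for an invalid nickname — lands in the log in trivially recoverable form. The new domain argument does not change that, but since the call is being touched this is the moment to log only a non-sensitive identifier, e.g. `print('AUTH: C2S Basic auth did not authorize request for ' + self.path)`. is_authorized starts before this hunk and appears to continue past it.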
@@ -3277,24 +3277,25 @@ def _test_authentication(base_dir: str) -> None:
 assert store_basic_credentials(base_dir, 'badnick', 'otherpa:ss') is False
 assert store_basic_credentials(base_dir, nickname, password)
+ domain = "test.domain"
 auth_header = create_basic_auth_header(nickname, password)
 assert authorize_basic(base_dir, '/users/' + nickname + '/inbox',
- auth_header, False)
+ auth_header, False, domain)
 assert authorize_basic(base_dir, '/users/' + nickname,
- auth_header, False) is False
+ auth_header, False, domain) is False
 assert authorize_basic(base_dir, '/users/othernick/inbox',
- auth_header, False) is False
+ auth_header, False, domain) is False
 auth_header = create_basic_auth_header(nickname, password + '1')
 assert authorize_basic(base_dir, '/users/' + nickname + '/inbox',
- auth_header, False) is False
+ auth_header, False, domain) is False
 password = 'someOtherPassword'
 assert store_basic_credentials(base_dir, nickname, password)
 auth_header = create_basic_auth_header(nickname, password)
 assert authorize_basic(base_dir, '/users/' + nickname + '/inbox',
- auth_header, False)
+ auth_header, False, domain)
 os.chdir(curr_dir)
 shutil.rmtree(base_dir, ignore_errors=False)
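Review bot: The added `domain = "test.domain"` only threads the new argument through the existing assertions; nothing in this hunk exercises the rejection path that the commit introduces in authorize_basic, so a regression that dropped the valid_nickname check would leave this test green. A negative case needs the rejected nickname in both the path and the header, because authorize_basic also compares the two: `bad_header = create_basic_auth_header('<INVALID_NICKNAME>', password)` followed by `assert authorize_basic(base_dir, '/users/<INVALID_NICKNAME>/inbox', bad_header, False, domain) is False`, with the placeholder replaced by a value valid_nickname rejects for this domain. _test_authentication starts before this hunk.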