
fix SCRAM not supporting client IDs

reported by @Mikaela
This commit is contained in:
Shivaram Lingamneni 2021-08-03 11:47:00 -04:00
parent b13776787b
commit 117401f293
2 changed files with 16 additions and 4 deletions


@ -2008,6 +2008,11 @@ func (am *AccountManager) NewScramConversation() *scram.ServerConversation {
}
func (am *AccountManager) lookupSCRAMCreds(accountName string) (creds scram.StoredCredentials, err error) {
// strip client ID if present:
if strudelIndex := strings.IndexByte(accountName, '@'); strudelIndex != -1 {
accountName = accountName[:strudelIndex]
}
acct, err := am.LoadAccount(accountName)
if err != nil {
return
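Review bot: The client-ID stripping on the `if strudelIndex := strings.IndexByte(accountName, '@'); strudelIndex != -1 {` line is the same split that authScramHandler performs in the second file of this commit, so the two sites can drift apart (one already keeps the suffix, the other discards it). A small shared helper such as `func splitClientID(authcid string) (account, deviceID string)` built on the same IndexByte call, used here as `accountName, _ = splitClientID(accountName)`, would keep the rule in one place. Note that an identity of the form `@device` leaves accountName empty and passes "" to LoadAccount; presumably that lookup fails, but it is worth confirming rather than relying on it. lookupSCRAMCreds continues past the end of this hunk.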


@ -354,20 +354,27 @@ func authScramHandler(server *Server, client *Client, session *Session, value []
if session.sasl.scramConv.Done() {
continueAuth = false
if session.sasl.scramConv.Valid() {
accountName := session.sasl.scramConv.Username()
authcid := session.sasl.scramConv.Username()
if strudelIndex := strings.IndexByte(authcid, '@'); strudelIndex != -1 {
var deviceID string
authcid, deviceID = authcid[:strudelIndex], authcid[strudelIndex+1:]
if !client.registered {
rb.session.deviceID = deviceID
}
}
authzid := session.sasl.scramConv.AuthzID()
if authzid != "" && authzid != accountName {
if authzid != "" && authzid != authcid {
rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, client.t("SASL authentication failed: authcid and authzid should be the same"))
return false
}
account, err := server.accounts.LoadAccount(accountName)
account, err := server.accounts.LoadAccount(authcid)
if err == nil {
server.accounts.Login(client, account)
if fixupNickEqualsAccount(client, rb, server.Config(), "") {
sendSuccessfulAccountAuth(nil, client, rb, true)
}
} else {
server.logger.Error("internal", "SCRAM succeeded but couldn't load account", accountName, err.Error())
server.logger.Error("internal", "SCRAM succeeded but couldn't load account", authcid, err.Error())
rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, client.t("SASL authentication failed"))
}
} else {
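Review bot: The authzid check on the line `if authzid != "" && authzid != authcid {` now compares authzid against an authcid whose client ID has already been stripped, so a client that sends the same `user@device` string as both authcid and authzid is rejected where it previously passed. If that form is meant to be accepted, strip the client ID from authzid the same way before comparing, e.g. `if i := strings.IndexByte(authzid, '@'); i != -1 { authzid = authzid[:i] }`; otherwise a comment on the check stating that authzid must be the bare account name would make the intent explicit. The value assigned on `rb.session.deviceID = deviceID` is taken verbatim from the client-supplied identity; if the other SASL mechanisms validate or length-limit device IDs, this path should apply the same check (not visible in this hunk). authScramHandler starts before this hunk and continues after it.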