From 658d1656fafa18d5e58be81ef4e02178f6cbd4a6 Mon Sep 17 00:00:00 2001
From: Daniel Oaks
Date: Wed, 11 Jan 2017 01:02:26 +1000
Subject: [PATCH] accounts: Only allow verified accounts to SASL auth
---
 irc/accounts.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/irc/accounts.go b/irc/accounts.go
index 2ec3fd26..9ab9b84d 100644
--- a/irc/accounts.go
+++ b/irc/accounts.go
@@ -198,6 +198,12 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
 // load and check acct data all in one update to prevent races.
 // as noted elsewhere, change to proper locking for Account type later probably
 err = server.store.Update(func(tx *buntdb.Tx) error {
+ // confirm account is verified
+ _, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
+ if err != nil {
+ return errSaslFail
+ }
+
 creds, err := loadAccountCredentials(tx, accountKey)
 if err != nil {
 return err
@@ -251,6 +257,12 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
 return errSaslFail
 }
+ // confirm account is verified
+ _, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
+ if err != nil {
+ return errSaslFail
+ }
+
 // confirm the certfp in that account's credentials
 creds, err := loadAccountCredentials(tx, accountKey)
 if err != nil || creds.Certificate != client.certfp {
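Review bot: The added check in authPlainHandler treats every `tx.Get` error as "not verified", so a store failure cannot be told apart from an unverified account, and the value stored under the key is never inspected. Failing closed with `errSaslFail` is the right answer towards the client, but I would scope the error and record the assumption: `if _, err := tx.Get(fmt.Sprintf(keyAccountVerified, accountKey)); err != nil { return errSaslFail }`, with a comment such as `// presence of the key is what marks an account verified; the value is ignored`. As written, `_, err = tx.Get(...)` assigns to the `err` captured from the enclosing function, which the following `creds, err :=` then shadows. The same lines are added in authExternalHandler and the point appears to apply there too; both closures continue outside their hunks.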
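Review bot: The verified-account gate is now copied verbatim into two SASL handlers, here in authExternalHandler and above in authPlainHandler, so any mechanism added later has to remember to paste it as well. Since this is an authorization invariant rather than mechanism logic, I would move it into one helper that each handler calls inside its `Update` closure, which also gives a single place to log refusals for unverified accounts server-side. The helper name below is a suggestion; authExternalHandler's closure starts and ends outside the hunk.

```go
// requireVerified returns errSaslFail unless the account's verified key is
// present in the store. (Helper name is a suggestion.)
func requireVerified(tx *buntdb.Tx, accountKey string) error {
	if _, err := tx.Get(fmt.Sprintf(keyAccountVerified, accountKey)); err != nil {
		return errSaslFail
	}
	return nil
}

// … unchanged: account-exists check in authExternalHandler's Update closure …
		if err := requireVerified(tx, accountKey); err != nil {
			return err
		}
// … unchanged: certfp comparison against the loaded credentials …
```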