3
0
mirror of https://github.com/ergochat/ergo.git synced 2024-11-22 20:09:41 +01:00

accounts: Only allow verified accounts to SASL auth

This commit is contained in:
Daniel Oaks 2017-01-11 01:02:26 +10:00
parent 7bce531914
commit 658d1656fa

View File

@ -198,6 +198,12 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
// load and check acct data all in one update to prevent races.
// as noted elsewhere, change to proper locking for Account type later probably
err = server.store.Update(func(tx *buntdb.Tx) error {
// confirm account is verified
_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
if err != nil {
return errSaslFail
}
creds, err := loadAccountCredentials(tx, accountKey)
if err != nil {
return err
@ -251,6 +257,12 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
return errSaslFail
}
// confirm account is verified
_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
if err != nil {
return errSaslFail
}
// confirm the certfp in that account's credentials
creds, err := loadAccountCredentials(tx, accountKey)
if err != nil || creds.Certificate != client.certfp {