Commit bafd30f9 authored by Andrey Krivko's avatar Andrey Krivko Committed by Dmitriy Zaporozhets

Session API: Use case-insensitive authentication like in UI

parent 8388bbe8
...@@ -5,6 +5,7 @@ v 7.5.0 ...@@ -5,6 +5,7 @@ v 7.5.0
- Fix LDAP config lookup for provider 'ldap' - Fix LDAP config lookup for provider 'ldap'
- Add Atlassian Bamboo CI service (Drew Blessing) - Add Atlassian Bamboo CI service (Drew Blessing)
- Mentioned @user will receive email even if he is not participating in issue or commit - Mentioned @user will receive email even if he is not participating in issue or commit
- Session API: Use case-insensitive authentication like in UI (Andrey Krivko)
v 7.4.2 v 7.4.2
- Fix internal snippet exposing for unauthenticated users - Fix internal snippet exposing for unauthenticated users
......
...@@ -226,6 +226,11 @@ class User < ActiveRecord::Base ...@@ -226,6 +226,11 @@ class User < ActiveRecord::Base
where("lower(name) LIKE :query OR lower(email) LIKE :query OR lower(username) LIKE :query", query: "%#{query.downcase}%") where("lower(name) LIKE :query OR lower(email) LIKE :query OR lower(username) LIKE :query", query: "%#{query.downcase}%")
end end
def by_login(login)
where('lower(username) = :value OR lower(email) = :value',
value: login.to_s.downcase).first
end
def by_username_or_id(name_or_id) def by_username_or_id(name_or_id)
where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first
end end
......
module Gitlab module Gitlab
class Auth class Auth
def find(login, password) def find(login, password)
user = User.find_by(email: login) || User.find_by(username: login) user = User.by_login(login)
# If no user is found, or it's an LDAP server, try LDAP. # If no user is found, or it's an LDAP server, try LDAP.
# LDAP users are only authenticated via LDAP # LDAP users are only authenticated via LDAP
......
...@@ -10,13 +10,21 @@ describe Gitlab::Auth do ...@@ -10,13 +10,21 @@ describe Gitlab::Auth do
password: password, password: password,
password_confirmation: password) password_confirmation: password)
end end
let(:username) { 'john' } let(:username) { 'John' } # username isn't lowercase, test this
let(:password) { 'my-secret' } let(:password) { 'my-secret' }
it "should find user by valid login/password" do it "should find user by valid login/password" do
expect( gl_auth.find(username, password) ).to eql user expect( gl_auth.find(username, password) ).to eql user
end end
it 'should find user by valid email/password with case-insensitive email' do
expect(gl_auth.find(user.email.upcase, password)).to eql user
end
it 'should find user by valid username/password with case-insensitive username' do
expect(gl_auth.find(username.upcase, password)).to eql user
end
it "should not find user with invalid password" do it "should not find user with invalid password" do
password = 'wrong' password = 'wrong'
expect( gl_auth.find(username, password) ).to_not eql user expect( gl_auth.find(username, password) ).to_not eql user
......
...@@ -287,6 +287,20 @@ describe User do ...@@ -287,6 +287,20 @@ describe User do
end end
end end
describe '.by_login' do
let(:username) { 'John' }
let!(:user) { create(:user, username: username) }
it 'should get the correct user' do
expect(User.by_login(user.email.upcase)).to eq user
expect(User.by_login(user.email)).to eq user
expect(User.by_login(username.downcase)).to eq user
expect(User.by_login(username)).to eq user
expect(User.by_login(nil)).to be_nil
expect(User.by_login('')).to be_nil
end
end
describe 'all_ssh_keys' do describe 'all_ssh_keys' do
it { should have_many(:keys).dependent(:destroy) } it { should have_many(:keys).dependent(:destroy) }
......
...@@ -19,6 +19,32 @@ describe API::API, api: true do ...@@ -19,6 +19,32 @@ describe API::API, api: true do
end end
end end
context 'when email has case-typo and password is valid' do
it 'should return private token' do
post api('/session'), email: user.email.upcase, password: '12345678'
expect(response.status).to eq 201
expect(json_response['email']).to eq user.email
expect(json_response['private_token']).to eq user.private_token
expect(json_response['is_admin']).to eq user.is_admin?
expect(json_response['can_create_project']).to eq user.can_create_project?
expect(json_response['can_create_group']).to eq user.can_create_group?
end
end
context 'when login has case-typo and password is valid' do
it 'should return private token' do
post api('/session'), login: user.username.upcase, password: '12345678'
expect(response.status).to eq 201
expect(json_response['email']).to eq user.email
expect(json_response['private_token']).to eq user.private_token
expect(json_response['is_admin']).to eq user.is_admin?
expect(json_response['can_create_project']).to eq user.can_create_project?
expect(json_response['can_create_group']).to eq user.can_create_group?
end
end
context "when invalid password" do context "when invalid password" do
it "should return authentication error" do it "should return authentication error" do
post api("/session"), email: user.email, password: '123' post api("/session"), email: user.email, password: '123'
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment