ircd.chat/ircd
11
1
Fork 0
Code Issues Pull Requests 1 Releases Wiki Activity

accounts: Only allow verified accounts to SASL auth

Browse Source
This commit is contained in:
Daniel Oaks 2017-01-11 01:02:26 +10:00
parent 7bce531914
commit 658d1656fa
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
irc/accounts.go
View File

@ -198,6 +198,12 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
// load and check acct data all in one update to prevent races.
// as noted elsewhere, change to proper locking for Account type later probably
err = server.store.Update(func(tx *buntdb.Tx) error {
// confirm account is verified
_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
if err != nil {
return errSaslFail
}
creds, err := loadAccountCredentials(tx, accountKey)
if err != nil {
return err
@ -251,6 +257,12 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
return errSaslFail
}
// confirm account is verified
_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
if err != nil {
return errSaslFail
}
// confirm the certfp in that account's credentials
creds, err := loadAccountCredentials(tx, accountKey)
if err != nil || creds.Certificate != client.certfp {