From e45e26f3bd712e472036b971a4088f35ce822674 Mon Sep 17 00:00:00 2001
From: Evert Pot
Date: Thu, 25 Jul 2024 23:25:01 -0400
Subject: [PATCH] Check the 'validated_at' value of identities when logging in.
---
 src/login/controller/login.ts | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/login/controller/login.ts b/src/login/controller/login.ts
index 92321d3b..83115739 100644
--- a/src/login/controller/login.ts
+++ b/src/login/controller/login.ts
@@ -9,9 +9,10 @@ import * as webAuthnService from '../../mfa/webauthn/service.js';
 import { getSetting } from '../../server-settings.js';
 import { hasUsers, PrincipalService } from '../../principal/service.js';
 import * as userService from '../../user/service.js';
-import { User } from '../../types.js';
+import { PrincipalIdentity, User } from '../../types.js';
 import { isValidRedirect } from '../utilities.js';
 import { loginForm } from '../formats/html.js';
+import * as services from '../../services.js';
 class LoginController extends Controller {
@@ -47,8 +48,10 @@ class LoginController extends Controller {
 const principalService = new PrincipalService('insecure');
 let user: User;
+ let identity: PrincipalIdentity;
 try {
- user = await principalService.findByIdentity('mailto:' + ctx.request.body.userName) as User;
+ identity = await services.principalIdentity.findByUri('mailto:' + ctx.request.body.username);
+ user = await principalService.findByIdentity(identity) as User;
 } catch (err) {
 if (err instanceof NotFound) {
 log(EventType.loginFailed, ctx);
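Review bot: The added lookup in the `@@ -47,8 +48,10 @@` hunk reads `ctx.request.body.username`, while the line it replaces read `ctx.request.body.userName`. Unless the login form field was renamed elsewhere (not visible here), the URI becomes `mailto:undefined`, every lookup ends in the NotFound branch, and no one can log in. Keeping the original key avoids that: `identity = await services.principalIdentity.findByUri('mailto:' + ctx.request.body.userName);`. The try/catch continues past the end of the hunk, so how the remaining error paths treat the now possibly unassigned `identity` cannot be checked from here.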
@@ -67,6 +70,10 @@ class LoginController extends Controller {
 log(EventType.loginFailedInactive, ctx.ip(), user.id, ctx.request.headers.get('User-Agent'));
 return this.redirectToLogin(ctx, '', 'This account is inactive. Please contact Admin');
 }
+ if (!identity.verifiedAt) {
+ log(EventType.loginFailedNotVerified, ctx.ip(), user.id, ctx.request.headers.get('User-Agent'));
+ return this.redirectToLogin(ctx, '', 'This identity has not been verified');
+ }
 if (await this.shouldMfaRedirect(ctx, user)) {
 return;
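Review bot: The new `!identity.verifiedAt` branch answers with 'This identity has not been verified', which differs from the generic failure text and so tells the caller that the address exists and what state it is in. The password check is outside this hunk; if it runs after this point, the response discloses that state to unauthenticated callers. Either confirm the ordering and record it with a comment such as `// Only reached after the password was validated, so revealing verification state is acceptable.`, or return the same generic failure message and keep the detail in the `loginFailedNotVerified` log event. The commit subject also speaks of 'validated_at' while the code tests `verifiedAt`; a short comment naming the underlying field would help the next reader.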