Commit b4111d78 by Torkel Ödegaard

fix(security): fixed login issue that was a potential for social engineering, fixes #6014

parent 4a169319
...@@ -3,7 +3,6 @@ package api ...@@ -3,7 +3,6 @@ package api
import ( import (
"errors" "errors"
"fmt" "fmt"
"net/url"
"golang.org/x/oauth2" "golang.org/x/oauth2"
...@@ -46,9 +45,9 @@ func OAuthLogin(ctx *middleware.Context) { ...@@ -46,9 +45,9 @@ func OAuthLogin(ctx *middleware.Context) {
userInfo, err := connect.UserInfo(token) userInfo, err := connect.UserInfo(token)
if err != nil { if err != nil {
if err == social.ErrMissingTeamMembership { if err == social.ErrMissingTeamMembership {
ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github team membership not fulfilled")) ctx.Redirect(setting.AppSubUrl + "/login?failCode=1000")
} else if err == social.ErrMissingOrganizationMembership { } else if err == social.ErrMissingOrganizationMembership {
ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github organization membership not fulfilled")) ctx.Redirect(setting.AppSubUrl + "/login?failCode=1001")
} else { } else {
ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err) ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err)
} }
...@@ -60,7 +59,7 @@ func OAuthLogin(ctx *middleware.Context) { ...@@ -60,7 +59,7 @@ func OAuthLogin(ctx *middleware.Context) {
// validate that the email is allowed to login to grafana // validate that the email is allowed to login to grafana
if !connect.IsEmailAllowed(userInfo.Email) { if !connect.IsEmailAllowed(userInfo.Email) {
ctx.Logger.Info("OAuth login attempt with unallowed email", "email", userInfo.Email) ctx.Logger.Info("OAuth login attempt with unallowed email", "email", userInfo.Email)
ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required email domain not fulfilled")) ctx.Redirect(setting.AppSubUrl + "/login?failCode=1002")
return return
} }
......
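Review bot: The fail codes `1000`, `1001` and `1002` are written as bare numerals inside the three redirect strings, and the text a browser shows for each lives only in the client-side `failCodes` map in the other file of this commit, so a code added or renumbered on one side silently yields an undefined message on the other. Declare them once in this package as named constants (for example `loginFailCodeMissingTeam`, `loginFailCodeMissingOrg`, `loginFailCodeEmailDomain`) with a comment that the client-side map must be kept in sync, and build the three redirects from those names. The constants should also state why the message itself no longer travels in the URL: the client renders only table-derived text, so a crafted link can no longer inject a message into the login page. OAuthLogin begins and ends outside these hunks, so whether each redirect is followed by a `return` is not visible here.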
...@@ -6,6 +6,12 @@ define([ ...@@ -6,6 +6,12 @@ define([
function (angular, coreModule, config) { function (angular, coreModule, config) {
'use strict'; 'use strict';
var failCodes = {
"1000": "Required Github team membership not fulfilled",
"1001": "Required Github organization membership not fulfilled",
"1002": "Required email domain not fulfilled",
};
coreModule.default.controller('LoginCtrl', function($scope, backendSrv, contextSrv, $location) { coreModule.default.controller('LoginCtrl', function($scope, backendSrv, contextSrv, $location) {
$scope.formModel = { $scope.formModel = {
user: '', user: '',
...@@ -31,8 +37,8 @@ function (angular, coreModule, config) { ...@@ -31,8 +37,8 @@ function (angular, coreModule, config) {
$scope.$watch("loginMode", $scope.loginModeChanged); $scope.$watch("loginMode", $scope.loginModeChanged);
var params = $location.search(); var params = $location.search();
if (params.failedMsg) { if (params.failCode) {
$scope.appEvent('alert-warning', ['Login Failed', params.failedMsg]); $scope.appEvent('alert-warning', ['Login Failed', failCodes[params.failCode]]);
delete params.failedMsg; delete params.failedMsg;
$location.search(params); $location.search(params);
} }
......
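Review bot: The cleanup line still deletes the old key, `delete params.failedMsg;`, so `failCode` is never removed from the query string and `$location.search(params)` writes it straight back, which keeps the code in the URL and lets the alert recur; it should read `delete params.failCode;`. The lookup `failCodes[params.failCode]` also returns `undefined` for any code not in the table and returns inherited properties for names like `constructor`, so the alert text should come only from the table's own keys with a fixed fallback: `var failMsg = failCodes.hasOwnProperty(params.failCode) ? failCodes[params.failCode] : 'Login failed';` followed by `$scope.appEvent('alert-warning', ['Login Failed', failMsg]);`. A short comment above `failCodes` noting that the codes are assigned by the server's OAuth login handler and that only these fixed strings may ever be displayed would explain why the message is no longer read from the URL. The enclosing controller function starts and ends outside this hunk.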