fix(security): fixed login issue that was a potential for social engineering, fixes #6014

b4111d78 · Torkel Ödegaard · 4a169319 · b4111d78 · b4111d78
Commit b4111d78 authored Sep 21, 2016 by Torkel Ödegaard
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 6 deletions

pkg/api/login_oauth.go
+3 -4

public/app/core/controllers/login_ctrl.js
+8 -2

No files found.
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -3,7 +3,6 @@ package api
 import (
 	"errors"
 	"fmt"
-	"net/url"

 	"golang.org/x/oauth2"

@@ -46,9 +45,9 @@ func OAuthLogin(ctx *middleware.Context) {
 	userInfo, err := connect.UserInfo(token)
 	if err != nil {
 		if err == social.ErrMissingTeamMembership {
-			ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github team membership not fulfilled"))
+			ctx.Redirect(setting.AppSubUrl + "/login?failCode=1000")
 		} else if err == social.ErrMissingOrganizationMembership {
-			ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github organization membership not fulfilled"))
+			ctx.Redirect(setting.AppSubUrl + "/login?failCode=1001")
 		} else {
 			ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err)
 		}
@@ -60,7 +59,7 @@ func OAuthLogin(ctx *middleware.Context) {
 	// validate that the email is allowed to login to grafana
 	if !connect.IsEmailAllowed(userInfo.Email) {
 		ctx.Logger.Info("OAuth login attempt with unallowed email", "email", userInfo.Email)
-		ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required email domain not fulfilled"))
+		ctx.Redirect(setting.AppSubUrl + "/login?failCode=1002")
 		return
 	}


--- a/public/app/core/controllers/login_ctrl.js
+++ b/public/app/core/controllers/login_ctrl.js
@@ -6,6 +6,12 @@ define([
 function (angular, coreModule, config) {
  'use strict';

+  var failCodes = {
+    "1000": "Required Github team membership not fulfilled",
+    "1001": "Required Github organization membership not fulfilled",
+    "1002": "Required email domain not fulfilled",
+  };
+
  coreModule.default.controller('LoginCtrl', function($scope, backendSrv, contextSrv, $location) {
    $scope.formModel = {
      user: '',
@@ -31,8 +37,8 @@ function (angular, coreModule, config) {
      $scope.$watch("loginMode", $scope.loginModeChanged);

      var params = $location.search();
-      if (params.failedMsg) {
-        $scope.appEvent('alert-warning', ['Login Failed', params.failedMsg]);
+      if (params.failCode) {
+        $scope.appEvent('alert-warning', ['Login Failed', failCodes[params.failCode]]);
        delete params.failedMsg;
        $location.search(params);
      }