Only authenticate logins when password is set (#13147)

* auth: never authenticate passwords shorter than 4 chars. * auth: refactoring password length check. * auth: does not authenticate when password is empty. * auth: removes unneccesary change.
2025-02-25 18:55:37 -06:00 · 2018-09-05 12:12:46 +02:00 · 2018-09-05 12:12:46 +02:00 · 275f613050
commit 275f613050
parent c9ae585d2a
2 changed files with 30 additions and 1 deletions
--- a/pkg/login/auth.go
+++ b/pkg/login/auth.go
@ -2,7 +2,6 @@ package login

 import (
 	"errors"
-
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
 )
@ -14,6 +13,7 @@ var (
 	ErrProviderDeniedRequest = errors.New("Login provider denied login request")
 	ErrSignUpNotAllowed      = errors.New("Signup is not allowed for this adapter")
 	ErrTooManyLoginAttempts  = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked")
+	ErrPasswordEmpty         = errors.New("No password provided.")
 	ErrUsersQuotaReached     = errors.New("Users quota reached")
 	ErrGettingUserQuota      = errors.New("Error getting user quota")
 )
@ -28,6 +28,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {
 		return err
 	}

+	if err := validatePasswordSet(query.Password); err != nil {
+		return err
+	}
+
 	err := loginUsingGrafanaDB(query)
 	if err == nil || (err != m.ErrUserNotFound && err != ErrInvalidCredentials) {
 		return err
@ -52,3 +56,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {

 	return err
 }
+func validatePasswordSet(password string) error {
+	if len(password) == 0 {
+		return ErrPasswordEmpty
+	}
+
+	return nil
+}
--- a/pkg/login/auth_test.go
+++ b/pkg/login/auth_test.go
@ -10,6 +10,24 @@ import (

 func TestAuthenticateUser(t *testing.T) {
 	Convey("Authenticate user", t, func() {
+		authScenario("When a user authenticates without setting a password", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(nil, sc)
+			mockLoginUsingLdap(false, nil, sc)
+
+			loginQuery := m.LoginUserQuery{
+				Username: "user",
+				Password: "",
+			}
+			err := AuthenticateUser(&loginQuery)
+
+			Convey("login should fail", func() {
+				So(sc.grafanaLoginWasCalled, ShouldBeFalse)
+				So(sc.ldapLoginWasCalled, ShouldBeFalse)
+				So(err, ShouldEqual, ErrPasswordEmpty)
+			})
+		})
+
 		authScenario("When a user authenticates having too many login attempts", func(sc *authScenarioContext) {
 			mockLoginAttemptValidation(ErrTooManyLoginAttempts, sc)
 			mockLoginUsingGrafanaDB(nil, sc)