revert http basic auth
it can't be both fast and secure.
This commit is contained in:
parent
89f8b47070
commit
618186c384
|
@ -156,7 +156,7 @@ final class Env(
|
|||
scheduler.once(30 seconds)(tor.refresh(_ => funit))
|
||||
scheduler.effect(TorRefreshDelay, "Refresh Tor exit nodes")(tor.refresh(firewall.unblockIps))
|
||||
|
||||
lazy val api = new SecurityApi(storeColl, firewall, geoIP, authenticator, emailAddressValidator, asyncCache)
|
||||
lazy val api = new SecurityApi(storeColl, firewall, geoIP, authenticator, emailAddressValidator)
|
||||
|
||||
lazy val csrfRequestHandler = new CSRFRequestHandler(NetDomain)
|
||||
|
||||
|
|
|
@ -19,8 +19,7 @@ final class SecurityApi(
|
|||
firewall: Firewall,
|
||||
geoIP: GeoIP,
|
||||
authenticator: lila.user.Authenticator,
|
||||
emailValidator: EmailAddressValidator,
|
||||
asyncCache: lila.memo.AsyncCache.Builder
|
||||
emailValidator: EmailAddressValidator
|
||||
) {
|
||||
|
||||
val AccessUri = "access_uri"
|
||||
|
@ -77,7 +76,7 @@ final class SecurityApi(
|
|||
}
|
||||
}
|
||||
}
|
||||
} // orElse BasicAuth(req).map2 { (u: User) => FingerprintedUser(u, false) }
|
||||
}
|
||||
}
|
||||
|
||||
def locatedOpenSessions(userId: User.ID, nb: Int): Fu[List[LocatedSession]] =
|
||||
|
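Review bot: The line `} // orElse BasicAuth(req).map2 { (u: User) => FingerprintedUser(u, false) }` keeps a commented-out call to `BasicAuth`, an object the later hunk of this file (-95,29 +94,6) deletes, so if that line is the one surviving on the new side it is a dead reference that will mislead the next reader into thinking the hook still exists. Replace it with a bare `}`, or, if a breadcrumb is wanted, with a comment giving the reason rather than the dead expression, e.g. `// HTTP basic auth removed: per-request password verification is too slow, and caching verdicts keyed by clear-text password keeps secrets resident in memory`. The removed `BasicAuth.cache` was keyed on `(Username, User.ClearPassword)` with a 2-minute `ExpireAfterWrite`, which is presumably the "not secure" half of the commit message and worth recording where the hook used to be. The enclosing method starts and ends outside this hunk, and the rendered gutter here does not show which of the two `}` lines is the new one, so this applies only if the commented variant is the kept one.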
@ -95,29 +94,6 @@ final class SecurityApi(
|
|||
|
||||
def reqSessionId(req: RequestHeader) = req.session get "sessionId"
|
||||
|
||||
private object BasicAuth {
|
||||
|
||||
private type Username = String
|
||||
|
||||
private val cache = asyncCache.multi[(Username, User.ClearPassword), Boolean](
|
||||
name = "security.basic_auth",
|
||||
f = {
|
||||
case (username, password) => authenticator.authenticateByUsername(username, password).map(_.isDefined)
|
||||
},
|
||||
expireAfter = _.ExpireAfterWrite(2 minutes)
|
||||
)
|
||||
|
||||
def apply(req: RequestHeader): Fu[Option[User]] = {
|
||||
req.headers get "Authorization" flatMap lila.common.String.base64.decode map (_.split(":", 2))
|
||||
} ?? {
|
||||
case Array(username, password) =>
|
||||
cache.get(username -> User.ClearPassword(password)) flatMap {
|
||||
_ ?? UserRepo.named(username)
|
||||
}
|
||||
case _ => fuccess(none)
|
||||
}
|
||||
}
|
||||
|
||||
def userIdsSharingIp = userIdsSharingField("ip") _
|
||||
|
||||
def recentByIpExists(ip: IpAddress): Fu[Boolean] = Store recentByIpExists ip
|
||||
|
|
|
@ -26,9 +26,6 @@ final class Authenticator(
|
|||
def authenticateById(id: User.ID, password: ClearPassword): Fu[Option[User]] =
|
||||
loginCandidateById(id) map { _ flatMap { _(password) } }
|
||||
|
||||
def authenticateByUsername(username: String, password: ClearPassword): Fu[Option[User]] =
|
||||
authenticateById(User normalize username, password)
|
||||
|
||||
def authenticateByEmail(email: EmailAddress, password: ClearPassword): Fu[Option[User]] =
|
||||
loginCandidateByEmail(email) map { _ flatMap { _(password) } }
|
||||
|
||||
|
|