Diffstat (limited to 'web')
-rw-r--r--web/react/components/signup_user_complete.jsx2
-rw-r--r--web/web.go56
2 files changed, 54 insertions, 4 deletions
diff --git a/web/react/components/signup_user_complete.jsx b/web/react/components/signup_user_complete.jsx
index 1b1fe15fb..577651b90 100644
--- a/web/react/components/signup_user_complete.jsx
+++ b/web/react/components/signup_user_complete.jsx
@@ -119,7 +119,7 @@ module.exports = React.createClass({
<div className="form-group form-group--small">
<span></span>
</div>
- <p>{"Choose your username and password for the " + this.props.teamDisplayName + " " + strings.Team} <a href={"/"+this.props.teamName+"/signup/gitlab"}>{"or sign up with GitLab."}</a></p>
+ <p>{"Choose your username and password for the " + this.props.teamDisplayName + " " + strings.Team} <a href={"/"+this.props.teamName+"/signup/gitlab"+window.location.search}>{"or sign up with GitLab."}</a></p>
<p>Your username can be made of lowercase letters and numbers.</p>
<label className="control-label">Username</label>
<div className={ name_error ? "form-group has-error" : "form-group" }>
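Review bot: The new href forwards the entire `window.location.search`, not just the `h` and `d` invite parameters the server-side `signupWithOAuth` reads, so any other query parameter present on the signup page is relayed to the GitLab signup route as well. JSX attribute interpolation escapes the value, so this is not an injection issue, but forwarding only what the route needs keeps the link predictable, e.g. build it from `URLSearchParams`-style extraction of `h` and `d` rather than the raw search string. If older browser support matters, a small helper that picks the two keys out of `window.location.search` does the same job.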
diff --git a/web/web.go b/web/web.go
index ef2bae624..975b65002 100644
--- a/web/web.go
+++ b/web/web.go
@@ -453,10 +453,48 @@ func resetPassword(c *api.Context, w http.ResponseWriter, r *http.Request) {
func signupWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
service := params["service"]
+ teamName := params["team"]
+
+ if len(teamName) == 0 {
+ c.Err = model.NewAppError("signupWithOAuth", "Invalid team name", "team_name="+teamName)
+ c.Err.StatusCode = http.StatusBadRequest
+ return
+ }
+
+ hash := r.URL.Query().Get("h")
+
+ var team *model.Team
+ if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil {
+ c.Err = result.Err
+ return
+ } else {
+ team = result.Data.(*model.Team)
+ }
+
+ if api.IsVerifyHashRequired(nil, team, hash) {
+ data := r.URL.Query().Get("d")
+ props := model.MapFromJson(strings.NewReader(data))
+
+ if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.ServiceSettings.InviteSalt)) {
+ c.Err = model.NewAppError("createUser", "The signup link does not appear to be valid", "")
+ return
+ }
+
+ t, err := strconv.ParseInt(props["time"], 10, 64)
+ if err != nil || model.GetMillis()-t > 1000*60*60*48 { // 48 hours
+ c.Err = model.NewAppError("createUser", "The signup link has expired", "")
+ return
+ }
+
+ if team.Id != props["id"] {
+ c.Err = model.NewAppError("createUser", "Invalid team name", data)
+ return
+ }
+ }
redirectUri := c.GetSiteURL() + "/signup/" + service + "/complete"
- api.GetAuthorizationCode(c, w, r, service, redirectUri)
+ api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri)
}
func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
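Review bot: The invite hash is verified only on this redirect request, and nothing in the hunk carries the verified invite (the parsed `props`, including the team id it was checked against) forward; unless `api.GetAuthorizationCode` binds `teamName` and the outcome of this check into the OAuth `state`, the `/signup/{service}/complete` handler (not visible here) cannot rely on this verification and may be reachable with a team that was never checked. The expiry check also accepts a `time` value in the future, since a negative difference never exceeds 48 hours — low impact because `data` is covered by the hash, but `if err != nil || t > model.GetMillis() || model.GetMillis()-t > 1000*60*60*48 {` closes it. The three new error paths inside the `IsVerifyHashRequired` branch leave `StatusCode` unset while the empty-team check sets 400, and the "Invalid team name" error echoes the whole invite payload `data` in its details, which the user-facing message does not need. Consider also that the error names in these paths say `"createUser"` although the function is `signupWithOAuth`.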
@@ -522,11 +560,23 @@ func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request)
func loginWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
service := params["service"]
- l4g.Debug(service)
+ teamName := params["team"]
+
+ if len(teamName) == 0 {
+ c.Err = model.NewAppError("loginWithOAuth", "Invalid team name", "team_name="+teamName)
+ c.Err.StatusCode = http.StatusBadRequest
+ return
+ }
+
+ // Make sure team exists
+ if result := <-api.Srv.Store.Team().GetByName(teamName); result.Err != nil {
+ c.Err = result.Err
+ return
+ }
redirectUri := c.GetSiteURL() + "/login/" + service + "/complete"
- api.GetAuthorizationCode(c, w, r, service, redirectUri)
+ api.GetAuthorizationCode(c, w, r, teamName, service, redirectUri)
}
func loginCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
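Review bot: The team-name guard and `GetByName` lookup added here duplicate the same block at the top of `signupWithOAuth`, and the detail string `"team_name="+teamName` can only ever be `team_name=` because the branch is taken when the name is empty. A small helper returning the team (or setting `c.Err`) would let both handlers share one implementation and give this one access to the looked-up `*model.Team` instead of discarding it. Whether `mux` already rejects an empty `{team}` segment is not visible in the hunk, so the guard is harmless to keep.
```go
// getTeamForOAuth validates the {team} path parameter and loads the team;
// on failure it sets c.Err and returns nil.
func getTeamForOAuth(c *api.Context, caller string, teamName string) *model.Team {
	if len(teamName) == 0 {
		c.Err = model.NewAppError(caller, "Invalid team name", "team name is empty")
		c.Err.StatusCode = http.StatusBadRequest
		return nil
	}
	result := <-api.Srv.Store.Team().GetByName(teamName)
	if result.Err != nil {
		c.Err = result.Err
		return nil
	}
	return result.Data.(*model.Team)
}

func loginWithOAuth(c *api.Context, w http.ResponseWriter, r *http.Request) {
	params := mux.Vars(r)
	service := params["service"]
	teamName := params["team"]
	if getTeamForOAuth(c, "loginWithOAuth", teamName) == nil {
		return
	}
	// … unchanged: redirectUri and GetAuthorizationCode call …
```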