fix(auth): Handle logging-in with disabled auth provider

When only MobilizonAuthenticator provider is available, user can be found, but isn't valid for auth. We need to reject those users as well.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2023-05-02 17:04:35 +02:00
parent 1ea5342fca
commit a22a5e3cb9
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773

View file

@ -13,8 +13,6 @@ defmodule Mobilizon.Service.Auth.MobilizonAuthenticator do
@impl Authenticator
def login(email, password) do
require Logger
with {:user, %User{password_hash: password_hash, provider: nil} = user}
when not is_nil(password_hash) <-
{:user, fetch_user(email)},
@ -23,6 +21,10 @@ defmodule Mobilizon.Service.Auth.MobilizonAuthenticator do
{:checkpw, true} <- {:checkpw, Argon2.verify_pass(password, password_hash)} do
{:ok, user}
else
{:user, %User{}} ->
# User from a 3rd-party provider, doesn't have a password
{:error, :user_not_found}
{:user, {:error, :user_not_found}} ->
{:error, :user_not_found}