Short circuit user verification if cookie is present.

32aa83f3 · lain · e1525edb · 32aa83f3 · 32aa83f3
Commit 32aa83f3 authored 7 years ago by lain
--- a/lib/pleroma/plugs/authentication_plug.ex
+++ b/lib/pleroma/plugs/authentication_plug.ex
@@ -8,20 +8,28 @@ defmodule Pleroma.Plugs.AuthenticationPlug do
  def call(conn, opts) do
    with {:ok, username, password} <- decode_header(conn),
         {:ok, user} <- opts[:fetcher].(username),
-         {:ok, verified_user} <- verify(user, password)
+         saved_user_id <- get_session(conn, :user_id),
+         {:ok, verified_user} <- verify(user, password, saved_user_id)
    do
-      conn |> assign(:user, verified_user)
+      conn
+      |> assign(:user, verified_user)
+      |> put_session(:user_id, verified_user.id)
    else
      _ -> conn |> halt_or_continue(opts)
    end
  end

-  defp verify(nil, _password) do
+  # Short-circuit if we have a cookie with the id for the given user.
+  defp verify(%{id: id} = user, _password, id) do
+    {:ok, user}
+  end
+
+  defp verify(nil, _password, _user_id) do
    Comeonin.Pbkdf2.dummy_checkpw
    :error
  end

-  defp verify(user, password) do
+  defp verify(user, password, _user_id) do
    if Comeonin.Pbkdf2.checkpw(password, user.password_hash) do
      {:ok, user}
    else

--- a/test/plugs/authentication_plug_test.exs
+++ b/test/plugs/authentication_plug_test.exs
@@ -13,6 +13,12 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do
    password_hash: Comeonin.Pbkdf2.hashpwsalt("guy")
  }

+  @session_opts [
+    store: :cookie,
+    key: "_test",
+    signing_salt: "cooldude"
+  ]
+
  defp fetch_user(_name) do
    {:ok, @user}
  end
@@ -23,14 +29,20 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do

  describe "without an authorization header" do
    test "it halts the application" do
-      conn = build_conn() |> AuthenticationPlug.call(%{})
+      conn = build_conn()
+      |> Plug.Session.call(Plug.Session.init(@session_opts))
+      |> fetch_session
+      |> AuthenticationPlug.call(%{})

      assert conn.status == 403
      assert conn.halted == true
    end

    test "it assigns a nil user if the 'optional' option is used" do
-      conn = build_conn() |> AuthenticationPlug.call(%{optional: true})
+      conn = build_conn()
+      |> Plug.Session.call(Plug.Session.init(@session_opts))
+      |> fetch_session
+      |> AuthenticationPlug.call(%{optional: true})

      assert %{ user: nil } == conn.assigns
    end
@@ -40,6 +52,8 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do
    test "it halts the application" do
      conn =
        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session
        |> AuthenticationPlug.call(%{fetcher: &fetch_nil/1})

      assert conn.status == 403
@@ -49,6 +63,8 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do
    test "it assigns a nil user if the 'optional' option is used" do
      conn =
        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session
        |> AuthenticationPlug.call(%{optional: true, fetcher: &fetch_nil/1 })

      assert %{ user: nil } == conn.assigns
@@ -65,6 +81,8 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do

      conn =
        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session
        |> put_req_header("authorization", header)
        |> AuthenticationPlug.call(opts)

@@ -82,6 +100,8 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do

      conn =
        build_conn()
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session
        |> put_req_header("authorization", header)
        |> AuthenticationPlug.call(opts)

@@ -90,7 +110,7 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do
  end

  describe "with a correct authorization header for an existing user" do
-    test "it assigns the user" do
+    test "it assigns the user", %{conn: conn} do
      opts = %{
        optional: true,
        fetcher: &fetch_user/1
@@ -98,12 +118,35 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do

      header = basic_auth_enc("dude", "guy")

-      conn =
-        build_conn()
+      conn = conn
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session
+        |> put_req_header("authorization", header)
+        |> AuthenticationPlug.call(opts)
+
+      assert %{ user: @user } == conn.assigns
+      assert get_session(conn, :user_id) == @user.id
+      assert conn.halted == false
+    end
+  end
+  describe "with a user_id in the session for an existing user" do
+    test "it assigns the user", %{conn: conn} do
+      opts = %{
+        optional: true,
+        fetcher: &fetch_user/1
+      }
+
+      header = basic_auth_enc("dude", "THIS IS WRONG")
+
+      conn = conn
+        |> Plug.Session.call(Plug.Session.init(@session_opts))
+        |> fetch_session
+        |> put_session(:user_id, @user.id)
        |> put_req_header("authorization", header)
        |> AuthenticationPlug.call(opts)

      assert %{ user: @user } == conn.assigns
+      assert get_session(conn, :user_id) == @user.id
      assert conn.halted == false
    end
  end