1
0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-31 09:24:31 +03:00

admin: better error when password auth is disabled

This commit is contained in:
Quentin Gliech
2024-08-07 11:52:34 +02:00
parent 475a43df71
commit c61a52a3a0
2 changed files with 54 additions and 1 deletions

View File

@ -36,6 +36,9 @@ pub enum RouteError {
#[error("Password is too weak")] #[error("Password is too weak")]
PasswordTooWeak, PasswordTooWeak,
#[error("Password auth is disabled")]
PasswordAuthDisabled,
#[error("Password hashing failed")] #[error("Password hashing failed")]
Password(#[source] anyhow::Error), Password(#[source] anyhow::Error),
@ -50,6 +53,7 @@ impl IntoResponse for RouteError {
let error = ErrorResponse::from_error(&self); let error = ErrorResponse::from_error(&self);
let status = match self { let status = match self {
Self::Internal(_) | Self::Password(_) => StatusCode::INTERNAL_SERVER_ERROR, Self::Internal(_) | Self::Password(_) => StatusCode::INTERNAL_SERVER_ERROR,
Self::PasswordAuthDisabled => StatusCode::FORBIDDEN,
Self::PasswordTooWeak => StatusCode::BAD_REQUEST, Self::PasswordTooWeak => StatusCode::BAD_REQUEST,
Self::NotFound(_) => StatusCode::NOT_FOUND, Self::NotFound(_) => StatusCode::NOT_FOUND,
}; };
@ -83,6 +87,11 @@ pub fn doc(operation: TransformOperation) -> TransformOperation {
let response = ErrorResponse::from_error(&RouteError::PasswordTooWeak); let response = ErrorResponse::from_error(&RouteError::PasswordTooWeak);
t.description("Password is too weak").example(response) t.description("Password is too weak").example(response)
}) })
.response_with::<403, RouteError, _>(|t| {
let response = ErrorResponse::from_error(&RouteError::PasswordAuthDisabled);
t.description("Password auth is disabled in the server configuration")
.example(response)
})
.response_with::<404, RouteError, _>(|t| { .response_with::<404, RouteError, _>(|t| {
let response = ErrorResponse::from_error(&RouteError::NotFound(Ulid::nil())); let response = ErrorResponse::from_error(&RouteError::NotFound(Ulid::nil()));
t.description("User was not found").example(response) t.description("User was not found").example(response)
@ -99,6 +108,10 @@ pub async fn handler(
id: UlidPathParam, id: UlidPathParam,
Json(params): Json<Request>, Json(params): Json<Request>,
) -> Result<StatusCode, RouteError> { ) -> Result<StatusCode, RouteError> {
if !password_manager.is_enabled() {
return Err(RouteError::PasswordAuthDisabled);
}
let user = repo let user = repo
.user() .user()
.lookup(*id) .lookup(*id)
@ -137,7 +150,10 @@ mod tests {
use sqlx::PgPool; use sqlx::PgPool;
use zeroize::Zeroizing; use zeroize::Zeroizing;
use crate::test_utils::{setup, RequestBuilderExt, ResponseExt, TestState}; use crate::{
passwords::PasswordManager,
test_utils::{setup, RequestBuilderExt, ResponseExt, TestState},
};
#[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")] #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
async fn test_set_password(pool: PgPool) { async fn test_set_password(pool: PgPool) {
@ -267,4 +283,24 @@ mod tests {
"User ID 01040G2081040G2081040G2081 not found" "User ID 01040G2081040G2081040G2081 not found"
); );
} }
#[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
async fn test_disabled(pool: PgPool) {
setup();
let mut state = TestState::from_pool(pool).await.unwrap();
state.password_manager = PasswordManager::disabled();
let token = state.token_with_scope("urn:mas:admin").await;
let request = Request::post("/api/admin/v1/users/01040G2081040G2081040G2081/set-password")
.bearer(&token)
.json(serde_json::json!({
"password": "hunter2",
}));
let response = state.request(request).await;
response.assert_status(StatusCode::FORBIDDEN);
let body: serde_json::Value = response.json();
assert_eq!(body["errors"][0]["title"], "Password auth is disabled");
}
} }

View File

@ -367,6 +367,23 @@
} }
} }
}, },
"403": {
"description": "Password auth is disabled in the server configuration",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/ErrorResponse"
},
"example": {
"errors": [
{
"title": "Password auth is disabled"
}
]
}
}
}
},
"404": { "404": {
"description": "User was not found", "description": "User was not found",
"content": { "content": {