From db3ed498b08d1ff3b1ca16d326a51abef28b9184 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Wed, 27 Sep 2017 23:42:49 +0200 Subject: [PATCH] When OAuth password verification fails, return 401 instead of redirect (#5111) Call to warden.authenticate! in resource_owner_from_credentials would make the request redirect to sign-in path, which is a bad response for apps. Now bad credentials just return nil, which leads to HTTP 401 from Doorkeeper. Also, accounts with enabled 2FA cannot be logged into this way. --- config/initializers/doorkeeper.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb index 689e2ac4..074f8c41 100644 --- a/config/initializers/doorkeeper.rb +++ b/config/initializers/doorkeeper.rb @@ -7,15 +7,14 @@ Doorkeeper.configure do current_user || redirect_to(new_user_session_url) end - resource_owner_from_credentials do |routes| - request.params[:user] = { email: request.params[:username], password: request.params[:password] } - request.env["devise.allow_params_authentication"] = true - request.env["warden"].authenticate!(scope: :user) + resource_owner_from_credentials do |_routes| + user = User.find_by(email: request.params[:username]) + user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password]) end # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below. admin_authenticator do - (current_user && current_user.admin?) || redirect_to(new_user_session_url) + current_user&.admin? || redirect_to(new_user_session_url) end # Authorization Code expiration time (default 10 minutes).