From baa86bf667b349831b1d7dee211a4a4082414f31 Mon Sep 17 00:00:00 2001 From: Karchnu Date: Tue, 13 Oct 2020 06:21:58 +0200 Subject: [PATCH] User deletion. --- src/main.cr | 53 ++++++++++++++++++++++++++++++++++++++++-- utils/authc.cr | 2 +- utils/better-parser.cr | 2 +- 3 files changed, 53 insertions(+), 4 deletions(-) diff --git a/src/main.cr b/src/main.cr index f6e4326..d430745 100644 --- a/src/main.cr +++ b/src/main.cr @@ -62,11 +62,11 @@ class AuthD::Service return Response::Error.new "invalid credentials" end - if user.password_hash != hash_password request.password + if user.nil? return Response::Error.new "invalid credentials" end - if user.nil? + if user.password_hash != hash_password request.password return Response::Error.new "invalid credentials" end @@ -517,6 +517,55 @@ class AuthD::Service @users_per_uid.update user Response::UserEdited.new user.uid + when Request::Delete + uid_or_login = request.user + user_to_delete = if uid_or_login.is_a? Int32 + @users_per_uid.get? uid_or_login.to_s + else + @users_per_login.get? uid_or_login + end + + if user_to_delete.nil? + return Response::Error.new "invalid user" + end + + # Either the request comes from an admin or the user. + # Shared key == admin, check the key. + if key = request.shared_key + return Response::Error.new "unauthorized (wrong shared key)" unless key == @jwt_key + else + login = request.login + pass = request.password + if login.nil? || pass.nil? + return Response::Error.new "authentication failed (no shared key, no login)" + end + + # authenticate the user + begin + user = @users_per_login.get login + rescue e : DODB::MissingEntry + return Response::Error.new "invalid credentials" + end + + if user.nil? + return Response::Error.new "invalid credentials" + end + + if user.password_hash != hash_password pass + return Response::Error.new "invalid credentials" + end + + # Is the user to delete the requesting user? + if user.uid != user_to_delete.uid + return Response::Error.new "invalid credentials" + end + end + + # User or admin is now verified: let's proceed with the user deletion. + @users_per_login.delete user_to_delete.login + + # TODO: better response + Response::User.new user_to_delete.to_public else Response::Error.new "unhandled request type" end diff --git a/utils/authc.cr b/utils/authc.cr index 196bbe3..0a8095a 100644 --- a/utils/authc.cr +++ b/utils/authc.cr @@ -136,7 +136,7 @@ class Actions def user_deletion args = Context.args.not_nil! - userid = args[0] + userid = args[0].to_i # Check if the request comes from an admin or the user. res = if Context.shared_key.nil? diff --git a/utils/better-parser.cr b/utils/better-parser.cr index b74cb38..37ac85d 100644 --- a/utils/better-parser.cr +++ b/utils/better-parser.cr @@ -113,7 +113,7 @@ parser = OptionParser.new do |parser| parser.on "delete", "Remove user." do parser.banner = "Usage: user delete userid [opt]" Baguette::Log.info "Remove user." - Context.command = "delete" + Context.command = "user-delete" # You can either be the owner of the account, or an admin. opt_authd_login.call parser opt_authd_admin.call parser