go-gitea · techknowlogick · Jul 3, 2023 · Jun 21, 2023 · Jun 22, 2023 · Jun 22, 2023
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
@@ -26,6 +26,7 @@ import (
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/routers/utils"
 	auth_service "code.gitea.io/gitea/services/auth"
+	auth_db "code.gitea.io/gitea/services/auth/source/db"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 	"code.gitea.io/gitea/services/externalaccount"
 	"code.gitea.io/gitea/services/forms"
@@ -201,7 +202,8 @@ func SignInPost(ctx *context.Context) {
 
 	u, source, err := auth_service.UserSignIn(form.UserName, form.Password)
 	if err != nil {
-		if user_model.IsErrUserNotExist(err) || user_model.IsErrEmailAddressNotExist(err) {
+		if user_model.IsErrUserNotExist(err) || user_model.IsErrEmailAddressNotExist(err) ||
+			auth_db.IsErrUserPasswordNotSet(err) || auth_db.IsErrUserPasswordInvalidate(err) {
 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
 			log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
 		} else if user_model.IsErrEmailAlreadyUsed(err) {

diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
@@ -13,9 +13,11 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web"
 	auth_service "code.gitea.io/gitea/services/auth"
+	auth_db "code.gitea.io/gitea/services/auth/source/db"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 	"code.gitea.io/gitea/services/externalaccount"
 	"code.gitea.io/gitea/services/forms"
@@ -81,6 +83,31 @@ func LinkAccount(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplLinkAccount)
 }
 
+func handleSingInError(ctx *context.Context, userName string, ptrForm any, invoker string, err error) {
+	if user_model.IsErrUserNotExist(err) || user_model.IsErrEmailAddressNotExist(err) ||
+		auth_db.IsErrUserPasswordNotSet(err) || auth_db.IsErrUserPasswordInvalidate(err) {
+		ctx.Data["user_exists"] = true
+		ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, ptrForm)
+	} else if user_model.IsErrUserProhibitLogin(err) {
+		ctx.Data["user_exists"] = true
+		log.Info("Failed authentication attempt for %s from %s: %v", userName, ctx.RemoteAddr(), err)
+		ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+		ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+	} else if user_model.IsErrUserInactive(err) {
+		ctx.Data["user_exists"] = true
+		if setting.Service.RegisterEmailConfirm {
+			ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+			ctx.HTML(http.StatusOK, TplActivate)
+		} else {
+			log.Info("Failed authentication attempt for %s from %s: %v", userName, ctx.RemoteAddr(), err)
+			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+			ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+		}
+	} else {
+		ctx.ServerError(invoker, err)
+	}
+}
+
 // LinkAccountPostSignIn handle the coupling of external account with another account using signIn
 func LinkAccountPostSignIn(ctx *context.Context) {
 	signInForm := web.GetForm(ctx).(*forms.SignInForm)
@@ -116,12 +143,7 @@ func LinkAccountPostSignIn(ctx *context.Context) {
 
 	u, _, err := auth_service.UserSignIn(signInForm.UserName, signInForm.Password)
 	if err != nil {
-		if user_model.IsErrUserNotExist(err) {
-			ctx.Data["user_exists"] = true
-			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
-		} else {
-			ctx.ServerError("UserLinkAccount", err)
-		}
+		handleSingInError(ctx, signInForm.UserName, &signInForm, "UserLinkAccount", err)
 		return
 	}
 

diff --git a/routers/web/auth/openid.go b/routers/web/auth/openid.go
@@ -282,11 +282,7 @@ func ConnectOpenIDPost(ctx *context.Context) {
 
 	u, _, err := auth.UserSignIn(form.UserName, form.Password)
 	if err != nil {
-		if user_model.IsErrUserNotExist(err) {
-			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)
-		} else {
-			ctx.ServerError("ConnectOpenIDPost", err)
-		}
+		handleSingInError(ctx, form.UserName, &form, "ConnectOpenIDPost", err)
 		return
 	}
 

diff --git a/services/auth/source/db/authenticate.go b/services/auth/source/db/authenticate.go
@@ -4,19 +4,66 @@
 package db
 
 import (
+	"fmt"
+
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 )
 
+// ErrUserPasswordNotSet represents a "ErrUserPasswordNotSet" kind of error.
+type ErrUserPasswordNotSet struct {
+	UID  int64
+	Name string
+}
+
+// IsErrUserPasswordNotSet checks if an error is a ErrUserPasswordNotSet
+func IsErrUserPasswordNotSet(err error) bool {
+	_, ok := err.(ErrUserPasswordNotSet)
+	return ok
+}
+
+func (err ErrUserPasswordNotSet) Error() string {
+	return fmt.Sprintf("user's password doesn't set [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// Unwrap unwraps this error as a ErrPermission error
+func (err ErrUserPasswordNotSet) Unwrap() error {
+	return util.ErrPermissionDenied
+}
+
+// ErrUserPasswordInvalidate represents a "ErrUserPasswordInvalidate" kind of error.
+type ErrUserPasswordInvalidate struct {
+	UID  int64
+	Name string
+}
+
+// IsErrUserPasswordInvalidate checks if an error is a ErrUserPasswordInvalidate
+func IsErrUserPasswordInvalidate(err error) bool {
+	_, ok := err.(ErrUserPasswordInvalidate)
+	return ok
+}
+
+func (err ErrUserPasswordInvalidate) Error() string {
+	return fmt.Sprintf("user's password is invalidated [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// Unwrap unwraps this error as a ErrPermission error
+func (err ErrUserPasswordInvalidate) Unwrap() error {
+	return util.ErrPermissionDenied
+}
+
 // Authenticate authenticates the provided user against the DB
 func Authenticate(user *user_model.User, login, password string) (*user_model.User, error) {
 	if user == nil {
 		return nil, user_model.ErrUserNotExist{Name: login}
 	}
 
-	if !user.IsPasswordSet() || !user.ValidatePassword(password) {
-		return nil, user_model.ErrUserNotExist{UID: user.ID, Name: user.Name}
+	if !user.IsPasswordSet() {
+		return nil, ErrUserPasswordNotSet{UID: user.ID, Name: user.Name}
+	} else if !user.ValidatePassword(password) {
+		return nil, ErrUserPasswordInvalidate{UID: user.ID, Name: user.Name}
 	}
 
 	// Update password hash if server password hash algorithm have changed