diff --git a/cmd/admin.go b/cmd/admin.go index f58a1f99607af..976ea4245029a 100644 --- a/cmd/admin.go +++ b/cmd/admin.go @@ -350,7 +350,7 @@ func runChangePassword(c *cli.Context) error { if err != nil { return err } - if err = user.SetPassword(c.String("password")); err != nil { + if err = user.SetPassword(context.Background(), c.String("password")); err != nil { return err } @@ -427,7 +427,7 @@ func runCreateUser(c *cli.Context) error { Theme: setting.UI.DefaultTheme, } - if err := models.CreateUser(u); err != nil { + if err := models.CreateUser(context.Background(), u); err != nil { return fmt.Errorf("CreateUser: %v", err) } diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index ea2fe982f3981..93ce9d413652c 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -378,6 +378,8 @@ INTERNAL_TOKEN= ;; ;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed ;PASSWORD_CHECK_PWN = false +;; Only allow a certain number of password hashes to be performed at a time. Set to 0 to have no limit. +;MAXIMUM_CONCURRENT_HASHES = 0 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 54ef780bcac1a..2ff1ff7238680 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -435,6 +435,7 @@ relation to port exhaustion. - spec - use one or more special characters as ``!"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~`` - off - do not check password complexity - `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed. +- `MAXIMUM_CONCURRENT_HASHES`: **0**: Only allow a certain number of password hashes to be performed at a time. Set to 0 to have no limit. ## OpenID (`openid`) diff --git a/models/login_source.go b/models/login_source.go index 098b48a8cd5f4..50b2c9b50400a 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -6,6 +6,7 @@ package models import ( + "context" "crypto/tls" "errors" "fmt" @@ -487,7 +488,7 @@ func composeFullName(firstname, surname, username string) string { // LoginViaLDAP queries if login/password is valid against the LDAP directory pool, // and create a local user if success when enabled. -func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*User, error) { +func LoginViaLDAP(ctx context.Context, user *User, login, password string, source *LoginSource) (*User, error) { sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP) if sr == nil { // User not in LDAP, do nothing @@ -557,7 +558,7 @@ func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*Use IsRestricted: sr.IsRestricted, } - err := CreateUser(user) + err := CreateUser(ctx, user) if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) { err = RewriteAllPublicKeys() @@ -635,7 +636,7 @@ func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error { // LoginViaSMTP queries if login/password is valid against the SMTP, // and create a local user if success when enabled. -func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig) (*User, error) { +func LoginViaSMTP(ctx context.Context, user *User, login, password string, sourceID int64, cfg *SMTPConfig) (*User, error) { // Verify allowed domains. if len(cfg.AllowedDomains) > 0 { idx := strings.Index(login, "@") @@ -686,7 +687,7 @@ func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPC LoginName: login, IsActive: true, } - return user, CreateUser(user) + return user, CreateUser(ctx, user) } // __________ _____ _____ @@ -698,7 +699,7 @@ func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPC // LoginViaPAM queries if login/password is valid against the PAM, // and create a local user if success when enabled. -func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig) (*User, error) { +func LoginViaPAM(ctx context.Context, user *User, login, password string, sourceID int64, cfg *PAMConfig) (*User, error) { pamLogin, err := pam.Auth(cfg.ServiceName, login, password) if err != nil { if strings.Contains(err.Error(), "Authentication failure") { @@ -739,11 +740,11 @@ func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMCon LoginName: login, // This is what the user typed in IsActive: true, } - return user, CreateUser(user) + return user, CreateUser(ctx, user) } // ExternalUserLogin attempts a login using external source types. -func ExternalUserLogin(user *User, login, password string, source *LoginSource) (*User, error) { +func ExternalUserLogin(ctx context.Context, user *User, login, password string, source *LoginSource) (*User, error) { if !source.IsActived { return nil, ErrLoginSourceNotActived } @@ -751,11 +752,11 @@ func ExternalUserLogin(user *User, login, password string, source *LoginSource) var err error switch source.Type { case LoginLDAP, LoginDLDAP: - user, err = LoginViaLDAP(user, login, password, source) + user, err = LoginViaLDAP(ctx, user, login, password, source) case LoginSMTP: - user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig)) + user, err = LoginViaSMTP(ctx, user, login, password, source.ID, source.Cfg.(*SMTPConfig)) case LoginPAM: - user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig)) + user, err = LoginViaPAM(ctx, user, login, password, source.ID, source.Cfg.(*PAMConfig)) default: return nil, ErrUnsupportedLoginType } @@ -774,7 +775,7 @@ func ExternalUserLogin(user *User, login, password string, source *LoginSource) } // UserSignIn validates user name and password. -func UserSignIn(username, password string) (*User, error) { +func UserSignIn(ctx context.Context, username, password string) (*User, error) { var user *User if strings.Contains(username, "@") { user = &User{Email: strings.ToLower(strings.TrimSpace(username))} @@ -805,11 +806,11 @@ func UserSignIn(username, password string) (*User, error) { if hasUser { switch user.LoginType { case LoginNoType, LoginPlain, LoginOAuth2: - if user.IsPasswordSet() && user.ValidatePassword(password) { + if user.IsPasswordSet() && user.ValidatePassword(ctx, password) { // Update password hash if server password hash algorithm have changed if user.PasswdHashAlgo != setting.PasswordHashAlgo { - if err = user.SetPassword(password); err != nil { + if err = user.SetPassword(ctx, password); err != nil { return nil, err } if err = UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil { @@ -830,19 +831,19 @@ func UserSignIn(username, password string) (*User, error) { default: var source LoginSource - hasSource, err := x.ID(user.LoginSource).Get(&source) + hasSource, err := x.Context(ctx).ID(user.LoginSource).Get(&source) if err != nil { return nil, err } else if !hasSource { return nil, ErrLoginSourceNotExist{user.LoginSource} } - return ExternalUserLogin(user, user.LoginName, password, &source) + return ExternalUserLogin(ctx, user, user.LoginName, password, &source) } } sources := make([]*LoginSource, 0, 5) - if err = x.Where("is_actived = ?", true).Find(&sources); err != nil { + if err = x.Context(ctx).Where("is_actived = ?", true).Find(&sources); err != nil { return nil, err } @@ -851,7 +852,7 @@ func UserSignIn(username, password string) (*User, error) { // don't try to authenticate against OAuth2 and SSPI sources here continue } - authUser, err := ExternalUserLogin(nil, username, password, source) + authUser, err := ExternalUserLogin(ctx, nil, username, password, source) if err == nil { return authUser, nil } diff --git a/models/user.go b/models/user.go index 002c050651f17..53c5c2eaf58ed 100644 --- a/models/user.go +++ b/models/user.go @@ -18,6 +18,7 @@ import ( "path/filepath" "regexp" "strings" + "sync" "time" "unicode/utf8" @@ -376,13 +377,43 @@ func (u *User) NewGitSig() *git.Signature { } } -func hashPassword(passwd, salt, algo string) string { +var lock = sync.Mutex{} +var cond = sync.NewCond(&lock) +var concurrentHashes = 0 + +func hashPassword(ctx context.Context, passwd, salt, algo string) (string, error) { + if setting.MaximumConcurrentHashes > 0 { + cond.L.Lock() + for concurrentHashes > setting.MaximumConcurrentHashes { + select { + case <-ctx.Done(): + cond.L.Unlock() + return "", ctx.Err() + default: + } + cond.Wait() + } + concurrentHashes++ + cond.L.Unlock() + defer func() { + cond.L.Lock() + concurrentHashes-- + cond.Signal() + cond.L.Unlock() + }() + select { + case <-ctx.Done(): + return "", ctx.Err() + default: + } + } + var tempPasswd []byte switch algo { case algoBcrypt: tempPasswd, _ = bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost) - return string(tempPasswd) + return string(tempPasswd), nil case algoScrypt: tempPasswd, _ = scrypt.Key([]byte(passwd), []byte(salt), 65536, 16, 2, 50) case algoArgon2: @@ -393,12 +424,12 @@ func hashPassword(passwd, salt, algo string) string { tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New) } - return fmt.Sprintf("%x", tempPasswd) + return fmt.Sprintf("%x", tempPasswd), nil } // SetPassword hashes a password using the algorithm defined in the config value of PASSWORD_HASH_ALGO // change passwd, salt and passwd_hash_algo fields -func (u *User) SetPassword(passwd string) (err error) { +func (u *User) SetPassword(ctx context.Context, passwd string) (err error) { if len(passwd) == 0 { u.Passwd = "" u.Salt = "" @@ -409,23 +440,49 @@ func (u *User) SetPassword(passwd string) (err error) { if u.Salt, err = GetUserSalt(); err != nil { return err } + hashedPassword, err := hashPassword(ctx, passwd, u.Salt, setting.PasswordHashAlgo) + if err != nil { + return err + } + + u.Passwd = hashedPassword u.PasswdHashAlgo = setting.PasswordHashAlgo - u.Passwd = hashPassword(passwd, u.Salt, setting.PasswordHashAlgo) return nil } // ValidatePassword checks if given password matches the one belongs to the user. -func (u *User) ValidatePassword(passwd string) bool { - tempHash := hashPassword(passwd, u.Salt, u.PasswdHashAlgo) - - if u.PasswdHashAlgo != algoBcrypt && subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(tempHash)) == 1 { - return true +func (u *User) ValidatePassword(ctx context.Context, passwd string) bool { + if u.PasswdHashAlgo != algoBcrypt { + tempHash, err := hashPassword(ctx, passwd, u.Salt, u.PasswdHashAlgo) + if err != nil { + return false + } + return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(tempHash)) == 1 } - if u.PasswdHashAlgo == algoBcrypt && bcrypt.CompareHashAndPassword([]byte(u.Passwd), []byte(passwd)) == nil { - return true + + // Handle maximum concurrent hashes + if setting.MaximumConcurrentHashes > 0 { + cond.L.Lock() + for concurrentHashes > setting.MaximumConcurrentHashes { + cond.Wait() + select { + case <-ctx.Done(): + return false + default: + } + } + concurrentHashes++ + cond.L.Unlock() + defer func() { + cond.L.Lock() + concurrentHashes-- + cond.Signal() + cond.L.Unlock() + }() } - return false + + return bcrypt.CompareHashAndPassword([]byte(u.Passwd), []byte(passwd)) == nil } // IsPasswordSet checks if the password is set or left empty @@ -850,12 +907,12 @@ func IsUsableUsername(name string) error { } // CreateUser creates record of a new user. -func CreateUser(u *User) (err error) { +func CreateUser(ctx context.Context, u *User) (err error) { if err = IsUsableUsername(u.Name); err != nil { return err } - sess := x.NewSession() + sess := x.NewSession().Context(ctx) defer sess.Close() if err = sess.Begin(); err != nil { return err @@ -891,7 +948,7 @@ func CreateUser(u *User) (err error) { if u.Rands, err = GetUserSalt(); err != nil { return err } - if err = u.SetPassword(u.Passwd); err != nil { + if err = u.SetPassword(ctx, u.Passwd); err != nil { return err } u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization && !setting.Admin.DisableRegularOrgCreation @@ -1925,7 +1982,7 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error { IsActive: true, } - err = CreateUser(usr) + err = CreateUser(ctx, usr) if err != nil { log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", s.Name, su.Username, err) diff --git a/models/user_test.go b/models/user_test.go index 39a1b3c989c05..25ca0cdbcbe41 100644 --- a/models/user_test.go +++ b/models/user_test.go @@ -5,6 +5,7 @@ package models import ( + "context" "fmt" "math/rand" "strings" @@ -230,15 +231,15 @@ func TestHashPasswordDeterministic(t *testing.T) { pass := string(b) // save the current password in the user - hash it and store the result - u.SetPassword(pass) + u.SetPassword(context.Background(), pass) r1 := u.Passwd // run again - u.SetPassword(pass) + u.SetPassword(context.Background(), pass) r2 := u.Passwd assert.NotEqual(t, r1, r2) - assert.True(t, u.ValidatePassword(pass)) + assert.True(t, u.ValidatePassword(context.Background(), pass)) } } } @@ -250,7 +251,7 @@ func BenchmarkHashPassword(b *testing.B) { u := &User{Passwd: pass} b.ResetTimer() for i := 0; i < b.N; i++ { - u.SetPassword(pass) + u.SetPassword(context.Background(), pass) } } @@ -317,7 +318,7 @@ func TestCreateUser(t *testing.T) { MustChangePassword: false, } - assert.NoError(t, CreateUser(user)) + assert.NoError(t, CreateUser(context.Background(), user)) assert.NoError(t, DeleteUser(user)) } @@ -332,7 +333,7 @@ func TestCreateUserInvalidEmail(t *testing.T) { MustChangePassword: false, } - err := CreateUser(user) + err := CreateUser(context.Background(), user) assert.Error(t, err) assert.True(t, IsErrEmailInvalid(err)) } @@ -356,7 +357,7 @@ func TestCreateUser_Issue5882(t *testing.T) { for _, v := range tt { setting.Admin.DisableRegularOrgCreation = v.disableOrgCreation - assert.NoError(t, CreateUser(v.user)) + assert.NoError(t, CreateUser(context.Background(), v.user)) u, err := GetUserByEmail(v.user.Email) assert.NoError(t, err) diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 355d1d36d10ca..6a550aa917a7b 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -184,6 +184,7 @@ var ( OnlyAllowPushIfGiteaEnvironmentSet bool PasswordComplexity []string PasswordHashAlgo string + MaximumConcurrentHashes int PasswordCheckPwn bool // UI settings @@ -835,6 +836,7 @@ func NewContext() { DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false) OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true) PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2") + MaximumConcurrentHashes = sec.Key("MAXIMUM_CONCURRENT_HASHES").MustInt(0) CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true) PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false) diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go index 4bbe7f77ba2ea..5ecc06312a4f3 100644 --- a/routers/api/v1/admin/user.go +++ b/routers/api/v1/admin/user.go @@ -97,7 +97,7 @@ func CreateUser(ctx *context.APIContext) { ctx.Error(http.StatusBadRequest, "PasswordPwned", errors.New("PasswordPwned")) return } - if err := models.CreateUser(u); err != nil { + if err := models.CreateUser(ctx, u); err != nil { if models.IsErrUserAlreadyExist(err) || models.IsErrEmailAlreadyUsed(err) || models.IsErrNameReserved(err) || @@ -175,7 +175,7 @@ func EditUser(ctx *context.APIContext) { ctx.Error(http.StatusInternalServerError, "UpdateUser", err) return } - if err = u.SetPassword(form.Password); err != nil { + if err = u.SetPassword(ctx, form.Password); err != nil { ctx.InternalServerError(err) return } diff --git a/routers/install/install.go b/routers/install/install.go index a7040bccad9f7..f4e03f6bea025 100644 --- a/routers/install/install.go +++ b/routers/install/install.go @@ -421,7 +421,7 @@ func SubmitInstall(ctx *context.Context) { IsAdmin: true, IsActive: true, } - if err = models.CreateUser(u); err != nil { + if err = models.CreateUser(ctx, u); err != nil { if !models.IsErrUserAlreadyExist(err) { setting.InstallLock = false ctx.Data["Err_AdminName"] = true diff --git a/routers/web/admin/users.go b/routers/web/admin/users.go index 1b65795865fa7..41952b3ab21f0 100644 --- a/routers/web/admin/users.go +++ b/routers/web/admin/users.go @@ -126,7 +126,7 @@ func NewUserPost(ctx *context.Context) { } u.MustChangePassword = form.MustChangePassword } - if err := models.CreateUser(u); err != nil { + if err := models.CreateUser(ctx, u); err != nil { switch { case models.IsErrUserAlreadyExist(err): ctx.Data["Err_UserName"] = true @@ -271,7 +271,7 @@ func EditUserPost(ctx *context.Context) { ctx.ServerError("UpdateUser", err) return } - if err = u.SetPassword(form.Password); err != nil { + if err = u.SetPassword(ctx, form.Password); err != nil { ctx.ServerError("SetPassword", err) return } diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 827b7cdef0651..32ac5692effa5 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -174,7 +174,7 @@ func SignInPost(ctx *context.Context) { } form := web.GetForm(ctx).(*forms.SignInForm) - u, err := models.UserSignIn(form.UserName, form.Password) + u, err := models.UserSignIn(ctx, form.UserName, form.Password) if err != nil { if models.IsErrUserNotExist(err) { ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form) @@ -901,7 +901,7 @@ func LinkAccountPostSignIn(ctx *context.Context) { return } - u, err := models.UserSignIn(signInForm.UserName, signInForm.Password) + u, err := models.UserSignIn(ctx, signInForm.UserName, signInForm.Password) if err != nil { if models.IsErrUserNotExist(err) { ctx.Data["user_exists"] = true @@ -1231,7 +1231,7 @@ func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form int // createUserInContext creates a user and handles errors within a given context. // Optionally a template can be specified. func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *models.User, gothUser *goth.User, allowLink bool) (ok bool) { - if err := models.CreateUser(u); err != nil { + if err := models.CreateUser(ctx, u); err != nil { if allowLink && (models.IsErrUserAlreadyExist(err) || models.IsErrEmailAlreadyUsed(err)) { if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto { var user *models.User @@ -1403,7 +1403,7 @@ func ActivatePost(ctx *context.Context) { ctx.HTML(http.StatusOK, TplActivate) return } - if !user.ValidatePassword(password) { + if !user.ValidatePassword(ctx, password) { ctx.Data["IsActivateFailed"] = true ctx.HTML(http.StatusOK, TplActivate) return @@ -1669,7 +1669,7 @@ func ResetPasswdPost(ctx *context.Context) { ctx.ServerError("UpdateUser", err) return } - if err = u.SetPassword(passwd); err != nil { + if err = u.SetPassword(ctx, passwd); err != nil { ctx.ServerError("UpdateUser", err) return } @@ -1743,7 +1743,7 @@ func MustChangePasswordPost(ctx *context.Context) { } var err error - if err = u.SetPassword(form.Password); err != nil { + if err = u.SetPassword(ctx, form.Password); err != nil { ctx.ServerError("UpdateUser", err) return } diff --git a/routers/web/user/auth_openid.go b/routers/web/user/auth_openid.go index 1a73a08c4862d..6f1d78038235a 100644 --- a/routers/web/user/auth_openid.go +++ b/routers/web/user/auth_openid.go @@ -290,7 +290,7 @@ func ConnectOpenIDPost(ctx *context.Context) { ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp ctx.Data["OpenID"] = oid - u, err := models.UserSignIn(form.UserName, form.Password) + u, err := models.UserSignIn(ctx, form.UserName, form.Password) if err != nil { if models.IsErrUserNotExist(err) { ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form) diff --git a/routers/web/user/setting/account.go b/routers/web/user/setting/account.go index 48ab37d9369e6..683ab26ebf970 100644 --- a/routers/web/user/setting/account.go +++ b/routers/web/user/setting/account.go @@ -52,7 +52,7 @@ func AccountPost(ctx *context.Context) { if len(form.Password) < setting.MinPasswordLength { ctx.Flash.Error(ctx.Tr("auth.password_too_short", setting.MinPasswordLength)) - } else if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(form.OldPassword) { + } else if ctx.User.IsPasswordSet() && !ctx.User.ValidatePassword(ctx, form.OldPassword) { ctx.Flash.Error(ctx.Tr("settings.password_incorrect")) } else if form.Password != form.Retype { ctx.Flash.Error(ctx.Tr("form.password_not_match")) @@ -67,7 +67,7 @@ func AccountPost(ctx *context.Context) { ctx.Flash.Error(errMsg) } else { var err error - if err = ctx.User.SetPassword(form.Password); err != nil { + if err = ctx.User.SetPassword(ctx, form.Password); err != nil { ctx.ServerError("UpdateUser", err) return } @@ -227,7 +227,7 @@ func DeleteAccount(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings") ctx.Data["PageIsSettingsAccount"] = true - if _, err := models.UserSignIn(ctx.User.Name, ctx.Query("password")); err != nil { + if _, err := models.UserSignIn(ctx, ctx.User.Name, ctx.Query("password")); err != nil { if models.IsErrUserNotExist(err) { loadAccountData(ctx) diff --git a/services/auth/basic.go b/services/auth/basic.go index 0bce4f1d067a2..8b91e07d559d9 100644 --- a/services/auth/basic.go +++ b/services/auth/basic.go @@ -116,7 +116,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore } log.Trace("Basic Authorization: Attempting SignIn for %s", uname) - u, err := models.UserSignIn(uname, passwd) + u, err := models.UserSignIn(req.Context(), uname, passwd) if err != nil { if !models.IsErrUserNotExist(err) { log.Error("UserSignIn: %v", err) diff --git a/services/auth/reverseproxy.go b/services/auth/reverseproxy.go index f958d28c9a664..d424eea15bbe8 100644 --- a/services/auth/reverseproxy.go +++ b/services/auth/reverseproxy.go @@ -115,7 +115,7 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User { Email: email, IsActive: true, } - if err := models.CreateUser(user); err != nil { + if err := models.CreateUser(req.Context(), user); err != nil { // FIXME: should I create a system notice? log.Error("CreateUser: %v", err) return nil diff --git a/services/auth/sspi_windows.go b/services/auth/sspi_windows.go index d1289a76174b2..0d13450bfc024 100644 --- a/services/auth/sspi_windows.go +++ b/services/auth/sspi_windows.go @@ -5,6 +5,7 @@ package auth import ( + "context" "errors" "net/http" "strings" @@ -129,7 +130,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore, log.Error("User '%s' not found", username) return nil } - user, err = s.newUser(username, cfg) + user, err = s.newUser(req.Context(), username, cfg) if err != nil { log.Error("CreateUser: %v", err) return nil @@ -177,7 +178,7 @@ func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) { // newUser creates a new user object for the purpose of automatic registration // and populates its name and email with the information present in request headers. -func (s *SSPI) newUser(username string, cfg *models.SSPIConfig) (*models.User, error) { +func (s *SSPI) newUser(ctx context.Context, username string, cfg *models.SSPIConfig) (*models.User, error) { email := gouuid.New().String() + "@localhost.localdomain" user := &models.User{ Name: username, @@ -190,7 +191,7 @@ func (s *SSPI) newUser(username string, cfg *models.SSPIConfig) (*models.User, e Avatar: models.DefaultAvatarLink(), EmailNotificationsPreference: models.EmailNotificationsDisabled, } - if err := models.CreateUser(user); err != nil { + if err := models.CreateUser(ctx, user); err != nil { return nil, err } return user, nil