JWT-only authentication for some users (#3012)

author: Alexey Shchepin <alexey@process-one.net> 2019-09-18 18:45:51 +0300
committer: Alexey Shchepin <alexey@process-one.net> 2019-09-18 18:46:24 +0300
commit: 0fe1e40a9d6edb6f70d76f60b8f3dc95ae6a34eb (patch)
tree: f576cb4f0cc88b5edfaee69565d28d92c9802db3 /src/ejabberd_auth.erl
parent: mod_jidprep: Don't call gen_mod functions directly (diff)
1 files changed, 25 insertions, 13 deletions
diff --git a/src/ejabberd_auth.erl b/src/ejabberd_auth.erl
index 2f498350..9a7479e4 100644
--- a/src/ejabberd_auth.erl
+++ b/src/ejabberd_auth.erl
@@ -76,7 +76,7 @@
     {ets_cache:tag(), {ok, password()} | {error, db_failure | not_allowed}}.
 -callback remove_user(binary(), binary()) -> ok | {error, db_failure | not_allowed}.
 -callback user_exists(binary(), binary()) -> {ets_cache:tag(), boolean() | {error, db_failure}}.
--callback check_password(binary(), binary(), binary(), binary()) -> {ets_cache:tag(), boolean()}.
+-callback check_password(binary(), binary(), binary(), binary()) -> {ets_cache:tag(), boolean() | {stop, boolean()}}.
 -callback try_register(binary(), binary(), password()) ->
     {ets_cache:tag(), {ok, password()} | {error, exists | db_failure | not_allowed}}.
 -callback get_users(binary(), opts()) -> [{binary(), binary()}].
@@ -237,17 +237,20 @@ check_password_with_authmodule(User, AuthzId, Server, Password, Digest, DigestGe
 		error ->
 		    false;
 		LAuthzId ->
-		    lists:foldl(
-		      fun(Mod, false) ->
-			      case db_check_password(
-				     LUser, LAuthzId, LServer, Password,
-				     Digest, DigestGen, Mod) of
-				  true -> {true, Mod};
-				  false -> false
-			      end;
-			 (_, Acc) ->
-			      Acc
-		      end, false, auth_modules(LServer))
+                    untag_stop(
+                      lists:foldl(
+                        fun(Mod, false) ->
+                                case db_check_password(
+                                       LUser, LAuthzId, LServer, Password,
+                                       Digest, DigestGen, Mod) of
+                                    true -> {true, Mod};
+                                    false -> false;
+                                    {stop, true} -> {stop, {true, Mod}};
+                                    {stop, false} -> {stop, false}
+                                end;
+                           (_, Acc) ->
+                                Acc
+                        end, false, auth_modules(LServer)))
 	    end;
 	_ ->
 	    false
@@ -484,7 +487,11 @@ remove_user(User, Server, Password) ->
 				  <<"">>, undefined, Mod) of
 			       true ->
 				   db_remove_user(LUser, LServer, Mod);
+			       {stop, true} ->
+				   db_remove_user(LUser, LServer, Mod);
 			       false ->
+				   {error, not_allowed};
+			       {stop, false} ->
 				   {error, not_allowed}
 			   end
 		   end, {error, not_allowed}, auth_modules(Server)) of
@@ -654,7 +661,9 @@ db_check_password(User, AuthzId, Server, ProvidedPassword,
 				   case Mod:check_password(
 					  User, AuthzId, Server, ProvidedPassword) of
 				       {CacheTag, true} -> {CacheTag, {ok, ProvidedPassword}};
-				       {CacheTag, false} -> {CacheTag, error}
+				       {CacheTag, {stop, true}} -> {CacheTag, {ok, ProvidedPassword}};
+				       {CacheTag, false} -> {CacheTag, error};
+				       {CacheTag, {stop, false}} -> {CacheTag, error}
 				   end
 			   end) of
 			{ok, _} ->
@@ -891,6 +900,9 @@ validate_credentials(User, Server, Password) ->
 	    end
     end.
 
+untag_stop({stop, Val}) -> Val;
+untag_stop(Val) -> Val.
+
 import_info() ->
     [{<<"users">>, 3}].
author	Alexey Shchepin <alexey@process-one.net>	2019-09-18 18:45:51 +0300
committer	Alexey Shchepin <alexey@process-one.net>	2019-09-18 18:46:24 +0300
commit	0fe1e40a9d6edb6f70d76f60b8f3dc95ae6a34eb (patch)
tree	f576cb4f0cc88b5edfaee69565d28d92c9802db3 /src/ejabberd_auth.erl
parent	mod_jidprep: Don't call gen_mod functions directly (diff)