b

polterguy · Jan 1, 2024 · 90acfe6 · 90acfe6
1 parent be31fc0
commit 90acfe6
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 9 deletions.
diff --git a/backend/files/system/auth/magic.startup/magic.auth.authenticate.hl b/backend/files/system/auth/magic.startup/magic.auth.authenticate.hl
@@ -1,5 +1,12 @@
 
-// Authenticates the user with the specified [username] and [password] combination.
+/*
+ * Authenticates the user with the specified [username] and [password] combination.
+ * 
+ * Notice, if [check-password] is false, we don't check the user's password, and
+ * if [reset-password] is true, we generate a JWT token that can only be used to
+ * change the user's password. The latter allows us to generated "change password links"
+ * in the frontend, and similar type of logic.
+ */
 slots.create:magic.auth.authenticate
 
    /*
@@ -92,7 +99,7 @@ slots.create:magic.auth.authenticate
                         password
                      where
                         and
-                           username:x:@data.read/@data.read/*/*/user
+                           username.eq:x:@data.read/@data.read/*/*/user
 
                   // Checking if user with specified [username] exists.
                   if
@@ -121,6 +128,11 @@ slots.create:magic.auth.authenticate
 
       else
 
+         // No such user.
+         throw:Access denied
+            status:int:401
+            public:bool:true
+
          // Storing password and username for later.
          set-value:x:@.username
             get-value:x:@data.read/*/*/username
@@ -157,17 +169,23 @@ slots.create:magic.auth.authenticate
             set-value:x:+/+/*/*
                get-value:x:@strings.split/1
             unwrap:x:+/*/*/*
-            insert-after:x:@if/./**/crypto.password.verify
+            insert-after:x:../**/crypto.password.verify
                .
                   foo
                      username:x:@.username
                      password:x:@.arguments/*/password
-            remove-nodes:x:@if/./**/crypto.password.verify
+            remove-nodes:x:../**/crypto.password.verify
 
-      // Verify we have a password match.
+      /*
+       * Verify we have a password match, unless [check-password] was false,
+       * which might occur for instance if a JWT token is generated on behalf of another user.
+       */
       if
-         crypto.password.verify:x:@.arguments/*/password
-            hash:x:@.password
+         or
+            eq:x:@.arguments/*/check-password
+               .:bool:false
+            crypto.password.verify:x:@.arguments/*/password
+               hash:x:@.password
          .lambda
 
             // Now we need to select all roles user belongs to.
@@ -223,4 +241,4 @@ slots.create:magic.auth.authenticate
          // Hash version of password didn't match.
          throw:Access denied
             status:int:401
-            public:bool:true
+            public:bool:true
diff --git a/backend/files/system/config/setup.post.hl b/backend/files/system/config/setup.post.hl
@@ -133,7 +133,7 @@ try
       // Authenticating user and returning new JWT token to client.
       execute:magic.auth.authenticate
          username:x:@.arguments/*/username
-         password:x:@.arguments/*/password
+         check-password:bool:false
 
       // Returns the authentication JWT ticket created above to caller.
       return-nodes:x:@execute/*