Failed authentication are now properly logged #2334
Conversation
daviian
force-pushed
the
auth-failed-statuscode
branch
from
24bcd80
to
1d6f917
Compare
daviian
force-pushed
the
auth-failed-statuscode
branch
4 times, most recently
from
53a657d
to
6852aab
Compare
|
LGTM |
tboerger
added
the
lgtm/need 1
|
It seems CI status is disappeared? |
|
@lunny yes it was there until recent force push when he fixed my suggested in discord changes :) Don't know how Drone status got lost |
integrations/signin_test.go
Outdated
| {username: "user1@example.com", password: "wrongPassword", errorMessage: i18n.Tr("en", "form.username_password_incorrect")}, | ||
| } | ||
|
|
||
| prepareTestEnv(t) |
There was a problem hiding this comment.
Shouldn't this be in the testLoginFailed function because each call represents a seperate test case!?
There was a problem hiding this comment.
if test-case would change data that need to be reset than yes, otherwise it will only make tests run slower.
There was a problem hiding this comment.
I'm not sure returning a 401 on failed login is the correct thing to do; see https://stackoverflow.com/questions/8273757/should-a-failed-login-attempt-result-in-a-http-401-response
I've investigated several public-facing sites (Google, Amazon, Instagram, Github, Gitlab), and none of them returned 401 on failed login.
models/fixtures/user.yml
Outdated
| @@ -218,3 +218,33 @@ | |||
| avatar_email: user13@example.com | |||
| num_repos: 3 | |||
| is_active: true | |||
|
|
|||
There was a problem hiding this comment.
Is there a reason we can't just use existing user fixtures? user16 isn't used anywhere, and it seems we could use any existing user in place of user15 in TestSignin.
There was a problem hiding this comment.
Didn't want to intervene in other test cases because of duplicate email address.
But if that's not the case of course I can remove user16.
There was a problem hiding this comment.
Oh, I missed that user15 and user16 had the same email addresses; sorry about that.
Instead of introducing two new fixtures for testing the duplicate email case, could we instead do something like:
func TestDuplicateEmailFailedLogin(t *testing.T) {
prepareTestEnv(t)
user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
// add new user with user2's email
user.Name = "testuser"
user.LowerName = strings.ToLower(user.Name)
user.ID = 0 // will be auto-populated on insert
models.AssertSuccessfulInsert(t, user)
// TODO try to login with user.Email, should fail with duplicate email
}
It's not really scalable for us to add new test fixtures for every corner case we need to test.
There was a problem hiding this comment.
If others feel the same way I will change that ;-)
modules/context/context.go
Outdated
| ctx.Data["Flash"] = ctx.Flash | ||
| ctx.HTML(200, tpl) | ||
| ctx.Flash.Error(msg, true) | ||
| ctx.HTML(status, tpl) |
There was a problem hiding this comment.
Why did you remove the ctx.Data["Flash"] = ctx.Flash line?
There was a problem hiding this comment.
@ethantkoenig ctx.Flash.Error(...) sets ctx.Data["Flash"]
There was a problem hiding this comment.
@lafriks @ethantkoenig Only if second parameter is true
|
The main reason for 401 status code was to enable easier fail2ban configuration. |
|
I'm now thinking that entry to gitea log would be better than changing response status code |
|
@lafriks @ethantkoenig Then it's settled. I will change PR. |
|
@lafriks @ethantkoenig Which log level would you say is appropriate? Or is there a way to log independent from the set log level? |
|
@daviian I would say "Info", because I think it makes sense to reserve "Warning" and "Error" for actionable entries |
|
@ethantkoenig but than fail2ban can be only used by enabling only at least info log level that is not best option. And in case of fail2ban usage failed authorization is actionable entry |
|
@ethantkoenig @lafriks I was also struggling with this, but I think users who want to use fail2ban have to set the necessary log level either way. And I agree that |
Signed-off-by: David Schneiderbauer <dschneiderbauer@gmail.com>
daviian
force-pushed
the
auth-failed-statuscode
branch
from
95c7640
to
fc83835
Compare
|
Why did you remove integration tests? These were useful anyway |
|
I thought that they are not part of the PR if it is only logging. But I can add them again. |
|
You could at least submit them in other PR then, we need tests :) |
|
And regarding the log level. I am open for discussion ;-) It's not cast in stone yet ;-) |
|
@ethantkoenig need your approval |
bkcsoft
changed the title
|
Changed the title to reflect the change 🙂 |
|
Let's try again LGTM |
tboerger
added
lgtm/done
Targets #2301
Failed authentication now returns 401 status code.
Done by introducing a new RenderFormWithErr function in context to allow passing of a statuscode
Tested in following browsers: