-
-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failed authentication are now properly logged #2334
Conversation
24bcd80
to
1d6f917
Compare
53a657d
to
6852aab
Compare
LGTM |
It seems CI status is disappeared? |
@lunny yes it was there until recent force push when he fixed my suggested in discord changes :) Don't know how Drone status got lost |
integrations/signin_test.go
Outdated
{username: "user1@example.com", password: "wrongPassword", errorMessage: i18n.Tr("en", "form.username_password_incorrect")}, | ||
} | ||
|
||
prepareTestEnv(t) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be in the testLoginFailed function because each call represents a seperate test case!?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if test-case would change data that need to be reset than yes, otherwise it will only make tests run slower.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure returning a 401 on failed login is the correct thing to do; see https://stackoverflow.com/questions/8273757/should-a-failed-login-attempt-result-in-a-http-401-response
I've investigated several public-facing sites (Google, Amazon, Instagram, Github, Gitlab), and none of them returned 401 on failed login.
models/fixtures/user.yml
Outdated
@@ -218,3 +218,33 @@ | |||
avatar_email: user13@example.com | |||
num_repos: 3 | |||
is_active: true | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason we can't just use existing user fixtures? user16 isn't used anywhere, and it seems we could use any existing user in place of user15 in TestSignin
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't want to intervene in other test cases because of duplicate email address.
But if that's not the case of course I can remove user16.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I missed that user15 and user16 had the same email addresses; sorry about that.
Instead of introducing two new fixtures for testing the duplicate email case, could we instead do something like:
func TestDuplicateEmailFailedLogin(t *testing.T) {
prepareTestEnv(t)
user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
// add new user with user2's email
user.Name = "testuser"
user.LowerName = strings.ToLower(user.Name)
user.ID = 0 // will be auto-populated on insert
models.AssertSuccessfulInsert(t, user)
// TODO try to login with user.Email, should fail with duplicate email
}
It's not really scalable for us to add new test fixtures for every corner case we need to test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If others feel the same way I will change that ;-)
modules/context/context.go
Outdated
ctx.Data["Flash"] = ctx.Flash | ||
ctx.HTML(200, tpl) | ||
ctx.Flash.Error(msg, true) | ||
ctx.HTML(status, tpl) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why did you remove the ctx.Data["Flash"] = ctx.Flash
line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ethantkoenig ctx.Flash.Error(...)
sets ctx.Data["Flash"]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lafriks @ethantkoenig Only if second parameter is true
The main reason for 401 status code was to enable easier fail2ban configuration. |
I'm now thinking that entry to gitea log would be better than changing response status code |
@lafriks @ethantkoenig Then it's settled. I will change PR. |
@lafriks @ethantkoenig Which log level would you say is appropriate? Or is there a way to log independent from the set log level? |
@daviian I would say "Info", because I think it makes sense to reserve "Warning" and "Error" for actionable entries |
@ethantkoenig but than fail2ban can be only used by enabling only at least info log level that is not best option. And in case of fail2ban usage failed authorization is actionable entry |
@ethantkoenig @lafriks I was also struggling with this, but I think users who want to use fail2ban have to set the necessary log level either way. And I agree that |
Signed-off-by: David Schneiderbauer <dschneiderbauer@gmail.com>
95c7640
to
fc83835
Compare
Why did you remove integration tests? These were useful anyway |
I thought that they are not part of the PR if it is only logging. But I can add them again. |
You could at least submit them in other PR then, we need tests :) |
And regarding the log level. I am open for discussion ;-) It's not cast in stone yet ;-) |
@ethantkoenig need your approval |
Changed the title to reflect the change 🙂 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Let's try again LGTM |
Targets #2301
Failed authentication now returns 401 status code.
Done by introducing a new RenderFormWithErr function in context to allow passing of a statuscode
Tested in following browsers: