
Commit b4111d7

committed
fix(security): fixed login issue that was a potential for social engineering, fixes grafana#6014
1 parent 4a16931 commit b4111d7

2 files changed

+11
-6
lines changed


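--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -3,7 +3,6 @@ package api
 import (
 "errors"
 "fmt"
-"net/url"
 
 "golang.org/x/oauth2"
 
@@ -46,9 +45,9 @@ func OAuthLogin(ctx *middleware.Context) {
 userInfo, err := connect.UserInfo(token)
 if err != nil {
 if err == social.ErrMissingTeamMembership {
-ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github team membership not fulfilled"))
+ctx.Redirect(setting.AppSubUrl + "/login?failCode=1000")
 } else if err == social.ErrMissingOrganizationMembership {
-ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github organization membership not fulfilled"))
+ctx.Redirect(setting.AppSubUrl + "/login?failCode=1001")
 } else {
 ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err)
 }
@@ -60,7 +59,7 @@ func OAuthLogin(ctx *middleware.Context) {
 // validate that the email is allowed to login to grafana
 if !connect.IsEmailAllowed(userInfo.Email) {
 ctx.Logger.Info("OAuth login attempt with unallowed email", "email", userInfo.Email)
-ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required email domain not fulfilled"))
+ctx.Redirect(setting.AppSubUrl + "/login?failCode=1002")
 return
 }
 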
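Review bot: The redirect targets in the second and third hunks embed the literal codes `1000`, `1001` and `1002` that have to stay in sync with the client-side `failCodes` table in public/app/core/controllers/login_ctrl.js, yet nothing on the server names them or records why the message text no longer travels in the URL. I would lift them into a documented const block and build the redirect from the constant, so the next person adding a failure branch sees the contract; a comment above the first redirect along the lines of `// Send a failure code, not text: the login page maps it to a fixed message, so a crafted link cannot put arbitrary wording on the login page.` captures the reason for the change. The body of OAuthLogin begins and ends outside the hunks, so I cannot see whether the membership branches fall through to a `return` after the if/else chain as the email branch does; worth confirming. The `net/url` import removal looks right for the lines shown, assuming no other use remains in the file.
```go
// Login failure codes sent to the login page, which maps them to fixed text
// (see failCodes in public/app/core/controllers/login_ctrl.js). Keep both in sync.
const (
	loginFailCodeTeamMembership = "1000"
	loginFailCodeOrgMembership  = "1001"
	loginFailCodeEmailDomain    = "1002"
)

// … unchanged: OAuthLogin up to the UserInfo error handling …
		if err == social.ErrMissingTeamMembership {
			// Send a failure code, not text: the login page maps it to a fixed
			// message, so a crafted link cannot put arbitrary wording on the login page.
			ctx.Redirect(setting.AppSubUrl + "/login?failCode=" + loginFailCodeTeamMembership)
// … unchanged: remaining branches use loginFailCodeOrgMembership / loginFailCodeEmailDomain …
```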
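--- a/public/app/core/controllers/login_ctrl.js
+++ b/public/app/core/controllers/login_ctrl.js
@@ -6,6 +6,12 @@ define([
 function (angular, coreModule, config) {
 'use strict';
 
+var failCodes = {
+"1000": "Required Github team membership not fulfilled",
+"1001": "Required Github organization membership not fulfilled",
+"1002": "Required email domain not fulfilled",
+};
+
 coreModule.default.controller('LoginCtrl', function($scope, backendSrv, contextSrv, $location) {
 $scope.formModel = {
 user: '',
@@ -31,8 +37,8 @@ function (angular, coreModule, config) {
 $scope.$watch("loginMode", $scope.loginModeChanged);
 
 var params = $location.search();
-if (params.failedMsg) {
-$scope.appEvent('alert-warning', ['Login Failed', params.failedMsg]);
+if (params.failCode) {
+$scope.appEvent('alert-warning', ['Login Failed', failCodes[params.failCode]]);
 delete params.failedMsg;
 $location.search(params);
 }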
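Review bot: `delete params.failedMsg;` in the second hunk still removes the old parameter name, so `failCode` is never stripped from the URL after the alert fires and the warning is shown again on every reload of the login page; it should read `delete params.failCode;`. In the same hunk `failCodes[params.failCode]` yields `undefined` for any code not in the table and resolves inherited Object.prototype properties for non-numeric values, so the alert text should only come from the table's own keys with a fixed fallback, e.g. `var failMsg = Object.prototype.hasOwnProperty.call(failCodes, params.failCode) ? failCodes[params.failCode] : 'Login failed';` followed by `$scope.appEvent('alert-warning', ['Login Failed', failMsg]);`. A short comment above `var failCodes` saying that the server sends only a code and this table holds the only text the page will display would make the intent of the change visible to future editors. The controller function continues outside the hunk.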
