
Commit 4ea859c

committed
Fix audit log on login failure
1 parent bc506c1 commit 4ea859c


1 file changed

+9
-8
lines changed


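--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -175,11 +175,12 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 }
 
 user, roles, ok := api.loginRequest(ctx, rw, loginWithPassword)
+// 'user.ID' will be empty, or will be an actual value.
+aReq.UserID = user.ID
 if !ok {
 // user failed to login
 return
 }
-aReq.UserID = user.ID
 
 userSubj := rbac.Subject{
 ID: user.ID.String(),
@@ -224,7 +225,7 @@ func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req co
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Internal error.",
 })
-return database.User{}, database.GetAuthorizationUserRolesRow{}, false
+return user, database.GetAuthorizationUserRolesRow{}, false
 }
 
 // If the user doesn't exist, it will be a default struct.
@@ -233,7 +234,7 @@ func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req co
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Internal error.",
 })
-return database.User{}, database.GetAuthorizationUserRolesRow{}, false
+return user, database.GetAuthorizationUserRolesRow{}, false
 }
 
 if !equal {
@@ -242,7 +243,7 @@ func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req co
 httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
 Message: "Incorrect email or password.",
 })
-return database.User{}, database.GetAuthorizationUserRolesRow{}, false
+return user, database.GetAuthorizationUserRolesRow{}, false
 }
 
 // If password authentication is disabled and the user does not have the
@@ -251,14 +252,14 @@ func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req co
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 Message: "Password authentication is disabled.",
 })
-return database.User{}, database.GetAuthorizationUserRolesRow{}, false
+return user, database.GetAuthorizationUserRolesRow{}, false
 }
 
 if user.LoginType != database.LoginTypePassword {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 Message: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q", database.LoginTypePassword, user.LoginType),
 })
-return database.User{}, database.GetAuthorizationUserRolesRow{}, false
+return user, database.GetAuthorizationUserRolesRow{}, false
 }
 
 //nolint:gocritic // System needs to fetch user roles in order to login user.
@@ -267,15 +268,15 @@ func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req co
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Internal error.",
 })
-return database.User{}, database.GetAuthorizationUserRolesRow{}, false
+return user, database.GetAuthorizationUserRolesRow{}, false
 }
 
 // If the user logged into a suspended account, reject the login request.
 if roles.Status != database.UserStatusActive {
 httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
 Message: "Your account is suspended. Contact an admin to reactivate your account.",
 })
-return database.User{}, database.GetAuthorizationUserRolesRow{}, false
+return user, database.GetAuthorizationUserRolesRow{}, false
 }
 
 return user, roles, true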
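Review bot: Now that every failure path in loginRequest returns the populated `user`, the `ok` result is the only signal that authentication succeeded; the zero `database.User{}` previously doubled as a failure marker, so any caller that tests `user.ID` rather than `ok` would treat a wrong-password, wrong-login-type or suspended-account attempt as a login. loginRequest's doc comment sits outside the hunks, but it should state the new contract, e.g. `// On failure the returned user is the matching account, or the zero User when none matched, so the caller can attribute the audit entry; only ok indicates a successful login.` The comment added in the first hunk, `'user.ID' will be empty, or will be an actual value.`, would say why more clearly as `// Set the audit user ID before the ok check so failed attempts are attributable; it is the zero ID when no account matched.` The returned struct presumably also carries the hashed password that the `equal` check compared against, which is harmless while postLogin copies only `user.ID` into `aReq`, but it must not be serialised if the audit record ever captures the whole user. Both postLogin and loginRequest begin outside the hunks shown.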
