diff --git a/server/src/domain/error.rs b/server/src/domain/error.rs
index 24d1aa5..b71533e 100644
--- a/server/src/domain/error.rs
+++ b/server/src/domain/error.rs
@@ -3,7 +3,7 @@ use thiserror::Error;
 #[allow(clippy::enum_variant_names)]
 #[derive(Error, Debug)]
 pub enum DomainError {
- #[error("Authentication error: `{0}`")]
+ #[error("Authentication error {0}")]
 AuthenticationError(String),
 #[error("Database error: `{0}`")]
 DatabaseError(#[from] sea_orm::DbErr),
diff --git a/server/src/domain/sql_opaque_handler.rs b/server/src/domain/sql_opaque_handler.rs
index b296615..8949495 100644
--- a/server/src/domain/sql_opaque_handler.rs
+++ b/server/src/domain/sql_opaque_handler.rs
@@ -9,6 +9,7 @@ use super::{
 use async_trait::async_trait;
 use base64::Engine;
 use lldap_auth::opaque;
+use log::info;
 use sea_orm::{ActiveModelTrait, ActiveValue, EntityTrait, QuerySelect};
 use secstr::SecUtf8;
 use tracing::{debug, instrument};
@@ -70,14 +71,15 @@ impl LoginHandler for SqlBackendHandler {
 .get_password_file_for_user(request.name.clone())
 .await?
 {
- if let Err(e) = passwords_match(
+ info!(r#"Login attempt for "{}""#, &request.name);
+ if passwords_match(
 &password_hash,
 &request.password,
 self.config.get_server_setup(),
 &request.name,
- ) {
- debug!(r#"Invalid password for "{}": {}"#, &request.name, e);
- } else {
+ )
+ .is_ok()
+ {
 return Ok(());
 }
 } else {
@@ -87,7 +89,7 @@ impl LoginHandler for SqlBackendHandler {
 );
 }
 Err(DomainError::AuthenticationError(format!(
- " for user '{}'",
+ r#"for user "{}""#,
 request.name
 )))
 }
diff --git a/server/src/infra/auth_service.rs b/server/src/infra/auth_service.rs
index 8bf6473..762c985 100644
--- a/server/src/infra/auth_service.rs
+++ b/server/src/infra/auth_service.rs
@@ -345,6 +345,7 @@ async fn opaque_login_start(
 where
 Backend: OpaqueHandler + 'static,
 {
+ info!(r#"OPAQUE login attempt for "{}""#, &request.username);
 data.get_opaque_handler()
 .login_start(request.into_inner())
 .await
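Review bot: With the colon and backticks gone from the `AuthenticationError` format, the payload is concatenated straight after `Authentication error`, so the message reads well only when every constructor supplies its own connective, as the `sql_opaque_handler.rs` hunk below does with `for user "..."`; any other `AuthenticationError(String)` site in the crate (none is visible here) would now print with no separator at all, and the variant no longer follows the `: `{0}`` shape its sibling `DatabaseError` keeps. That convention is easy to lose when the next message is added; a comment on the variant would pin it, e.g. `// Payload is appended verbatim after "Authentication error"; callers supply the connective, e.g. for user "name".`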
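Review bot: The failure branch of the `passwords_match` call now discards the error: the old `debug!(r#"Invalid password for "{}": {}"#, …, e)` is gone and `.is_ok()` throws `e` away, so a rejected login leaves no log line in this function beyond the unconditional `Login attempt` at info level, and the mismatch reason is lost for troubleshooting. Matching on the result keeps the new success path and the old diagnostic, as sketched below. The user name is interpolated into the log message unescaped, here and in the `opaque_login_start` hunk of `auth_service.rs`; formatting it with `{:?}` instead of hand-placed quotes keeps control characters in a user-supplied name from breaking the log line. This file now also pulls `info` from `log` while `debug` and `instrument` come from `tracing`; `tracing::info` would keep a single facade. The enclosing method of the `LoginHandler` impl starts and ends outside the hunk.
```rust
            info!(r#"Login attempt for "{}""#, &request.name);
            match passwords_match(
                // … unchanged: &password_hash, &request.password, server setup, &request.name …
            ) {
                Ok(_) => return Ok(()),
                Err(e) => debug!(r#"Invalid password for "{}": {}"#, &request.name, e),
            }
```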
@@ -401,11 +402,20 @@ async fn opaque_login_finish(
 where
 Backend: TcpBackendHandler + BackendHandler + OpaqueHandler + 'static,
 {
- let name = data
+ match data
 .get_opaque_handler()
 .login_finish(request.into_inner())
- .await?;
- get_login_successful_response(&data, &name).await
+ .await
+ {
+ Ok(name) => {
+ info!(r#"OPAQUE login successful"#);
+ get_login_successful_response(&data, &name).await
+ }
+ Err(e) => {
+ warn!(r#"OPAQUE login attempt failed"#);
+ Err(e.into())
+ }
+ }
 }
 async fn opaque_login_finish_handler(
@@ -449,31 +459,6 @@ where
 .unwrap_or_else(error_to_http_response)
 }
-#[instrument(skip_all, level = "debug", fields(name = %request.name))]
-async fn post_authorize(
- data: web::Data>,
- request: web::Json,
-) -> TcpResult
-where
- Backend: TcpBackendHandler + BackendHandler + LoginHandler + 'static,
-{
- let name = request.name.clone();
- data.get_login_handler().bind(request.into_inner()).await?;
- get_login_successful_response(&data, &name).await
-}
-
-async fn post_authorize_handler(
- data: web::Data>,
- request: web::Json,
-) -> HttpResponse
-where
- Backend: TcpBackendHandler + BackendHandler + LoginHandler + 'static,
-{
- post_authorize(data, request)
- .await
- .unwrap_or_else(error_to_http_response)
-}
-
 #[instrument(skip_all, level = "debug")]
 async fn opaque_register_start(
 request: actix_web::HttpRequest,
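Review bot: The new `Err(e)` arm logs `OPAQUE login attempt failed` with neither the error nor any identifier, so the warning cannot be tied to the preceding `OPAQUE login attempt for ...` line and does not say what failed; if the error type prints (it is converted with `.into()`, so it is presumably the domain error, which derives `Display` through `thiserror` in the first hunk), `warn!("OPAQUE login attempt failed: {}", e);` keeps the reason. Likewise the `Ok(name)` arm has the user name in hand but logs only `OPAQUE login successful`; `info!("OPAQUE login successful for {:?}", name);` gives the audit trail a subject. The `r#"…"#` raw strings on those two lines contain no quotes and can be plain string literals.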
@@ -648,32 +633,28 @@ pub fn configure_server(cfg: &mut web::ServiceConfig, enable_password_r
 where
 Backend: TcpBackendHandler + LoginHandler + OpaqueHandler + BackendHandler + 'static,
 {
- cfg.service(web::resource("").route(web::post().to(post_authorize_handler::)))
- .service(
- web::resource("/opaque/login/start")
- .route(web::post().to(opaque_login_start::)),
- )
- .service(
- web::resource("/opaque/login/finish")
- .route(web::post().to(opaque_login_finish_handler::)),
- )
- .service(
- web::resource("/simple/login").route(web::post().to(simple_login_handler::)),
- )
- .service(web::resource("/refresh").route(web::get().to(get_refresh_handler::)))
- .service(web::resource("/logout").route(web::get().to(get_logout_handler::)))
- .service(
- web::scope("/opaque/register")
- .wrap(CookieToHeaderTranslatorFactory)
- .service(
- web::resource("/start")
- .route(web::post().to(opaque_register_start_handler::)),
- )
- .service(
- web::resource("/finish")
- .route(web::post().to(opaque_register_finish_handler::)),
- ),
- );
+ cfg.service(
+ web::resource("/opaque/login/start").route(web::post().to(opaque_login_start::)),
+ )
+ .service(
+ web::resource("/opaque/login/finish")
+ .route(web::post().to(opaque_login_finish_handler::)),
+ )
+ .service(web::resource("/simple/login").route(web::post().to(simple_login_handler::)))
+ .service(web::resource("/refresh").route(web::get().to(get_refresh_handler::)))
+ .service(web::resource("/logout").route(web::get().to(get_logout_handler::)))
+ .service(
+ web::scope("/opaque/register")
+ .wrap(CookieToHeaderTranslatorFactory)
+ .service(
+ web::resource("/start")
+ .route(web::post().to(opaque_register_start_handler::)),
+ )
+ .service(
+ web::resource("/finish")
+ .route(web::post().to(opaque_register_finish_handler::)),
+ ),
+ );
 if enable_password_reset {
 cfg.service(
 web::resource("/reset/step1/{user_id}")
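Review bot: The `where` clause above the rebuilt chain still requires `Backend: LoginHandler`, yet the only route that used it, the bare `""` resource bound to `post_authorize_handler`, is removed in this hunk; unless `simple_login_handler` (not shown) needs that trait, the bound is now dead and can be dropped from `configure_server` and from the bounds of whatever calls it. Requests to the bare resource are no longer routed at all, which is a visible API removal for any client still posting there and deserves a line in the changelog. The rest of `configure_server` continues outside the hunk.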