mirror of
https://github.com/mattermost/mattermost.git
synced 2026-04-15 14:08:55 -04:00
76b8e3f5f7
Some checks are pending
API / build (push) Waiting to run
Server CI / Compute Go Version (push) Waiting to run
Server CI / Check mocks (push) Blocked by required conditions
Server CI / Check go mod tidy (push) Blocked by required conditions
Server CI / check-style (push) Blocked by required conditions
Server CI / Check serialization methods for hot structs (push) Blocked by required conditions
Server CI / Vet API (push) Blocked by required conditions
Server CI / Check migration files (push) Blocked by required conditions
Server CI / Generate email templates (push) Blocked by required conditions
Server CI / Check store layers (push) Blocked by required conditions
Server CI / Check mmctl docs (push) Blocked by required conditions
Server CI / Postgres with binary parameters (push) Blocked by required conditions
Server CI / Postgres (push) Blocked by required conditions
Server CI / Postgres (FIPS) (push) Blocked by required conditions
Server CI / Generate Test Coverage (push) Blocked by required conditions
Server CI / Run mmctl tests (push) Blocked by required conditions
Server CI / Run mmctl tests (FIPS) (push) Blocked by required conditions
Server CI / Build mattermost server app (push) Blocked by required conditions
Web App CI / check-lint (push) Waiting to run
Web App CI / check-i18n (push) Blocked by required conditions
Web App CI / check-external-links (push) Blocked by required conditions
Web App CI / check-types (push) Blocked by required conditions
Web App CI / test (platform) (push) Blocked by required conditions
Web App CI / test (mattermost-redux) (push) Blocked by required conditions
Web App CI / test (channels shard 1/4) (push) Blocked by required conditions
Web App CI / test (channels shard 2/4) (push) Blocked by required conditions
Web App CI / test (channels shard 3/4) (push) Blocked by required conditions
Web App CI / test (channels shard 4/4) (push) Blocked by required conditions
Web App CI / upload-coverage (push) Blocked by required conditions
Web App CI / build (push) Blocked by required conditions
Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>
91 lines
3.1 KiB
Go
91 lines
3.1 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package web
|
|
|
|
import (
|
|
"html"
|
|
"net/http"
|
|
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/mattermost/mattermost/server/v8/channels/utils"
|
|
)
|
|
|
|
func (w *Web) InitMagicLink() {
|
|
w.MainRouter.Handle("/login/one_time_link", w.APIHandler(loginWithMagicLinkToken)).Methods(http.MethodGet)
|
|
}
|
|
|
|
func loginWithMagicLinkToken(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
auditRec := c.MakeAuditRecord(model.AuditEventLogin, model.AuditStatusFail)
|
|
auditRec.AddMeta("login_method", "guest_magic_link")
|
|
defer c.LogAuditRec(auditRec)
|
|
|
|
if !*c.App.Config().GuestAccountsSettings.EnableGuestMagicLink {
|
|
http.Redirect(w, r, c.GetSiteURLHeader()+"/login?extra=login_error&message="+html.EscapeString("Magic link is disabled"), http.StatusFound)
|
|
return
|
|
}
|
|
|
|
if c.AppContext.Session() != nil && c.AppContext.Session().UserId != "" {
|
|
http.Redirect(w, r, c.GetSiteURLHeader()+"/error?type=magic_link_already_logged_in", http.StatusFound)
|
|
return
|
|
}
|
|
|
|
tokenString := r.URL.Query().Get("t")
|
|
if tokenString == "" {
|
|
c.Err = model.NewAppError("loginWithMagicLinkToken", "api.user.guest_magic_link.missing_token.app_error", nil, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Rate limit by IP to prevent brute force attacks on tokens
|
|
if c.App.Srv().RateLimiter != nil {
|
|
rateLimitKey := c.App.Srv().RateLimiter.GenerateKey(r)
|
|
if c.App.Srv().RateLimiter.RateLimitWriter(r.Context(), rateLimitKey, w) {
|
|
return
|
|
}
|
|
}
|
|
|
|
redirectURL := html.EscapeString(r.URL.Query().Get("redirect_to"))
|
|
|
|
user, err := c.App.AuthenticateUserForGuestMagicLink(c.AppContext, tokenString)
|
|
if err != nil {
|
|
http.Redirect(w, r, c.GetSiteURLHeader()+"/login?extra=login_error&message="+html.EscapeString(err.Message), http.StatusFound)
|
|
return
|
|
}
|
|
|
|
auditRec.AddMeta("user_id", user.Id)
|
|
c.LogAuditWithUserId(user.Id, "attempt - guest_magic_link")
|
|
|
|
// Check user authentication criteria
|
|
if authErr := c.App.CheckUserAllAuthenticationCriteria(c.AppContext, user, ""); authErr != nil {
|
|
c.LogAuditWithUserId(user.Id, "failure - guest_magic_link")
|
|
utils.RenderWebAppError(c.App.Config(), w, r, authErr, c.App.AsymmetricSigningKey())
|
|
return
|
|
}
|
|
|
|
// Create session and log user in
|
|
session, err := c.App.DoLogin(c.AppContext, w, r, user, "", false, false, true)
|
|
if err != nil {
|
|
utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
|
|
return
|
|
}
|
|
|
|
c.AppContext = c.AppContext.WithSession(session)
|
|
|
|
// Mark login as successful in audit log
|
|
auditRec.Success()
|
|
c.LogAuditWithUserId(user.Id, "success - guest_magic_link")
|
|
|
|
// Attach session cookies and redirect
|
|
c.App.AttachSessionCookies(c.AppContext, w, r)
|
|
|
|
// Determine redirect URL
|
|
if redirectURL == "" {
|
|
// No redirect specified - go to root and let webapp route to appropriate location
|
|
redirectURL = c.GetSiteURLHeader()
|
|
} else {
|
|
// Validate and make redirect URL fully qualified
|
|
redirectURL = fullyQualifiedRedirectURL(c.GetSiteURLHeader(), redirectURL, c.App.Config().NativeAppSettings.AppCustomURLSchemes)
|
|
}
|
|
|
|
http.Redirect(w, r, redirectURL, http.StatusFound)
|
|
}
|