From 328a7710f36c38fc509da528dd4b74f21cfe14a7 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 22 Oct 2019 16:18:16 +0100
Subject: [PATCH] people: Ask user to authenticate for Discourse when not logged in
Signed-off-by: Michael Tremer
---
 src/backend/accounts.py | 8 ++++++++
 src/web/auth.py | 20 +++++++-------------
 src/web/people.py | 23 +++++++++++++++++++----
 3 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/src/backend/accounts.py b/src/backend/accounts.py
index 86a9bd24..2bb87c76 100644
--- a/src/backend/accounts.py
+++ b/src/backend/accounts.py
@@ -176,6 +176,14 @@ class Accounts(Object):
 return score >= 50
+ def auth(self, username, password):
+ # Find account
+ account = self.backend.accounts.find_account(username)
+
+ # Check credentials
+ if account and account.check_password(password):
+ return account
+
 # Registration
 def register(self, uid, email, first_name, last_name):
diff --git a/src/web/auth.py b/src/web/auth.py
index d2872695..b969a671 100644
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -15,18 +15,6 @@ class CacheMixin(object):
 class AuthenticationMixin(CacheMixin):
- def authenticate(self, username, password):
- # Find account
- account = self.backend.accounts.find_account(username)
- if not account:
- raise tornado.web.HTTPError(401, "Unknown user: %s" % username)
-
- # Check credentials
- if not account.check_password(password):
- raise tornado.web.HTTPError(401, "Invalid password for %s" % account)
-
- return self.login(account)
-
 def login(self, account):
 # User has logged in, create a session
 session_id, session_expires = self.backend.accounts.create_session(
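Review bot: In the new `auth()` method, `check_password()` is only reached when `find_account()` returned something, so a request for a non-existent username returns without any credential check while a wrong password for an existing user pays the full cost of that check; if `check_password()` does real work (a hash comparison or a directory bind), the response time alone tells a caller which usernames exist, even though both callers in this patch now report the same 401 message. Equalise the two paths, for example by running the password check against a dummy account or fixed hash when the lookup fails, before returning. The method also falls off the end and returns `None` implicitly; an explicit `return None` plus a docstring such as `"""Return the matching account, or None if the credentials are wrong."""` would document the contract the two new callers rely on. Since this is a method on `Accounts` itself, `self.find_account(username)` looks like the direct call, assuming `self.backend.accounts` resolves to this same object.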
@@ -63,8 +51,14 @@ class LoginHandler(AuthenticationMixin, base.BaseHandler):
 username = self.get_argument("username")
 password = self.get_argument("password")
+ # Find user
+ account = self.backend.accounts.auth(username, password)
+ if not account:
+ raise tornado.web.HTTPError(401, "Unknown user or invalid password: %s" % username)
+
+ # Create session
 with self.db.transaction():
- self.authenticate(username, password)
+ self.login(account)
 # Determine the page we should redirect to
 next = self.get_argument("next", None)
diff --git a/src/web/people.py b/src/web/people.py
index 69dcf4e8..4c82cb86 100644
--- a/src/web/people.py
+++ b/src/web/people.py
@@ -427,12 +427,27 @@ class SSODiscourse(auth.CacheMixin, base.BaseHandler):
 params = self._get_discourse_params()
 # Redirect back if user is already logged in
- if self.current_user:
- return self._redirect_user_to_discourse(self.current_user, **params)
+ #if self.current_user:
+ # return self._redirect_user_to_discourse(self.current_user, **params)
 # Otherwise the user needs to authenticate
- # XXX
- raise tornado.web.HTTPError(401)
+ self.render("auth/login.html", next=None)
+
+ @base.ratelimit(minutes=24*60, requests=100)
+ def post(self):
+ params = self._get_discourse_params()
+
+ # Get credentials
+ username = self.get_argument("username")
+ password = self.get_argument("password")
+
+ # Check credentials
+ account = self.accounts.auth(username, password)
+ if not account:
+ raise tornado.web.HTTPError(401, "Unknown user or invalid password: %s" % username)
+
+ # If the user has been authenticated, we will redirect to Discourse
+ self._redirect_user_to_discourse(account, **params)
 class NewAccountsModule(ui_modules.UIModule):
-- 
2.47.2
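Review bot: The new 401 in `LoginHandler.post` pre-formats the user-supplied `username` into the HTTPError `log_message`; tornado later hands that string to the logger as a format string, so a username containing `%` breaks the log line, and control characters in it land unescaped in the server log. Let tornado do the interpolation by passing the value as an argument instead, `raise tornado.web.HTTPError(401, "Unknown user or invalid password: %s", username)`, or log `%r` of it so control characters are escaped. The same pattern appears in the new `SSODiscourse.post` in src/web/people.py. The enclosing `post` method starts before the hunk.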
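Review bot: The `if self.current_user:` redirect in `SSODiscourse.get` is commented out rather than removed, so the surviving comment `# Redirect back if user is already logged in` now describes code that does not run, and an already-logged-in user is asked to re-enter credentials although the commit subject scopes the new login form to users who are not logged in. Either restore that check or delete the two `#`-prefixed lines together with the comment above them. In `post()`, `_get_discourse_params()` is read again from the request, so the rendered `auth/login.html` form has to carry the Discourse parameters through the POST; the hunk does not show how it does that, and if they live only in the original query string the POST will not have them, which is worth a comment at the `self.render(...)` line stating where the form submits to. `post()` also spells the call `self.accounts.auth(...)` while `LoginHandler` in src/web/auth.py uses `self.backend.accounts.auth(...)`; if both resolve to the same object, picking one spelling keeps the two handlers consistent.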