
Commit 2314397

committedMar 7, 2025
Fix recently introduced bug when authentication with password.
In case the precis check failed, our return of a nil account cleared acc, and we were then trying to close it, resulting in a nil pointer dereference. Rewrite the return statements so we don't overwrite the named return variables.
1 parent 1c58d38 commit 2314397


1 file changed

+12
-12
lines changed


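--- a/store/account.go
+++ b/store/account.go
@@ -3052,12 +3052,12 @@ func manageAuthCache() {
 // The email address may contain a catchall separator.
 // For invalid credentials, a nil account is returned, but accName may be
 // non-empty.
-func OpenEmailAuth(log mlog.Log, email string, password string, checkLoginDisabled bool) (acc *Account, accName string, rerr error) {
+func OpenEmailAuth(log mlog.Log, email string, password string, checkLoginDisabled bool) (racc *Account, raccName string, rerr error) {
 // We check for LoginDisabled after verifying the password. Otherwise users can get
 // messages about the account being disabled without knowing the password.
-acc, accName, _, rerr = OpenEmail(log, email, false)
-if rerr != nil {
-return
+acc, accName, _, err := OpenEmail(log, email, false)
+if err != nil {
+return nil, "", err
 }
 
 defer func() {
@@ -3068,38 +3068,38 @@ func OpenEmailAuth(log mlog.Log, email string, password string, checkLoginDisabl
 }
 }()
 
-password, err := precis.OpaqueString.String(password)
+password, err = precis.OpaqueString.String(password)
 if err != nil {
-return nil, accName, ErrUnknownCredentials
+return nil, "", ErrUnknownCredentials
 }
 
 pw, err := bstore.QueryDB[Password](context.TODO(), acc.DB).Get()
 if err != nil {
 if err == bstore.ErrAbsent {
-return acc, accName, ErrUnknownCredentials
+return nil, "", ErrUnknownCredentials
 }
-return acc, accName, fmt.Errorf("looking up password: %v", err)
+return nil, "", fmt.Errorf("looking up password: %v", err)
 }
 authCache.Lock()
 ok := len(password) >= 8 && authCache.success[authKey{email, pw.Hash}] == password
 authCache.Unlock()
 if !ok {
 if err := bcrypt.CompareHashAndPassword([]byte(pw.Hash), []byte(password)); err != nil {
-return acc, accName, ErrUnknownCredentials
+return nil, "", ErrUnknownCredentials
 }
 }
 if checkLoginDisabled {
 conf, aok := acc.Conf()
 if !aok {
-return acc, accName, fmt.Errorf("cannot find config for account")
+return nil, "", fmt.Errorf("cannot find config for account")
 } else if conf.LoginDisabled != "" {
-return acc, accName, fmt.Errorf("%w: %s", ErrLoginDisabled, conf.LoginDisabled)
+return nil, "", fmt.Errorf("%w: %s", ErrLoginDisabled, conf.LoginDisabled)
 }
 }
 authCache.Lock()
 authCache.success[authKey{email, pw.Hash}] = password
 authCache.Unlock()
-return
+return acc, accName, nil
 }
 
 // OpenEmail opens an account given an email address.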
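Review bot: The doc comment kept unchanged at the top of the first hunk ("For invalid credentials, a nil account is returned, but accName may be non-empty") is now wrong: every error path in the new code returns `nil, "", …`, so raccName is always empty whenever racc is nil. Any caller that used the returned account name of a failed login for logging or rate limiting would silently lose it; the callers are outside this diff, so that should be checked before the comment is simply rewritten. Assuming none do, I would replace the two comment lines with `// On any error a nil account and an empty account name are returned; the` / `// account opened by OpenEmail is closed before returning.` — the second half is an inference from the commit message, since the deferred function's body (lines 3064-3068) sits between the two hunks and is not visible here. While touching the error returns, `fmt.Errorf("looking up password: %v", err)` could use `%w` so callers can still match the bstore error with errors.Is; that is pre-existing, not introduced here.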
