commit 6cd8512bbd869dbb2370798fc473abfbec47fbb3
parent 843604c9e7f755c6d401938640b6bc9fa0886f1e
Author: Jeremy Lin <jeremy.lin@gmail.com>
Date: Tue, 7 Apr 2020 20:40:51 -0700
Fix Duo auth failure with non-lowercased email addresses
Diffstat:
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/api/core/two_factor/duo.rs b/src/api/core/two_factor/duo.rs
@@ -21,9 +21,9 @@ pub fn routes() -> Vec<Route> {
#[derive(Serialize, Deserialize)]
struct DuoData {
- host: String,
- ik: String,
- sk: String,
+ host: String, // Duo API hostname
+ ik: String, // integration key
+ sk: String, // secret key
}
impl DuoData {
@@ -190,6 +190,7 @@ fn duo_api_request(method: &str, path: &str, params: &str, data: &DuoData) -> Em
use reqwest::{header::*, Method, blocking::Client};
use std::str::FromStr;
+ // https://duo.com/docs/authapi#api-details
let url = format!("https://{}{}", &data.host, path);
let date = Utc::now().to_rfc2822();
let username = &data.ik;
@@ -268,6 +269,10 @@ fn sign_duo_values(key: &str, email: &str, ikey: &str, prefix: &str, expire: i64
}
pub fn validate_duo_login(email: &str, response: &str, conn: &DbConn) -> EmptyResult {
+ // email is as entered by the user, so it needs to be normalized before
+ // comparison with auth_user below.
+ let email = &email.to_lowercase();
+
let split: Vec<&str> = response.split(':').collect();
if split.len() != 2 {
err!("Invalid response length");
