MT#60656 improve 403 Password Expired for expired passwords

* 403 Password Expired is now correctly returned for POST /login_jwt when a password is expired, instead of returning the token. * 403 Password Expired is now correctly returned for API requests and redirect to /changepassword only happens for non API requests. * improve Utils::Auth::check_max_age() to accept also $auth_user and $ngcp_realm for cases (like /login_jwt) where there is an authenticated user but there is no $c->user. Change-Id: I302ad8654bdf16fe0882625fd6e9a8bba7a8ad42
1 year ago · 46d297dec2
parent 4b00a59d99
commit 46d297dec2
2 changed files with 34 additions and 12 deletions
--- a/lib/NGCP/Panel/Controller/Root.pm
+++ b/lib/NGCP/Panel/Controller/Root.pm
@ -478,8 +478,8 @@ sub check_user_access {
        return;
    }

-    # redirect to password change page if password is expired
-    if (! NGCP::Panel::Utils::Auth::check_max_age($c)) {
+    # redirect non API requests to password change page if password is expired
+    if ($c->req->path !~ /^api\/.+/ && !NGCP::Panel::Utils::Auth::check_max_age($c)) {
        $c->session(target => $c->request->uri);
        $c->response->redirect($c->uri_for('/changepassword'));
        return;
@ -735,6 +735,14 @@ sub login_jwt :Chained('/') :PathPart('login_jwt') :Args(0) :Method('POST') {
        }
    }

+    if (! NGCP::Panel::Utils::Auth::check_max_age($c, $auth_user, $ngcp_realm)) {
+        $c->response->status(HTTP_FORBIDDEN);
+        $c->response->body(encode_json({
+            code => HTTP_FORBIDDEN,
+            message => "Password expired"})."\n");
+        return;
+    }
+
    my $result = {};

    if ($ngcp_realm eq 'admin') {
--- a/lib/NGCP/Panel/Utils/Auth.pm
+++ b/lib/NGCP/Panel/Utils/Auth.pm
@ -654,23 +654,36 @@ sub ban_user {

 sub check_max_age {
    my $c = shift;
+    my ($auth_user, $ngcp_realm) = @_;

-    return 1 unless $c->user;
-
+    my $pass_last_modify;
    my $pass_last_modify_time;
+
+    if ($auth_user && $ngcp_realm) {
+        if ($ngcp_realm eq 'admin') {
+            $pass_last_modify = $auth_user->saltedpass_modify_timestamp;
+        } else {
+            $pass_last_modify = $auth_user->webpassword_modify_timestamp;
+        }
+    } else {
+        return 1 unless $c->user;
+
+        if ($c->user->roles eq 'subscriber' || $c->user->roles eq 'subscriberadmin') {
+            $pass_last_modify = $c->user->webpassword_modify_timestamp;
+        } else {
+            $pass_last_modify = $c->user->saltedpass_modify_timestamp;
+        }
+    }
+
    my $strp = DateTime::Format::Strptime->new(
        pattern => '%Y-%m-%dT%H:%M:%S',
        time_zone => 'local',
    );
-    if ($c->user->roles eq 'subscriber' || $c->user->roles eq 'subscriberadmin') {
-        my $webpass_last_modify = $c->user->webpassword_modify_timestamp;
-        my $dt = $strp->parse_datetime($webpass_last_modify // '');
-        $pass_last_modify_time = $dt->epoch if $dt;
-    } else {
-        my $saltedpass_last_modify = $c->user->saltedpass_modify_timestamp;
-        my $dt = $strp->parse_datetime($saltedpass_last_modify // '');
-        $pass_last_modify_time = $dt->epoch if $dt;
+
+    if (my $dt = $strp->parse_datetime($pass_last_modify // '')) {
+        $pass_last_modify_time = $dt->epoch;
    }
+
    if ($pass_last_modify_time) {
        my $max_age = $c->config->{security}{password}{web_max_age_days} // 0;
        if (defined $max_age && $max_age > 0) {
@ -679,6 +692,7 @@ sub check_max_age {
            }
        }
    }
+
    return 1;
 }