Improve auth. provider interface

The authentication provider can now provide multiple authorization identities associated with credentials. Protocols that support that (e.g. JMAP, SASL) can let the client select the wanted identity.
2025-04-05 14:07:38 +03:00 · 2020-02-27 01:22:47 +03:00 · 2020-02-27 01:22:47 +03:00 · a45c7090c4
commit a45c7090c4
parent 8f1d57293c
11 changed files with 72 additions and 65 deletions
--- a/internal/auth/shadow/module.go
+++ b/internal/auth/shadow/module.go
@ -67,43 +67,37 @@ func (a *Auth) Init(cfg *config.Map) error {
 	return nil
 }

-func (a *Auth) CheckPlain(username, password string) bool {
+func (a *Auth) AuthPlain(username, password string) ([]string, error) {
 	accountName, _, err := address.Split(username)
 	if err != nil {
-		return false
+		return nil, err
 	}

 	if a.useHelper {
-		return external.AuthUsingHelper(a.Log, a.helperPath, accountName, password)
+		return []string{username}, external.AuthUsingHelper(a.helperPath, accountName, password)
 	}

 	ent, err := Lookup(accountName)
 	if err != nil {
-		if err != ErrNoSuchUser {
-			a.Log.Error("lookup error", err, "username", username)
-		}
-		return false
+		return nil, err
 	}

 	if !ent.IsAccountValid() {
-		a.Log.Msg("account is expired", "username", username)
-		return false
+		return nil, fmt.Errorf("shadow: account is expired")
 	}

 	if !ent.IsPasswordValid() {
-		a.Log.Msg("password is expired", "username", username)
-		return false
+		return nil, fmt.Errorf("shadow: password is expired")
 	}

 	if err := ent.VerifyPassword(password); err != nil {
-		if err != ErrWrongPassword {
-			a.Log.Printf("%v", err)
+		if err == ErrWrongPassword {
+			return nil, module.ErrUnknownCredentials
 		}
-		a.Log.Msg("password verification failed", "username", username)
-		return false
+		return nil, err
 	}

-	return true
+	return []string{username}, nil
 }

 func init() {