sebo-b / warp

Workspace Autonomous Reservation Program - a system to help you efficiently manage hybrid (assigned, hot-desks, etc) office space.
MIT License

Duplicate Account Creation Possible when used with LDAP #48

Open wp99cp opened 4 months ago

wp99cp commented 4 months ago

When using an LDAP server as the authentication provider, duplicate user accounts can be created inside Warp.

By default, the user's DN is case-insensitive (this can be defined in the LDAP schema). Thus, the user can sign in successfully with any combination of capital and lowercase letters matching his username. For example, Username, userName, and username are all valid and accepted. However, as Warp stores the username in a case-sensitive manner, this allows the creation of multiple accounts within Warp for the same LDAP user.

Treating the username as lowercase by default (i.e., by calling .lower() on the login argument) solves the issue. Nevertheless, I don't know if that is the best solution. For the case where the LDAP DN is case-sensitive, this solution will result in different usernames stored with Postgres. If .lower() is executed before calling the LDAP server, as shown below, this will result in an authentication error if the DN includes any capital letter.

Possible Solution

--- a/warp/auth_ldap.py
+++ b/warp/auth_ldap.py
@@ -207,7 +207,7 @@ def login():

     if flask.request.method == 'POST':

-        u = flask.request.form.get('login')
+        u = flask.request.form.get('login').lower()
         p = flask.request.form.get('password')

         LDAP_EXCLUDED_USERS = flask.current_app.config.get('LDAP_EXCLUDED_USERS', [])
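Review bot: `flask.request.form.get('login')` returns None when the field is absent from the POST body, so the `.lower()` added on the `+` line raises AttributeError on a malformed request; guard it, e.g. `u = (flask.request.form.get('login') or '').lower()`, or reject the request when the login is missing. As the issue text itself notes, lowercasing before the LDAP bind breaks authentication when the DN is case-sensitive; binding with the value as submitted and case-folding only the username that is looked up and stored would keep both schema configurations mapping to a single Warp account.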
davidefu commented 3 months ago

Hi, thanks. Merged here: https://github.com/davidefu/warp/commit/394ff8860fd4bcf11eb08ed9a0a088d494796491
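The duplicate-account behaviour described in the issue, and the difference between lowercasing before the bind versus case-folding only the stored key, as an added example that is not warp's code. The LDAP directory, the bind function and the user store are constructed stand-ins, not a real LDAP client or warp's Postgres model.

```python
from typing import Callable, Dict, Optional

# Constructed sample directory: one LDAP user whose DN is spelled "Username".
SAMPLE_DIRECTORY = {"Username": "s3cret"}

def make_ldap_bind(case_sensitive_dn: bool) -> Callable[[str, str], bool]:
    """Stand-in for an LDAP simple bind; DN matching follows the schema flag."""
    def bind(username: str, password: str) -> bool:
        for dn, pw in SAMPLE_DIRECTORY.items():
            same = dn == username if case_sensitive_dn else dn.lower() == username.lower()
            if same:
                return pw == password
        return False
    return bind

class UserStore:
    """Stand-in for warp's user table, keyed by the stored login string."""
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
    def get_or_create(self, login: str) -> dict:
        return self.users.setdefault(login, {"login": login})

def login(form: Dict[str, str], bind: Callable[[str, str], bool], store: UserStore,
          normalize: bool, lower_before_bind: bool = False) -> Optional[dict]:
    """Authenticate via LDAP, then map the user to one warp account.
    normalize=True case-folds the stored key; lower_before_bind=True mimics
    the patch in the issue (lowercase the form value before binding)."""
    raw = form.get("login")
    password = form.get("password")
    if not raw or password is None:   # .get() may return None; never call .lower() on it
        return None
    bind_name = raw.lower() if lower_before_bind else raw
    if not bind(bind_name, password):
        return None
    key = raw.casefold() if normalize else raw
    return store.get_or_create(key)

def simulate(normalize: bool, case_sensitive_dn: bool = False,
             lower_before_bind: bool = False) -> int:
    """Log the same LDAP user in with three spellings; return the number of
    warp accounts that exist afterwards (1 is the desired outcome)."""
    store = UserStore()
    bind = make_ldap_bind(case_sensitive_dn)
    for spelling in ("Username", "userName", "username"):
        login({"login": spelling, "password": "s3cret"}, bind, store,
              normalize, lower_before_bind)
    return len(store.users)
```

With a case-insensitive DN the unnormalized store ends up with three accounts and the normalized one with a single account; with a case-sensitive DN, lowercasing before the bind makes every login fail, whereas binding with the submitted spelling and folding only the stored key still yields exactly one account.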