Fix: Fix user authentication storage issues

Ensure authentication requests respect `NoAuth` setting and prevent storage of empty passwords in Redis cache. This update refines the process of handling user database queries and enhances security by avoiding redundant password history retrievals. Signed-off-by: Christian Roessner <c@roessner.co>
croessner · Nov 15, 2024 · d1ed22b · d1ed22b
1 parent 52a7b64
commit d1ed22b
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/server/core/auth.go b/server/core/auth.go
@@ -1594,9 +1594,9 @@ func (a *AuthState) postVerificationProcesses(ctx *gin.Context, useCache bool, b
 		}
 	}
 
-	if useCache {
+	// Note: User-DB queries never contain a password!
+	if !a.NoAuth && useCache {
 		// Make sure the cache backend is in front of the used backend.
-		// If this is a userdb-request, the authentication state is forced to "true" (see verifyPassword()-moethod)
 		if passDBResult.Authenticated {
 			if accountName != "" {
 				if backendPos[global.BackendCache] < backendPos[a.UsedPassDBBackend] {
@@ -1640,7 +1640,10 @@ func (a *AuthState) postVerificationProcesses(ctx *gin.Context, useCache bool, b
 						Attributes: a.Attributes,
 					}
 
-					go backend.SaveUserDataToRedis(a.HTTPClientContext, *a.GUID, redisUserKey, config.LoadableConfig.Server.Redis.PosCacheTTL, ppc)
+					// Safety net. Never store empty passwords into ppc.
+					if ppc.Password != "" {
+						go backend.SaveUserDataToRedis(a.HTTPClientContext, *a.GUID, redisUserKey, config.LoadableConfig.Server.Redis.PosCacheTTL, ppc)
+					}
 				}
 			}
 		} else {
@@ -1655,10 +1658,7 @@ func (a *AuthState) postVerificationProcesses(ctx *gin.Context, useCache bool, b
 			a.saveFailedPasswordCounterInRedis()
 		}
 
-		// Only passdb requests need reloading
-		if !a.NoAuth {
-			a.getAllPasswordHistories()
-		}
+		a.getAllPasswordHistories()
 	}
 
 	/*