prevent login and password reset for system accounts

This commit is contained in:
Hazel K 2024-10-07 14:58:39 -04:00
parent 126a2fcf15
commit cd9bce3072
8 changed files with 45 additions and 1 deletions

View File

@ -638,6 +638,8 @@ userSuspended: "This user has been suspended."
userSilenced: "This user is being silenced." userSilenced: "This user is being silenced."
yourAccountSuspendedTitle: "This account is suspended" yourAccountSuspendedTitle: "This account is suspended"
yourAccountSuspendedDescription: "This account has been suspended due to breaking the server's terms of services or similar. Contact the administrator if you would like to know a more detailed reason. Please do not create a new account." yourAccountSuspendedDescription: "This account has been suspended due to breaking the server's terms of services or similar. Contact the administrator if you would like to know a more detailed reason. Please do not create a new account."
systemAccountTitle: "This is a system account"
systemAccountDescription: "This account is created and managed automatically by the system, and cannot be logged into."
tokenRevoked: "Invalid token" tokenRevoked: "Invalid token"
tokenRevokedDescription: "This token has expired. Please log in again." tokenRevokedDescription: "This token has expired. Please log in again."
accountDeleted: "Account deleted" accountDeleted: "Account deleted"

8
locales/index.d.ts vendored
View File

@ -2568,6 +2568,14 @@ export interface Locale extends ILocale {
* *
*/ */
"yourAccountSuspendedDescription": string; "yourAccountSuspendedDescription": string;
/**
* This is a system account
*/
"systemAccountTitle": string;
/**
* This account is created and managed automatically by the system, and cannot be logged into.
*/
"systemAccountDescription": string;
/** /**
* *
*/ */

View File

@ -638,6 +638,8 @@ userSuspended: "このユーザーは凍結されています。"
userSilenced: "このユーザーはサイレンスされています。" userSilenced: "このユーザーはサイレンスされています。"
yourAccountSuspendedTitle: "アカウントが凍結されています" yourAccountSuspendedTitle: "アカウントが凍結されています"
yourAccountSuspendedDescription: "このアカウントは、サーバーの利用規約に違反したなどの理由により、凍結されています。詳細については管理者までお問い合わせください。新しいアカウントを作らないでください。" yourAccountSuspendedDescription: "このアカウントは、サーバーの利用規約に違反したなどの理由により、凍結されています。詳細については管理者までお問い合わせください。新しいアカウントを作らないでください。"
systemAccountTitle: "This is a system account"
systemAccountDescription: "This account is created and managed automatically by the system, and cannot be logged into."
tokenRevoked: "トークンが無効です" tokenRevoked: "トークンが無効です"
tokenRevokedDescription: "ログイントークンが失効しています。ログインし直してください。" tokenRevokedDescription: "ログイントークンが失効しています。ログインし直してください。"
accountDeleted: "アカウントは削除されています" accountDeleted: "アカウントは削除されています"

View File

@ -26,6 +26,7 @@ import { RateLimiterService } from './RateLimiterService.js';
import { SigninService } from './SigninService.js'; import { SigninService } from './SigninService.js';
import type { AuthenticationResponseJSON } from '@simplewebauthn/types'; import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
import type { FastifyReply, FastifyRequest } from 'fastify'; import type { FastifyReply, FastifyRequest } from 'fastify';
import { isSystemAccount } from '@/misc/is-system-account.js';
@Injectable() @Injectable()
export class SigninApiService { export class SigninApiService {
@ -125,6 +126,12 @@ export class SigninApiService {
}); });
} }
if (isSystemAccount(user)) {
return error(403, {
id: 's8dhsj9s-a93j-493j-ja9k-kas9sj20aml2',
});
}
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id }); const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
if (!user.approved && instance.approvalRequiredForSignup) { if (!user.approved && instance.approvalRequiredForSignup) {

View File

@ -11,6 +11,7 @@ import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { secureRndstr } from '@/misc/secure-rndstr.js'; import { secureRndstr } from '@/misc/secure-rndstr.js';
import { ModerationLogService } from '@/core/ModerationLogService.js'; import { ModerationLogService } from '@/core/ModerationLogService.js';
import { isSystemAccount } from '@/misc/is-system-account.js';
export const meta = { export const meta = {
tags: ['admin'], tags: ['admin'],
@ -63,6 +64,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
throw new Error('cannot reset password of root'); throw new Error('cannot reset password of root');
} }
if (isSystemAccount(user)) {
throw new Error('cannot reset password of system account');
}
const passwd = secureRndstr(8); const passwd = secureRndstr(8);
// Generate hash of password // Generate hash of password

View File

@ -77,6 +77,7 @@ import { misskeyApi } from '@/scripts/misskey-api.js';
import { query, extractDomain } from '@/scripts/url.js'; import { query, extractDomain } from '@/scripts/url.js';
import { login } from '@/account.js'; import { login } from '@/account.js';
import { i18n } from '@/i18n.js'; import { i18n } from '@/i18n.js';
import { showSystemAccountDialog } from '@/scripts/show-system-account-dialog.js';
const signing = ref(false); const signing = ref(false);
const user = ref<Misskey.entities.UserDetailed | null>(null); const user = ref<Misskey.entities.UserDetailed | null>(null);
@ -204,6 +205,10 @@ function loginFailed(err: any): void {
showSuspendedDialog(); showSuspendedDialog();
break; break;
} }
case 's8dhsj9s-a93j-493j-ja9k-kas9sj20aml2': {
showSystemAccountDialog();
break;
}
case '22d05606-fbcf-421a-a2db-b32610dcfd1b': { case '22d05606-fbcf-421a-a2db-b32610dcfd1b': {
os.alert({ os.alert({
type: 'error', type: 'error',

View File

@ -83,7 +83,7 @@ SPDX-License-Identifier: AGPL-3.0-only
<MkSwitch v-model="markedAsNSFW" @update:modelValue="toggleNSFW">{{ i18n.ts.markAsNSFW }}</MkSwitch> <MkSwitch v-model="markedAsNSFW" @update:modelValue="toggleNSFW">{{ i18n.ts.markAsNSFW }}</MkSwitch>
<div> <div>
<MkButton v-if="user.host == null" inline style="margin-right: 8px;" @click="resetPassword"><i class="ti ti-key"></i> {{ i18n.ts.resetPassword }}</MkButton> <MkButton v-if="user.host == null && !isSystem" inline style="margin-right: 8px;" @click="resetPassword"><i class="ti ti-key"></i> {{ i18n.ts.resetPassword }}</MkButton>
</div> </div>
<MkFolder> <MkFolder>

View File

@ -0,0 +1,15 @@
/*
* SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
* SPDX-License-Identifier: AGPL-3.0-only
*/
import * as os from '@/os.js';
import { i18n } from '@/i18n.js';
export function showSystemAccountDialog(): Promise<void> {
return os.alert({
type: 'error',
title: i18n.ts.systemAccountTitle,
text: i18n.ts.systemAccountDescription,
});
}