go-mail/auth/login.go

// SPDX-FileCopyrightText: 2022 Winni Neessen <winni@neessen.dev>
//
// SPDX-License-Identifier: MIT

// Package auth implements the LOGIN and MD5-DIGEST smtp authentication mechanisms
package auth

import (
	"errors"
	"fmt"
	"net/smtp"
)

type loginAuth struct {
	username, password string
	host               string
}

const (
	// ServerRespUsername represents the "Username:" response by the SMTP server
	ServerRespUsername = "Username:"

	// ServerRespPassword represents the "Password:" response by the SMTP server
	ServerRespPassword = "Password:"
)

// LoginAuth returns an Auth that implements the LOGIN authentication
// mechanism as it is used by MS Outlook. The Auth works similar to PLAIN
// but instead of sending all in one response, the login is handled within
// 3 steps:
// - Sending AUTH LOGIN (server responds with "Username:")
// - Sending the username (server responds with "Password:")
// - Sending the password (server authenticates)
//
// LoginAuth will only send the credentials if the connection is using TLS
// or is connected to localhost. Otherwise authentication will fail with an
// error, without sending the credentials.
func LoginAuth(username, password, host string) smtp.Auth {
	return &loginAuth{username, password, host}
}

func isLocalhost(name string) bool {
	return name == "localhost" || name == "127.0.0.1" || name == "::1"
}

func (a *loginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	// Must have TLS, or else localhost server.
	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
	// In particular, it doesn't matter if the server advertises LOGIN auth.
	// That might just be the attacker saying
	// "it's ok, you can trust me with your password."
	if !server.TLS && !isLocalhost(server.Name) {
		return "", nil, errors.New("unencrypted connection")
	}
	if server.Name != a.host {
		return "", nil, errors.New("wrong host name")
	}
	return "LOGIN", nil, nil
}

func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		switch string(fromServer) {
		case ServerRespUsername:
			return []byte(a.username), nil
		case ServerRespPassword:
			return []byte(a.password), nil
		default:
			return nil, fmt.Errorf("unexpected server response: %s", string(fromServer))
		}
	}
	return nil, nil
}
#24: Add SPDX license IDs for REUSE compliance # SUMMARY * Bad licenses: * Deprecated licenses: * Licenses without file extension: * Missing licenses: * Unused licenses: * Used licenses: CC0-1.0, MIT * Read errors: 0 * Files with copyright information: 45 / 45 * Files with license information: 45 / 45 Congratulations! Your project is compliant with version 3.0 of the REUSE Specification :-) 2022-06-17 15:05:54 +02:00			`// SPDX-FileCopyrightText: 2022 Winni Neessen <winni@neessen.dev>`
			`//`
			`// SPDX-License-Identifier: MIT`

Typos 2022-03-12 20:07:20 +01:00			`// Package auth implements the LOGIN and MD5-DIGEST smtp authentication mechanisms`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`package auth`

			`import (`
			`"errors"`
			`"fmt"`
			`"net/smtp"`
			`)`

			`type loginAuth struct {`
			`username, password string`
			`host string`
			`}`

			`const (`
			`// ServerRespUsername represents the "Username:" response by the SMTP server`
			`ServerRespUsername = "Username:"`

			`// ServerRespPassword represents the "Password:" response by the SMTP server`
			`ServerRespPassword = "Password:"`
			`)`

			`// LoginAuth returns an Auth that implements the LOGIN authentication`
			`// mechanism as it is used by MS Outlook. The Auth works similar to PLAIN`
			`// but instead of sending all in one response, the login is handled within`
			`// 3 steps:`
			`// - Sending AUTH LOGIN (server responds with "Username:")`
			`// - Sending the username (server responds with "Password:")`
			`// - Sending the password (server authenticates)`
			`//`
			`// LoginAuth will only send the credentials if the connection is using TLS`
			`// or is connected to localhost. Otherwise authentication will fail with an`
			`// error, without sending the credentials.`
			`func LoginAuth(username, password, host string) smtp.Auth {`
			`return &loginAuth{username, password, host}`
			`}`

			`func isLocalhost(name string) bool {`
			`return name == "localhost" \|\| name == "127.0.0.1" \|\| name == "::1"`
			`}`

			`func (a loginAuth) Start(server smtp.ServerInfo) (string, []byte, error) {`
			`// Must have TLS, or else localhost server.`
			`// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.`
			`// In particular, it doesn't matter if the server advertises LOGIN auth.`
			`// That might just be the attacker saying`
			`// "it's ok, you can trust me with your password."`
			`if !server.TLS && !isLocalhost(server.Name) {`
			`return "", nil, errors.New("unencrypted connection")`
			`}`
			`if server.Name != a.host {`
			`return "", nil, errors.New("wrong host name")`
			`}`
			`return "LOGIN", nil, nil`
			`}`

			`func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {`
			`if more {`
			`switch string(fromServer) {`
			`case ServerRespUsername:`
			`return []byte(a.username), nil`
			`case ServerRespPassword:`
			`return []byte(a.password), nil`
Fix SMTP AUTH LOGIN method for servers with uncommon success messages This fixes #94 and basically reverts d0f0435. As James points out correctly in #94, we should not assume specific responses from the server. As long as the spec is followed and the server returns the correct SMTP code, we should not do our own magic. I've also extended the `getTestConnection` method in client_test.go, so that we can specify more test environment options like `TEST_PORT` and `TEST_TLS_SKIP_VERIFY`. This was needed for testing with the ProtonMail Bridge which listens on a different port and has non-trusted certificates. 2023-01-07 11:31:46 +01:00			`default:`
			`return nil, fmt.Errorf("unexpected server response: %s", string(fromServer))`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`
			`}`
Fix SMTP AUTH LOGIN method for servers with uncommon success messages This fixes #94 and basically reverts d0f0435. As James points out correctly in #94, we should not assume specific responses from the server. As long as the spec is followed and the server returns the correct SMTP code, we should not do our own magic. I've also extended the `getTestConnection` method in client_test.go, so that we can specify more test environment options like `TEST_PORT` and `TEST_TLS_SKIP_VERIFY`. This was needed for testing with the ProtonMail Bridge which listens on a different port and has non-trusted certificates. 2023-01-07 11:31:46 +01:00			`return nil, nil`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`