go-mail/smtp/auth_login.go

// SPDX-FileCopyrightText: Copyright (c) 2022-2024 The go-mail Authors
//
// SPDX-License-Identifier: MIT

package smtp

import (
	"fmt"
)

// loginAuth is the type that satisfies the Auth interface for the "SMTP LOGIN" auth
type loginAuth struct {
	username, password   string
	host                 string
	respStep             uint8
	allowUnencryptedAuth bool
}

// LoginAuth returns an [Auth] that implements the LOGIN authentication
// mechanism as it is used by MS Outlook. The Auth works similar to PLAIN
// but instead of sending all in one response, the login is handled within
// 3 steps:
// - Sending AUTH LOGIN (server might responds with "Username:")
// - Sending the username (server might responds with "Password:")
// - Sending the password (server authenticates)
// This is the common approach as specified by Microsoft in their MS-XLOGIN spec.
// See: https://msopenspecs.azureedge.net/files/MS-XLOGIN/%5bMS-XLOGIN%5d.pdf
// Yet, there is also an old IETF draft for SMTP AUTH LOGIN that states for clients:
// "The contents of both challenges SHOULD be ignored.".
// See: https://datatracker.ietf.org/doc/html/draft-murchison-sasl-login-00
// Since there is no official standard RFC and we've seen different implementations
// of this mechanism (sending "Username:", "Username", "username", "User name", etc.)
// we follow the IETF-Draft and ignore any server challenge to allow compatibility
// with most mail servers/providers.
//
// LoginAuth will only send the credentials if the connection is using TLS
// or is connected to localhost. Otherwise authentication will fail with an
// error, without sending the credentials.
func LoginAuth(username, password, host string, allowUnenc bool) Auth {
	return &loginAuth{username, password, host, 0, allowUnenc}
}

// Start begins the SMTP authentication process by validating server's TLS status and hostname.
// Returns "LOGIN" on success.
func (a *loginAuth) Start(server *ServerInfo) (string, []byte, error) {
	// Must have TLS, or else localhost server.
	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
	// In particular, it doesn't matter if the server advertises LOGIN auth.
	// That might just be the attacker saying
	// "it's ok, you can trust me with your password."
	if !a.allowUnencryptedAuth && !server.TLS && !isLocalhost(server.Name) {
		return "", nil, ErrUnencrypted
	}
	if server.Name != a.host {
		return "", nil, ErrWrongHostname
	}
	a.respStep = 0
	return "LOGIN", nil, nil
}

// Next processes responses from the server during the SMTP authentication exchange, sending the
// username and password.
func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		switch a.respStep {
		case 0:
			a.respStep++
			return []byte(a.username), nil
		case 1:
			a.respStep++
			return []byte(a.password), nil
		default:
			return nil, fmt.Errorf("%w: %s", ErrUnexpectedServerResponse, string(fromServer))
		}
	}
	return nil, nil
}
Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`// SPDX-FileCopyrightText: Copyright (c) 2022-2024 The go-mail Authors`
#24: Add SPDX license IDs for REUSE compliance # SUMMARY * Bad licenses: * Deprecated licenses: * Licenses without file extension: * Missing licenses: * Unused licenses: * Used licenses: CC0-1.0, MIT * Read errors: 0 * Files with copyright information: 45 / 45 * Files with license information: 45 / 45 Congratulations! Your project is compliant with version 3.0 of the REUSE Specification :-) 2022-06-17 15:05:54 +02:00			`//`
			`// SPDX-License-Identifier: MIT`

Fork net/smpt into go-mail As part of #97 we are going to fork the official `net/smtp` package into go-mail to provide us with more flexibility. This commit fulfills the first big step of importing the package into smtp/. Also go-mail's own LoginAuth has been moved from auth/ into smtp/ to be consistent with the stdlib. There are still a couple of open issues (i. e. license adjustments and making golangci-lint happy) but so far all tests already work, which is a good start. 2023-01-10 00:38:42 +01:00			`package smtp`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00
			`import (`
			`"fmt"`
			`)`

Fork net/smpt into go-mail As part of #97 we are going to fork the official `net/smtp` package into go-mail to provide us with more flexibility. This commit fulfills the first big step of importing the package into smtp/. Also go-mail's own LoginAuth has been moved from auth/ into smtp/ to be consistent with the stdlib. There are still a couple of open issues (i. e. license adjustments and making golangci-lint happy) but so far all tests already work, which is a good start. 2023-01-10 00:38:42 +01:00			`// loginAuth is the type that satisfies the Auth interface for the "SMTP LOGIN" auth`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`type loginAuth struct {`
Add support for unsecured SMTP LOGIN auth Implemented an option to allow SMTP LOGIN authentication over unencrypted channels by introducing a new `SMTPAuthLoginNoEnc` type. Updated relevant functions and tests to handle the new parameter for unsecured authentication. 2024-10-22 15:38:51 +02:00			`username, password string`
			`host string`
			`respStep uint8`
			`allowUnencryptedAuth bool`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`

Refine function comments to include return type details This is a sync with the net/smtp upstream as committed here: https://github.com/golang/go/commit/1d45a7ef560a76318ed59dfdb178cecd58caf948#diff-4f6f6bdb9891d4dd271f9f31430420a2e44018fe4ee539576faf458bebb3cee4. 2024-01-10 11:05:34 +01:00			`// LoginAuth returns an [Auth] that implements the LOGIN authentication`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`// mechanism as it is used by MS Outlook. The Auth works similar to PLAIN`
			`// but instead of sending all in one response, the login is handled within`
			`// 3 steps:`
Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`// - Sending AUTH LOGIN (server might responds with "Username:")`
			`// - Sending the username (server might responds with "Password:")`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`// - Sending the password (server authenticates)`
Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`// This is the common approach as specified by Microsoft in their MS-XLOGIN spec.`
			`// See: https://msopenspecs.azureedge.net/files/MS-XLOGIN/%5bMS-XLOGIN%5d.pdf`
			`// Yet, there is also an old IETF draft for SMTP AUTH LOGIN that states for clients:`
			`// "The contents of both challenges SHOULD be ignored.".`
			`// See: https://datatracker.ietf.org/doc/html/draft-murchison-sasl-login-00`
			`// Since there is no official standard RFC and we've seen different implementations`
			`// of this mechanism (sending "Username:", "Username", "username", "User name", etc.)`
Fix typos in comments for better readability Corrected spelling errors in comments for "challenge" and "compatibility" to improve clarity. This ensures better understanding and adherence to the documented IETF draft standard. 2024-10-16 10:35:29 +02:00			`// we follow the IETF-Draft and ignore any server challenge to allow compatibility`
Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`// with most mail servers/providers.`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`//`
			`// LoginAuth will only send the credentials if the connection is using TLS`
			`// or is connected to localhost. Otherwise authentication will fail with an`
			`// error, without sending the credentials.`
Rename parameter for consistency in auth functions Updated the parameter name `allowUnEnc` to `allowUnenc` in both `LoginAuth` and `PlainAuth` functions to maintain consistent naming conventions. This change improves code readability and follows standard naming practices. 2024-11-07 20:58:20 +01:00			`func LoginAuth(username, password, host string, allowUnenc bool) Auth {`
			`return &loginAuth{username, password, host, 0, allowUnenc}`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`

Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`// Start begins the SMTP authentication process by validating server's TLS status and hostname.`
			`// Returns "LOGIN" on success.`
Fork net/smpt into go-mail As part of #97 we are going to fork the official `net/smtp` package into go-mail to provide us with more flexibility. This commit fulfills the first big step of importing the package into smtp/. Also go-mail's own LoginAuth has been moved from auth/ into smtp/ to be consistent with the stdlib. There are still a couple of open issues (i. e. license adjustments and making golangci-lint happy) but so far all tests already work, which is a good start. 2023-01-10 00:38:42 +01:00			`func (a loginAuth) Start(server ServerInfo) (string, []byte, error) {`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`// Must have TLS, or else localhost server.`
			`// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.`
			`// In particular, it doesn't matter if the server advertises LOGIN auth.`
			`// That might just be the attacker saying`
			`// "it's ok, you can trust me with your password."`
Add support for unsecured SMTP LOGIN auth Implemented an option to allow SMTP LOGIN authentication over unencrypted channels by introducing a new `SMTPAuthLoginNoEnc` type. Updated relevant functions and tests to handle the new parameter for unsecured authentication. 2024-10-22 15:38:51 +02:00			`if !a.allowUnencryptedAuth && !server.TLS && !isLocalhost(server.Name) {`
Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`return "", nil, ErrUnencrypted`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`
			`if server.Name != a.host {`
Refactor error handling in SMTP authentication Centralized error definitions in `smtp/auth.go` and updated references in `auth_login.go` and `auth_plain.go`. This improves code maintainability and error consistency across the package. 2024-10-02 18:02:23 +02:00			`return "", nil, ErrWrongHostname`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`
Reset response step in AUTH LOGIN initialization The addition of `a.respStep = 0` resets the response step counter at the beginning of the AUTH LOGIN process. This ensures that the state starts correctly and avoids potential issues related to residual values from previous authentications. 2024-10-02 13:09:55 +02:00			`a.respStep = 0`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`return "LOGIN", nil, nil`
			`}`

Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`// Next processes responses from the server during the SMTP authentication exchange, sending the`
			`// username and password.`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {`
			`if more {`
Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`switch a.respStep {`
			`case 0:`
			`a.respStep++`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`return []byte(a.username), nil`
Enhance SMTP LOGIN auth and add comprehensive tests Refactored SMTP LOGIN auth to improve compatibility with various server responses, consolidating error handling and response steps. Added extensive tests to verify successful and failed authentication across different server configurations. 2024-10-02 12:37:54 +02:00			`case 1:`
			`a.respStep++`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`return []byte(a.password), nil`
Fix SMTP AUTH LOGIN method for servers with uncommon success messages This fixes #94 and basically reverts d0f0435. As James points out correctly in #94, we should not assume specific responses from the server. As long as the spec is followed and the server returns the correct SMTP code, we should not do our own magic. I've also extended the `getTestConnection` method in client_test.go, so that we can specify more test environment options like `TEST_PORT` and `TEST_TLS_SKIP_VERIFY`. This was needed for testing with the ProtonMail Bridge which listens on a different port and has non-trusted certificates. 2023-01-07 11:31:46 +01:00			`default:`
Refactor error handling in SMTP authentication Centralized error definitions in `smtp/auth.go` and updated references in `auth_login.go` and `auth_plain.go`. This improves code maintainability and error consistency across the package. 2024-10-02 18:02:23 +02:00			`return nil, fmt.Errorf("%w: %s", ErrUnexpectedServerResponse, string(fromServer))`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`
			`}`
Fix SMTP AUTH LOGIN method for servers with uncommon success messages This fixes #94 and basically reverts d0f0435. As James points out correctly in #94, we should not assume specific responses from the server. As long as the spec is followed and the server returns the correct SMTP code, we should not do our own magic. I've also extended the `getTestConnection` method in client_test.go, so that we can specify more test environment options like `TEST_PORT` and `TEST_TLS_SKIP_VERIFY`. This was needed for testing with the ProtonMail Bridge which listens on a different port and has non-trusted certificates. 2023-01-07 11:31:46 +01:00			`return nil, nil`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`