mirror of
https://github.com/wneessen/go-mail.git
synced 2024-11-15 10:22:56 +01:00
Winni Neessen
f5531eae14
Implemented a new SMTPAuthPlainNoEnc option to allow PLAIN authentication over unencrypted connections. Refactored the PlainAuth function to accept an additional allowUnencryptedAuth parameter. Updated relevant tests to cover the new authentication method.
57 lines
2.2 KiB
Go
57 lines
2.2 KiB
Go
// SPDX-FileCopyrightText: Copyright 2010 The Go Authors. All rights reserved.
|
|
// SPDX-FileCopyrightText: Copyright (c) 2022-2023 The go-mail Authors
|
|
//
|
|
// Original net/smtp code from the Go stdlib by the Go Authors.
|
|
// Use of this source code is governed by a BSD-style
|
|
// LICENSE file that can be found in this directory.
|
|
//
|
|
// go-mail specific modifications by the go-mail Authors.
|
|
// Licensed under the MIT License.
|
|
// See [PROJECT ROOT]/LICENSES directory for more information.
|
|
//
|
|
// SPDX-License-Identifier: BSD-3-Clause AND MIT
|
|
|
|
package smtp
|
|
|
|
// plainAuth is the type that satisfies the Auth interface for the "SMTP PLAIN" auth
|
|
type plainAuth struct {
|
|
identity, username, password string
|
|
host string
|
|
allowUnencryptedAuth bool
|
|
}
|
|
|
|
// PlainAuth returns an [Auth] that implements the PLAIN authentication
|
|
// mechanism as defined in RFC 4616. The returned Auth uses the given
|
|
// username and password to authenticate to host and act as identity.
|
|
// Usually identity should be the empty string, to act as username.
|
|
//
|
|
// PlainAuth will only send the credentials if the connection is using TLS
|
|
// or is connected to localhost. Otherwise authentication will fail with an
|
|
// error, without sending the credentials.
|
|
func PlainAuth(identity, username, password, host string, allowUnEnc bool) Auth {
|
|
return &plainAuth{identity, username, password, host, allowUnEnc}
|
|
}
|
|
|
|
func (a *plainAuth) Start(server *ServerInfo) (string, []byte, error) {
|
|
// Must have TLS, or else localhost server.
|
|
// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
|
|
// In particular, it doesn't matter if the server advertises PLAIN auth.
|
|
// That might just be the attacker saying
|
|
// "it's ok, you can trust me with your password."
|
|
if !a.allowUnencryptedAuth && !server.TLS && !isLocalhost(server.Name) {
|
|
return "", nil, ErrUnencrypted
|
|
}
|
|
if server.Name != a.host {
|
|
return "", nil, ErrWrongHostname
|
|
}
|
|
resp := []byte(a.identity + "\x00" + a.username + "\x00" + a.password)
|
|
return "PLAIN", resp, nil
|
|
}
|
|
|
|
func (a *plainAuth) Next(_ []byte, more bool) ([]byte, error) {
|
|
if more {
|
|
// We've already sent everything.
|
|
return nil, ErrUnexpectedServerChallange
|
|
}
|
|
return nil, nil
|
|
}
|