From fe0de086454da3381b79867c5cb9b9ad8aed2450 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Tue, 29 Mar 2022 21:46:09 +0100
Subject: [PATCH 1/2] Restore user autoregistration with email addresses

Unfortunately #18789 disabled autoregistration using email addresses as they would be shortcut to email address does not exist. This PR attempts to restore autoregistration by allowing an unknown email address to percolate through to the autoregistration path of UserSignin.
Fix #19256
Signed-off-by: Andrew Thornton
---
 services/auth/signin.go | 64 ++++++++++++++++++++++++-----------------
 1 file changed, 37 insertions(+), 27 deletions(-)

diff --git a/services/auth/signin.go b/services/auth/signin.go
index aa9a9660c039..ab4974649c74 100644
--- a/services/auth/signin.go
+++ b/services/auth/signin.go
@@ -23,19 +23,23 @@ import (
 // UserSignIn validates user name and password.
 func UserSignIn(username, password string) (*user_model.User, *auth.Source, error) {
 var user *user_model.User
+ isEmail := false
 if strings.Contains(username, "@") {
+ isEmail = true
 emailAddress := user_model.EmailAddress{LowerEmail: strings.ToLower(strings.TrimSpace(username))}
 // check same email
- has, err := db.GetEngine(db.DefaultContext).Where("is_activated=?", true).Get(&emailAddress)
+ has, err := db.GetEngine(db.DefaultContext).Get(&emailAddress)
 if err != nil {
 return nil, nil, err
 }
- if !has {
+ if !emailAddress.IsActivated {
 return nil, nil, user_model.ErrEmailAddressNotExist{
 Email: username,
 }
 }
- user = &user_model.User{ID: emailAddress.UID}
+ if has {
+ user = &user_model.User{ID: emailAddress.UID}
+ }
 } else {
 trimmedUsername := strings.TrimSpace(username)
 if len(trimmedUsername) == 0 {
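Review bot: In the first hunk, `isEmail` is declared as `false` and then set to `true` inside the branch whose condition it duplicates, so the flag and the `if` can drift apart in a later edit. Computing it once keeps them tied: `isEmail := strings.Contains(username, "@")` followed by `if isEmail {`. The flag later selects which not-found error the function returns, so its definition is worth keeping in one place. UserSignIn's body continues beyond this hunk.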
@@ -45,38 +49,40 @@ func UserSignIn(username, password string) (*user_model.User, *auth.Source, erro
 user = &user_model.User{LowerName: strings.ToLower(trimmedUsername)}
 }

- hasUser, err := user_model.GetUser(user)
- if err != nil {
- return nil, nil, err
- }
-
- if hasUser {
- source, err := auth.GetSourceByID(user.LoginSource)
+ if user != nil {
+ hasUser, err := user_model.GetUser(user)
 if err != nil {
 return nil, nil, err
 }

- if !source.IsActive {
- return nil, nil, oauth2.ErrAuthSourceNotActived
- }
+ if hasUser {
+ source, err := auth.GetSourceByID(user.LoginSource)
+ if err != nil {
+ return nil, nil, err
+ }

- authenticator, ok := source.Cfg.(PasswordAuthenticator)
- if !ok {
- return nil, nil, smtp.ErrUnsupportedLoginType
- }
+ if !source.IsActive {
+ return nil, nil, oauth2.ErrAuthSourceNotActived
+ }

- user, err := authenticator.Authenticate(user, user.LoginName, password)
- if err != nil {
- return nil, nil, err
- }
+ authenticator, ok := source.Cfg.(PasswordAuthenticator)
+ if !ok {
+ return nil, nil, smtp.ErrUnsupportedLoginType
+ }

- // WARN: DON'T check user.IsActive, that will be checked on reqSign so that
- // user could be hint to resend confirm email.
- if user.ProhibitLogin {
- return nil, nil, user_model.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
- }
+ user, err := authenticator.Authenticate(user, user.LoginName, password)
+ if err != nil {
+ return nil, nil, err
+ }

- return user, source, nil
+ // WARN: DON'T check user.IsActive, that will be checked on reqSign so that
+ // user could be hint to resend confirm email.
+ if user.ProhibitLogin {
+ return nil, nil, user_model.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
+ }
+
+ return user, source, nil
+ }
 }

 sources, err := auth.AllActiveSources()
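Review bot: The new `if user != nil {` guard has no comment saying when `user` can be nil, although that case is the reason for the change. As far as the visible lines show, it stays nil only when the input contained `@` and no matching address row was found, so a line such as `// user is nil for an unknown email address: skip the local lookup and let the active sources below try autoregistration` would mark the fall-through as deliberate. Inside the re-indented block, `user, err := authenticator.Authenticate(...)` still shadows the outer `user`; a distinct name would be easier to follow at this nesting depth. The function starts and ends outside the hunk.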
@@ -111,5 +117,9 @@ func UserSignIn(username, password string) (*user_model.User, *auth.Source, erro
 }
 }

+ if isEmail {
+ return nil, nil, user_model.ErrEmailAddressNotExist{Email: username}
+ }
+
 return nil, nil, user_model.ErrUserNotExist{Name: username}
 }

From a611e8b980c2d6b68bd3dbe75b1cfbff04625028 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Wed, 30 Mar 2022 21:17:39 +0100
Subject: [PATCH 2/2] only return notExist if the email address does exist but is not activated.
Signed-off-by: Andrew Thornton
---
 services/auth/signin.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/services/auth/signin.go b/services/auth/signin.go
index ab4974649c74..3ccf68c3a7ea 100644
--- a/services/auth/signin.go
+++ b/services/auth/signin.go
@@ -32,12 +32,12 @@ func UserSignIn(username, password string) (*user_model.User, *auth.Source, erro
 if err != nil {
 return nil, nil, err
 }
- if !emailAddress.IsActivated {
- return nil, nil, user_model.ErrEmailAddressNotExist{
- Email: username,
- }
- }
 if has {
+ if !emailAddress.IsActivated {
+ return nil, nil, user_model.ErrEmailAddressNotExist{
+ Email: username,
+ }
+ }
 user = &user_model.User{ID: emailAddress.UID}
 }
 } else {
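Review bot: In patch 2/2, the early return for an address that exists but is not activated carries no comment, and the error it returns, `ErrEmailAddressNotExist`, says the opposite of what the lookup just established. From the visible lines, this return is what keeps an unactivated address from being bound to its owner on the next line, so it deserves a line such as `// an address that is not activated yet must not be usable to sign in as its owner`. It also returns before any password check, whereas an unknown address appears to continue to the active sources, so the two cases may differ in response time even though the error type is the same; worth confirming that is acceptable. UserSignIn's body extends beyond this hunk.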