From 4429ba2da1ddea1d99bfefb8f6d57c53c04983e1 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Mon, 4 Jul 2022 18:08:41 +0200
Subject: [PATCH] fix(caldav): make sure the caldav tokens of non-local
 accounts are properly checked

---
 pkg/routes/caldav/auth.go | 11 ++++++-----
 pkg/user/error.go         | 27 +++++++++++++++++++++++++++
 pkg/user/user.go          |  4 ++++
 3 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/pkg/routes/caldav/auth.go b/pkg/routes/caldav/auth.go
index 8b9a9d4ed..273915418 100644
--- a/pkg/routes/caldav/auth.go
+++ b/pkg/routes/caldav/auth.go
@@ -28,14 +28,15 @@ import (
 )
 
 func BasicAuth(username, password string, c echo.Context) (bool, error) {
-	creds := &user.Login{
+	s := db.NewSession()
+	defer s.Close()
+
+	credentials := &user.Login{
 		Username: username,
 		Password: password,
 	}
-	s := db.NewSession()
-	defer s.Close()
-	u, err := user.CheckUserCredentials(s, creds)
-	if err != nil && !user.IsErrWrongUsernameOrPassword(err) {
+	u, err := user.CheckUserCredentials(s, credentials)
+	if err != nil && !user.IsErrWrongUsernameOrPassword(err) && !user.IsErrAccountIsNotLocal(err) {
 		log.Errorf("Error during basic auth for caldav: %v", err)
 		return false, nil
 	}
diff --git a/pkg/user/error.go b/pkg/user/error.go
index 089eef1b9..88c4f5766 100644
--- a/pkg/user/error.go
+++ b/pkg/user/error.go
@@ -452,3 +452,30 @@ func (err *ErrAccountDisabled) HTTPError() web.HTTPError {
 		Message:  "This account is disabled. Check your emails or ask your administrator.",
 	}
 }
+
+// ErrAccountIsNotLocal represents a "AccountIsNotLocal" kind of error.
+type ErrAccountIsNotLocal struct {
+	UserID int64
+}
+
+// IsErrAccountIsNotLocal checks if an error is a ErrAccountIsNotLocal.
+func IsErrAccountIsNotLocal(err error) bool {
+	_, ok := err.(*ErrAccountIsNotLocal)
+	return ok
+}
+
+func (err *ErrAccountIsNotLocal) Error() string {
+	return "Account is not local"
+}
+
+// ErrCodeAccountIsNotLocal holds the unique world-error code of this error
+const ErrCodeAccountIsNotLocal = 1021
+
+// HTTPError holds the http error description
+func (err *ErrAccountIsNotLocal) HTTPError() web.HTTPError {
+	return web.HTTPError{
+		HTTPCode: http.StatusPreconditionFailed,
+		Code:     ErrCodeAccountIsNotLocal,
+		Message:  "This account is managed by a third-party authentication provider.",
+	}
+}
diff --git a/pkg/user/user.go b/pkg/user/user.go
index 802fb27ce..6224617eb 100644
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@@ -314,6 +314,10 @@ func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
 		return nil, ErrWrongUsernameOrPassword{}
 	}
 
+	if user.Issuer != IssuerLocal {
+		return user, &ErrAccountIsNotLocal{UserID: user.ID}
+	}
+
 	// The user is invalid if they need to verify their email address
 	if user.Status == StatusEmailConfirmationRequired {
 		return &User{}, ErrEmailNotConfirmed{UserID: user.ID}