Merge pull request 'Do not render a different view when user is found but password invalid' (#87) from fabientot/guichet:prevent-bruteforce-on-login-form into main

Reviewed-on: Deuxfleurs/guichet#87

README.md

@@ -8,10 +8,10 @@ Guichet is a simple LDAP web interface for the following tasks:
 - administration of the LDAP directory
 - inviting new users to create accounts
 
-Guichet works well with the [Bottin](https://bottin.eu) LDAP server.
+Guichet works well with the [Bottin](https://git.deuxfleurs.fr/deuxfleurs/bottin) LDAP server.
 Currently, Guichet's templates are only in French as it has been created for
 the [Deuxfleurs](https://deuxfleurs.fr) collective.
-We would gladly merge a pull request with an English transaltion !
+We would gladly merge a pull request with an English translation !
 
 A Docker image is provided on the [Docker hub](https://hub.docker.com/r/lxpz/guichet_amd64).
 An example for running Guichet on a Nomad cluster can be found in `guichet.hcl.example`.
@@ -143,3 +143,62 @@ Here is an example of Bottin ACLs that may be used to support Guichet invitation
 
 Consult [this directory](https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/src/branch/main/app/directory/config)
 to view the full configuration in use on Deuxfleurs.
+
+## Contribute & local development
+
+Guichet needs a few components to work :
+- A Bottin server
+- that needs a consul server
+- And a Garage cluster (of at least one node)
+A basic consul / bottin stack is available through the docker compose file you can find in `integration` subdirectory:
+
+```sh
+cd integration
+docker compose up -d
+```
+
+You can then run Guichet locally :
+```sh
+# First, copy a sample config file
+copy config.json.example config.json
+
+# Run the go development server
+go run .
+```
+
+It will be available on http://localhost:9991.
+
+### First run
+
+#### How to get my admin password
+
+On first Bottin's run, it is displayed in the logs.  
+You can easily find it by reading the container logs :
+```sh
+docker compose logs bottin | grep password:
+```
+
+- The **username** is provided in the log, and should look like this: `cn=admin,dc=bottin,dc=eu`.
+- The **password** is right after in the same log line. 
+
+
+#### Garage
+⚠️ Be aware at this stage that your local Guichet installation is not 100% working, especially the websites features.   
+You need to initialise Garage. It can be done in a few commands, coming from [the official Garage's documentation](https://garagehq.deuxfleurs.fr/documentation/quick-start/):
+
+```sh
+# Find your Garage node ID
+docker compose exec garage /garage
+
+# Your id is eb820c8da5605f78 in the output below
+ID                Hostname      Address         Tags  Zone  Capacity          DataAvail
+eb820c8da5605f78  9bd710b31be0  127.0.0.1:3901              NO ROLE ASSIGNED
+
+# Then create a cluster layout with this id
+docker compose exec garage /garage layout assign -z dc1 -c 1G eb820c8da5605f78
+
+# Finally, apply the layout
+docker compose exec garage /garage layout apply
+```
+
+🎉 You now can go to http://localhost:9991/website without getting 503 errors.

main.go

@@ -237,8 +237,6 @@ func handleLogout(w http.ResponseWriter, r *http.Request) {
 // --- Login Controller ---
 type LoginFormData struct {
 	Username     string
-	WrongUser    bool
-	WrongPass    bool
 	ErrorMessage string
 }
 
@@ -266,10 +264,9 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 			data := &LoginFormData{
 				Username: username,
 			}
-			if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) {
-				data.WrongPass = true
-			} else if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
-				data.WrongUser = true
+			if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) ||
+				ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
+				data.ErrorMessage = "Le mot de passe et identifiant ne correspondent pas."
 			} else {
 				data.ErrorMessage = err.Error()
 			}

templates/garage_website_inspect.html

@@ -42,7 +42,12 @@
 		</p>
 	</div>
 	<div class="col-md-9">
-		<h2>{{ .View.Name.Url }}</h2>
+		<div class="d-flex justify-content-between align-items-center">
+			<h2>{{ .View.Name.Url }}</h2>
+			<div>
+				<a href="https://{{ .View.Name.Url }}" target="_blank" rel="noreferrer external" class="btn btn-dark">Visiter</a>
+			</div>
+		</div>
 
 		<!-- QUOTAS -->
 
@@ -94,7 +99,7 @@
 
 				<pre>
 sudo npm install -g dxfl
-dxfl login
+dxfl login {{ .Describe.Username }}
 				</pre>
 
 				<p>Pour déployer votre site contenu dans le dossier <code>public</code> :</p>
@@ -360,7 +365,7 @@ scp -oHostKeyAlgorithms=+ssh-rsa -P2222 -r ./public/ {{ .Describe.Username }}@sf
 
 	{{ if .View.Name.Expanded }}
 	<h5 class="mt-5">Vous ne savez pas comment configurer votre nom de domaine ?</h5>
-	<p> Le nom de domaine {{ .View.Name.Url }} n'est pas géré par Deuxfleurs, il vous revient donc de configurer la zone DNS. Vous devez ajouter une entrée <code>CNAME garage.deuxfleurs.fr</code> ou <code>ALIAS garage.deuxfleurs.fr</code> auprès de votre hébergeur DNS, qui est souvent aussi le bureau d'enregistrement (eg. Gandi, GoDaddy, BookMyName, etc.).</p>
+	<p> Le nom de domaine {{ .View.Name.Url }} n'est pas géré par Deuxfleurs, il vous revient donc de configurer la zone DNS. Vous devez ajouter une entrée <code>CNAME global.site.deuxfleurs.fr</code> ou <code>ALIAS global.site.deuxfleurs.fr</code> auprès de votre hébergeur DNS, qui est souvent aussi le bureau d'enregistrement (eg. Gandi, GoDaddy, BookMyName, etc.).</p>
 	{{ end }}
 
 

templates/login.html

@@ -4,15 +4,9 @@
 <h4>S'identifier</h4>
 
 <form method="POST">
-  {{if .WrongUser}}
-    <div class="alert alert-danger">Identifiant invalide.</div>
-  {{end}}
-  {{if .WrongPass}}
-    <div class="alert alert-danger">Mot de passe invalide.</div>
-  {{end}}
-  {{if .ErrorMessage}}
+  {{ with .ErrorMessage}}
     <div class="alert alert-danger">Impossible de se connecter.
-      <div style="font-size: 0.8em">{{ .ErrorMessage }}</div>
+      <div style="font-size: 0.8em">{{ . }}</div>
     </div>
   {{end}}
   <div class="form-group">