authorDevaev Maxim <[email protected]>2020-05-15 17:30:14 +0300
committerDevaev Maxim <[email protected]>2020-05-16 17:35:10 +0300
commit2eef3061ce8e3222da7864bfe4fd2bf767b5e5f1 (patch)
treef9adc498cc1ebc5362489bd9ae550a36dec4f0a0 /kvmd/plugins
parenta364e689c6d944be90ce80ad34594b21309cdb05 (diff)
improved security checks
Diffstat (limited to 'kvmd/plugins')
-rw-r--r--kvmd/plugins/auth/htpasswd.py2
-rw-r--r--kvmd/plugins/auth/http.py2
-rw-r--r--kvmd/plugins/auth/pam.py2
3 files changed, 6 insertions, 0 deletions
diff --git a/kvmd/plugins/auth/htpasswd.py b/kvmd/plugins/auth/htpasswd.py
index 94e29711..045475f8 100644
--- a/kvmd/plugins/auth/htpasswd.py
+++ b/kvmd/plugins/auth/htpasswd.py
@@ -43,5 +43,7 @@ class Plugin(BaseAuthService):
}
async def authorize(self, user: str, passwd: str) -> bool:
+ assert user == user.strip()
+ assert user
htpasswd = passlib.apache.HtpasswdFile(self.__path)
return htpasswd.check_password(user, passwd)
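Review bot: The two `assert` lines added at the top of `authorize` are the only validation of `user` visible in this hunk, and Python strips `assert` statements under `-O` or `PYTHONOPTIMIZE`, so the check silently disappears in optimized mode. When it does fire, it raises `AssertionError` rather than returning a failed login. An explicit guard such as `if not user or user != user.strip(): return False` would keep the check in every interpreter mode and fail closed. The same two lines are added to `authorize` in kvmd/plugins/auth/http.py and kvmd/plugins/auth/pam.py, so the point applies there as well. If the caller already validates the name (not visible from here), a short comment such as `# invariant: caller passes a validated, stripped login` would make that intent clear.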
diff --git a/kvmd/plugins/auth/http.py b/kvmd/plugins/auth/http.py
index 66e23ea1..4cba34fe 100644
--- a/kvmd/plugins/auth/http.py
+++ b/kvmd/plugins/auth/http.py
@@ -71,6 +71,8 @@ class Plugin(BaseAuthService):
}
async def authorize(self, user: str, passwd: str) -> bool:
+ assert user == user.strip()
+ assert user
session = self.__ensure_session()
try:
async with session.request(
diff --git a/kvmd/plugins/auth/pam.py b/kvmd/plugins/auth/pam.py
index bb364c8c..bcdde5e4 100644
--- a/kvmd/plugins/auth/pam.py
+++ b/kvmd/plugins/auth/pam.py
@@ -67,6 +67,8 @@ class Plugin(BaseAuthService):
}
async def authorize(self, user: str, passwd: str) -> bool:
+ assert user == user.strip()
+ assert user
async with self.__lock:
return (await aiotools.run_async(self.__inner_authorize, user, passwd))