Allow clients to retry authentication after it failed

progval · spb · commit b5ef1401e061 · 2026-02-08T13:49:23.000Z
eg. because of invalid password
diff --git a/sable_ircd/src/client.rs b/sable_ircd/src/client.rs
@@ -80,8 +80,8 @@ pub struct PreClient {
     pub realname: OnceLock<Realname>,
     #[serde_as(as = "WrapOption<Hostname>")]
     pub hostname: OnceLock<Hostname>,
-    #[serde_as(as = "WrapOption<SaslSessionId>")]
-    pub sasl_session: OnceLock<SaslSessionId>,
+    #[serde(skip, default = "Default::default")]
+    pub sasl_session: tokio::sync::Mutex<Option<SaslSessionId>>,
     #[serde_as(as = "WrapOption<AccountId>")]
     pub sasl_account: OnceLock<AccountId>,
 
@@ -240,7 +240,7 @@ impl PreClient {
             nick: OnceLock::new(),
             realname: OnceLock::new(),
             hostname: OnceLock::new(),
-            sasl_session: OnceLock::new(),
+            sasl_session: tokio::sync::Mutex::new(None),
             sasl_account: OnceLock::new(),
             progress_flags: AtomicU32::new(0),
         }
diff --git a/sable_ircd/src/command/handlers/services/sasl.rs b/sable_ircd/src/command/handlers/services/sasl.rs
@@ -16,17 +16,17 @@ async fn handle_authenticate(
     services: Conditional<ServicesTarget<'_>>,
     text: &str,
 ) -> CommandResult {
-    let authenticate_request = if let Some(session) = source.sasl_session.get() {
+    let mut session_ref = source.sasl_session.lock().await;
+    let authenticate_request = if let Some(session) = *session_ref {
         // A session already exists, so the argument is "*" or base64-encoded session data
+        tracing::debug!(?session, "Resuming SASL session");
         if text == "*" {
-            RemoteServicesServerRequestType::AbortAuthenticate(*session)
+            RemoteServicesServerRequestType::AbortAuthenticate(session)
         } else {
-            let Ok(data) = BASE64_STANDARD.decode(text) else {
-                response.numeric(make_numeric!(SaslFail));
-                return Ok(());
-            };
-
-            RemoteServicesServerRequestType::Authenticate(*session, data)
+            match BASE64_STANDARD.decode(text) {
+                Err(_) => RemoteServicesServerRequestType::FailAuthenticate(session),
+                Ok(data) => RemoteServicesServerRequestType::Authenticate(session, data),
+            }
         }
     } else {
         // No session, so the argument is the mechanism name
@@ -46,13 +46,15 @@ async fn handle_authenticate(
 
         // Special case for EXTERNAL, which we can handle without going to services
         if text == "EXTERNAL" {
+            drop(session_ref); // release lock, which borrows 'source'
             return do_sasl_external(source, cmd.connection(), net, response);
         }
 
         let mechanism = text.to_owned();
 
         let session = server.ids().next();
-        source.sasl_session.set(session).ok();
+        *session_ref = Some(session);
+        tracing::debug!(?session, "Beginning new SASL session ");
 
         RemoteServicesServerRequestType::BeginAuthenticate(session, mechanism)
     };
@@ -88,9 +90,11 @@ async fn handle_authenticate(
                     response.numeric(make_numeric!(SaslSuccess));
                 }
                 Fail => {
+                    *session_ref = None;
                     response.numeric(make_numeric!(SaslFail));
                 }
                 Aborted => {
+                    *session_ref = None;
                     response.numeric(make_numeric!(SaslAborted));
                 }
             }
diff --git a/sable_network/src/rpc/network_message.rs b/sable_network/src/rpc/network_message.rs
@@ -72,8 +72,10 @@ pub enum RemoteServicesServerRequestType {
     BeginAuthenticate(SaslSessionId, String),
     /// SASL traffic
     Authenticate(SaslSessionId, Vec<u8>),
-    /// Abort a SASL session
+    /// Abort a SASL session, sends error to client
     AbortAuthenticate(SaslSessionId),
+    /// Abort a SASL session, don't send error to client
+    FailAuthenticate(SaslSessionId),
     /// Register a channel
     RegisterChannel(AccountId, ChannelId),
     /// Add, modify or remove a channel access (None to delete)
diff --git a/sable_services/src/server/command/sasl_commands.rs b/sable_services/src/server/command/sasl_commands.rs
@@ -50,4 +50,9 @@ impl<DB: DatabaseConnection> ServicesServer<DB> {
         self.sasl_sessions.remove(&session_id);
         Ok(Authenticate(Aborted).into())
     }
+
+    pub fn fail_authenticate(&self, session_id: SaslSessionId) -> CommandResult {
+        self.sasl_sessions.remove(&session_id);
+        Ok(Authenticate(Fail).into())
+    }
 }
diff --git a/sable_services/src/server/mod.rs b/sable_services/src/server/mod.rs
@@ -194,6 +194,11 @@ where
 
                     self.abort_authenticate(session)
                 }
+                FailAuthenticate(session) => {
+                    tracing::debug!(?session, "Got fail authenticate");
+
+                    self.fail_authenticate(session)
+                }
                 AddAccountFingerprint(acc, fp) => {
                     tracing::debug!(?acc, ?fp, "Got add fingerprint");
 

Original file line number	Diff line number	Diff line change
`@@ -50,4 +50,9 @@ impl<DB: DatabaseConnection> ServicesServer<DB> {`
`50`	`50`	`self.sasl_sessions.remove(&session_id);`
`51`	`51`	`Ok(Authenticate(Aborted).into())`
`52`	`52`	`}`
	`53`	`+`
	`54`	`+ pub fn fail_authenticate(&self, session_id: SaslSessionId) -> CommandResult {`
	`55`	`+ self.sasl_sessions.remove(&session_id);`
	`56`	`+ Ok(Authenticate(Fail).into())`
	`57`	`+ }`
`53`	`58`	`}`