Merge pull request #3238 from Budibase/user-password-fix
Fix: Prevent user updates in multi tenant mode from deleting user password
This commit is contained in:
commit
320314ca3e
|
@ -9,6 +9,8 @@ const { createASession } = require("../../security/sessions")
|
|||
const { getTenantId } = require("../../tenancy")
|
||||
|
||||
const INVALID_ERR = "Invalid Credentials"
|
||||
const SSO_NO_PASSWORD = "SSO user does not have a password set"
|
||||
const EXPIRED = "This account has expired. Please reset your password"
|
||||
|
||||
exports.options = {
|
||||
passReqToCallback: true,
|
||||
|
@ -36,6 +38,19 @@ exports.authenticate = async function (ctx, email, password, done) {
|
|||
return authError(done, INVALID_ERR)
|
||||
}
|
||||
|
||||
// check that the user has a stored password before proceeding
|
||||
if (!dbUser.password) {
|
||||
if (
|
||||
(dbUser.account && dbUser.account.authType === "sso") || // root account sso
|
||||
dbUser.thirdPartyProfile // internal sso
|
||||
) {
|
||||
return authError(done, SSO_NO_PASSWORD)
|
||||
}
|
||||
|
||||
console.error("Non SSO usser has no password set", dbUser)
|
||||
return authError(done, EXPIRED)
|
||||
}
|
||||
|
||||
// authenticate
|
||||
if (await compare(password, dbUser.password)) {
|
||||
const sessionId = newid()
|
||||
|
|
|
@ -181,8 +181,8 @@ exports.saveUser = async (
|
|||
|
||||
// check budibase users in other tenants
|
||||
if (env.MULTI_TENANCY) {
|
||||
dbUser = await getTenantUser(email)
|
||||
if (dbUser != null && dbUser.tenantId !== tenantId) {
|
||||
const tenantUser = await getTenantUser(email)
|
||||
if (tenantUser != null && tenantUser.tenantId !== tenantId) {
|
||||
throw `Email address ${email} already in use.`
|
||||
}
|
||||
}
|
||||
|
|
|
@ -44,7 +44,7 @@
|
|||
}
|
||||
} catch (err) {
|
||||
console.error(err)
|
||||
notifications.error("Invalid credentials")
|
||||
notifications.error(err.message ? err.message : "Invalid Credentials")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -112,7 +112,7 @@ export function createAuthStore() {
|
|||
if (response.status === 200) {
|
||||
setUser(json.user)
|
||||
} else {
|
||||
throw "Invalid credentials"
|
||||
throw new Error(json.message ? json.message : "Invalid credentials")
|
||||
}
|
||||
return json
|
||||
},
|
||||
|
|
Loading…
Reference in New Issue