Merge pull request #12789 from Budibase/bug/BUDI-7896/incorrect-handling-of-short-passwords-in-user-invitation

[Bug] Incorrect handling of short passwords in user invitation
This commit is contained in:
Adria Navarro 2024-01-16 12:21:43 +01:00 committed by GitHub
commit 39b7a719e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 37 deletions

View File

@ -22,6 +22,7 @@ export enum LockName {
QUOTA_USAGE_EVENT = "quota_usage_event",
APP_MIGRATION = "app_migrations",
PROCESS_AUTO_COLUMNS = "process_auto_columns",
PROCESS_USER_INVITE = "process_user_invite",
}
export type LockOptions = {

View File

@ -12,6 +12,8 @@ import {
InviteUserRequest,
InviteUsersRequest,
InviteUsersResponse,
LockName,
LockType,
MigrationType,
SaveUserResponse,
SearchUsersRequest,
@ -27,6 +29,7 @@ import {
platform,
tenancy,
db,
locks,
} from "@budibase/backend-core"
import { checkAnyUserExists } from "../../../utilities/users"
import { isEmailConfigured } from "../../../utilities/email"
@ -380,9 +383,16 @@ export const inviteAccept = async (
) => {
const { inviteCode, password, firstName, lastName } = ctx.request.body
try {
await locks.doWithLock(
{
type: LockType.AUTO_EXTEND,
name: LockName.PROCESS_USER_INVITE,
resource: inviteCode,
systemLock: true,
},
async () => {
// info is an extension of the user object that was stored by global
const { email, info }: any = await cache.invite.getCode(inviteCode)
await cache.invite.deleteCode(inviteCode)
const { email, info } = await cache.invite.getCode(inviteCode)
const user = await tenancy.doInTenant(info.tenantId, async () => {
let request: any = {
firstName,
@ -393,7 +403,7 @@ export const inviteAccept = async (
roles: info.apps,
tenantId: info.tenantId,
}
let builder: { global: boolean; apps?: string[] } = {
const builder: { global: boolean; apps?: string[] } = {
global: info?.builder?.global || false,
}
@ -408,23 +418,25 @@ export const inviteAccept = async (
}
const saved = await userSdk.db.save(request)
const db = tenancy.getGlobalDB()
const user = await db.get<User>(saved._id)
await events.user.inviteAccepted(user)
await events.user.inviteAccepted(saved)
return saved
})
await cache.invite.deleteCode(inviteCode)
ctx.body = {
_id: user._id!,
_rev: user._rev!,
email: user.email,
}
}
)
} catch (err: any) {
if (err.code === ErrorCode.USAGE_LIMIT_EXCEEDED) {
// explicitly re-throw limit exceeded errors
ctx.throw(400, err)
}
console.warn("Error inviting user", err)
ctx.throw(400, "Unable to create new user, invitation invalid.")
ctx.throw(400, err || "Unable to create new user, invitation invalid.")
}
}