From c83684ed830d8577b843ddd398b4dd8d9600c1db Mon Sep 17 00:00:00 2001 From: Rory Powell Date: Wed, 1 Mar 2023 14:49:44 +0000 Subject: [PATCH 1/3] Prevent showing user exists for password disabled actions --- .../backend-core/src/middleware/authenticated.ts | 3 ++- .../worker/src/api/controllers/global/auth.ts | 2 +- .../src/api/routes/global/tests/auth.spec.ts | 16 +++------------- packages/worker/src/sdk/auth/auth.ts | 2 +- packages/worker/src/tests/api/auth.ts | 12 +++++++----- 5 files changed, 14 insertions(+), 21 deletions(-) diff --git a/packages/backend-core/src/middleware/authenticated.ts b/packages/backend-core/src/middleware/authenticated.ts index d7e6346b3f..0708581570 100644 --- a/packages/backend-core/src/middleware/authenticated.ts +++ b/packages/backend-core/src/middleware/authenticated.ts @@ -154,7 +154,8 @@ export default function ( return next() } } catch (err: any) { - console.error("Auth Error", err?.message || err) + console.error(`Auth Error: ${err.message}`) + console.error(err) // invalid token, clear the cookie if (err && err.name === "JsonWebTokenError") { clearCookie(ctx, Cookie.Auth) diff --git a/packages/worker/src/api/controllers/global/auth.ts b/packages/worker/src/api/controllers/global/auth.ts index 92cf014a48..362723abd9 100644 --- a/packages/worker/src/api/controllers/global/auth.ts +++ b/packages/worker/src/api/controllers/global/auth.ts @@ -62,7 +62,7 @@ export const login = async (ctx: Ctx, next: any) => { const user = await userSdk.getUserByEmail(email) if (user && (await userSdk.isPreventPasswordActions(user))) { - ctx.throw(400, "Password login is disabled for this user") + ctx.throw(403, "Invalid credentials") } return passport.authenticate( diff --git a/packages/worker/src/api/routes/global/tests/auth.spec.ts b/packages/worker/src/api/routes/global/tests/auth.spec.ts index 9b5392fc73..f79bfb538c 100644 --- a/packages/worker/src/api/routes/global/tests/auth.spec.ts +++ b/packages/worker/src/api/routes/global/tests/auth.spec.ts @@ -106,12 +106,12 @@ describe("/api/global/auth", () => { tenantId, email, password, - { status: 400 } + { status: 403 } ) expect(response.body).toEqual({ - message: "Password login is disabled for this user", - status: 400, + message: "Invalid credentials", + status: 403, }) } @@ -171,17 +171,7 @@ describe("/api/global/auth", () => { const { res } = await config.api.auth.requestPasswordReset( sendMailMock, user.email, - { status: 400 } ) - - expect(res.body).toEqual({ - message: "Password reset is disabled for this user", - status: 400, - error: { - code: "http", - type: "generic", - }, - }) expect(sendMailMock).not.toHaveBeenCalled() } diff --git a/packages/worker/src/sdk/auth/auth.ts b/packages/worker/src/sdk/auth/auth.ts index 8e9cff18dd..98830c576d 100644 --- a/packages/worker/src/sdk/auth/auth.ts +++ b/packages/worker/src/sdk/auth/auth.ts @@ -59,7 +59,7 @@ export const reset = async (email: string) => { // exit if user has sso if (await userSdk.isPreventPasswordActions(user)) { - throw new HTTPError("Password reset is disabled for this user", 400) + return } // send password reset diff --git a/packages/worker/src/tests/api/auth.ts b/packages/worker/src/tests/api/auth.ts index bd0471ca74..552d4da505 100644 --- a/packages/worker/src/tests/api/auth.ts +++ b/packages/worker/src/tests/api/auth.ts @@ -61,11 +61,13 @@ export class AuthAPI extends TestAPI { let code: string | undefined if (res.status === 200) { - const emailCall = sendMailMock.mock.calls[0][0] - const parts = emailCall.html.split( - `http://localhost:10000/builder/auth/reset?code=` - ) - code = parts[1].split('"')[0].split("&")[0] + if (sendMailMock.mock.calls.length) { + const emailCall = sendMailMock.mock.calls[0][0] + const parts = emailCall.html.split( + `http://localhost:10000/builder/auth/reset?code=` + ) + code = parts[1].split('"')[0].split("&")[0] + } } return { code, res } From 467ad71dcc93ddbd739a74aa2848071c66e7c568 Mon Sep 17 00:00:00 2001 From: Rory Powell Date: Wed, 1 Mar 2023 15:30:15 +0000 Subject: [PATCH 2/3] Move enforceable sso to enterprise --- .../builder/src/pages/builder/portal/settings/auth/index.svelte | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/builder/src/pages/builder/portal/settings/auth/index.svelte b/packages/builder/src/pages/builder/portal/settings/auth/index.svelte index af272b5d7c..0e82dd31e7 100644 --- a/packages/builder/src/pages/builder/portal/settings/auth/index.svelte +++ b/packages/builder/src/pages/builder/portal/settings/auth/index.svelte @@ -368,7 +368,7 @@ {#if !$licensing.enforceableSSO} - Business plan + Enterprise plan {/if} From 6917abb6e70530590712f480f5b3d9a84096423d Mon Sep 17 00:00:00 2001 From: Rory Powell Date: Wed, 1 Mar 2023 15:31:46 +0000 Subject: [PATCH 3/3] lint --- packages/worker/src/api/routes/global/tests/auth.spec.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/worker/src/api/routes/global/tests/auth.spec.ts b/packages/worker/src/api/routes/global/tests/auth.spec.ts index f79bfb538c..6c133df652 100644 --- a/packages/worker/src/api/routes/global/tests/auth.spec.ts +++ b/packages/worker/src/api/routes/global/tests/auth.spec.ts @@ -170,7 +170,7 @@ describe("/api/global/auth", () => { async function testSSOUser() { const { res } = await config.api.auth.requestPasswordReset( sendMailMock, - user.email, + user.email ) expect(sendMailMock).not.toHaveBeenCalled() }