Fix: Prevent user updates in multi tenant mode from deleting user password. Also forward the authentication error from the backend to the login page to warn when an sso user is trying to log in with a password when one is not present
This commit is contained in:
Rory Powell
parent
484a38c9f5
commit
fbaedd6a34
|
|
@ -9,6 +9,7 @@ const { createASession } = require("../../security/sessions")
|
||||||
const { getTenantId } = require("../../tenancy")
|
const { getTenantId } = require("../../tenancy")
|
||||||
|
|
||||||
const INVALID_ERR = "Invalid Credentials"
|
const INVALID_ERR = "Invalid Credentials"
|
||||||
|
const SSO_NO_PASSWORD = "SSO user does not have a password set"
|
||||||
|
|
||||||
exports.options = {
|
exports.options = {
|
||||||
passReqToCallback: true,
|
passReqToCallback: true,
|
||||||
|
|
@ -36,6 +37,19 @@ exports.authenticate = async function (ctx, email, password, done) {
|
||||||
return authError(done, INVALID_ERR)
|
return authError(done, INVALID_ERR)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// check that the user has a stored password before proceeding
|
||||||
|
if (!dbUser.password) {
|
||||||
|
if (
|
||||||
|
(dbUser.account && dbUser.account.authType === "sso") || // root account sso
|
||||||
|
dbUser.thirdPartyProfile // internal sso
|
||||||
|
) {
|
||||||
|
return authError(done, SSO_NO_PASSWORD)
|
||||||
|
}
|
||||||
|
|
||||||
|
console.error("User has no password", dbUser)
|
||||||
|
return authError(done, INVALID_ERR)
|
||||||
|
}
|
||||||
|
|
||||||
// authenticate
|
// authenticate
|
||||||
if (await compare(password, dbUser.password)) {
|
if (await compare(password, dbUser.password)) {
|
||||||
const sessionId = newid()
|
const sessionId = newid()
|
||||||
|
|
|
||||||
|
|
@ -181,8 +181,8 @@ exports.saveUser = async (
|
||||||
|
|
||||||
// check budibase users in other tenants
|
// check budibase users in other tenants
|
||||||
if (env.MULTI_TENANCY) {
|
if (env.MULTI_TENANCY) {
|
||||||
dbUser = await getTenantUser(email)
|
const tenantUser = await getTenantUser(email)
|
||||||
if (dbUser != null && dbUser.tenantId !== tenantId) {
|
if (tenantUser != null && tenantUser.tenantId !== tenantId) {
|
||||||
throw `Email address ${email} already in use.`
|
throw `Email address ${email} already in use.`
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -44,7 +44,7 @@
|
||||||
}
|
}
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.error(err)
|
console.error(err)
|
||||||
notifications.error("Invalid credentials")
|
notifications.error(err.message ? err.message : "Invalid Credentials")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -112,7 +112,7 @@ export function createAuthStore() {
|
||||||
if (response.status === 200) {
|
if (response.status === 200) {
|
||||||
setUser(json.user)
|
setUser(json.user)
|
||||||
} else {
|
} else {
|
||||||
throw "Invalid credentials"
|
throw new Error(json.message ? json.message : "Invalid credentials")
|
||||||
}
|
}
|
||||||
return json
|
return json
|
||||||
},
|
},
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue