From cd51f2f6522cf763229d480ee67874241168bc1b Mon Sep 17 00:00:00 2001
From: Alejandro Alonso
Date: Mon, 19 Aug 2024 15:42:54 +0200
Subject: [PATCH] :sparkles: Improve disabled registry flows

---
 CHANGES.md                                    | 6 ++
 backend/src/app/rpc/commands/auth.clj         | 9 +-
 backend/src/app/rpc/commands/verify_token.clj | 18 ++--
 .../test/backend_tests/rpc_profile_test.clj   | 91 +++++++++++++++----
 frontend/src/app/main/ui/auth/register.cljs   | 3 +-
 version.txt                                   | 2 +-
 6 files changed, 99 insertions(+), 30 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 5544b031e..0aa485362 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,12 @@
 
 ### :bug: Bugs fixed
 
+- Don't allow registry with email and password, if password login is disabled (invitation workflow) [Github #4975](https://github.com/penpot/penpot/issues/4975)
+
+## 2.1.2
+
+### :bug: Bugs fixed
+
 - User switch language to "zh_hant" will get 400 [Github #4884](https://github.com/penpot/penpot/issues/4884)
 - Smtp config ignoring port if ssl is set [Github #4872](https://github.com/penpot/penpot/issues/4872)
 - Ability to let users to authenticate with a private oidc provider only [Github #4963](https://github.com/penpot/penpot/issues/4963)
diff --git a/backend/src/app/rpc/commands/auth.clj b/backend/src/app/rpc/commands/auth.clj
index abb0fcf26..33cf52b7d 100644
--- a/backend/src/app/rpc/commands/auth.clj
+++ b/backend/src/app/rpc/commands/auth.clj
@@ -180,10 +180,11 @@
 
 (defn- validate-register-attempt!
   [cfg params]
-  (when-not (contains? cf/flags :registration)
-    (when-not (contains? params :invitation-token)
-      (ex/raise :type :restriction
-                :code :registration-disabled)))
+  (when (or
+         (not (contains? cf/flags :registration))
+         (not (contains? cf/flags :login-with-password)))
+    (ex/raise :type :restriction
+              :code :registration-disabled))
 
   (when (contains? params :invitation-token)
     (let [invitation (tokens/verify (::setup/props cfg)
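Review bot: The `:registration-disabled` code on the new `ex/raise` is now returned for two different causes — the `:registration` flag missing or the `:login-with-password` flag missing — so a caller cannot tell which one blocked the attempt; keeping the `:type`/`:code` but adding a hint naming the missing flag, e.g. `:hint "password registration disabled"`, would make the restriction diagnosable. The rewrite also drops the former `:invitation-token` exemption, so an invited user can no longer register with email and password while `:registration` is off, which the CHANGES.md entry in this patch (it only mentions password login) does not state; a comment above the `when` such as `;; Email+password registration requires both flags; this applies even when an invitation token is present` would record the intent. `validate-register-attempt!` continues past the end of the hunk.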
diff --git a/backend/src/app/rpc/commands/verify_token.clj b/backend/src/app/rpc/commands/verify_token.clj
index 14c9024bc..a5c96ddd8 100644
--- a/backend/src/app/rpc/commands/verify_token.clj
+++ b/backend/src/app/rpc/commands/verify_token.clj
@@ -8,6 +8,7 @@
   (:require
    [app.common.exceptions :as ex]
    [app.common.spec :as us]
+   [app.config :as cf]
    [app.db :as db]
    [app.db.sql :as-alias sql]
    [app.http.session :as session]
@@ -152,11 +153,12 @@
 
   (us/verify! ::team-invitation-claims claims)
 
-  (let [invitation (db/get* conn :team-invitation
-                            {:team-id team-id :email-to member-email})
-        profile (db/get* conn :profile
-                         {:id profile-id}
-                         {:columns [:id :email]})]
+  (let [invitation (db/get* conn :team-invitation
+                            {:team-id team-id :email-to member-email})
+        profile (db/get* conn :profile
+                         {:id profile-id}
+                         {:columns [:id :email]})
+        registration-disabled? (not (contains? cf/flags :registration))]
     (when (nil? invitation)
       (ex/raise :type :validation
                 :code :invalid-token
@@ -185,12 +187,12 @@
                 :hint "logged-in user does not matches the invitation"))
 
     ;; If we have not logged-in user, and invitation comes with member-id we
-    ;; redirect user to login, if no memeber-id is present in the invitation
-    ;; token, we redirect user the the register page.
+    ;; redirect user to login, if no memeber-id is present and in the invitation
+    ;; token and registration is enabled, we redirect user the the register page.
     {:invitation-token token
      :iss :team-invitation
-     :redirect-to (if member-id :auth-login :auth-register)
+     :redirect-to (if (or member-id registration-disabled?) :auth-login :auth-register)
      :state :pending})))
 
 ;; --- Default
diff --git a/backend/test/backend_tests/rpc_profile_test.clj b/backend/test/backend_tests/rpc_profile_test.clj
index 7a90c9a81..1bd49db48 100644
--- a/backend/test/backend_tests/rpc_profile_test.clj
+++ b/backend/test/backend_tests/rpc_profile_test.clj
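Review bot: `registration-disabled?`, bound in the previous hunk of this file, only looks at the `:registration` flag, while `validate-register-attempt!` in auth.clj in this same patch rejects when either `:registration` or `:login-with-password` is absent; so with registration enabled but password login disabled, an invitation without `member-id` is still redirected to `:auth-register`, where the backend would reject a password registration. If that is intended because the register page still offers the alternative login buttons, say so next to the binding; otherwise fold `:login-with-password` into the same `or`. The updated comment also reads awkwardly (`present and in the`, `the the`, `memeber-id`); suggested wording: `;; redirect user to login; if no member-id is present in the invitation token and registration is enabled, we redirect user to the register page.` The enclosing method starts before this hunk.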
@@ -505,6 +505,54 @@
       (t/is (nil? (:error out)))
       (t/is (= 0 (:call-count @mock))))))))
 
+(t/deftest prepare-and-register-with-invitation-and-enabled-registration-1
+  (let [sprops (:app.setup/props th/*system*)
+        itoken (tokens/generate sprops
+                                {:iss :team-invitation
+                                 :exp (dt/in-future "48h")
+                                 :role :editor
+                                 :team-id uuid/zero
+                                 :member-email "user@example.com"})
+        data {::th/type :prepare-register-profile
+              :invitation-token itoken
+              :email "user@example.com"
+              :password "foobar"}
+
+        {:keys [result error] :as out} (th/command! data)]
+    (t/is (nil? error))
+    (t/is (map? result))
+    (t/is (string? (:token result)))
+
+    (let [rtoken (:token result)
+          data {::th/type :register-profile
+                :token rtoken
+                :fullname "foobar"}
+
+          {:keys [result error] :as out} (th/command! data)]
+      ;; (th/print-result! out)
+      (t/is (nil? error))
+      (t/is (map? result))
+      (t/is (string? (:invitation-token result))))))
+
+(t/deftest prepare-and-register-with-invitation-and-enabled-registration-2
+  (let [sprops (:app.setup/props th/*system*)
+        itoken (tokens/generate sprops
+                                {:iss :team-invitation
+                                 :exp (dt/in-future "48h")
+                                 :role :editor
+                                 :team-id uuid/zero
+                                 :member-email "user2@example.com"})
+
+        data {::th/type :prepare-register-profile
+              :invitation-token itoken
+              :email "user@example.com"
+              :password "foobar"}
+        out (th/command! data)]
+
+    (t/is (not (th/success? out)))
+    (let [edata (-> out :error ex-data)]
+      (t/is (= :restriction (:type edata)))
+      (t/is (= :email-does-not-match-invitation (:code edata))))))
 
 (t/deftest prepare-and-register-with-invitation-and-disabled-registration-1
   (with-redefs [app.config/flags [:disable-registration]]
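Review bot: `prepare-and-register-with-invitation-and-enabled-registration-1` and `-2` do not pin `app.config/flags`, unlike the `disabled-*` tests that follow them, so they depend on the harness default flags containing both `:registration` and `:login-with-password`; wrapping them in `with-redefs` on `app.config/flags` with both flags enabled would make the scenario explicit and keep them meaningful if the defaults change. The `;; (th/print-result! out)` line in the first test looks like leftover debugging and can be dropped. Both tests repeat the same `tokens/generate` setup the neighbouring tests use; a small helper taking the member email would shorten them.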
@@ -519,22 +567,12 @@
                 :invitation-token itoken
                 :email "user@example.com"
                 :password "foobar"}
+          out (th/command! data)]
 
-          {:keys [result error] :as out} (th/command! data)]
-      (t/is (nil? error))
-      (t/is (map? result))
-      (t/is (string? (:token result)))
-
-      (let [rtoken (:token result)
-            data {::th/type :register-profile
-                  :token rtoken
-                  :fullname "foobar"}
-
-            {:keys [result error] :as out} (th/command! data)]
-        ;; (th/print-result! out)
-        (t/is (nil? error))
-        (t/is (map? result))
-        (t/is (string? (:invitation-token result)))))))
+      (t/is (not (th/success? out)))
+      (let [edata (-> out :error ex-data)]
+        (t/is (= :restriction (:type edata)))
+        (t/is (= :registration-disabled (:code edata)))))))
 
 (t/deftest prepare-and-register-with-invitation-and-disabled-registration-2
   (with-redefs [app.config/flags [:disable-registration]]
@@ -555,7 +593,28 @@
       (t/is (not (th/success? out)))
       (let [edata (-> out :error ex-data)]
         (t/is (= :restriction (:type edata)))
-        (t/is (= :email-does-not-match-invitation (:code edata)))))))
+        (t/is (= :registration-disabled (:code edata)))))))
+
+(t/deftest prepare-and-register-with-invitation-and-disabled-login-with-password
+  (with-redefs [app.config/flags [:disable-login-with-password]]
+    (let [sprops (:app.setup/props th/*system*)
+          itoken (tokens/generate sprops
+                                  {:iss :team-invitation
+                                   :exp (dt/in-future "48h")
+                                   :role :editor
+                                   :team-id uuid/zero
+                                   :member-email "user2@example.com"})
+
+          data {::th/type :prepare-register-profile
+                :invitation-token itoken
+                :email "user@example.com"
+                :password "foobar"}
+          out (th/command! data)]
+
+      (t/is (not (th/success? out)))
+      (let [edata (-> out :error ex-data)]
+        (t/is (= :restriction (:type edata)))
+        (t/is (= :registration-disabled (:code edata)))))))
 
 (t/deftest prepare-register-with-registration-disabled
   (with-redefs [app.config/flags #{}]
diff --git a/frontend/src/app/main/ui/auth/register.cljs b/frontend/src/app/main/ui/auth/register.cljs
index dff7daa6a..6c0ba1a19 100644
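Review bot: In `prepare-and-register-with-invitation-and-disabled-login-with-password` the invitation is generated for `"user2@example.com"` while the registration uses `"user@example.com"`, so the `:registration-disabled` assertion really checks that the flag check runs before the email-mismatch check rather than isolating the flag; using the same address in both places would test the flag alone, and the mismatch path is already covered by `...-enabled-registration-2` in the previous hunk. The same appears to apply to `...-disabled-registration-2` above, whose expected code this hunk changes from `:email-does-not-match-invitation` to `:registration-disabled`. A one-line docstring on the new test stating which flag it exercises would also help when the assertion fails.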
--- a/frontend/src/app/main/ui/auth/register.cljs
+++ b/frontend/src/app/main/ui/auth/register.cljs
@@ -136,7 +136,8 @@
    (when login/show-alt-login-buttons?
      [:& login/login-buttons {:params params}])
    [:hr {:class (stl/css :separator)}]
-   [:& register-form {:params params :on-success-callback on-success-callback}]])
+   (when (contains? cf/flags :login-with-password)
+     [:& register-form {:params params :on-success-callback on-success-callback}])])
 
 (mf/defc register-page
   {::mf/props :obj}
diff --git a/version.txt b/version.txt
index eca07e4c1..ac2cdeba0 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-2.1.2
+2.1.3
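Review bot: The `[:hr {:class (stl/css :separator)}]` on the context line above the new `when` still renders unconditionally, so when `:login-with-password` is absent the page shows a separator with nothing under it; moving the `hr` inside the `when`, or guarding both with the same condition, avoids the dangling separator. The hunk adds no `cf` require, so presumably `app.config` is already aliased as `cf` in this namespace — worth confirming. Hiding the form is a UX measure only; the server-side check in `validate-register-attempt!` from this same patch is what enforces the restriction, so a short comment such as `;; UX only: the backend rejects password registration when the flag is off` would stop a future reader from treating this as the control. The enclosing component starts before this hunk.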