From 54f753f2a7163bcede797b50b9ce081005d7409b Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Sun, 27 Dec 2020 13:57:42 +0200
Subject: [PATCH 1/3] Checking if user is blocked before session creation
---
 app/controllers/api/account.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 79e5a0be5..fd06fc0ea 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -179,6 +179,10 @@ App::post('/v1/account/sessions')
 throw new Exception('Invalid credentials', 401); // Wrong password or username
 }
+ if (Auth::USER_STATUS_BLOCKED == $profile->getAttribute('status')) { // Account is blocked
+ throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
+ }
+
 $dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));
 $dd->parse();
@@ -524,6 +528,10 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
 }
 }
+ if (Auth::USER_STATUS_BLOCKED == $user->getAttribute('status')) { // Account is blocked
+ throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
+ }
+
 // Create session token, verify user account and update OAuth2 ID and Access Token
 $dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));
@@ -1263,6 +1271,10 @@ App::post('/v1/account/recovery')
 throw new Exception('User not found', 404); // TODO maybe hide this
 }
+ if (Auth::USER_STATUS_BLOCKED == $profile->getAttribute('status')) { // Account is blocked
+ throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
+ }
+
 $secret = Auth::tokenGenerator();
 $recovery = new Document([
 '$collection' => Database::SYSTEM_COLLECTION_TOKENS,
From 846b5ca3d6a203b2cca5153214df8d29ba5a001a Mon Sep 17 00:00:00 2001
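Review bot: The new guard in the `/v1/account/sessions` hunk compares with loose `==`; if `status` is persisted with the same scalar type as `Auth::USER_STATUS_BLOCKED` (not visible here, so confirm before switching), `if (Auth::USER_STATUS_BLOCKED === $profile->getAttribute('status')) {` avoids PHP's string/int juggling, and the same applies to the copies in the OAuth2 redirect hunk and the recovery hunk. The identical three-line block is pasted into three routes, so any session-issuing route added later can silently miss the check; a single helper that throws for a blocked user document would keep the rule in one place. The two trailing comments restate the code (`// Account is blocked`, `// User is in status blocked`); one of them is enough. The enclosing route closures start and end outside the hunk.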
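Review bot: In the `/v1/account/recovery` hunk the blocked check answers an unauthenticated caller, who supplies only an email address, with a distinct `401 'Invalid credentials. User is blocked'`, so anyone can learn whether a given account has been blocked; the `404 'User not found'` two lines above already carries `// TODO maybe hide this` for the same enumeration concern. A safer shape for a public recovery route is to return the same response whether the account is missing, blocked or active, skip issuing the token server-side for the blocked case, and log the attempt for the operators. If a distinct status is wanted for privileged callers, it should be gated on the caller's role rather than exposed on the public route. The route closure continues outside the hunk.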
From: Eldad Fux
Date: Sun, 27 Dec 2020 19:21:16 +0200
Subject: [PATCH 2/3] Added tests
---
 tests/e2e/Services/Account/AccountBase.php | 79 ++++++++++++++++++++++
 1 file changed, 79 insertions(+)
diff --git a/tests/e2e/Services/Account/AccountBase.php b/tests/e2e/Services/Account/AccountBase.php
index 7bd96682d..fe4c10f74 100644
--- a/tests/e2e/Services/Account/AccountBase.php
+++ b/tests/e2e/Services/Account/AccountBase.php
@@ -1057,4 +1057,83 @@ trait AccountBase
 return $data;
 }
+
+ public function testBlockedAccount():array
+ {
+ $email = uniqid().'user@localhost.test';
+ $password = 'password';
+ $name = 'User Name (blocked)';
+
+ /**
+ * Test for SUCCESS
+ */
+ $response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ]), [
+ 'email' => $email,
+ 'password' => $password,
+ 'name' => $name,
+ ]);
+
+ $id = $response['body']['$id'];
+
+ $this->assertEquals($response['headers']['status-code'], 201);
+
+ $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ]), [
+ 'email' => $email,
+ 'password' => $password,
+ ]);
+
+ $this->assertEquals($response['headers']['status-code'], 201);
+
+ $sessionId = $response['body']['$id'];
+ $session = $this->client->parseCookie((string)$response['headers']['set-cookie'])['a_session_'.$this->getProject()['$id']];
+
+ $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+ ]));
+
+ $this->assertEquals($response['headers']['status-code'], 200);
+
+ $response = $this->client->call(Client::METHOD_PATCH, '/users/' . $id . '/status', array_merge([
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'x-appwrite-key' => $this->getProject()['apiKey'],
+ ], $this->getHeaders()), [
+ 'status' => 2,
+ ]);
+
+ $this->assertEquals($response['headers']['status-code'], 200);
+
+ $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+ ]));
+
+ $this->assertEquals($response['headers']['status-code'], 401);
+
+ $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ]), [
+ 'email' => $email,
+ 'password' => $password,
+ ]);
+
+ $this->assertEquals($response['headers']['status-code'], 401);
+
+ return [];
+ }
 }
\ No newline at end of file
From 5caaa227d0e6fe1e32887985f7f7152ae8a7adf3 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Sun, 27 Dec 2020 22:32:39 +0200
Subject: [PATCH 3/3] Fixed tests
---
 tests/e2e/Services/Account/AccountBase.php | 79 -------------------
 .../Account/AccountCustomClientTest.php | 79 +++++++++++++++++++
 2 files changed, 79 insertions(+), 79 deletions(-)
diff --git a/tests/e2e/Services/Account/AccountBase.php b/tests/e2e/Services/Account/AccountBase.php
index fe4c10f74..7bd96682d 100644
--- a/tests/e2e/Services/Account/AccountBase.php
+++ b/tests/e2e/Services/Account/AccountBase.php
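Review bot: `$sessionId = $response['body']['$id'];` in the added `testBlockedAccount` is assigned and never read; either drop the line or assert on it. Every `assertEquals` here passes the actual value first and the expected code second (`$this->assertEquals($response['headers']['status-code'], 201)`), which swaps "expected"/"actual" in the failure output; the conventional order is `$this->assertEquals(201, $response['headers']['status-code']);`. The PATCH to `/users/:id/status` merges the API key with `$this->getHeaders()`, which in a client scope presumably also carries a user session, so it is unclear which identity the server picks for that call; sending only the key headers is unambiguous. `'status' => 2` is a magic number for the blocked state, so a comment such as `// 2 = blocked (confirm against Auth::USER_STATUS_BLOCKED)` would tie the fixture to the guard it exercises. The same points apply to the copy of this method in the third patch.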
@@ -1057,83 +1057,4 @@ trait AccountBase
 return $data;
 }
-
- public function testBlockedAccount():array
- {
- $email = uniqid().'user@localhost.test';
- $password = 'password';
- $name = 'User Name (blocked)';
-
- /**
- * Test for SUCCESS
- */
- $response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
- 'origin' => 'http://localhost',
- 'content-type' => 'application/json',
- 'x-appwrite-project' => $this->getProject()['$id'],
- ]), [
- 'email' => $email,
- 'password' => $password,
- 'name' => $name,
- ]);
-
- $id = $response['body']['$id'];
-
- $this->assertEquals($response['headers']['status-code'], 201);
-
- $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
- 'origin' => 'http://localhost',
- 'content-type' => 'application/json',
- 'x-appwrite-project' => $this->getProject()['$id'],
- ]), [
- 'email' => $email,
- 'password' => $password,
- ]);
-
- $this->assertEquals($response['headers']['status-code'], 201);
-
- $sessionId = $response['body']['$id'];
- $session = $this->client->parseCookie((string)$response['headers']['set-cookie'])['a_session_'.$this->getProject()['$id']];
-
- $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
- 'origin' => 'http://localhost',
- 'content-type' => 'application/json',
- 'x-appwrite-project' => $this->getProject()['$id'],
- 'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
- ]));
-
- $this->assertEquals($response['headers']['status-code'], 200);
-
- $response = $this->client->call(Client::METHOD_PATCH, '/users/' . $id . '/status', array_merge([
- 'content-type' => 'application/json',
- 'x-appwrite-project' => $this->getProject()['$id'],
- 'x-appwrite-key' => $this->getProject()['apiKey'],
- ], $this->getHeaders()), [
- 'status' => 2,
- ]);
-
- $this->assertEquals($response['headers']['status-code'], 200);
-
- $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
- 'origin' => 'http://localhost',
- 'content-type' => 'application/json',
- 'x-appwrite-project' => $this->getProject()['$id'],
- 'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
- ]));
-
- $this->assertEquals($response['headers']['status-code'], 401);
-
- $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
- 'origin' => 'http://localhost',
- 'content-type' => 'application/json',
- 'x-appwrite-project' => $this->getProject()['$id'],
- ]), [
- 'email' => $email,
- 'password' => $password,
- ]);
-
- $this->assertEquals($response['headers']['status-code'], 401);
-
- return [];
- }
 }
\ No newline at end of file
diff --git a/tests/e2e/Services/Account/AccountCustomClientTest.php b/tests/e2e/Services/Account/AccountCustomClientTest.php
index eac28e2bd..0e17d8fcc 100644
--- a/tests/e2e/Services/Account/AccountCustomClientTest.php
+++ b/tests/e2e/Services/Account/AccountCustomClientTest.php
@@ -49,4 +49,83 @@ class AccountCustomClientTest extends Scope
 return [];
 }
+
+ public function testBlockedAccount():array
+ {
+ $email = uniqid().'user@localhost.test';
+ $password = 'password';
+ $name = 'User Name (blocked)';
+
+ /**
+ * Test for SUCCESS
+ */
+ $response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ]), [
+ 'email' => $email,
+ 'password' => $password,
+ 'name' => $name,
+ ]);
+
+ $id = $response['body']['$id'];
+
+ $this->assertEquals($response['headers']['status-code'], 201);
+
+ $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ]), [
+ 'email' => $email,
+ 'password' => $password,
+ ]);
+
+ $this->assertEquals($response['headers']['status-code'], 201);
+
+ $sessionId = $response['body']['$id'];
+ $session = $this->client->parseCookie((string)$response['headers']['set-cookie'])['a_session_'.$this->getProject()['$id']];
+
+ $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+ ]));
+
+ $this->assertEquals($response['headers']['status-code'], 200);
+
+ $response = $this->client->call(Client::METHOD_PATCH, '/users/' . $id . '/status', [
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'x-appwrite-key' => $this->getProject()['apiKey'],
+ ], [
+ 'status' => 2,
+ ]);
+
+ $this->assertEquals($response['headers']['status-code'], 200);
+
+ $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+ ]));
+
+ $this->assertEquals($response['headers']['status-code'], 401);
+
+ $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
+ 'origin' => 'http://localhost',
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ]), [
+ 'email' => $email,
+ 'password' => $password,
+ ]);
+
+ $this->assertEquals($response['headers']['status-code'], 401);
+
+ return [];
+ }
 }
\ No newline at end of file
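Review bot: The relocated `testBlockedAccount` only exercises the email/password session guard; the recovery and OAuth2 guards added in the first patch have no assertion at all, and the recovery one is cheap to cover because the blocked `$email` is already in scope. After the final `401` assertion, a POST to `/account/recovery` for `$email` should be asserted to return the same `401` the guard throws (or whatever response the team settles on for that route), otherwise a regression there would go unnoticed. The OAuth2 redirect path cannot be driven from this client without a provider stub, so that gap is best recorded with a comment rather than left silent. Only the "Test for SUCCESS" heading appears although the second half of the method asserts failures; a `/** Test for FAILURE */` heading before the first `401` assertion would match the file's apparent convention. The enclosing class continues outside the hunk.
```php
$this->assertEquals($response['headers']['status-code'], 401);

// blocked user must not be able to start password recovery either
$response = $this->client->call(Client::METHOD_POST, '/account/recovery', array_merge([
    'origin' => 'http://localhost',
    'content-type' => 'application/json',
    'x-appwrite-project' => $this->getProject()['$id'],
]), [
    'email' => $email,
    'url' => 'http://localhost/recovery', // constructed sample; confirm the route's required params
]);

$this->assertEquals(401, $response['headers']['status-code']);

// … unchanged: return [] …
```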