Merge pull request #781 from appwrite/bug-777-blocked-users-can-create-sessions
Bug 777 blocked users can create sessions
This commit is contained in:
commit
d69985b57c
2 changed files with 91 additions and 0 deletions
|
@ -179,6 +179,10 @@ App::post('/v1/account/sessions')
|
||||||
throw new Exception('Invalid credentials', 401); // Wrong password or username
|
throw new Exception('Invalid credentials', 401); // Wrong password or username
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (Auth::USER_STATUS_BLOCKED == $profile->getAttribute('status')) { // Account is blocked
|
||||||
|
throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
|
||||||
|
}
|
||||||
|
|
||||||
$dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));
|
$dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));
|
||||||
|
|
||||||
$dd->parse();
|
$dd->parse();
|
||||||
|
@ -524,6 +528,10 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (Auth::USER_STATUS_BLOCKED == $user->getAttribute('status')) { // Account is blocked
|
||||||
|
throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
|
||||||
|
}
|
||||||
|
|
||||||
// Create session token, verify user account and update OAuth2 ID and Access Token
|
// Create session token, verify user account and update OAuth2 ID and Access Token
|
||||||
|
|
||||||
$dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));
|
$dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));
|
||||||
|
@ -1263,6 +1271,10 @@ App::post('/v1/account/recovery')
|
||||||
throw new Exception('User not found', 404); // TODO maybe hide this
|
throw new Exception('User not found', 404); // TODO maybe hide this
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (Auth::USER_STATUS_BLOCKED == $profile->getAttribute('status')) { // Account is blocked
|
||||||
|
throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
|
||||||
|
}
|
||||||
|
|
||||||
$secret = Auth::tokenGenerator();
|
$secret = Auth::tokenGenerator();
|
||||||
$recovery = new Document([
|
$recovery = new Document([
|
||||||
'$collection' => Database::SYSTEM_COLLECTION_TOKENS,
|
'$collection' => Database::SYSTEM_COLLECTION_TOKENS,
|
||||||
|
|
|
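Review bot: The new blocked-account guard in the sessions hunk relies on loose `==` between the int constant `Auth::USER_STATUS_BLOCKED` and whatever `getAttribute('status')` returns, and the same line is copied into the OAuth2 redirect and recovery hunks; if the stored type of `status` is not guaranteed, an explicit cast with strict comparison, `if (Auth::USER_STATUS_BLOCKED === (int) $profile->getAttribute('status')) { // Account is blocked`, states the intent without depending on PHP's comparison rules (the OAuth2 copy reads `$user` instead of `$profile`). Because the guard sits after the password check in the sessions handler, the distinct message `Invalid credentials. User is blocked` is only reachable with a valid password, so it confirms that password for a blocked account; returning the same `Invalid credentials` text as the preceding branch avoids that signal if that matters for this API. The guard is duplicated three times with identical message and comment, which a small shared check would keep from drifting. The enclosing route closures start and end outside these hunks.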
@ -49,4 +49,83 @@ class AccountCustomClientTest extends Scope
|
||||||
|
|
||||||
return [];
|
return [];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testBlockedAccount():array
|
||||||
|
{
|
||||||
|
$email = uniqid().'user@localhost.test';
|
||||||
|
$password = 'password';
|
||||||
|
$name = 'User Name (blocked)';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test for SUCCESS
|
||||||
|
*/
|
||||||
|
$response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
|
||||||
|
'origin' => 'http://localhost',
|
||||||
|
'content-type' => 'application/json',
|
||||||
|
'x-appwrite-project' => $this->getProject()['$id'],
|
||||||
|
]), [
|
||||||
|
'email' => $email,
|
||||||
|
'password' => $password,
|
||||||
|
'name' => $name,
|
||||||
|
]);
|
||||||
|
|
||||||
|
$id = $response['body']['$id'];
|
||||||
|
|
||||||
|
$this->assertEquals($response['headers']['status-code'], 201);
|
||||||
|
|
||||||
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
|
||||||
|
'origin' => 'http://localhost',
|
||||||
|
'content-type' => 'application/json',
|
||||||
|
'x-appwrite-project' => $this->getProject()['$id'],
|
||||||
|
]), [
|
||||||
|
'email' => $email,
|
||||||
|
'password' => $password,
|
||||||
|
]);
|
||||||
|
|
||||||
|
$this->assertEquals($response['headers']['status-code'], 201);
|
||||||
|
|
||||||
|
$sessionId = $response['body']['$id'];
|
||||||
|
$session = $this->client->parseCookie((string)$response['headers']['set-cookie'])['a_session_'.$this->getProject()['$id']];
|
||||||
|
|
||||||
|
$response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
|
||||||
|
'origin' => 'http://localhost',
|
||||||
|
'content-type' => 'application/json',
|
||||||
|
'x-appwrite-project' => $this->getProject()['$id'],
|
||||||
|
'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
|
||||||
|
]));
|
||||||
|
|
||||||
|
$this->assertEquals($response['headers']['status-code'], 200);
|
||||||
|
|
||||||
|
$response = $this->client->call(Client::METHOD_PATCH, '/users/' . $id . '/status', [
|
||||||
|
'content-type' => 'application/json',
|
||||||
|
'x-appwrite-project' => $this->getProject()['$id'],
|
||||||
|
'x-appwrite-key' => $this->getProject()['apiKey'],
|
||||||
|
], [
|
||||||
|
'status' => 2,
|
||||||
|
]);
|
||||||
|
|
||||||
|
$this->assertEquals($response['headers']['status-code'], 200);
|
||||||
|
|
||||||
|
$response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
|
||||||
|
'origin' => 'http://localhost',
|
||||||
|
'content-type' => 'application/json',
|
||||||
|
'x-appwrite-project' => $this->getProject()['$id'],
|
||||||
|
'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
|
||||||
|
]));
|
||||||
|
|
||||||
|
$this->assertEquals($response['headers']['status-code'], 401);
|
||||||
|
|
||||||
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
|
||||||
|
'origin' => 'http://localhost',
|
||||||
|
'content-type' => 'application/json',
|
||||||
|
'x-appwrite-project' => $this->getProject()['$id'],
|
||||||
|
]), [
|
||||||
|
'email' => $email,
|
||||||
|
'password' => $password,
|
||||||
|
]);
|
||||||
|
|
||||||
|
$this->assertEquals($response['headers']['status-code'], 401);
|
||||||
|
|
||||||
|
return [];
|
||||||
|
}
|
||||||
}
|
}
|
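Review bot: `testBlockedAccount` covers only the password-session path (`POST /account/sessions`) and an existing session after blocking; the recovery guard added by the same commit (`POST /account/recovery`) has no coverage, and a call for the blocked `$email` asserting `401` would pin it. Every `assertEquals` passes the actual value first and the expected second (`$this->assertEquals($response['headers']['status-code'], 201)`), which inverts PHPUnit's expected/actual order and yields misleading failure messages; `$this->assertEquals(201, $response['headers']['status-code'])` is the conventional form. The block is applied with the literal `'status' => 2`; if `Auth::USER_STATUS_BLOCKED` is reachable from the test suite, using it keeps the test tied to the value the server checks. `$sessionId` from the first session response is assigned but never read.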