Merge pull request #3238 from Budibase/user-password-fix

Fix: Prevent user updates in multi tenant mode from deleting user password
2024-09-29 16:51:33 +13:00 · 2021-11-03 16:10:39 +00:00 · 2021-11-03 16:10:39 +00:00 · 2358c215d9
commit 2358c215d9
parent 551be52bfb 85cca04321
4 changed files with 19 additions and 4 deletions
--- a/packages/auth/src/middleware/passport/local.js
+++ b/packages/auth/src/middleware/passport/local.js
@ -9,6 +9,8 @@ const { createASession } = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")

 const INVALID_ERR = "Invalid Credentials"
+const SSO_NO_PASSWORD = "SSO user does not have a password set"
+const EXPIRED = "This account has expired. Please reset your password"

 exports.options = {
  passReqToCallback: true,
@ -36,6 +38,19 @@ exports.authenticate = async function (ctx, email, password, done) {
    return authError(done, INVALID_ERR)
  }

+  // check that the user has a stored password before proceeding
+  if (!dbUser.password) {
+    if (
+      (dbUser.account && dbUser.account.authType === "sso") || // root account sso
+      dbUser.thirdPartyProfile // internal sso
+    ) {
+      return authError(done, SSO_NO_PASSWORD)
+    }
+
+    console.error("Non SSO usser has no password set", dbUser)
+    return authError(done, EXPIRED)
+  }
+
  // authenticate
  if (await compare(password, dbUser.password)) {
    const sessionId = newid()
--- a/packages/auth/src/utils.js
+++ b/packages/auth/src/utils.js
@ -181,8 +181,8 @@ exports.saveUser = async (

    // check budibase users in other tenants
    if (env.MULTI_TENANCY) {
-      dbUser = await getTenantUser(email)
-      if (dbUser != null && dbUser.tenantId !== tenantId) {
+      const tenantUser = await getTenantUser(email)
+      if (tenantUser != null && tenantUser.tenantId !== tenantId) {
        throw `Email address ${email} already in use.`
      }
    }
--- a/packages/builder/src/pages/builder/auth/login.svelte
+++ b/packages/builder/src/pages/builder/auth/login.svelte
@ -44,7 +44,7 @@
      }
    } catch (err) {
      console.error(err)
-      notifications.error("Invalid credentials")
+      notifications.error(err.message ? err.message : "Invalid Credentials")
    }
  }

--- a/packages/builder/src/stores/portal/auth.js
+++ b/packages/builder/src/stores/portal/auth.js
@ -112,7 +112,7 @@ export function createAuthStore() {
      if (response.status === 200) {
        setUser(json.user)
      } else {
-        throw "Invalid credentials"
+        throw new Error(json.message ? json.message : "Invalid credentials")
      }
      return json
    },