Fix: Prevent user updates in multi tenant mode from deleting user password. Also forward the authentication error from the backend to the login page to warn when an sso user is trying to log in with a password when one is not present

2024-06-29 11:31:06 +12:00 · 2021-11-03 15:04:05 +00:00 · 2021-11-03 15:04:05 +00:00 · 2dced6f7a8
parent b0a9de45cf
commit 2dced6f7a8
4 changed files with 18 additions and 4 deletions
--- a/packages/auth/src/middleware/passport/local.js
+++ b/packages/auth/src/middleware/passport/local.js
@ -9,6 +9,7 @@ const { createASession } = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")

 const INVALID_ERR = "Invalid Credentials"
+const SSO_NO_PASSWORD = "SSO user does not have a password set"

 exports.options = {
  passReqToCallback: true,
@ -36,6 +37,19 @@ exports.authenticate = async function (ctx, email, password, done) {
    return authError(done, INVALID_ERR)
  }

+  // check that the user has a stored password before proceeding
+  if (!dbUser.password) {
+    if (
+      (dbUser.account && dbUser.account.authType === "sso") || // root account sso
+      dbUser.thirdPartyProfile // internal sso
+    ) {
+      return authError(done, SSO_NO_PASSWORD)
+    }
+
+    console.error("User has no password", dbUser)
+    return authError(done, INVALID_ERR)
+  }
+
  // authenticate
  if (await compare(password, dbUser.password)) {
    const sessionId = newid()
--- a/packages/auth/src/utils.js
+++ b/packages/auth/src/utils.js
@ -181,8 +181,8 @@ exports.saveUser = async (

    // check budibase users in other tenants
    if (env.MULTI_TENANCY) {
-      dbUser = await getTenantUser(email)
-      if (dbUser != null && dbUser.tenantId !== tenantId) {
+      const tenantUser = await getTenantUser(email)
+      if (tenantUser != null && tenantUser.tenantId !== tenantId) {
        throw `Email address ${email} already in use.`
      }
    }
--- a/packages/builder/src/pages/builder/auth/login.svelte
+++ b/packages/builder/src/pages/builder/auth/login.svelte
@ -44,7 +44,7 @@
      }
    } catch (err) {
      console.error(err)
-      notifications.error("Invalid credentials")
+      notifications.error(err.message ? err.message : "Invalid Credentials")
    }
  }

--- a/packages/builder/src/stores/portal/auth.js
+++ b/packages/builder/src/stores/portal/auth.js
@ -112,7 +112,7 @@ export function createAuthStore() {
      if (response.status === 200) {
        setUser(json.user)
      } else {
-        throw "Invalid credentials"
+        throw new Error(json.message ? json.message : "Invalid credentials")
      }
      return json
    },