From d919c4418562bc6020605486d669e9b3a3f4788e Mon Sep 17 00:00:00 2001 From: Rory Powell Date: Thu, 9 Sep 2021 17:08:27 +0100 Subject: [PATCH] Add pre-hased password option to admin creation --- .../worker/src/api/controllers/global/users.js | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/packages/worker/src/api/controllers/global/users.js b/packages/worker/src/api/controllers/global/users.js index 24b00fe3a6..7fd367964c 100644 --- a/packages/worker/src/api/controllers/global/users.js +++ b/packages/worker/src/api/controllers/global/users.js @@ -33,7 +33,7 @@ async function allUsers() { return response.rows.map(row => row.doc) } -async function saveUser(user, tenantId) { +async function saveUser(user, tenantId, hashPassword = true) { if (!tenantId) { throw "No tenancy specified." } @@ -56,7 +56,7 @@ async function saveUser(user, tenantId) { // get the password, make sure one is defined let hashedPassword if (password) { - hashedPassword = await hash(password) + hashedPassword = hashPassword ? await hash(password) : password } else if (dbUser) { hashedPassword = dbUser.password } else { @@ -110,6 +110,15 @@ exports.save = async ctx => { exports.adminUser = async ctx => { const { email, password, tenantId } = ctx.request.body + + // account portal sends a pre-hashed password - honour param to prevent double hashing + let hashPassword = ctx.request.query.hashPassword + if (hashPassword && hashPassword == "false") { + hashPassword = false + } else { + hashPassword = true + } + if (await doesTenantExist(tenantId)) { ctx.throw(403, "Organisation already exists.") } @@ -141,7 +150,7 @@ exports.adminUser = async ctx => { tenantId, } try { - ctx.body = await saveUser(user, tenantId) + ctx.body = await saveUser(user, tenantId, hashPassword) } catch (err) { ctx.throw(err.status || 400, err) }