Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-02-28 09:31:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #10027, properly auto confirm first user

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2021-11-22 23:20:31 -05:00
parent 71e34be565
commit 2473d5d873
4 changed files with 86 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/user/create.js
View File

@@ -77,9 +77,6 @@ module.exports = function (User) {
const isFirstUser = uid === 1; const isFirstUser = uid === 1;
userData.uid = uid; userData.uid = uid;
if (isFirstUser) {
userData['email:confirmed'] = 1;
}
await db.setObject(`user:${uid}`, userData); await db.setObject(`user:${uid}`, userData);
const bulkAdd = [ const bulkAdd = [
@@ -97,20 +94,20 @@ module.exports = function (User) {
bulkAdd.push(['fullname:sorted', 0, `${userData.fullname.toLowerCase()}:${userData.uid}`]); bulkAdd.push(['fullname:sorted', 0, `${userData.fullname.toLowerCase()}:${userData.uid}`]);
} }
const groupsToJoin = ['registered-users'].concat(
isFirstUser ? 'verified-users' : 'unverified-users'
);
await Promise.all([ await Promise.all([
db.incrObjectField('global', 'userCount'), db.incrObjectField('global', 'userCount'),
analytics.increment('registrations'), analytics.increment('registrations'),
db.sortedSetAddBulk(bulkAdd), db.sortedSetAddBulk(bulkAdd),
groups.join(groupsToJoin, userData.uid), groups.join(['registered-users', 'unverified-users'], userData.uid),
User.notifications.sendWelcomeNotification(userData.uid), User.notifications.sendWelcomeNotification(userData.uid),
storePassword(userData.uid, data.password), storePassword(userData.uid, data.password),
User.updateDigestSetting(userData.uid, meta.config.dailyDigestFreq), User.updateDigestSetting(userData.uid, meta.config.dailyDigestFreq),
]); ]);
if (userData.email && isFirstUser) {
await User.email.confirmByUid(userData.uid);
}
if (userData.email && userData.uid > 1) { if (userData.email && userData.uid > 1) {
User.email.sendValidationEmail(userData.uid, { User.email.sendValidationEmail(userData.uid, {
email: userData.email, email: userData.email,

157
test/authentication.js
View File

@@ -16,44 +16,35 @@ const privileges = require('../src/privileges');
const helpers = require('./helpers'); const helpers = require('./helpers');
describe('authentication', () => { describe('authentication', () => {
function loginUser(username, password, callback) {
const jar = request.jar();
request({
url: `${nconf.get('url')}/api/config`,
json: true,
jar: jar,
}, (err, response, body) => {
if (err) {
return callback(err);
}
request.post(`${nconf.get('url')}/login`, {
form: {
username: username,
password: password,
},
json: true,
jar: jar,
headers: {
'x-csrf-token': body.csrf_token,
},
}, (err, response, body) => {
callback(err, response, body, jar);
});
});
}
const loginUserPromisified = util.promisify(loginUser);
const jar = request.jar(); const jar = request.jar();
let regularUid; let regularUid;
before((done) => { before((done) => {
user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, (err, uid) => { user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, (err, uid) => {
assert.ifError(err); assert.ifError(err);
regularUid = uid; regularUid = uid;
assert.strictEqual(uid, 1);
done(); done();
}); });
}); });
it('should allow login with email for uid 1', async () => {
const oldValue = meta.config.allowLoginWith;
meta.config.allowLoginWith = 'email';
const { res } = await helpers.loginUser('regular@nodebb.org', 'regularpwd');
assert.strictEqual(res.statusCode, 200);
meta.config.allowLoginWith = oldValue;
});
it('second user should fail to login with email since email is not confirmed', async () => {
const oldValue = meta.config.allowLoginWith;
meta.config.allowLoginWith = 'email';
const uid = await user.create({ username: '2nduser', password: '2ndpassword', email: '2nduser@nodebb.org' });
const { res, body } = await helpers.loginUser('2nduser@nodebb.org', '2ndpassword');
assert.strictEqual(res.statusCode, 403);
assert.strictEqual(body, '[[error:invalid-login-credentials]]');
meta.config.allowLoginWith = oldValue;
});
it('should fail to create user if username is too short', (done) => { it('should fail to create user if username is too short', (done) => {
helpers.registerUser({ helpers.registerUser({
username: 'a', username: 'a',
@@ -164,13 +155,13 @@ describe('authentication', () => {
}); });
it('should login a user', (done) => { it('should login a user', (done) => {
loginUser('regular', 'regularpwd', (err, response, body, jar) => { helpers.loginUser('regular', 'regularpwd', (err, data) => {
assert.ifError(err); assert.ifError(err);
assert(body); assert(data.body);
request({ request({
url: `${nconf.get('url')}/api/self`, url: `${nconf.get('url')}/api/self`,
json: true, json: true,
jar: jar, jar: data.jar,
}, (err, response, body) => { }, (err, response, body) => {
assert.ifError(err); assert.ifError(err);
assert(body); assert(body);
@@ -245,37 +236,37 @@ describe('authentication', () => {
}); });
it('should fail to login if user does not exist', (done) => { it('should fail to login if user does not exist', (done) => {
loginUser('doesnotexist', 'nopassword', (err, response, body) => { helpers.loginUser('doesnotexist', 'nopassword', (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:invalid-login-credentials]]'); assert.equal(data.body, '[[error:invalid-login-credentials]]');
done(); done();
}); });
}); });
it('should fail to login if username is empty', (done) => { it('should fail to login if username is empty', (done) => {
loginUser('', 'some password', (err, response, body) => { helpers.loginUser('', 'some password', (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:invalid-username-or-password]]'); assert.equal(data.body, '[[error:invalid-username-or-password]]');
done(); done();
}); });
}); });
it('should fail to login if password is empty', (done) => { it('should fail to login if password is empty', (done) => {
loginUser('someuser', '', (err, response, body) => { helpers.loginUser('someuser', '', (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:invalid-username-or-password]]'); assert.equal(data.body, '[[error:invalid-username-or-password]]');
done(); done();
}); });
}); });
it('should fail to login if username and password are empty', (done) => { it('should fail to login if username and password are empty', (done) => {
loginUser('', '', (err, response, body) => { helpers.loginUser('', '', (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:invalid-username-or-password]]'); assert.equal(data.body, '[[error:invalid-username-or-password]]');
done(); done();
}); });
}); });
@@ -283,10 +274,10 @@ describe('authentication', () => {
it('should fail to login if user does not have password field in db', (done) => { it('should fail to login if user does not have password field in db', (done) => {
user.create({ username: 'hasnopassword', email: 'no@pass.org' }, (err, uid) => { user.create({ username: 'hasnopassword', email: 'no@pass.org' }, (err, uid) => {
assert.ifError(err); assert.ifError(err);
loginUser('hasnopassword', 'doesntmatter', (err, response, body) => { helpers.loginUser('hasnopassword', 'doesntmatter', (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:invalid-login-credentials]]'); assert.equal(data.body, '[[error:invalid-login-credentials]]');
done(); done();
}); });
}); });
@@ -297,10 +288,10 @@ describe('authentication', () => {
for (let i = 0; i < 5000; i++) { for (let i = 0; i < 5000; i++) {
longPassword += 'a'; longPassword += 'a';
} }
loginUser('someuser', longPassword, (err, response, body) => { helpers.loginUser('someuser', longPassword, (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:password-too-long]]'); assert.equal(data.body, '[[error:password-too-long]]');
done(); done();
}); });
}); });
@@ -308,10 +299,10 @@ describe('authentication', () => {
it('should fail to login if local login is disabled', (done) => { it('should fail to login if local login is disabled', (done) => {
privileges.global.rescind(['groups:local:login'], 'registered-users', (err) => { privileges.global.rescind(['groups:local:login'], 'registered-users', (err) => {
assert.ifError(err); assert.ifError(err);
loginUser('regular', 'regularpwd', (err, response, body) => { helpers.loginUser('regular', 'regularpwd', (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:local-login-disabled]]'); assert.equal(data.body, '[[error:local-login-disabled]]');
privileges.global.give(['groups:local:login'], 'registered-users', done); privileges.global.give(['groups:local:login'], 'registered-users', done);
}); });
}); });
@@ -396,17 +387,17 @@ describe('authentication', () => {
it('should be able to login with email', async () => { it('should be able to login with email', async () => {
const uid = await user.create({ username: 'ginger', password: '123456', email: 'ginger@nodebb.org' }); const uid = await user.create({ username: 'ginger', password: '123456', email: 'ginger@nodebb.org' });
await user.email.confirmByUid(uid); await user.email.confirmByUid(uid);
const response = await loginUserPromisified('ginger@nodebb.org', '123456'); const { res } = await helpers.loginUser('ginger@nodebb.org', '123456');
assert.equal(response.statusCode, 200); assert.equal(res.statusCode, 200);
}); });
it('should fail to login if login type is username and an email is sent', (done) => { it('should fail to login if login type is username and an email is sent', (done) => {
meta.config.allowLoginWith = 'username'; meta.config.allowLoginWith = 'username';
loginUser('ginger@nodebb.org', '123456', (err, response, body) => { helpers.loginUser('ginger@nodebb.org', '123456', (err, data) => {
meta.config.allowLoginWith = 'username-email'; meta.config.allowLoginWith = 'username-email';
assert.ifError(err); assert.ifError(err);
assert.equal(response.statusCode, 400); assert.equal(data.res.statusCode, 400);
assert.equal(body, '[[error:wrong-login-type-username]]'); assert.equal(data.body, '[[error:wrong-login-type-username]]');
done(); done();
}); });
}); });
@@ -450,28 +441,28 @@ describe('authentication', () => {
it('should prevent banned user from logging in', (done) => { it('should prevent banned user from logging in', (done) => {
user.bans.ban(bannedUser.uid, 0, 'spammer', (err) => { user.bans.ban(bannedUser.uid, 0, 'spammer', (err) => {
assert.ifError(err); assert.ifError(err);
loginUser(bannedUser.username, bannedUser.pw, (err, res, body) => { helpers.loginUser(bannedUser.username, bannedUser.pw, (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(res.statusCode, 403); assert.equal(data.res.statusCode, 403);
delete body.timestamp; delete data.body.timestamp;
assert.deepStrictEqual(body, { assert.deepStrictEqual(data.body, {
banned_until: 0, banned_until: 0,
banned_until_readable: '', banned_until_readable: '',
expiry: 0, expiry: 0,
expiry_readable: '', expiry_readable: '',
reason: 'spammer', reason: 'spammer',
uid: 6, uid: bannedUser.uid,
}); });
user.bans.unban(bannedUser.uid, (err) => { user.bans.unban(bannedUser.uid, (err) => {
assert.ifError(err); assert.ifError(err);
const expiry = Date.now() + 10000; const expiry = Date.now() + 10000;
user.bans.ban(bannedUser.uid, expiry, '', (err) => { user.bans.ban(bannedUser.uid, expiry, '', (err) => {
assert.ifError(err); assert.ifError(err);
loginUser(bannedUser.username, bannedUser.pw, (err, res, body) => { helpers.loginUser(bannedUser.username, bannedUser.pw, (err, data) => {
assert.ifError(err); assert.ifError(err);
assert.equal(res.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert(body.banned_until); assert(data.body.banned_until);
assert(body.reason, '[[user:info.banned-no-reason]]'); assert(data.body.reason, '[[user:info.banned-no-reason]]');
done(); done();
}); });
}); });
@@ -482,14 +473,14 @@ describe('authentication', () => {
it('should allow banned user to log in if the "banned-users" group has "local-login" privilege', async () => { it('should allow banned user to log in if the "banned-users" group has "local-login" privilege', async () => {
await privileges.global.give(['groups:local:login'], 'banned-users'); await privileges.global.give(['groups:local:login'], 'banned-users');
const res = await loginUserPromisified(bannedUser.username, bannedUser.pw); const { res } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
assert.strictEqual(res.statusCode, 200); assert.strictEqual(res.statusCode, 200);
}); });
it('should allow banned user to log in if the user herself has "local-login" privilege', async () => { it('should allow banned user to log in if the user herself has "local-login" privilege', async () => {
await privileges.global.rescind(['groups:local:login'], 'banned-users'); await privileges.global.rescind(['groups:local:login'], 'banned-users');
await privileges.categories.give(['local:login'], 0, bannedUser.uid); await privileges.categories.give(['local:login'], 0, bannedUser.uid);
const res = await loginUserPromisified(bannedUser.username, bannedUser.pw); const { res } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
assert.strictEqual(res.statusCode, 200); assert.strictEqual(res.statusCode, 200);
}); });
}); });
@@ -503,26 +494,26 @@ describe('authentication', () => {
}, },
function (_uid, next) { function (_uid, next) {
uid = _uid; uid = _uid;
loginUser('lockme', 'abcdef', next); helpers.loginUser('lockme', 'abcdef', next);
}, },
function (res, body, jar, next) { function (data, next) {
loginUser('lockme', 'abcdef', next); helpers.loginUser('lockme', 'abcdef', next);
}, },
function (res, body, jar, next) { function (data, next) {
loginUser('lockme', 'abcdef', next); helpers.loginUser('lockme', 'abcdef', next);
}, },
function (res, body, jar, next) { function (data, next) {
loginUser('lockme', 'abcdef', next); helpers.loginUser('lockme', 'abcdef', next);
}, },
function (res, body, jar, next) { function (data, next) {
meta.config.loginAttempts = 5; meta.config.loginAttempts = 5;
assert.equal(res.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:account-locked]]'); assert.equal(data.body, '[[error:account-locked]]');
loginUser('lockme', 'abcdef', next); helpers.loginUser('lockme', 'abcdef', next);
}, },
function (res, body, jar, next) { function (data, next) {
assert.equal(res.statusCode, 403); assert.equal(data.res.statusCode, 403);
assert.equal(body, '[[error:account-locked]]'); assert.equal(data.body, '[[error:account-locked]]');
db.exists(`lockout:${uid}`, next); db.exists(`lockout:${uid}`, next);
}, },
function (locked, next) { function (locked, next) {
@@ -534,7 +525,7 @@ describe('authentication', () => {
it('should clear all reset tokens upon successful login', async () => { it('should clear all reset tokens upon successful login', async () => {
const code = await user.reset.generate(regularUid); const code = await user.reset.generate(regularUid);
await loginUserPromisified('regular', 'regularpwd'); await helpers.loginUser('regular', 'regularpwd');
const valid = await user.reset.validate(code); const valid = await user.reset.validate(code);
assert.strictEqual(valid, false); assert.strictEqual(valid, false);
}); });

4
test/flags.js
View File

@@ -673,8 +673,8 @@ describe('Flags', () => {
throw err; throw err;
} }
// 1 for the new event appended, 1 for username change (email not changed immediately) // 1 for the new event appended, 2 for username/email change
assert.strictEqual(entries + 2, history.length); assert.strictEqual(entries + 3, history.length);
done(); done();
}); });
}); });

10
test/helpers/index.js
View File

@@ -43,7 +43,7 @@ helpers.loginUser = function (username, password, callback) {
if (err || res.statusCode !== 200) { if (err || res.statusCode !== 200) {
return callback(err || new Error('[[error:invalid-response]]')); return callback(err || new Error('[[error:invalid-response]]'));
} }
const { csrf_token } = body;
request.post(`${nconf.get('url')}/login`, { request.post(`${nconf.get('url')}/login`, {
form: { form: {
username: username, username: username,
@@ -52,13 +52,13 @@ helpers.loginUser = function (username, password, callback) {
json: true, json: true,
jar: jar, jar: jar,
headers: { headers: {
'x-csrf-token': body.csrf_token, 'x-csrf-token': csrf_token,
}, },
}, (err, res) => { }, (err, res, body) => {
if (err || res.statusCode !== 200) { if (err) {
return callback(err || new Error('[[error:invalid-response]]')); return callback(err || new Error('[[error:invalid-response]]'));
} }
callback(null, { jar, csrf_token: body.csrf_token }); callback(null, { jar, res, body, csrf_token: csrf_token });
}); });
}); });
}; };