mirror of
https://github.com/NodeBB/NodeBB.git
synced 2026-01-01 13:20:41 +01:00
fix: #10027, properly auto confirm first user
This commit is contained in:
Barış Soner Uşaklı
@@ -77,9 +77,6 @@ module.exports = function (User) {
|
||||
const isFirstUser = uid === 1;
|
||||
userData.uid = uid;
|
||||
|
||||
if (isFirstUser) {
|
||||
userData['email:confirmed'] = 1;
|
||||
}
|
||||
await db.setObject(`user:${uid}`, userData);
|
||||
|
||||
const bulkAdd = [
|
||||
@@ -97,20 +94,20 @@ module.exports = function (User) {
|
||||
bulkAdd.push(['fullname:sorted', 0, `${userData.fullname.toLowerCase()}:${userData.uid}`]);
|
||||
}
|
||||
|
||||
const groupsToJoin = ['registered-users'].concat(
|
||||
isFirstUser ? 'verified-users' : 'unverified-users'
|
||||
);
|
||||
|
||||
await Promise.all([
|
||||
db.incrObjectField('global', 'userCount'),
|
||||
analytics.increment('registrations'),
|
||||
db.sortedSetAddBulk(bulkAdd),
|
||||
groups.join(groupsToJoin, userData.uid),
|
||||
groups.join(['registered-users', 'unverified-users'], userData.uid),
|
||||
User.notifications.sendWelcomeNotification(userData.uid),
|
||||
storePassword(userData.uid, data.password),
|
||||
User.updateDigestSetting(userData.uid, meta.config.dailyDigestFreq),
|
||||
]);
|
||||
|
||||
if (userData.email && isFirstUser) {
|
||||
await User.email.confirmByUid(userData.uid);
|
||||
}
|
||||
|
||||
if (userData.email && userData.uid > 1) {
|
||||
User.email.sendValidationEmail(userData.uid, {
|
||||
email: userData.email,
|
||||
|
||||
@@ -16,44 +16,35 @@ const privileges = require('../src/privileges');
|
||||
const helpers = require('./helpers');
|
||||
|
||||
describe('authentication', () => {
|
||||
function loginUser(username, password, callback) {
|
||||
const jar = request.jar();
|
||||
request({
|
||||
url: `${nconf.get('url')}/api/config`,
|
||||
json: true,
|
||||
jar: jar,
|
||||
}, (err, response, body) => {
|
||||
if (err) {
|
||||
return callback(err);
|
||||
}
|
||||
|
||||
request.post(`${nconf.get('url')}/login`, {
|
||||
form: {
|
||||
username: username,
|
||||
password: password,
|
||||
},
|
||||
json: true,
|
||||
jar: jar,
|
||||
headers: {
|
||||
'x-csrf-token': body.csrf_token,
|
||||
},
|
||||
}, (err, response, body) => {
|
||||
callback(err, response, body, jar);
|
||||
});
|
||||
});
|
||||
}
|
||||
const loginUserPromisified = util.promisify(loginUser);
|
||||
|
||||
const jar = request.jar();
|
||||
let regularUid;
|
||||
before((done) => {
|
||||
user.create({ username: 'regular', password: 'regularpwd', email: 'regular@nodebb.org' }, (err, uid) => {
|
||||
assert.ifError(err);
|
||||
regularUid = uid;
|
||||
assert.strictEqual(uid, 1);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should allow login with email for uid 1', async () => {
|
||||
const oldValue = meta.config.allowLoginWith;
|
||||
meta.config.allowLoginWith = 'email';
|
||||
const { res } = await helpers.loginUser('regular@nodebb.org', 'regularpwd');
|
||||
assert.strictEqual(res.statusCode, 200);
|
||||
meta.config.allowLoginWith = oldValue;
|
||||
});
|
||||
|
||||
it('second user should fail to login with email since email is not confirmed', async () => {
|
||||
const oldValue = meta.config.allowLoginWith;
|
||||
meta.config.allowLoginWith = 'email';
|
||||
const uid = await user.create({ username: '2nduser', password: '2ndpassword', email: '2nduser@nodebb.org' });
|
||||
const { res, body } = await helpers.loginUser('2nduser@nodebb.org', '2ndpassword');
|
||||
assert.strictEqual(res.statusCode, 403);
|
||||
assert.strictEqual(body, '[[error:invalid-login-credentials]]');
|
||||
meta.config.allowLoginWith = oldValue;
|
||||
});
|
||||
|
||||
it('should fail to create user if username is too short', (done) => {
|
||||
helpers.registerUser({
|
||||
username: 'a',
|
||||
@@ -164,13 +155,13 @@ describe('authentication', () => {
|
||||
});
|
||||
|
||||
it('should login a user', (done) => {
|
||||
loginUser('regular', 'regularpwd', (err, response, body, jar) => {
|
||||
helpers.loginUser('regular', 'regularpwd', (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert(body);
|
||||
assert(data.body);
|
||||
request({
|
||||
url: `${nconf.get('url')}/api/self`,
|
||||
json: true,
|
||||
jar: jar,
|
||||
jar: data.jar,
|
||||
}, (err, response, body) => {
|
||||
assert.ifError(err);
|
||||
assert(body);
|
||||
@@ -245,37 +236,37 @@ describe('authentication', () => {
|
||||
});
|
||||
|
||||
it('should fail to login if user does not exist', (done) => {
|
||||
loginUser('doesnotexist', 'nopassword', (err, response, body) => {
|
||||
helpers.loginUser('doesnotexist', 'nopassword', (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 403);
|
||||
assert.equal(body, '[[error:invalid-login-credentials]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:invalid-login-credentials]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should fail to login if username is empty', (done) => {
|
||||
loginUser('', 'some password', (err, response, body) => {
|
||||
helpers.loginUser('', 'some password', (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 403);
|
||||
assert.equal(body, '[[error:invalid-username-or-password]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:invalid-username-or-password]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should fail to login if password is empty', (done) => {
|
||||
loginUser('someuser', '', (err, response, body) => {
|
||||
helpers.loginUser('someuser', '', (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 403);
|
||||
assert.equal(body, '[[error:invalid-username-or-password]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:invalid-username-or-password]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should fail to login if username and password are empty', (done) => {
|
||||
loginUser('', '', (err, response, body) => {
|
||||
helpers.loginUser('', '', (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 403);
|
||||
assert.equal(body, '[[error:invalid-username-or-password]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:invalid-username-or-password]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
@@ -283,10 +274,10 @@ describe('authentication', () => {
|
||||
it('should fail to login if user does not have password field in db', (done) => {
|
||||
user.create({ username: 'hasnopassword', email: 'no@pass.org' }, (err, uid) => {
|
||||
assert.ifError(err);
|
||||
loginUser('hasnopassword', 'doesntmatter', (err, response, body) => {
|
||||
helpers.loginUser('hasnopassword', 'doesntmatter', (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 403);
|
||||
assert.equal(body, '[[error:invalid-login-credentials]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:invalid-login-credentials]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
@@ -297,10 +288,10 @@ describe('authentication', () => {
|
||||
for (let i = 0; i < 5000; i++) {
|
||||
longPassword += 'a';
|
||||
}
|
||||
loginUser('someuser', longPassword, (err, response, body) => {
|
||||
helpers.loginUser('someuser', longPassword, (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 403);
|
||||
assert.equal(body, '[[error:password-too-long]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:password-too-long]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
@@ -308,10 +299,10 @@ describe('authentication', () => {
|
||||
it('should fail to login if local login is disabled', (done) => {
|
||||
privileges.global.rescind(['groups:local:login'], 'registered-users', (err) => {
|
||||
assert.ifError(err);
|
||||
loginUser('regular', 'regularpwd', (err, response, body) => {
|
||||
helpers.loginUser('regular', 'regularpwd', (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 403);
|
||||
assert.equal(body, '[[error:local-login-disabled]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:local-login-disabled]]');
|
||||
privileges.global.give(['groups:local:login'], 'registered-users', done);
|
||||
});
|
||||
});
|
||||
@@ -396,17 +387,17 @@ describe('authentication', () => {
|
||||
it('should be able to login with email', async () => {
|
||||
const uid = await user.create({ username: 'ginger', password: '123456', email: 'ginger@nodebb.org' });
|
||||
await user.email.confirmByUid(uid);
|
||||
const response = await loginUserPromisified('ginger@nodebb.org', '123456');
|
||||
assert.equal(response.statusCode, 200);
|
||||
const { res } = await helpers.loginUser('ginger@nodebb.org', '123456');
|
||||
assert.equal(res.statusCode, 200);
|
||||
});
|
||||
|
||||
it('should fail to login if login type is username and an email is sent', (done) => {
|
||||
meta.config.allowLoginWith = 'username';
|
||||
loginUser('ginger@nodebb.org', '123456', (err, response, body) => {
|
||||
helpers.loginUser('ginger@nodebb.org', '123456', (err, data) => {
|
||||
meta.config.allowLoginWith = 'username-email';
|
||||
assert.ifError(err);
|
||||
assert.equal(response.statusCode, 400);
|
||||
assert.equal(body, '[[error:wrong-login-type-username]]');
|
||||
assert.equal(data.res.statusCode, 400);
|
||||
assert.equal(data.body, '[[error:wrong-login-type-username]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
@@ -450,28 +441,28 @@ describe('authentication', () => {
|
||||
it('should prevent banned user from logging in', (done) => {
|
||||
user.bans.ban(bannedUser.uid, 0, 'spammer', (err) => {
|
||||
assert.ifError(err);
|
||||
loginUser(bannedUser.username, bannedUser.pw, (err, res, body) => {
|
||||
helpers.loginUser(bannedUser.username, bannedUser.pw, (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(res.statusCode, 403);
|
||||
delete body.timestamp;
|
||||
assert.deepStrictEqual(body, {
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
delete data.body.timestamp;
|
||||
assert.deepStrictEqual(data.body, {
|
||||
banned_until: 0,
|
||||
banned_until_readable: '',
|
||||
expiry: 0,
|
||||
expiry_readable: '',
|
||||
reason: 'spammer',
|
||||
uid: 6,
|
||||
uid: bannedUser.uid,
|
||||
});
|
||||
user.bans.unban(bannedUser.uid, (err) => {
|
||||
assert.ifError(err);
|
||||
const expiry = Date.now() + 10000;
|
||||
user.bans.ban(bannedUser.uid, expiry, '', (err) => {
|
||||
assert.ifError(err);
|
||||
loginUser(bannedUser.username, bannedUser.pw, (err, res, body) => {
|
||||
helpers.loginUser(bannedUser.username, bannedUser.pw, (err, data) => {
|
||||
assert.ifError(err);
|
||||
assert.equal(res.statusCode, 403);
|
||||
assert(body.banned_until);
|
||||
assert(body.reason, '[[user:info.banned-no-reason]]');
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert(data.body.banned_until);
|
||||
assert(data.body.reason, '[[user:info.banned-no-reason]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
@@ -482,14 +473,14 @@ describe('authentication', () => {
|
||||
|
||||
it('should allow banned user to log in if the "banned-users" group has "local-login" privilege', async () => {
|
||||
await privileges.global.give(['groups:local:login'], 'banned-users');
|
||||
const res = await loginUserPromisified(bannedUser.username, bannedUser.pw);
|
||||
const { res } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
|
||||
assert.strictEqual(res.statusCode, 200);
|
||||
});
|
||||
|
||||
it('should allow banned user to log in if the user herself has "local-login" privilege', async () => {
|
||||
await privileges.global.rescind(['groups:local:login'], 'banned-users');
|
||||
await privileges.categories.give(['local:login'], 0, bannedUser.uid);
|
||||
const res = await loginUserPromisified(bannedUser.username, bannedUser.pw);
|
||||
const { res } = await helpers.loginUser(bannedUser.username, bannedUser.pw);
|
||||
assert.strictEqual(res.statusCode, 200);
|
||||
});
|
||||
});
|
||||
@@ -503,26 +494,26 @@ describe('authentication', () => {
|
||||
},
|
||||
function (_uid, next) {
|
||||
uid = _uid;
|
||||
loginUser('lockme', 'abcdef', next);
|
||||
helpers.loginUser('lockme', 'abcdef', next);
|
||||
},
|
||||
function (res, body, jar, next) {
|
||||
loginUser('lockme', 'abcdef', next);
|
||||
function (data, next) {
|
||||
helpers.loginUser('lockme', 'abcdef', next);
|
||||
},
|
||||
function (res, body, jar, next) {
|
||||
loginUser('lockme', 'abcdef', next);
|
||||
function (data, next) {
|
||||
helpers.loginUser('lockme', 'abcdef', next);
|
||||
},
|
||||
function (res, body, jar, next) {
|
||||
loginUser('lockme', 'abcdef', next);
|
||||
function (data, next) {
|
||||
helpers.loginUser('lockme', 'abcdef', next);
|
||||
},
|
||||
function (res, body, jar, next) {
|
||||
function (data, next) {
|
||||
meta.config.loginAttempts = 5;
|
||||
assert.equal(res.statusCode, 403);
|
||||
assert.equal(body, '[[error:account-locked]]');
|
||||
loginUser('lockme', 'abcdef', next);
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:account-locked]]');
|
||||
helpers.loginUser('lockme', 'abcdef', next);
|
||||
},
|
||||
function (res, body, jar, next) {
|
||||
assert.equal(res.statusCode, 403);
|
||||
assert.equal(body, '[[error:account-locked]]');
|
||||
function (data, next) {
|
||||
assert.equal(data.res.statusCode, 403);
|
||||
assert.equal(data.body, '[[error:account-locked]]');
|
||||
db.exists(`lockout:${uid}`, next);
|
||||
},
|
||||
function (locked, next) {
|
||||
@@ -534,7 +525,7 @@ describe('authentication', () => {
|
||||
|
||||
it('should clear all reset tokens upon successful login', async () => {
|
||||
const code = await user.reset.generate(regularUid);
|
||||
await loginUserPromisified('regular', 'regularpwd');
|
||||
await helpers.loginUser('regular', 'regularpwd');
|
||||
const valid = await user.reset.validate(code);
|
||||
assert.strictEqual(valid, false);
|
||||
});
|
||||
|
||||
@@ -673,8 +673,8 @@ describe('Flags', () => {
|
||||
throw err;
|
||||
}
|
||||
|
||||
// 1 for the new event appended, 1 for username change (email not changed immediately)
|
||||
assert.strictEqual(entries + 2, history.length);
|
||||
// 1 for the new event appended, 2 for username/email change
|
||||
assert.strictEqual(entries + 3, history.length);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
@@ -43,7 +43,7 @@ helpers.loginUser = function (username, password, callback) {
|
||||
if (err || res.statusCode !== 200) {
|
||||
return callback(err || new Error('[[error:invalid-response]]'));
|
||||
}
|
||||
|
||||
const { csrf_token } = body;
|
||||
request.post(`${nconf.get('url')}/login`, {
|
||||
form: {
|
||||
username: username,
|
||||
@@ -52,13 +52,13 @@ helpers.loginUser = function (username, password, callback) {
|
||||
json: true,
|
||||
jar: jar,
|
||||
headers: {
|
||||
'x-csrf-token': body.csrf_token,
|
||||
'x-csrf-token': csrf_token,
|
||||
},
|
||||
}, (err, res) => {
|
||||
if (err || res.statusCode !== 200) {
|
||||
}, (err, res, body) => {
|
||||
if (err) {
|
||||
return callback(err || new Error('[[error:invalid-response]]'));
|
||||
}
|
||||
callback(null, { jar, csrf_token: body.csrf_token });
|
||||
callback(null, { jar, res, body, csrf_token: csrf_token });
|
||||
});
|
||||
});
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user