joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add new Parse Server option preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#8451)

Browse Source
This commit is contained in:
Daniel
2023-06-08 05:51:53 +10:00
committed by GitHub
parent 0ce3692759
commit 82da30842a
6 changed files with 88 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
spec/ValidationAndPasswordsReset.spec.js
View File

@@ -242,8 +242,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
});
});
it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', done => {
const user = new Parse.User();
it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', async () => {
let sendEmailOptions;
const emailAdapter = {
sendVerificationEmail: options => {
@@ -252,59 +251,32 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => {},
};
reconfigureServer({
await reconfigureServer({
appName: 'emailing app',
verifyUserEmails: true,
preventLoginWithUnverifiedEmail: true,
emailAdapter: emailAdapter,
publicServerURL: 'http://localhost:8378/1',
})
.then(() => {
user.setPassword('other-password');
user.setUsername('user');
user.set('email', 'user@parse.com');
return user.signUp();
})
.then(() => {
expect(sendEmailOptions).not.toBeUndefined();
request({
url: sendEmailOptions.link,
followRedirects: false,
}).then(response => {
expect(response.status).toEqual(302);
expect(response.text).toEqual(
'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
);
user
.fetch({ useMasterKey: true })
.then(
() => {
expect(user.get('emailVerified')).toEqual(true);
Parse.User.logIn('user', 'other-password').then(
user => {
expect(typeof user).toBe('object');
expect(user.get('emailVerified')).toBe(true);
done();
},
() => {
fail('login should have succeeded');
done();
}
);
},
err => {
jfail(err);
fail('this should not fail');
done();
}
)
.catch(err => {
jfail(err);
done();
});
});
});
});
let user = new Parse.User();
user.setPassword('other-password');
user.setUsername('user');
user.set('email', 'user@example.com');
await user.signUp();
expect(sendEmailOptions).not.toBeUndefined();
const response = await request({
url: sendEmailOptions.link,
followRedirects: false,
});
expect(response.status).toEqual(302);
expect(response.text).toEqual(
'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
);
user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
expect(user.get('emailVerified')).toEqual(true);
user = await Parse.User.logIn('user', 'other-password');
expect(typeof user).toBe('object');
expect(user.get('emailVerified')).toBe(true);
});
it('allows user to login if email is not verified but preventLoginWithUnverifiedEmail is set to false', done => {
@@ -345,6 +317,35 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
});
});
it('does not allow signup with preventSignupWithUnverified', async () => {
let sendEmailOptions;
const emailAdapter = {
sendVerificationEmail: options => {
sendEmailOptions = options;
},
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => {},
};
await reconfigureServer({
appName: 'test',
publicServerURL: 'http://localhost:1337/1',
verifyUserEmails: true,
preventLoginWithUnverifiedEmail: true,
preventSignupWithUnverifiedEmail: true,
emailAdapter,
});
const newUser = new Parse.User();
newUser.setPassword('asdf');
newUser.setUsername('zxcv');
newUser.set('email', 'test@example.com');
await expectAsync(newUser.signUp()).toBeRejectedWith(
new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.')
);
const user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
expect(user).toBeDefined();
expect(sendEmailOptions).toBeDefined();
});
it('fails if you include an emailAdapter, set a publicServerURL, but have no appName and send a password reset email', done => {
reconfigureServer({
appName: undefined,

40
spec/VerifyUserPassword.spec.js
View File

@@ -353,8 +353,9 @@ describe('Verify User Password', () => {
done();
});
});
it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', done => {
reconfigureServer({
it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', async () => {
await reconfigureServer({
publicServerURL: 'http://localhost:8378/',
appName: 'emailVerify',
verifyUserEmails: true,
@@ -364,28 +365,21 @@ describe('Verify User Password', () => {
apiKey: 'k',
domain: 'd',
}),
})
.then(() => {
const user = new Parse.User();
return user.save({
username: 'unverified-user',
password: 'mypass',
email: 'unverified-email@user.com',
});
})
.then(() => {
return verifyPassword('unverified-email@user.com', 'mypass', true);
})
.then(res => {
expect(res.status).toBe(400);
expect(res.text).toMatch('{"code":205,"error":"User email is not verified."}');
done();
})
.catch(err => {
fail(err);
done();
});
});
const user = new Parse.User();
await user.save({
username: 'unverified-user',
password: 'mypass',
email: 'unverified-email@example.com',
});
const res = await verifyPassword('unverified-email@example.com', 'mypass', true);
expect(res.status).toBe(400);
expect(res.data).toEqual({
code: Parse.Error.EMAIL_NOT_FOUND,
error: 'User email is not verified.',
});
});
it('verify password lock account if failed verify password attempts are above threshold', done => {
reconfigureServer({
appName: 'lockout threshold',

7
src/Options/Definitions.js
View File

@@ -412,6 +412,13 @@ module.exports.ParseServerOptions = {
action: parsers.booleanParser,
default: false,
},
preventSignupWithUnverifiedEmail: {
env: 'PARSE_SERVER_PREVENT_SIGNUP_WITH_UNVERIFIED_EMAIL',
help:
"If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.<br><br>Default is `false`.<br>Requires option `verifyUserEmails: true`.",
action: parsers.booleanParser,
default: false,
},
protectedFields: {
env: 'PARSE_SERVER_PROTECTED_FIELDS',
help: 'Protected fields that should be treated with extra security when fetching details.',

1
src/Options/docs.js
View File

@@ -77,6 +77,7 @@
* @property {Number} port The port to run the ParseServer, defaults to 1337.
* @property {Boolean} preserveFileName Enable (or disable) the addition of a unique hash to the file names
* @property {Boolean} preventLoginWithUnverifiedEmail Set to `true` to prevent a user from logging in if the email has not yet been verified and email verification is required.<br><br>Default is `false`.<br>Requires option `verifyUserEmails: true`.
* @property {Boolean} preventSignupWithUnverifiedEmail If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.<br><br>Default is `false`.<br>Requires option `verifyUserEmails: true`.
* @property {ProtectedFields} protectedFields Protected fields that should be treated with extra security when fetching details.
* @property {String} publicServerURL Public URL to your parse server with http:// or https://.
* @property {Any} push Configuration for push, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#push-notifications

7
src/Options/index.js
View File

@@ -165,6 +165,13 @@ export interface ParseServerOptions {
Requires option `verifyUserEmails: true`.
:DEFAULT: false */
preventLoginWithUnverifiedEmail: ?boolean;
/* If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.
<br><br>
Default is `false`.
<br>
Requires option `verifyUserEmails: true`.
:DEFAULT: false */
preventSignupWithUnverifiedEmail: ?boolean;
/* Set the validity duration of the email verification token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to `undefined`, then the token never expires.
<br><br>
For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).

6
src/RestWrite.js
View File

@@ -160,6 +160,9 @@ RestWrite.prototype.execute = function () {
this.response.response.authDataResponse = this.authDataResponse;
}
}
if (this.storage.rejectSignup && this.config.preventSignupWithUnverifiedEmail) {
throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
}
return this.response;
});
};
@@ -879,7 +882,8 @@ RestWrite.prototype.createSessionTokenIfNeeded = function () {
this.config.verifyUserEmails
) {
// verification is on
return; // do not create the session token in that case!
this.storage.rejectSignup = true;
return;
}
return this.createSessionToken();
};