feature: User Lockout (#4749)

* Allows masterKey to lock _User object and prevent login with email / password

* Ensure the authData based auth can be locked out as well when the account is masterKey only
This commit is contained in:
Florent Vilmart
2018-05-16 15:40:02 -04:00
committed by GitHub
parent bfd0c4bf2f
commit ad244d6654
3 changed files with 75 additions and 2 deletions


@@ -114,6 +114,12 @@ export class UsersRouter extends ClassesRouter {
if (!isValidPassword) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
}
// Ensure the user isn't locked out
// A locked out user won't be able to login
// To lock a user out, just set the ACL to `masterKey` only ({}).
if (!req.auth.isMaster && (!user.ACL || Object.keys(user.ACL).length == 0)) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
}
if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {
throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
}
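Review bot: The lockout check on line 23 treats a missing ACL (`!user.ACL`) the same as an explicitly empty one, so any existing _User row that has no ACL field at all — for instance one created or imported under the master key — would start failing password login after this change, and neither the commit message nor the comment above the check says that is intended. If only an explicitly empty ACL should lock an account, drop the `!user.ACL ||` clause; if the stricter reading is deliberate, say so in the comment: `// A user with no ACL at all is also treated as locked out`. Reusing the 'Invalid username/password.' message keeps a locked account indistinguishable from a wrong password for the caller, which is the right choice; the same line uses `==` where the surrounding code's `===` would be consistent. The enclosing method starts and ends outside the hunk, and the authData-side lockout mentioned in the description is in a file not shown here.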