From dfa22391ad88bce492c9dc14de7bbc6908559cff Mon Sep 17 00:00:00 2001
From: Kevin Kuang <kvnkuang@users.noreply.github.com>
Date: Tue, 25 Aug 2020 10:34:26 -0400
Subject: [PATCH] Fix beforeLogin for users logging in with AuthData (#6872)

* fix beforeLogin

* Remove Facebook AccountKit auth (#6870)

* Remove Facebook AccountKit auth

Account Kit services are no longer available.

https://developers.facebook.com/blog/post/2019/09/09/account-kit-services-no-longer-available-starting-march/

https://www.sinch.com/blog/facebook-account-kit-is-closing-down-are-your-apps-covered/

* remove flaky test

* fix: upgrade uuid from 8.2.0 to 8.3.0 (#6865)

Snyk has created this PR to upgrade uuid from 8.2.0 to 8.3.0.

See this package in npm:
https://www.npmjs.com/package/uuid

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: package.json & package-lock.json to reduce vulnerabilities (#6864)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-590103

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade ldapjs from 2.0.0 to 2.1.0 (#6857)

Snyk has created this PR to upgrade ldapjs from 2.0.0 to 2.1.0.

See this package in npm:
https://www.npmjs.com/package/ldapjs

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade apollo-server-express from 2.15.1 to 2.16.0 (#6851)

Snyk has created this PR to upgrade apollo-server-express from 2.15.1 to 2.16.0.

See this package in npm:
https://www.npmjs.com/package/apollo-server-express

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13 (#6845)

Snyk has created this PR to upgrade @graphql-tools/stitch from 6.0.12 to 6.0.13.

See this package in npm:
https://www.npmjs.com/package/@graphql-tools/stitch

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix: upgrade @graphql-tools/utils from 6.0.12 to 6.0.13 (#6846)

Snyk has created this PR to upgrade @graphql-tools/utils from 6.0.12 to 6.0.13.

See this package in npm:
https://www.npmjs.com/package/@graphql-tools/utils

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* [Snyk] Upgrade winston from 3.2.1 to 3.3.2 (#6799)

* fix: upgrade winston from 3.2.1 to 3.3.2

Snyk has created this PR to upgrade winston from 3.2.1 to 3.3.2.

See this package in NPM:
https://www.npmjs.com/package/winston

See this project in Snyk:
https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr

* fix tests

Co-authored-by: Diamond Lewis <findlewis@gmail.com>

* fix beforeLogin

* add test case

Co-authored-by: Diamond Lewis <findlewis@gmail.com>
Co-authored-by: Snyk bot <snyk-bot@snyk.io>
---
 spec/ParseUser.spec.js | 30 ++++++++++++++++++++++++++++++
 src/RestWrite.js       |  4 ++++
 2 files changed, 34 insertions(+)

diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
index 8484cb4b..45e577ac 100644
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -1524,6 +1524,36 @@ describe('Parse.User testing', () => {
     done();
   });
 
+  it('login with provider should be blockable by beforeLogin even when the user has a attached file', async done => {
+    const provider = getMockFacebookProvider();
+    Parse.User._registerAuthenticationProvider(provider);
+
+    let hit = 0;
+    Parse.Cloud.beforeLogin(req => {
+      hit++;
+      if (req.object.get('isBanned')) {
+        throw new Error('banned account');
+      }
+    });
+
+    const user = await Parse.User._logInWith('facebook');
+    const base64 = 'aHR0cHM6Ly9naXRodWIuY29tL2t2bmt1YW5n';
+    const file = new Parse.File('myfile.txt', { base64 });
+    await file.save();
+    await user.save({ isBanned: true, file });
+    await Parse.User.logOut();
+
+    try {
+      await Parse.User._logInWith('facebook');
+      throw new Error('should not have continued login.');
+    } catch (e) {
+      expect(e.message).toBe('banned account');
+    }
+
+    expect(hit).toBe(1);
+    done();
+  });
+
   it('logout with provider should call afterLogout trigger', async done => {
     const provider = getMockFacebookProvider();
     Parse.User._registerAuthenticationProvider(provider);
diff --git a/src/RestWrite.js b/src/RestWrite.js
index b26fc90b..d6a64b89 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -329,6 +329,10 @@ RestWrite.prototype.runBeforeLoginTrigger = async function(userData) {
 
   // Cloud code gets a bit of extra data for its objects
   const extraData = { className: this.className };
+
+  // Expand file objects
+  this.config.filesController.expandFilesInObject(this.config, userData);
+
   const user = triggers.inflate(extraData, userData);
 
   // no need to return a response