feature: User Lockout #4749
Codecov Report
Coverage diff, master vs. #4749:

| | master | #4749 | +/- |
|---|---|---|---|
| Coverage | 92.61% | 92.62% | +0.01% |
| Files | 119 | 119 | |
| Lines | 8585 | 8588 | +3 |
| Hits | 7951 | 7955 | +4 |
| Misses | 634 | 633 | -1 |

Continue to review full report at Codecov.
@flovilmart this looks good to me. I just did a quick first pass. I'm going to digest and take another look.

So this looks good to me but needs better comments and docs. "masterKey only User objects": maybe instead of that, just call it a 'locked user' and you can mention the master key in the doc, but for the name, I think either 'locked user' or 'locked out user'.

@acinader that's in my plan to add the docs before merging this one, I'll update them soon enough so we can get moving forward with that! Thanks for the review!
@@ -114,6 +114,12 @@ export class UsersRouter extends ClassesRouter { | |||
if (!isValidPassword) { | |||
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.'); | |||
} | |||
// Ensure the user isn't locked out | |||
// A locked out user won't be able to login | |||
// To lock a user out, just set the ACL to `masterKey` only ({}). |
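Review bot: the three added comment lines state the lockout rule, but the phrase "set the ACL to `masterKey` only ({})" leaves the reader to work out that an empty ACL is what "master key only" means, and the check that enforces the rule is not in the visible part of the hunk. Suggest rewording the comment to say it explicitly, e.g. `// A _User whose ACL is empty ({}) can only be read or written with the master key; treat such a user as locked out and reject the login before issuing a session`, and stating which error the caller receives. Since this block sits after the `isValidPassword` check, a locked account presented with a wrong password still gets 'Invalid username/password.'; whichever error the locked path returns, that behaviour belongs in the documentation the reviewer asked for.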
This comment could be clearer.

Would also be nice to update the documentation (sorry if you already have a separate PR for that, I haven't looked this pass).
* Allows masterKey to lock a _User object and prevent login with email / password
* Ensure the authData based auth can be locked out as well when the account is masterKey only

It is possible that a user requests to have its data removed from the database. In order to provide a good experience, an administrator should be able to lock the account out.

In order to lock a user out, it is now allowed to have masterKey only User objects. In those cases, the account will be considered locked out.
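A worked illustration of the lockout rule described above, added here as an example; it is not code from Parse Server or from this PR. It decides whether a `_User` object is "master key only" from its ACL in Parse's JSON form (keys are `"*"`, a user id, or `"role:<name>"`, each mapping to `{ read, write }` flags), and shows the order a login handler would check things in. The function names `isMasterKeyOnly`, `lockOut` and `attemptLogin`, the sample users, and the 'Account locked out.' message are assumptions; 'Invalid username/password.' is the message from the diff.

```javascript
// Added example, not Parse Server code. Names and messages are assumptions
// except 'Invalid username/password.', which is the error used in the PR.

// An ACL with no entry granting read or write to anyone means only the
// master key can touch the object. That is the "locked out" state the PR
// describes. A missing ACL is public read/write in Parse, so it is NOT locked.
function isMasterKeyOnly(acl) {
  if (acl === undefined || acl === null) {
    return false;
  }
  return Object.keys(acl).every((key) => {
    const perms = acl[key] || {};
    return !perms.read && !perms.write;
  });
}

// What an administrator does with the master key: replace the ACL with {}.
// Returns a new object rather than mutating the input.
function lockOut(user) {
  return { ...user, ACL: {} };
}

// Simulated login step. `passwordMatches` stands in for the password
// comparison the router performs; the lockout check runs only after
// credentials are verified, mirroring the position of the new block in
// the diff, so a locked account with a wrong password still sees the
// generic credential error.
function attemptLogin(user, passwordMatches) {
  if (!passwordMatches) {
    return { ok: false, error: 'Invalid username/password.' };
  }
  if (isMasterKeyOnly(user.ACL)) {
    return { ok: false, error: 'Account locked out.' }; // hypothetical message
  }
  return { ok: true, sessionFor: user.objectId };
}

// Constructed sample users (not real data).
const activeUser = {
  objectId: 'u1',
  ACL: { u1: { read: true, write: true }, '*': { read: true } },
};
const lockedUser = lockOut(activeUser);

console.log(attemptLogin(activeUser, true));   // session issued
console.log(attemptLogin(lockedUser, true));   // rejected as locked out
console.log(attemptLogin(lockedUser, false));  // rejected as bad credentials
```

Whether the locked path returns a distinct message (as here) or the same 'Invalid username/password.' text is a design choice the PR leaves to the documentation; a distinct message is friendlier to a legitimate user whose account was locked at their own request, while the generic one reveals nothing about account state to a caller who guessed the password.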