Skip to content

feature: User Lockout #4749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 16, 2018
Merged

feature: User Lockout #4749

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3c37aa9
Allows masterKey to lock _User object and prevent login with email / …
flovilmart May 7, 2018
0d6ea3e
Ensure the authData based auth can be locked out as well when account…
flovilmart May 7, 2018
90b051e
Merge branch 'master' into feature/user-lockout
flovilmart May 8, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 65 additions & 0 deletions spec/ParseUser.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,71 @@ describe('Parse.User testing', () => {
})
});

it('should let masterKey lockout user', (done) => {
const user = new Parse.User();
const ACL = new Parse.ACL();
ACL.setPublicReadAccess(false);
ACL.setPublicWriteAccess(false);
user.setUsername('asdf');
user.setPassword('zxcv');
user.setACL(ACL);
user.signUp().then(() => {
return Parse.User.logIn("asdf", "zxcv");
}).then((user) => {
equal(user.get("username"), "asdf");
// Lock the user down
const ACL = new Parse.ACL();
user.setACL(ACL);
return user.save(null, { useMasterKey: true });
}).then(() => {
expect(user.getACL().getPublicReadAccess()).toBe(false);
return Parse.User.logIn("asdf", "zxcv");
}).then(done.fail).catch((err) => {
expect(err.message).toBe('Invalid username/password.');
expect(err.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
done();
});
});

it('should be let masterKey lock user out with authData', (done) => {
let objectId;
let sessionToken;

rp.post({
url: 'http://localhost:8378/1/classes/_User',
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest',
},
json: { key: "value", authData: {anonymous: {id: '00000000-0000-0000-0000-000000000001'}}}
}).then((body) => {
objectId = body.objectId;
sessionToken = body.sessionToken;
expect(sessionToken).toBeDefined();
expect(objectId).toBeDefined();
const user = new Parse.User();
user.id = objectId;
const ACL = new Parse.ACL();
user.setACL(ACL);
return user.save(null, { useMasterKey: true });
}).then(() => {
// update the user
const options = {
url: `http://localhost:8378/1/classes/_User/`,
headers: {
'X-Parse-Application-Id': Parse.applicationId,
'X-Parse-REST-API-Key': 'rest',
},
json: { key: "otherValue", authData: {anonymous: {id: '00000000-0000-0000-0000-000000000001'}}}
}
return rp.post(options);
}).then((res) => {
// Because the user is locked out, this should behave as creating a new user
expect(res.objectId).not.toEqual(objectId);
}).then(done)
.catch(done.fail);
});

it("user login with files", (done) => {
const file = new Parse.File("yolo.txt", [1,2,3], "text/plain");
file.save().then((file) => {
Expand Down
6 changes: 4 additions & 2 deletions src/RestWrite.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,7 +282,9 @@ RestWrite.prototype.findUsersWithAuthData = function(authData) {
RestWrite.prototype.handleAuthData = function(authData) {
let results;
return this.findUsersWithAuthData(authData).then((r) => {
results = r;
results = r.filter((user) => {
return !this.auth.isMaster && user.ACL && Object.keys(user.ACL).length > 0;
});
if (results.length > 1) {
// More than 1 user with the passed id's
throw new Parse.Error(Parse.Error.ACCOUNT_ALREADY_LINKED,
Expand Down Expand Up @@ -980,7 +982,7 @@ RestWrite.prototype.runDatabaseOperation = function() {
if (this.query) {
// Force the user to not lockout
// Matched with parse.com
if (this.className === '_User' && this.data.ACL) {
if (this.className === '_User' && this.data.ACL && this.auth.isMaster !== true) {
this.data.ACL[this.query.objectId] = { read: true, write: true };
}
// update password timestamp if user password is being changed
Expand Down
6 changes: 6 additions & 0 deletions src/Routers/UsersRouter.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,12 @@ export class UsersRouter extends ClassesRouter {
if (!isValidPassword) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
}
// Ensure the user isn't locked out
// A locked out user won't be able to login
// To lock a user out, just set the ACL to `masterKey` only ({}).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this comment could be more clear.

would also be nice to update the documentation (sorry if you already have a sep pr for that, I haven't looked this pass).

if (!req.auth.isMaster && (!user.ACL || Object.keys(user.ACL).length == 0)) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
}
if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {
throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
}
Expand Down