Unverified Commit a21088d7 authored by Ahmad Farhat's avatar Ahmad Farhat Committed by GitHub

Prevent local users from signing in if external accounts is enabled (#5542)

parent e5adc752
......@@ -20,6 +20,7 @@ module Api
module V1
class SessionsController < ApiController
skip_before_action :ensure_authenticated, only: %i[index create]
before_action :ensure_unauthenticated, only: :create
# GET /api/v1/sessions
# Returns the current_user
......@@ -43,7 +44,7 @@ module Api
return render_error if user.blank?
# Will return an error if the user is NOT from the current provider and if the user is NOT a super admin
return render_error if user.provider != current_provider && !user.super_admin?
return render_error status: :forbidden if !user.super_admin? && (user.provider != current_provider || external_auth?)
# Password is not set (local user migrated from v2)
if user.external_id.blank? && user.password_digest.blank?
......
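Review bot: The new guard at `return render_error status: :forbidden if !user.super_admin? && (user.provider != current_provider || external_auth?)` answers with a different status than the `return render_error if user.blank?` line just above it, so if render_error's default status is not :forbidden, a client can tell from the status code alone whether an email belongs to an existing account before any password is checked; consider giving both rejections the same status, or at least confirming the default. The comment above the guard is also now stale, since it still describes only the provider mismatch: `# Reject unless the user is a super admin: local sign-in is refused for users of another provider, or whenever external authentication is enabled`. The enclosing create action starts and ends outside the hunk, so it is unclear from here whether any rate limiting or logging covers these early returns. The same stale-comment concern does not apply to the first hunk, which only registers the before_action.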
......@@ -29,6 +29,11 @@ module Authorizable
render_error status: :unauthorized unless current_user
end
# Ensures that the user is NOT logged in
def ensure_unauthenticated
render_error status: :unauthorized if current_user
end
# PermissionsChecker service will return a true or false depending on whether the current_user's role has the provided permission_name
def ensure_authorized(permission_names, user_id: nil, friendly_id: nil, record_id: nil)
render_error status: :forbidden unless PermissionsChecker.new(
......
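Review bot: `ensure_unauthenticated` responds with :unauthorized when a session already exists, but 401 conventionally means credentials are missing or invalid, which is the opposite of this situation; a 403 (or whatever the project uses for "request not allowed in the current state") would be less misleading to clients and to anyone reading logs, and the sessions spec's `expect(response).to be_unauthorized` would need to follow. If :unauthorized is deliberate for consistency with `ensure_authenticated`, say so in the comment: `# Ensures that the user is NOT logged in (rejected with 401 to mirror ensure_authenticated)`. The Authorizable module continues outside the hunk.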
......@@ -54,6 +54,49 @@ RSpec.describe Api::V1::SessionsController, type: :controller do
expect(session[:session_token]).to eq(user.session_token)
end
it 'logs in with greenlight account before bn account' do
post :create, params: { session: { email: user.email, password: 'Password1!' } }
expect(response).to have_http_status(:ok)
expect(session[:session_token]).to eq(user.reload.session_token)
end
it 'logs in with bn account if greenlight account does not exist' do
user.provider = 'random_provider'
user.save
post :create, params: { session: { email: user.email, password: 'Password1!' } }
expect(response).to have_http_status(:ok)
expect(session[:session_token]).to eq(super_admin.reload.session_token)
end
context 'errors' do
it 'returns unauthorized if the user is already signed in' do
sign_in_user(user)
post :create, params: {
session: {
email: 'email@email.com',
password: 'Password1!',
extend_session: false
}
}, as: :json
expect(response).to be_unauthorized
end
it 'returns forbidden if the external auth is enabled' do
allow(controller).to receive(:external_auth?).and_return(true)
post :create, params: {
session: {
email: 'email@email.com',
password: 'Password1!',
extend_session: false
}
}, as: :json
expect(response).to be_forbidden
end
it 'returns UnverifiedUser error if the user is not verified' do
unverified_user = create(:user, password: 'Password1!', verified: false)
......@@ -93,19 +136,6 @@ RSpec.describe Api::V1::SessionsController, type: :controller do
expect(response.parsed_body['errors']).to eq('PendingUser')
end
it 'logs in with greenlight account before bn account' do
post :create, params: { session: { email: user.email, password: 'Password1!' } }
expect(response).to have_http_status(:ok)
expect(session[:session_token]).to eq(user.reload.session_token)
end
it 'logs in with bn account if greenlight account does not exist' do
user.provider = 'random_provider'
user.save
post :create, params: { session: { email: user.email, password: 'Password1!' } }
expect(response).to have_http_status(:ok)
expect(session[:session_token]).to eq(super_admin.reload.session_token)
end
end
......
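Review bot: The new `returns forbidden if the external auth is enabled` example posts with the literal `email: 'email@email.com'` rather than `user.email` as the neighbouring examples do, so unless that address matches the `user` fixture defined outside the hunk, the request is rejected by the `user.blank?` check before the external_auth? branch is ever reached and the example would only pass by coincidence of status codes; change it to `email: user.email,` so it exercises the new condition. The hunk also leaves the super-admin exemption in the controller untested: an example along the lines of `it 'allows a super admin to sign in when external auth is enabled'` stubbing `external_auth?` to true and posting as `super_admin` would pin that path. The relocated greenlight/bn examples in the second hunk are a pure move and need no review.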