Add SuperAdmin provider bypass (#4943)

* Add SuperAdmin provider by-pass

* Add bn check on role instead of user

* Add bn check on session create

* Fix logic, add specs

* rubocop

* Improve logic

app/controllers/api/v1/sessions_controller.rb

@@ -32,13 +32,20 @@ module Api
       # POST /api/v1/sessions
       # Signs a user in and updates the session cookie
       def create
-        user = User.find_by(email: session_params[:email], provider: current_provider)
-
         # TODO: Add proper error logging for non-verified token hcaptcha
         return render_error if hcaptcha_enabled? && !verify_hcaptcha(response: params[:token])
 
+        # Search for a user within the current provider and, if not found, search for a super admin within bn provider
+        user = User.find_by(email: session_params[:email], provider: current_provider) || User.find_by(email: session_params[:email], provider: 'bn')
+
+        # Return an error if the user is not found
+        return render_error if user.blank?
+
+        # Will return an error if the user is NOT from the current provider and if the user is NOT a super admin
+        return render_error if user.provider != current_provider && !user.super_admin?
+
         # TODO: Add proper error logging for non-verified token hcaptcha
-        if user.present? && user.authenticate(session_params[:password])
+        if user.authenticate(session_params[:password])
           return render_error data: user.id, errors: Rails.configuration.custom_error_msgs[:unverified_user] unless user.verified?
           return render_error errors: Rails.configuration.custom_error_msgs[:pending_user] if user.pending?
           return render_error errors: Rails.configuration.custom_error_msgs[:banned_user] if user.banned?

app/controllers/application_controller.rb

@@ -78,10 +78,10 @@ class ApplicationController < ActionController::Base
 
   # Parses the url for the user domain
   def parse_user_domain(hostname)
-    provider = hostname&.split('.')&.first
+    tenant = hostname&.split('.')&.first
 
-    raise 'Invalid domain' unless Tenant.exists?(name: hostname)
+    raise 'Invalid domain' unless Tenant.exists?(name: tenant)
 
-    provider
+    tenant
   end
 end

app/models/user.rb

@@ -206,6 +206,10 @@ class User < ApplicationRecord
     update! verified: false
   end
 
+  def super_admin?
+    role.name == 'SuperAdmin' && role.provider == 'bn'
+  end
+
   def check_user_role_provider
     return unless role
 

app/serializers/current_user_serializer.rb

@@ -35,6 +35,6 @@ class CurrentUserSerializer < UserSerializer
   end
 
   def super_admin
-    object.role.name == 'SuperAdmin' && object.role.provider == 'bn'
+    object.super_admin?
   end
 end

spec/controllers/sessions_controller_spec.rb

@@ -20,6 +20,8 @@ require 'rails_helper'
 
 RSpec.describe Api::V1::SessionsController, type: :controller do
   let!(:user) { create(:user, email: 'email@email.com', password: 'Password1!', password_confirmation: 'Password1!') }
+  let!(:super_admin_role) { create(:role, :with_super_admin) }
+  let!(:super_admin) { create(:user, role: super_admin_role, email: 'email@email.com', provider: 'bn') }
 
   before do
     request.headers['ACCEPT'] = 'application/json'
@@ -91,6 +93,20 @@ RSpec.describe Api::V1::SessionsController, type: :controller do
 
       expect(JSON.parse(response.body)['errors']).to eq('PendingUser')
     end
+
+    it 'logs in with greenlight account before bn account' do
+      post :create, params: { session: { email: user.email, password: 'Password1!' } }
+      expect(response).to have_http_status(:ok)
+      expect(session[:session_token]).to eq(user.reload.session_token)
+    end
+
+    it 'logs in with bn account if greenlight account does not exist' do
+      user.provider = 'random_provider'
+      user.save
+      post :create, params: { session: { email: user.email, password: 'Password1!' } }
+      expect(response).to have_http_status(:ok)
+      expect(session[:session_token]).to eq(super_admin.reload.session_token)
+    end
   end
 
   describe '#destroy' do

spec/factories/role_factory.rb

@@ -29,5 +29,10 @@ FactoryBot.define do
       RolePermission.find_or_create_by(permission: perm2, role:, value: '100')
       RolePermission.find_or_create_by(permission: perm3, role:, value: 'true')
     end
+
+    trait :with_super_admin do
+      name { 'SuperAdmin' }
+      provider { 'bn' }
+    end
   end
 end