feat: Guest email authentication (#1088)

* feat: API endpoints for email signin * fix: After testing * Initial signin flow working * move shared middleware * feat: Add guest signin toggle, obey on endpoints * feat: Basic email signin when enabled * Improve guest signin email Disable double signin with JWT * fix: Simple rate limiting * create placeholder users in db * fix: Give invited users default avatar add invited users to people settings * test * add transaction * tmp: test CI * derp * md5 * urgh * again * test: pass * test * fix: Remove usage of data values * guest signin page * Visually separator 'Invited' from other people tabs * fix: Edge case attempting SSO signin for guest email account * fix: Correctly set email auth method to cookie * Improve rate limit error display * lint: cleanup / comments * Improve invalid token error display * style tweaks * pass guest value to subdomain * Restore copy link option * feat: Allow invite revoke from people management * fix: Incorrect users email schema does not allow for user deletion * lint * fix: avatarUrl for deleted user failure * change default to off for guest invites * fix: Changing security settings wipes subdomain * fix: user delete permissioning * test: Add user.invite specs
2019-12-15 18:46:08 -08:00
parent 5731ff34a4
commit 6d8216c54e
45 changed files with 846 additions and 206 deletions
--- a/server/api/snapshots/users.test.js.snap
+++ b/server/api/snapshots/users.test.js.snap
@@ -3,7 +3,7 @@
 exports[`#users.activate should activate a suspended user 1`] = `
 Object {
  "data": Object {
-    "avatarUrl": "http://example.com/avatar.png",
+    "avatarUrl": "https://tiley.herokuapp.com/avatar/111d68d06e2d317b5a59c2c6c5bad808/U.png",
    "createdAt": "2018-01-02T00:00:00.000Z",
    "email": "user1@example.com",
    "id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
@@ -38,7 +38,7 @@ Object {
 exports[`#users.demote should demote an admin 1`] = `
 Object {
  "data": Object {
-    "avatarUrl": "http://example.com/avatar.png",
+    "avatarUrl": "https://tiley.herokuapp.com/avatar/111d68d06e2d317b5a59c2c6c5bad808/U.png",
    "createdAt": "2018-01-02T00:00:00.000Z",
    "email": "user1@example.com",
    "id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
@@ -52,6 +52,15 @@ Object {
 }
 `;

+exports[`#users.demote should not demote admins if only one available 1`] = `
+Object {
+  "error": "validation_error",
+  "message": "At least one admin is required",
+  "ok": false,
+  "status": 400,
+}
+`;
+
 exports[`#users.demote should require admin 1`] = `
 Object {
  "error": "admin_required",
@@ -61,19 +70,10 @@ Object {
 }
 `;

-exports[`#users.demote shouldn't demote admins if only one available  1`] = `
-Object {
-  "error": "validation_error",
-  "message": "At least one admin is required",
-  "ok": false,
-  "status": 400,
-}
-`;
-
 exports[`#users.promote should promote a new admin 1`] = `
 Object {
  "data": Object {
-    "avatarUrl": "http://example.com/avatar.png",
+    "avatarUrl": "https://tiley.herokuapp.com/avatar/111d68d06e2d317b5a59c2c6c5bad808/U.png",
    "createdAt": "2018-01-02T00:00:00.000Z",
    "email": "user1@example.com",
    "id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
@@ -96,6 +96,15 @@ Object {
 }
 `;

+exports[`#users.suspend should not allow suspending the user themselves 1`] = `
+Object {
+  "error": "validation_error",
+  "message": "Unable to suspend the current user",
+  "ok": false,
+  "status": 400,
+}
+`;
+
 exports[`#users.suspend should require admin 1`] = `
 Object {
  "error": "admin_required",
@@ -108,7 +117,7 @@ Object {
 exports[`#users.suspend should suspend an user 1`] = `
 Object {
  "data": Object {
-    "avatarUrl": "http://example.com/avatar.png",
+    "avatarUrl": "https://tiley.herokuapp.com/avatar/111d68d06e2d317b5a59c2c6c5bad808/U.png",
    "createdAt": "2018-01-02T00:00:00.000Z",
    "email": "user1@example.com",
    "id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
@@ -122,15 +131,6 @@ Object {
 }
 `;

-exports[`#users.suspend shouldn't allow suspending the user themselves 1`] = `
-Object {
-  "error": "validation_error",
-  "message": "Unable to suspend the current user",
-  "ok": false,
-  "status": 400,
-}
-`;
-
 exports[`#users.update should require authentication 1`] = `
 Object {
  "error": "authentication_required",
--- a/server/api/events.test.js
+++ b/server/api/events.test.js
@@ -56,6 +56,7 @@ describe('#events.list', async () => {
    const res = await server.post('/api/events.list', {
      body: { token: admin.getJwtToken() },
    });
+
    const body = await res.json();

    expect(res.status).toEqual(200);
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -18,9 +18,9 @@ import notificationSettings from './notificationSettings';
 import utils from './utils';

 import { NotFoundError } from '../errors';
-import errorHandling from './middlewares/errorHandling';
+import errorHandling from '../middlewares/errorHandling';
 import validation from '../middlewares/validation';
-import methodOverride from './middlewares/methodOverride';
+import methodOverride from '../middlewares/methodOverride';
 import cache from './middlewares/cache';
 import apiWrapper from './middlewares/apiWrapper';

--- a/server/api/middlewares/errorHandling.js
+++ b/server/api/middlewares/errorHandling.js
@@ -1,51 +0,0 @@
-// @flow
-import Sequelize from 'sequelize';
-import { snakeCase } from 'lodash';
-import { type Context } from 'koa';
-
-export default function errorHandling() {
-  return async function errorHandlingMiddleware(
-    ctx: Context,
-    next: () => Promise<*>
-  ) {
-    try {
-      await next();
-    } catch (err) {
-      ctx.status = err.status || 500;
-      let message = err.message || err.name;
-      let error;
-
-      if (err instanceof Sequelize.ValidationError) {
-        // super basic form error handling
-        ctx.status = 400;
-        if (err.errors && err.errors[0]) {
-          message = `${err.errors[0].message} (${err.errors[0].path})`;
-        }
-      }
-
-      if (message.match(/Not found/i)) {
-        ctx.status = 404;
-        error = 'not_found';
-      }
-
-      if (message.match(/Authorization error/i)) {
-        ctx.status = 403;
-        error = 'authorization_error';
-      }
-
-      if (ctx.status === 500) {
-        message = 'Internal Server Error';
-        error = 'internal_server_error';
-        ctx.app.emit('error', err, ctx);
-      }
-
-      ctx.body = {
-        ok: false,
-        error: snakeCase(err.id || error),
-        status: err.status,
-        message,
-        data: err.errorData ? err.errorData : undefined,
-      };
-    }
-  };
-}
--- a/server/api/middlewares/methodOverride.js
+++ b/server/api/middlewares/methodOverride.js
@@ -1,19 +0,0 @@
-// @flow
-import queryString from 'query-string';
-import { type Context } from 'koa';
-
-export default function methodOverride() {
-  return async function methodOverrideMiddleware(
-    ctx: Context,
-    next: () => Promise<*>
-  ) {
-    if (ctx.method === 'POST') {
-      // $FlowFixMe
-      ctx.body = ctx.request.body;
-    } else if (ctx.method === 'GET') {
-      ctx.method = 'POST'; // eslint-disable-line
-      ctx.body = queryString.parse(ctx.querystring);
-    }
-    return next();
-  };
-}
--- a/server/api/team.js
+++ b/server/api/team.js
@@ -11,20 +11,28 @@ const { authorize } = policy;
 const router = new Router();

 router.post('team.update', auth(), async ctx => {
-  const { name, avatarUrl, subdomain, sharing, documentEmbeds } = ctx.body;
+  const {
+    name,
+    avatarUrl,
+    subdomain,
+    sharing,
+    guestSignin,
+    documentEmbeds,
+  } = ctx.body;
  const endpoint = publicS3Endpoint();

  const user = ctx.state.user;
  const team = await Team.findByPk(user.teamId);
  authorize(user, 'update', team);

-  if (process.env.SUBDOMAINS_ENABLED === 'true') {
+  if (subdomain !== undefined && process.env.SUBDOMAINS_ENABLED === 'true') {
    team.subdomain = subdomain === '' ? null : subdomain;
  }

  if (name) team.name = name;
  if (sharing !== undefined) team.sharing = sharing;
  if (documentEmbeds !== undefined) team.documentEmbeds = documentEmbeds;
+  if (guestSignin !== undefined) team.guestSignin = guestSignin;
  if (avatarUrl && avatarUrl.startsWith(`${endpoint}/uploads/${user.id}`)) {
    team.avatarUrl = avatarUrl;
  }
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -254,11 +254,12 @@ router.post('users.invite', auth(), async ctx => {
 });

 router.post('users.delete', auth(), async ctx => {
-  const { confirmation } = ctx.body;
+  const { confirmation, id } = ctx.body;
  ctx.assertPresent(confirmation, 'confirmation is required');

-  const user = ctx.state.user;
-  authorize(user, 'delete', user);
+  let user = ctx.state.user;
+  if (id) user = await User.findByPk(id);
+  authorize(ctx.state.user, 'delete', user);

  try {
    await user.destroy();
--- a/server/api/users.test.js
+++ b/server/api/users.test.js
@@ -76,6 +76,26 @@ describe('#users.info', async () => {
  });
 });

+describe('#users.invite', async () => {
+  it('should return sent invites', async () => {
+    const user = await buildUser();
+    const res = await server.post('/api/users.invite', {
+      body: {
+        token: user.getJwtToken(),
+        invites: [{ email: 'test@example.com', name: 'Test', guest: false }],
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.sent.length).toEqual(1);
+  });
+
+  it('should require authentication', async () => {
+    const res = await server.post('/api/users.invite');
+    expect(res.status).toEqual(401);
+  });
+});
+
 describe('#users.delete', async () => {
  it('should not allow deleting without confirmation', async () => {
    const user = await buildUser();
@@ -111,6 +131,27 @@ describe('#users.delete', async () => {
    expect(res.status).toEqual(200);
  });

+  it('should allow deleting pending user account with admin', async () => {
+    const user = await buildUser({ isAdmin: true });
+    const pending = await buildUser({
+      teamId: user.teamId,
+      lastActiveAt: null,
+    });
+    const res = await server.post('/api/users.delete', {
+      body: { token: user.getJwtToken(), id: pending.id, confirmation: true },
+    });
+    expect(res.status).toEqual(200);
+  });
+
+  it('should not allow deleting another user account', async () => {
+    const user = await buildUser({ isAdmin: true });
+    const user2 = await buildUser({ teamId: user.teamId });
+    const res = await server.post('/api/users.delete', {
+      body: { token: user.getJwtToken(), id: user2.id, confirmation: true },
+    });
+    expect(res.status).toEqual(403);
+  });
+
  it('should require authentication', async () => {
    const res = await server.post('/api/users.delete');
    const body = await res.json();
@@ -183,7 +224,7 @@ describe('#users.demote', async () => {
    expect(body).toMatchSnapshot();
  });

-  it("shouldn't demote admins if only one available ", async () => {
+  it('should not demote admins if only one available', async () => {
    const admin = await buildUser({ isAdmin: true });

    const res = await server.post('/api/users.demote', {
@@ -226,7 +267,7 @@ describe('#users.suspend', async () => {
    expect(body).toMatchSnapshot();
  });

-  it("shouldn't allow suspending the user themselves", async () => {
+  it('should not allow suspending the user themselves', async () => {
    const admin = await buildUser({ isAdmin: true });
    const res = await server.post('/api/users.suspend', {
      body: {