yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: Add emailed confirmation code to account deletion (#3873)

Browse Source 
* wip

* tests
This commit is contained in:
Tom Moor
2022-07-31 18:59:40 +01:00
committed by GitHub
parent f9d9a82e47
commit cb9773ad85
8 changed files with 238 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
server/routes/api/users.test.ts
View File

@@ -329,48 +329,35 @@ describe("#users.delete", () => {
expect(res.status).toEqual(400);
});
it("should allow deleting user account", async () => {
it("should require correct code", async () => {
const user = await buildAdmin();
await buildUser({
teamId: user.teamId,
isAdmin: false,
});
const res = await server.post("/api/users.delete", {
body: {
code: "123",
token: user.getJwtToken(),
},
});
expect(res.status).toEqual(400);
});
it("should allow deleting user account with correct code", async () => {
const user = await buildUser();
await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/users.delete", {
body: {
code: user.deleteConfirmationCode,
token: user.getJwtToken(),
},
});
expect(res.status).toEqual(200);
});
it("should allow deleting user account with admin", async () => {
const admin = await buildAdmin();
const user = await buildUser({
teamId: admin.teamId,
lastActiveAt: null,
});
const res = await server.post("/api/users.delete", {
body: {
token: admin.getJwtToken(),
id: user.id,
},
});
expect(res.status).toEqual(200);
});
it("should not allow deleting another user account", async () => {
const user = await buildUser();
const user2 = await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/users.delete", {
body: {
token: user.getJwtToken(),
id: user2.id,
},
});
expect(res.status).toEqual(403);
});
it("should require authentication", async () => {
const res = await server.post("/api/users.delete");
const body = await res.json();

43
server/routes/api/users.ts
View File

@@ -1,3 +1,4 @@
import crypto from "crypto";
import Router from "koa-router";
import { Op, WhereOptions } from "sequelize";
import userDemoter from "@server/commands/userDemoter";
@@ -5,6 +6,7 @@ import userDestroyer from "@server/commands/userDestroyer";
import userInviter from "@server/commands/userInviter";
import userSuspender from "@server/commands/userSuspender";
import { sequelize } from "@server/database/sequelize";
import ConfirmUserDeleteEmail from "@server/emails/templates/ConfirmUserDeleteEmail";
import InviteEmail from "@server/emails/templates/InviteEmail";
import env from "@server/env";
import { ValidationError } from "@server/errors";
@@ -23,6 +25,7 @@ import {
import pagination from "./middlewares/pagination";
const router = new Router();
const emailEnabled = !!(env.SMTP_HOST || env.ENVIRONMENT === "development");
router.post("users.list", auth(), pagination(), async (ctx) => {
let { direction } = ctx.body;
@@ -367,19 +370,43 @@ router.post("users.resendInvite", auth(), async (ctx) => {
};
});
router.post("users.delete", auth(), async (ctx) => {
const { id } = ctx.body;
const actor = ctx.state.user;
let user = actor;
router.post("users.requestDelete", auth(), async (ctx) => {
const { user } = ctx.state;
authorize(user, "delete", user);
if (id) {
user = await User.findByPk(id);
if (emailEnabled) {
await ConfirmUserDeleteEmail.schedule({
to: user.email,
deleteConfirmationCode: user.deleteConfirmationCode,
});
}
ctx.body = {
success: true,
};
});
router.post("users.delete", auth(), async (ctx) => {
const { code = "" } = ctx.body;
const { user } = ctx.state;
authorize(user, "delete", user);
const deleteConfirmationCode = user.deleteConfirmationCode;
if (
emailEnabled &&
(code.length !== deleteConfirmationCode.length ||
!crypto.timingSafeEqual(
Buffer.from(code),
Buffer.from(deleteConfirmationCode)
))
) {
throw ValidationError("The confirmation code was incorrect");
}
authorize(actor, "delete", user);
await userDestroyer({
user,
actor,
actor: user,
ip: ctx.request.ip,
});