@budibase/worker 2.4.44 → 2.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@budibase/worker",
|
|
3
3
|
"email": "hi@budibase.com",
|
|
4
|
-
"version": "2.
|
|
4
|
+
"version": "2.5.1",
|
|
5
5
|
"description": "Budibase background service",
|
|
6
6
|
"main": "src/index.ts",
|
|
7
7
|
"repository": {
|
|
@@ -36,10 +36,10 @@
|
|
|
36
36
|
"author": "Budibase",
|
|
37
37
|
"license": "GPL-3.0",
|
|
38
38
|
"dependencies": {
|
|
39
|
-
"@budibase/backend-core": "^2.
|
|
40
|
-
"@budibase/pro": "2.
|
|
41
|
-
"@budibase/string-templates": "^2.
|
|
42
|
-
"@budibase/types": "^2.
|
|
39
|
+
"@budibase/backend-core": "^2.5.1",
|
|
40
|
+
"@budibase/pro": "2.5.0",
|
|
41
|
+
"@budibase/string-templates": "^2.5.1",
|
|
42
|
+
"@budibase/types": "^2.5.1",
|
|
43
43
|
"@koa/router": "8.0.8",
|
|
44
44
|
"@sentry/node": "6.17.7",
|
|
45
45
|
"@techpass/passport-openidconnect": "0.3.2",
|
|
@@ -101,5 +101,5 @@
|
|
|
101
101
|
"typescript": "4.7.3",
|
|
102
102
|
"update-dotenv": "1.1.1"
|
|
103
103
|
},
|
|
104
|
-
"gitHead": "
|
|
104
|
+
"gitHead": "2726f2a3fa10e66838f89d8d35d974bd6420a114"
|
|
105
105
|
}
|
|
@@ -126,9 +126,8 @@ describe("/api/global/auth", () => {
|
|
|
126
126
|
it("should prevent user from logging in", async () => {
|
|
127
127
|
user = await config.createUser()
|
|
128
128
|
const account = structures.accounts.ssoAccount() as CloudAccount
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
)
|
|
129
|
+
account.email = user.email
|
|
130
|
+
mocks.accounts.getAccountByTenantId.mockResolvedValueOnce(account)
|
|
132
131
|
|
|
133
132
|
await testSSOUser()
|
|
134
133
|
})
|
|
@@ -186,9 +185,8 @@ describe("/api/global/auth", () => {
|
|
|
186
185
|
it("should prevent user from generating password reset email", async () => {
|
|
187
186
|
user = await config.createUser(structures.users.user())
|
|
188
187
|
const account = structures.accounts.ssoAccount() as CloudAccount
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
)
|
|
188
|
+
account.email = user.email
|
|
189
|
+
mocks.accounts.getAccountByTenantId.mockResolvedValueOnce(account)
|
|
192
190
|
|
|
193
191
|
await testSSOUser()
|
|
194
192
|
})
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { structures } from "../../../tests"
|
|
2
2
|
import { mocks } from "@budibase/backend-core/tests"
|
|
3
|
-
import { env } from "@budibase/backend-core"
|
|
3
|
+
import { env, context } from "@budibase/backend-core"
|
|
4
4
|
import * as users from "../users"
|
|
5
5
|
import { CloudAccount } from "@budibase/types"
|
|
6
6
|
import { isPreventPasswordActions } from "../users"
|
|
@@ -16,32 +16,50 @@ describe("users", () => {
|
|
|
16
16
|
|
|
17
17
|
describe("isPreventPasswordActions", () => {
|
|
18
18
|
it("returns false for non sso user", async () => {
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
19
|
+
await context.doInTenant(structures.tenant.id(), async () => {
|
|
20
|
+
const user = structures.users.user()
|
|
21
|
+
const result = await users.isPreventPasswordActions(user)
|
|
22
|
+
expect(result).toBe(false)
|
|
23
|
+
})
|
|
22
24
|
})
|
|
23
25
|
|
|
24
26
|
it("returns true for sso account user", async () => {
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
27
|
+
await context.doInTenant(structures.tenant.id(), async () => {
|
|
28
|
+
const user = structures.users.user()
|
|
29
|
+
const account = structures.accounts.ssoAccount() as CloudAccount
|
|
30
|
+
account.email = user.email
|
|
31
|
+
mocks.accounts.getAccountByTenantId.mockResolvedValueOnce(account)
|
|
32
|
+
const result = await users.isPreventPasswordActions(user)
|
|
33
|
+
expect(result).toBe(true)
|
|
34
|
+
})
|
|
35
|
+
})
|
|
36
|
+
|
|
37
|
+
it("returns false when account doesn't match user email", async () => {
|
|
38
|
+
await context.doInTenant(structures.tenant.id(), async () => {
|
|
39
|
+
const user = structures.users.user()
|
|
40
|
+
const account = structures.accounts.ssoAccount() as CloudAccount
|
|
41
|
+
mocks.accounts.getAccountByTenantId.mockResolvedValueOnce(account)
|
|
42
|
+
const result = await users.isPreventPasswordActions(user)
|
|
43
|
+
expect(result).toBe(false)
|
|
44
|
+
})
|
|
31
45
|
})
|
|
32
46
|
|
|
33
47
|
it("returns true for sso user", async () => {
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
48
|
+
await context.doInTenant(structures.tenant.id(), async () => {
|
|
49
|
+
const user = structures.users.ssoUser()
|
|
50
|
+
const result = await users.isPreventPasswordActions(user)
|
|
51
|
+
expect(result).toBe(true)
|
|
52
|
+
})
|
|
37
53
|
})
|
|
38
54
|
|
|
39
55
|
describe("enforced sso", () => {
|
|
40
56
|
it("returns true for all users when sso is enforced", async () => {
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
57
|
+
await context.doInTenant(structures.tenant.id(), async () => {
|
|
58
|
+
const user = structures.users.user()
|
|
59
|
+
pro.features.isSSOEnforced.mockResolvedValueOnce(true)
|
|
60
|
+
const result = await users.isPreventPasswordActions(user)
|
|
61
|
+
expect(result).toBe(true)
|
|
62
|
+
})
|
|
45
63
|
})
|
|
46
64
|
})
|
|
47
65
|
|
package/src/sdk/users/users.ts
CHANGED
|
@@ -31,6 +31,7 @@ import {
|
|
|
31
31
|
SearchUsersRequest,
|
|
32
32
|
User,
|
|
33
33
|
SaveUserOpts,
|
|
34
|
+
Account,
|
|
34
35
|
} from "@budibase/types"
|
|
35
36
|
import { sendEmail } from "../../utilities/email"
|
|
36
37
|
import { EmailTemplatePurpose } from "../../constants"
|
|
@@ -127,7 +128,8 @@ const buildUser = async (
|
|
|
127
128
|
requirePassword: true,
|
|
128
129
|
},
|
|
129
130
|
tenantId: string,
|
|
130
|
-
dbUser?: any
|
|
131
|
+
dbUser?: any,
|
|
132
|
+
account?: Account
|
|
131
133
|
): Promise<User> => {
|
|
132
134
|
let { password, _id } = user
|
|
133
135
|
|
|
@@ -138,7 +140,7 @@ const buildUser = async (
|
|
|
138
140
|
|
|
139
141
|
let hashedPassword
|
|
140
142
|
if (password) {
|
|
141
|
-
if (await isPreventPasswordActions(user)) {
|
|
143
|
+
if (await isPreventPasswordActions(user, account)) {
|
|
142
144
|
throw new HTTPError("Password change is disabled for this user", 400)
|
|
143
145
|
}
|
|
144
146
|
hashedPassword = opts.hashPassword ? await utils.hash(password) : password
|
|
@@ -209,7 +211,7 @@ const validateUniqueUser = async (email: string, tenantId: string) => {
|
|
|
209
211
|
}
|
|
210
212
|
}
|
|
211
213
|
|
|
212
|
-
export async function isPreventPasswordActions(user: User) {
|
|
214
|
+
export async function isPreventPasswordActions(user: User, account?: Account) {
|
|
213
215
|
// when in maintenance mode we allow sso users with the admin role
|
|
214
216
|
// to perform any password action - this prevents lockout
|
|
215
217
|
if (coreEnv.ENABLE_SSO_MAINTENANCE_MODE && user.admin?.global) {
|
|
@@ -227,8 +229,10 @@ export async function isPreventPasswordActions(user: User) {
|
|
|
227
229
|
}
|
|
228
230
|
|
|
229
231
|
// Check account sso
|
|
230
|
-
|
|
231
|
-
|
|
232
|
+
if (!account) {
|
|
233
|
+
account = await accountSdk.api.getAccountByTenantId(tenancy.getTenantId())
|
|
234
|
+
}
|
|
235
|
+
return !!(account && account.email === user.email && isSSOAccount(account))
|
|
232
236
|
}
|
|
233
237
|
|
|
234
238
|
export const save = async (
|
|
@@ -439,6 +443,7 @@ export const bulkCreate = async (
|
|
|
439
443
|
newUsers.push(newUser)
|
|
440
444
|
}
|
|
441
445
|
|
|
446
|
+
const account = await accountSdk.api.getAccountByTenantId(tenantId)
|
|
442
447
|
// create the promises array that will be called by bulkDocs
|
|
443
448
|
newUsers.forEach((user: any) => {
|
|
444
449
|
usersToSave.push(
|
|
@@ -448,7 +453,9 @@ export const bulkCreate = async (
|
|
|
448
453
|
hashPassword: true,
|
|
449
454
|
requirePassword: user.requirePassword,
|
|
450
455
|
},
|
|
451
|
-
tenantId
|
|
456
|
+
tenantId,
|
|
457
|
+
undefined, // no dbUser
|
|
458
|
+
account
|
|
452
459
|
)
|
|
453
460
|
)
|
|
454
461
|
})
|