self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2024-11-27 08:21:03 +02:00
Code Issues Releases Activity

Server: Prevent new user password from being hashed twice

Browse Source
This commit is contained in:
Laurent Cozic 2021-03-14 18:43:20 +00:00
parent f8b7d20255
commit 76c143e8b0
3 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
packages/server/src/models/UserModel.ts
View File

@ -100,12 +100,19 @@ export default class UserModel extends BaseModel<User> {
}, 'UserModel::delete');
}
// Note that when the "password" property is provided, it is going to be
// hashed automatically. It means that it is not safe to do:
//
// const user = await model.load(id);
// await model.save(user);
//
// Because the password would be hashed twice.
public async save(object: User, options: SaveOptions = {}): Promise<User> {
const isNew = await this.isNew(object, options);
let newUser = { ...object };
if (isNew && newUser.password) newUser.password = auth.hashPassword(newUser.password);
if (newUser.password) newUser.password = auth.hashPassword(newUser.password);
await this.withTransaction(async () => {
newUser = await super.save(newUser, options);

9
packages/server/src/routes/index/users.test.ts
View File

@ -92,6 +92,15 @@ describe('index_users', function() {
expect(!!rootFile.id).toBe(true);
});
test('new user should be able to login', async function() {
const { session } = await createUserAndSession(1, true);
await postUser(session.id, 'test@example.com', '123456');
const loggedInUser = await models().user().login('test@example.com', '123456');
expect(!!loggedInUser).toBe(true);
expect(loggedInUser.email).toBe('test@example.com');
});
test('should not create anything, neither user, root file nor permissions, if user creation fail', async function() {
const { user, session } = await createUserAndSession(1, true);

3
packages/server/src/routes/index/users.ts
View File

@ -7,7 +7,6 @@ import { User } from '../../db';
import config from '../../config';
import { View } from '../../services/MustacheService';
import defaultView from '../../utils/defaultView';
import { hashPassword } from '../../utils/auth';
function makeUser(isNew: boolean, fields: any): User {
const user: User = {};
@ -17,7 +16,7 @@ function makeUser(isNew: boolean, fields: any): User {
if (fields.password) {
if (fields.password !== fields.password2) throw new ErrorUnprocessableEntity('Passwords do not match');
user.password = hashPassword(fields.password);
user.password = fields.password;
}
if (!isNew) user.id = fields.id;