Auth: Fix email verification bypass when using basic authentication (#82914)

2025-02-25 18:55:37 -06:00 · 2024-02-16 18:54:59 +01:00
parent fabaff9a24
commit 46c26bbd0b
27 changed files with 1403 additions and 22 deletions
--- a/pkg/services/temp_user/tempuserimpl/store.go
+++ b/pkg/services/temp_user/tempuserimpl/store.go
@@ -16,6 +16,8 @@ type store interface {
 	GetTempUsersQuery(ctx context.Context, query *tempuser.GetTempUsersQuery) ([]*tempuser.TempUserDTO, error)
 	GetTempUserByCode(ctx context.Context, query *tempuser.GetTempUserByCodeQuery) (*tempuser.TempUserDTO, error)
 	ExpireOldUserInvites(ctx context.Context, cmd *tempuser.ExpireTempUsersCommand) error
+	ExpireOldVerifications(ctx context.Context, cmd *tempuser.ExpireTempUsersCommand) error
+	ExpirePreviousVerifications(ctx context.Context, cmd *tempuser.ExpirePreviousVerificationsCommand) error
 }

 type xormStore struct {
@@ -175,3 +177,27 @@ func (ss *xormStore) ExpireOldUserInvites(ctx context.Context, cmd *tempuser.Exp
 		return nil
 	})
 }
+
+func (ss *xormStore) ExpireOldVerifications(ctx context.Context, cmd *tempuser.ExpireTempUsersCommand) error {
+	return ss.db.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
+		var rawSQL = "UPDATE temp_user SET status = ?, updated = ? WHERE created <= ? AND status = ?"
+		if result, err := sess.Exec(rawSQL, string(tempuser.TmpUserEmailUpdateExpired), time.Now().Unix(), cmd.OlderThan.Unix(), string(tempuser.TmpUserEmailUpdateStarted)); err != nil {
+			return err
+		} else if cmd.NumExpired, err = result.RowsAffected(); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+func (ss *xormStore) ExpirePreviousVerifications(ctx context.Context, cmd *tempuser.ExpirePreviousVerificationsCommand) error {
+	return ss.db.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
+		var rawSQL = "UPDATE temp_user SET status = ?, updated = ? WHERE invited_by_user_id = ? AND status = ?"
+		if result, err := sess.Exec(rawSQL, string(tempuser.TmpUserEmailUpdateExpired), time.Now().Unix(), cmd.InvitedByUserID, string(tempuser.TmpUserEmailUpdateStarted)); err != nil {
+			return err
+		} else if cmd.NumExpired, err = result.RowsAffected(); err != nil {
+			return err
+		}
+		return nil
+	})
+}
--- a/pkg/services/temp_user/tempuserimpl/store_test.go
+++ b/pkg/services/temp_user/tempuserimpl/store_test.go
@@ -117,7 +117,32 @@ func TestIntegrationTempUserCommandsAndQueries(t *testing.T) {
 		require.False(t, queryResult[0].EmailSentOn.UTC().Before(queryResult[0].Created.UTC()))
 	})

-	t.Run("Should be able expire temp user", func(t *testing.T) {
+	t.Run("Should be able expire all pending verifications from a user", func(t *testing.T) {
+		userID := int64(99)
+		verifications := 5
+		cmd := tempuser.CreateTempUserCommand{
+			OrgID:           -1,
+			Name:            "email-update",
+			Code:            "asd",
+			Email:           "e@as.co",
+			Status:          tempuser.TmpUserEmailUpdateStarted,
+			InvitedByUserID: userID,
+		}
+		db := db.InitTestDB(t)
+		store = &xormStore{db: db, cfg: db.Cfg}
+
+		for i := 0; i < verifications; i++ {
+			tempUser, err = store.CreateTempUser(context.Background(), &cmd)
+			require.Nil(t, err)
+		}
+
+		cmd2 := tempuser.ExpirePreviousVerificationsCommand{InvitedByUserID: userID}
+		err := store.ExpirePreviousVerifications(context.Background(), &cmd2)
+		require.Nil(t, err)
+		require.Equal(t, int64(verifications), cmd2.NumExpired)
+	})
+
+	t.Run("Should be able expire temp user related to org invite", func(t *testing.T) {
 		setup(t)
 		createdAt := time.Unix(tempUser.Created, 0)
 		cmd2 := tempuser.ExpireTempUsersCommand{OlderThan: createdAt.Add(1 * time.Second)}
@@ -133,4 +158,34 @@ func TestIntegrationTempUserCommandsAndQueries(t *testing.T) {
 			require.Equal(t, int64(0), cmd2.NumExpired)
 		})
 	})
+
+	t.Run("Should be able expire temp user related to email verification", func(t *testing.T) {
+		cmd := tempuser.CreateTempUserCommand{
+			OrgID:           2256,
+			Name:            "email-update",
+			Code:            "asd",
+			Email:           "e@as.co",
+			Status:          tempuser.TmpUserEmailUpdateStarted,
+			InvitedByUserID: 99,
+		}
+		db := db.InitTestDB(t)
+		store = &xormStore{db: db, cfg: db.Cfg}
+
+		tempUser, err = store.CreateTempUser(context.Background(), &cmd)
+		require.Nil(t, err)
+
+		createdAt := time.Unix(tempUser.Created, 0)
+		cmd2 := tempuser.ExpireTempUsersCommand{OlderThan: createdAt.Add(1 * time.Second)}
+		err := store.ExpireOldVerifications(context.Background(), &cmd2)
+		require.Nil(t, err)
+		require.Equal(t, int64(1), cmd2.NumExpired)
+
+		t.Run("Should do nothing when no temp users to expire", func(t *testing.T) {
+			createdAt := time.Unix(tempUser.Created, 0)
+			cmd2 := tempuser.ExpireTempUsersCommand{OlderThan: createdAt.Add(1 * time.Second)}
+			err := store.ExpireOldVerifications(context.Background(), &cmd2)
+			require.Nil(t, err)
+			require.Equal(t, int64(0), cmd2.NumExpired)
+		})
+	})
 }
--- a/pkg/services/temp_user/tempuserimpl/temp_user.go
+++ b/pkg/services/temp_user/tempuserimpl/temp_user.go
@@ -68,3 +68,19 @@ func (s *Service) ExpireOldUserInvites(ctx context.Context, cmd *tempuser.Expire
 	}
 	return nil
 }
+
+func (s *Service) ExpireOldVerifications(ctx context.Context, cmd *tempuser.ExpireTempUsersCommand) error {
+	err := s.store.ExpireOldVerifications(ctx, cmd)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *Service) ExpirePreviousVerifications(ctx context.Context, cmd *tempuser.ExpirePreviousVerificationsCommand) error {
+	err := s.store.ExpirePreviousVerifications(ctx, cmd)
+	if err != nil {
+		return err
+	}
+	return nil
+}