Skip to content

Commit

Permalink
fix(user): fix email and password validation
Browse files Browse the repository at this point in the history 
If no email and password were passed to the authentication endpoints,
the authentication would still succeed even though there was no email
and password. This fixes that to make sure that we account for blank and
null email and passwords. Also it makes sure that email
and password are not required when using other oauth providers.
  • Loading branch information
@programmerdave
programmerdave committed Mar 25, 2016
1 parent 2997e34 commit 474a3a1
Show file tree
Hide file tree
Showing 3 changed files with 151 additions and 22 deletions.
4 changes: 2 additions & 2 deletions app/templates/gulpfile.babel(gulp).js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -486,7 +486,7 @@ gulp.task('wiredep:client', () => {
/bootstrap\.css/<% if(filters.sass) { %>,
/bootstrap-sass-official/<% } if(filters.oauth) { %>,
/bootstrap-social\.css/<% }}} %>
]
],
ignorePath: clientPath
}))
.pipe(gulp.dest(`${clientPath}/`));
Expand All @@ -503,7 +503,7 @@ gulp.task('wiredep:test', () => {
/bootstrap\.css/<% if(filters.sass) { %>,
/bootstrap-sass-official/<% } if(filters.oauth) { %>,
/bootstrap-social\.css/<% }}} %>
]
],
devDependencies: true
}))
.pipe(gulp.dest('./'));
Expand Down
34 changes: 29 additions & 5 deletions app/templates/server/api/user(auth)/user.model(mongooseModels).js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,29 @@ var UserSchema = new Schema({
name: String,
email: {
type: String,
lowercase: true
lowercase: true,
required: <% if(filters.oauth) { %>function() {
if (authTypes.indexOf(this.provider) === -1) {
return true;
} else {
return false;
}
}<% } else { %>true<% } %>
},
role: {
type: String,
default: 'user'
},
password: String,
password: {
type: String,
required: <% if(filters.oauth) { %>function() {
if (authTypes.indexOf(this.provider) === -1) {
return true;
} else {
return false;
}
}<% } else { %>true<% } %>
},
provider: String,
salt: String<% if (filters.oauth) { %>,<% if (filters.facebookAuth) { %>
facebook: {},<% } %><% if (filters.twitterAuth) { %>
Expand Down Expand Up @@ -108,8 +124,12 @@ UserSchema
return next();
}

if (!validatePresenceOf(this.password)<% if (filters.oauth) { %> && authTypes.indexOf(this.provider) === -1<% } %>) {
return next(new Error('Invalid password'));
if (!validatePresenceOf(this.password)) {
<% if (filters.oauth) { %>if (authTypes.indexOf(this.provider) === -1) {
<% } %>return next(new Error('Invalid password'));<% if (filters.oauth) { %>
} else {
return next();
}<% } %>
}

// Make salt with a callback
Expand Down Expand Up @@ -203,7 +223,11 @@ UserSchema.methods = {
*/
encryptPassword(password, callback) {
if (!password || !this.salt) {
return null;
if (!callback) {
return null;
} else {
return callback('Missing password or salt');
}
}

var defaultIterations = 10000;
Expand Down
135 changes: 120 additions & 15 deletions app/templates/server/api/user(auth)/user.model.spec(mongooseModels).js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,32 +41,137 @@ describe('User Model', function() {
});

describe('#email', function() {
it('should fail when saving without an email', function() {
it('should fail when saving with a blank email', function() {
user.email = '';
return <%= expect() %>user.save()<%= to() %>.be.rejected;
});

it('should fail when saving without an email', function() {
user.email = null;
return <%= expect() %>user.save()<%= to() %>.be.rejected;
});<% if (filters.oauth && filters.googleAuth) { %>

context('given user provider is google', function() {
beforeEach(function() {
user.provider = 'google';
});

it('should succeed when saving without an email', function() {
user.email = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %><% if (filters.oauth && filters.facebookAuth) { %>

context('given user provider is facebook', function() {
beforeEach(function() {
user.provider = 'facebook';
});

it('should succeed when saving without an email', function() {
user.email = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %><% if (filters.oauth && filters.twitterAuth) { %>

context('given user provider is twitter', function() {
beforeEach(function() {
user.provider = 'twitter';
});

it('should succeed when saving without an email', function() {
user.email = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %><% if (filters.oauth) { %>

context('given user provider is github', function() {
beforeEach(function() {
user.provider = 'github';
});

it('should succeed when saving without an email', function() {
user.email = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %>
});

describe('#password', function() {
beforeEach(function() {
return user.save();
it('should fail when saving with a blank password', function() {
user.password = '';
return <%= expect() %>user.save()<%= to() %>.be.rejected;
});

it('should authenticate user if valid', function() {
<%= expect() %>user.authenticate('password')<%= to() %>.be.true;
it('should fail when saving without a password', function() {
user.password = null;
return <%= expect() %>user.save()<%= to() %>.be.rejected;
});

it('should not authenticate user if invalid', function() {
<%= expect() %>user.authenticate('blah')<%= to() %>.not.be.true;
});
context('given the user has been previously saved', function() {
beforeEach(function() {
return user.save();
});

it('should remain the same hash unless the password is updated', function() {
user.name = 'Test User';
return <%= expect() %>user.save()
.then(function(u) {
return u.authenticate('password');
})<%= to() %>.eventually.be.true;
});
it('should authenticate user if valid', function() {
<%= expect() %>user.authenticate('password')<%= to() %>.be.true;
});

it('should not authenticate user if invalid', function() {
<%= expect() %>user.authenticate('blah')<%= to() %>.not.be.true;
});

it('should remain the same hash unless the password is updated', function() {
user.name = 'Test User';
return <%= expect() %>user.save()
.then(function(u) {
return u.authenticate('password');
})<%= to() %>.eventually.be.true;
});
});<% if (filters.oauth && filters.googleAuth) { %>

context('given user provider is google', function() {
beforeEach(function() {
user.provider = 'google';
});

it('should succeed when saving without a password', function() {
user.password = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %><% if (filters.oauth && filters.facebookAuth) { %>

context('given user provider is facebook', function() {
beforeEach(function() {
user.provider = 'facebook';
});

it('should succeed when saving without a password', function() {
user.password = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %><% if (filters.oauth && filters.twitterAuth) { %>

context('given user provider is twitter', function() {
beforeEach(function() {
user.provider = 'twitter';
});

it('should succeed when saving without a password', function() {
user.password = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %><% if (filters.oauth) { %>

context('given user provider is github', function() {
beforeEach(function() {
user.provider = 'github';
});

it('should succeed when saving without a password', function() {
user.password = null;
return <%= expect() %>user.save()<%= to() %>.be.fulfilled;
});
});<% } %>
});

});

0 comments on commit 474a3a1

Please sign in to comment.