From bf4250babd3e5c684cfdea9d49a5e268db8867c8 Mon Sep 17 00:00:00 2001
From: Nicolai Ort
Date: Tue, 22 Dec 2020 11:29:52 +0100
Subject: [PATCH] All things auth now check if the user is disabled ref #40
---
 src/authchecker.ts | 4 +++-
 src/models/actions/CreateAuth.ts | 3 ++-
 src/models/actions/RefreshAuth.ts | 3 ++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/authchecker.ts b/src/authchecker.ts
index 36cb40b..54ef4d7 100644
--- a/src/authchecker.ts
+++ b/src/authchecker.ts
@@ -3,7 +3,7 @@ import * as jwt from "jsonwebtoken";
 import { Action } from "routing-controllers";
 import { getConnectionManager } from 'typeorm';
 import { config } from './config';
-import { IllegalJWTError, NoPermissionError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError';
+import { IllegalJWTError, NoPermissionError, UserDisabledError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError';
 import { JwtCreator, JwtUser } from './jwtcreator';
 import { User } from './models/entities/User';
@@ -31,6 +31,7 @@ const authchecker = async (action: Action, permissions: string[] | string) => {
 const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions'] })
 if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
+ if (user.enabled == false) { throw new UserDisabledError(); }
 if (!jwtPayload["permissions"]) { throw new NoPermissionError(); }
 action.response.local = {}
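Review bot: The added guard `if (user.enabled == false)` in the authchecker hunk fails open whenever `enabled` is anything other than the literal `false`: in JavaScript both `undefined == false` and `null == false` evaluate to false, so a row whose flag was not hydrated, or a nullable column, is treated as an enabled account. A falsy check closes that gap and avoids loose equality: `if (!user.enabled) { throw new UserDisabledError(); }`. The same comparison is repeated in the `refresh` hunk of this file and in the CreateAuth and RefreshAuth hunks below, so all four should change together. The entity's declared type for `enabled` is not visible in this patch; if it is a non-nullable `boolean` column the practical exposure is smaller, but the strict form costs nothing. The body of `authchecker` continues outside the hunk.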
@@ -63,6 +64,7 @@ const refresh = async (action: Action) => {
 const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions', 'groups', 'groups.permissions'] })
 if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
+ if (user.enabled == false) { throw new UserDisabledError(); }
 let newAccess = JwtCreator.createAccess(user);
 action.response.header("authorization", "Bearer " + newAccess);
diff --git a/src/models/actions/CreateAuth.ts b/src/models/actions/CreateAuth.ts
index dd9c3f3..6b22d7d 100644
--- a/src/models/actions/CreateAuth.ts
+++ b/src/models/actions/CreateAuth.ts
@@ -1,7 +1,7 @@
 import * as argon2 from "argon2";
 import { IsEmail, IsNotEmpty, IsOptional, IsString } from 'class-validator';
 import { getConnectionManager } from 'typeorm';
-import { InvalidCredentialsError, PasswordNeededError, UserNotFoundError } from '../../errors/AuthError';
+import { InvalidCredentialsError, PasswordNeededError, UserDisabledError, UserNotFoundError } from '../../errors/AuthError';
 import { UsernameOrEmailNeededError } from '../../errors/UserErrors';
 import { JwtCreator } from '../../jwtcreator';
 import { User } from '../entities/User';
@@ -55,6 +55,7 @@ export class CreateAuth {
 if (!found_user) {
 throw new UserNotFoundError();
 }
+ if (found_user.enabled == false) { throw new UserDisabledError(); }
 if (!(await argon2.verify(found_user.password, this.password + found_user.uuid))) {
 throw new InvalidCredentialsError();
 }
diff --git a/src/models/actions/RefreshAuth.ts b/src/models/actions/RefreshAuth.ts
index 12470c7..bcc4fbb 100644
--- a/src/models/actions/RefreshAuth.ts
+++ b/src/models/actions/RefreshAuth.ts
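Review bot: In the CreateAuth hunk the disabled check runs before `argon2.verify`, so a caller who supplies only a username or e-mail learns whether that account is disabled without presenting a valid password, and — because the hash verification is skipped — the request also returns measurably faster than a wrong-password attempt. Moving `if (found_user.enabled == false) { throw new UserDisabledError(); }` to after the `argon2.verify` block keeps the account-state signal behind a successful credential check while still refusing to issue tokens to a disabled user. Whether `UserDisabledError` and `InvalidCredentialsError` actually produce distinguishable responses depends on the error handler, which is not in this patch; if they are mapped to the same status and body the ordering matters less. The method enclosing this hunk starts and ends outside it.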
@@ -2,7 +2,7 @@ import { IsOptional, IsString } from 'class-validator';
 import * as jsonwebtoken from 'jsonwebtoken';
 import { getConnectionManager } from 'typeorm';
 import { config } from '../../config';
-import { IllegalJWTError, JwtNotProvidedError, RefreshTokenCountInvalidError, UserNotFoundError } from '../../errors/AuthError';
+import { IllegalJWTError, JwtNotProvidedError, RefreshTokenCountInvalidError, UserDisabledError, UserNotFoundError } from '../../errors/AuthError';
 import { JwtCreator } from "../../jwtcreator";
 import { User } from '../entities/User';
 import { Auth } from '../responses/ResponseAuth';
@@ -39,6 +39,7 @@ export class RefreshAuth {
 if (!found_user) {
 throw new UserNotFoundError()
 }
+ if (found_user.enabled == false) { throw new UserDisabledError(); }
 if (found_user.refreshTokenCount !== decoded["refreshTokenCount"]) {
 throw new RefreshTokenCountInvalidError()
 }