From e364e31e25bd1d4b8d801c845a96d6be708f0a18 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 19 Jan 2023 09:27:16 +0100 Subject: Implement signup approval in server --- server/lib/auth/oauth.ts | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) (limited to 'server/lib/auth') diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts index 2905c79a2..887c4f7c9 100644 --- a/server/lib/auth/oauth.ts +++ b/server/lib/auth/oauth.ts @@ -11,20 +11,31 @@ import OAuth2Server, { import { randomBytesPromise } from '@server/helpers/core-utils' import { isOTPValid } from '@server/helpers/otp' import { CONFIG } from '@server/initializers/config' +import { UserRegistrationModel } from '@server/models/user/user-registration' import { MOAuthClient } from '@server/types/models' import { sha1 } from '@shared/extra-utils' -import { HttpStatusCode } from '@shared/models' +import { HttpStatusCode, ServerErrorCode, UserRegistrationState } from '@shared/models' import { OTP } from '../../initializers/constants' import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model' class MissingTwoFactorError extends Error { code = HttpStatusCode.UNAUTHORIZED_401 - name = 'missing_two_factor' + name = ServerErrorCode.MISSING_TWO_FACTOR } class InvalidTwoFactorError extends Error { code = HttpStatusCode.BAD_REQUEST_400 - name = 'invalid_two_factor' + name = ServerErrorCode.INVALID_TWO_FACTOR +} + +class RegistrationWaitingForApproval extends Error { + code = HttpStatusCode.BAD_REQUEST_400 + name = ServerErrorCode.ACCOUNT_WAITING_FOR_APPROVAL +} + +class RegistrationApprovalRejected extends Error { + code = HttpStatusCode.BAD_REQUEST_400 + name = ServerErrorCode.ACCOUNT_APPROVAL_REJECTED } /** @@ -128,7 +139,17 @@ async function handlePasswordGrant (options: { } const user = await getUser(request.body.username, request.body.password, bypassLogin) - if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid') + if (!user) { + const registration = await UserRegistrationModel.loadByEmailOrUsername(request.body.username) + + if (registration?.state === UserRegistrationState.REJECTED) { + throw new RegistrationApprovalRejected('Registration approval for this account has been rejected') + } else if (registration?.state === UserRegistrationState.PENDING) { + throw new RegistrationWaitingForApproval('Registration for this account is awaiting approval') + } + + throw new InvalidGrantError('Invalid grant: user credentials are invalid') + } if (user.otpSecret) { if (!request.headers[OTP.HEADER_NAME]) { -- cgit v1.2.3