mirror of
https://github.com/outline/outline.git
synced 2026-06-13 03:14:59 +03:00
Tom Moor
b23a39bd39
* Add email verification check during sign-in flow * Add support for Entra External ID with OIDC standard verification claim
487 lines
16 KiB
TypeScript
487 lines
16 KiB
TypeScript
import { faker } from "@faker-js/faker";
|
|
import { randomUUID } from "node:crypto";
|
|
import { UserRole } from "@shared/types";
|
|
import { AuthenticationProvider, TeamDomain } from "@server/models";
|
|
import { randomString } from "@shared/random";
|
|
import {
|
|
buildUser,
|
|
buildTeam,
|
|
buildInvite,
|
|
buildAdmin,
|
|
} from "@server/test/factories";
|
|
import userProvisioner from "./userProvisioner";
|
|
import { createContext } from "@server/context";
|
|
|
|
describe("userProvisioner", () => {
|
|
const ip = faker.internet.ip();
|
|
const ctx = createContext({ ip });
|
|
|
|
it("should update existing user and authentication", async () => {
|
|
const existing = await buildUser();
|
|
const authentications = await existing.$get("authentications");
|
|
const existingAuth = authentications[0];
|
|
const newEmail = "test@example.com";
|
|
const result = await userProvisioner(ctx, {
|
|
name: existing.name,
|
|
email: newEmail,
|
|
avatarUrl: existing.avatarUrl,
|
|
teamId: existing.teamId,
|
|
authentication: {
|
|
authenticationProviderId: existingAuth.authenticationProviderId,
|
|
providerId: existingAuth.providerId,
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(authentication?.scopes.length).toEqual(1);
|
|
expect(authentication?.scopes[0]).toEqual("read");
|
|
expect(user.email).toEqual(newEmail);
|
|
expect(isNewUser).toEqual(false);
|
|
});
|
|
|
|
it("should add authentication provider to existing users", async () => {
|
|
const team = await buildTeam({ inviteRequired: true });
|
|
const teamAuthProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = teamAuthProviders[0];
|
|
|
|
const email = "mynam@email.com";
|
|
const existing = await buildUser({
|
|
email,
|
|
teamId: team.id,
|
|
authentications: [],
|
|
});
|
|
|
|
const result = await userProvisioner(ctx, {
|
|
name: existing.name,
|
|
email,
|
|
emailVerified: true,
|
|
avatarUrl: existing.avatarUrl,
|
|
teamId: existing.teamId,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: randomUUID(),
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(authentication?.scopes.length).toEqual(1);
|
|
expect(authentication?.scopes[0]).toEqual("read");
|
|
|
|
const authentications = await user.$get("authentications");
|
|
expect(authentications.length).toEqual(1);
|
|
expect(isNewUser).toEqual(false);
|
|
});
|
|
|
|
it("should not match an existing user by email when email is unverified", async () => {
|
|
const team = await buildTeam();
|
|
const teamAuthProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = teamAuthProviders[0];
|
|
|
|
const email = "mynam@email.com";
|
|
await buildUser({
|
|
email,
|
|
teamId: team.id,
|
|
authentications: [],
|
|
});
|
|
|
|
await expect(
|
|
userProvisioner(ctx, {
|
|
name: "Imposter",
|
|
email,
|
|
emailVerified: false,
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: randomUUID(),
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
})
|
|
).rejects.toThrow("has not been verified by");
|
|
});
|
|
|
|
it("should add authentication provider to invited users", async () => {
|
|
const team = await buildTeam({ inviteRequired: true });
|
|
const teamAuthProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = teamAuthProviders[0];
|
|
|
|
const email = "mynam@email.com";
|
|
const existing = await buildInvite({
|
|
email,
|
|
teamId: team.id,
|
|
});
|
|
|
|
const result = await userProvisioner(ctx, {
|
|
name: existing.name,
|
|
email,
|
|
emailVerified: true,
|
|
avatarUrl: existing.avatarUrl,
|
|
teamId: existing.teamId,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: randomUUID(),
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(authentication?.scopes.length).toEqual(1);
|
|
expect(authentication?.scopes[0]).toEqual("read");
|
|
|
|
const authentications = await user.$get("authentications");
|
|
expect(authentications.length).toEqual(1);
|
|
expect(isNewUser).toEqual(true);
|
|
});
|
|
|
|
it("should create user with deleted user matching providerId", async () => {
|
|
const existing = await buildUser();
|
|
const authentications = await existing.$get("authentications");
|
|
const existingAuth = authentications[0];
|
|
const newEmail = "test@example.com";
|
|
await existing.destroy({ hooks: false });
|
|
const result = await userProvisioner(ctx, {
|
|
name: "Test Name",
|
|
email: "test@example.com",
|
|
teamId: existing.teamId,
|
|
authentication: {
|
|
authenticationProviderId: existingAuth.authenticationProviderId,
|
|
providerId: existingAuth.providerId,
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(authentication?.scopes.length).toEqual(1);
|
|
expect(authentication?.scopes[0]).toEqual("read");
|
|
expect(user.email).toEqual(newEmail);
|
|
expect(isNewUser).toEqual(true);
|
|
});
|
|
|
|
it("should migrate user to new authentication provider when provider changes", async () => {
|
|
const existing = await buildUser();
|
|
const authentications = await existing.$get("authentications");
|
|
const existingAuth = authentications[0];
|
|
|
|
// Create a new authentication provider for the same team (simulates
|
|
// changing DISCORD_SERVER_ID or moving Google domains)
|
|
const newAuthProvider = await AuthenticationProvider.create({
|
|
name: "slack",
|
|
providerId: randomString(32),
|
|
teamId: existing.teamId,
|
|
});
|
|
|
|
const result = await userProvisioner(ctx, {
|
|
name: "Test Name",
|
|
email: "test@example.com",
|
|
teamId: existing.teamId,
|
|
authentication: {
|
|
authenticationProviderId: newAuthProvider.id,
|
|
providerId: existingAuth.providerId,
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(user.id).toEqual(existing.id);
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.authenticationProviderId).toEqual(
|
|
newAuthProvider.id
|
|
);
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(isNewUser).toEqual(false);
|
|
});
|
|
|
|
it("should create a new user", async () => {
|
|
const team = await buildTeam();
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
const result = await userProvisioner(ctx, {
|
|
name: "Test Name",
|
|
email: "test@example.com",
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(authentication?.scopes.length).toEqual(1);
|
|
expect(authentication?.scopes[0]).toEqual("read");
|
|
expect(user.email).toEqual("test@example.com");
|
|
expect(user.role).toEqual(UserRole.Member);
|
|
expect(isNewUser).toEqual(true);
|
|
});
|
|
|
|
it("should prefer role argument over defaultUserRole", async () => {
|
|
const team = await buildTeam({
|
|
defaultUserRole: UserRole.Viewer,
|
|
});
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
const result = await userProvisioner(ctx, {
|
|
name: "Test Name",
|
|
email: "test@example.com",
|
|
teamId: team.id,
|
|
role: UserRole.Admin,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user } = result;
|
|
expect(user.role).toEqual(UserRole.Admin);
|
|
});
|
|
|
|
it("should prefer defaultUserRole when role is undefined or false", async () => {
|
|
const team = await buildTeam({
|
|
defaultUserRole: UserRole.Viewer,
|
|
});
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
const result = await userProvisioner(ctx, {
|
|
name: "Test Name",
|
|
email: "test@example.com",
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user: tname } = result;
|
|
expect(tname.role).toEqual(UserRole.Viewer);
|
|
const tname2Result = await userProvisioner(ctx, {
|
|
name: "Test2 Name",
|
|
email: "tes2@example.com",
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user: tname2 } = tname2Result;
|
|
expect(tname2.role).toEqual(UserRole.Viewer);
|
|
});
|
|
|
|
it("should create a user from an invited user", async () => {
|
|
const team = await buildTeam({ inviteRequired: true });
|
|
const invite = await buildInvite({
|
|
teamId: team.id,
|
|
email: "invite@example.com",
|
|
});
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
const result = await userProvisioner(ctx, {
|
|
name: invite.name,
|
|
email: "invite@ExamPle.com",
|
|
emailVerified: true,
|
|
teamId: invite.teamId,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(authentication?.scopes.length).toEqual(1);
|
|
expect(authentication?.scopes[0]).toEqual("read");
|
|
expect(user.email).toEqual(invite.email);
|
|
expect(isNewUser).toEqual(true);
|
|
});
|
|
|
|
it("should create a user from an invited user using email match", async () => {
|
|
const externalUser = await buildUser({
|
|
email: "external@example.com",
|
|
});
|
|
|
|
const team = await buildTeam({ inviteRequired: true });
|
|
const invite = await buildInvite({
|
|
teamId: team.id,
|
|
email: externalUser.email,
|
|
});
|
|
|
|
const result = await userProvisioner(ctx, {
|
|
name: invite.name,
|
|
email: "external@ExamPle.com", // ensure that email is case insensistive
|
|
emailVerified: true,
|
|
teamId: invite.teamId,
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toEqual(null);
|
|
expect(user.id).toEqual(invite.id);
|
|
expect(isNewUser).toEqual(true);
|
|
});
|
|
|
|
it("should reject an uninvited user when invites are required", async () => {
|
|
const team = await buildTeam({ inviteRequired: true });
|
|
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
|
|
await expect(
|
|
userProvisioner(ctx, {
|
|
name: "Uninvited User",
|
|
email: "invite@ExamPle.com",
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
})
|
|
).rejects.toThrow("You need an invite to join this team");
|
|
});
|
|
|
|
it("should create a user from allowed domain", async () => {
|
|
const team = await buildTeam();
|
|
const admin = await buildAdmin({ teamId: team.id });
|
|
const domain = faker.internet.domainName();
|
|
await TeamDomain.create({
|
|
teamId: team.id,
|
|
name: domain,
|
|
createdById: admin.id,
|
|
});
|
|
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
const email = faker.internet.email({ provider: domain });
|
|
const result = await userProvisioner(ctx, {
|
|
name: faker.person.fullName(),
|
|
email,
|
|
emailVerified: true,
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeDefined();
|
|
expect(authentication?.accessToken).toEqual("123");
|
|
expect(authentication?.scopes.length).toEqual(1);
|
|
expect(authentication?.scopes[0]).toEqual("read");
|
|
expect(user.email).toEqual(email);
|
|
expect(isNewUser).toEqual(true);
|
|
});
|
|
|
|
it("should reject an unverified email when the team has allowed domains", async () => {
|
|
const team = await buildTeam();
|
|
const admin = await buildAdmin({ teamId: team.id });
|
|
const domain = faker.internet.domainName();
|
|
await TeamDomain.create({
|
|
teamId: team.id,
|
|
name: domain,
|
|
createdById: admin.id,
|
|
});
|
|
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
const email = faker.internet.email({ provider: domain });
|
|
|
|
await expect(
|
|
userProvisioner(ctx, {
|
|
name: faker.person.fullName(),
|
|
email,
|
|
emailVerified: false,
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
})
|
|
).rejects.toThrow("has not been verified by");
|
|
});
|
|
|
|
it("should create a user from allowed domain with emailMatchOnly", async () => {
|
|
const team = await buildTeam();
|
|
const admin = await buildAdmin({ teamId: team.id });
|
|
const domain = faker.internet.domainName();
|
|
const email = faker.internet.email({ provider: domain });
|
|
|
|
await TeamDomain.create({
|
|
teamId: team.id,
|
|
name: domain,
|
|
createdById: admin.id,
|
|
});
|
|
|
|
const result = await userProvisioner(ctx, {
|
|
name: "Test Name",
|
|
email,
|
|
emailVerified: true,
|
|
teamId: team.id,
|
|
});
|
|
const { user, authentication, isNewUser } = result;
|
|
expect(authentication).toBeUndefined();
|
|
expect(user.email).toEqual(email);
|
|
expect(isNewUser).toEqual(true);
|
|
});
|
|
|
|
it("should not create a user with emailMatchOnly when no allowed domains are set", async () => {
|
|
const team = await buildTeam();
|
|
|
|
await expect(
|
|
userProvisioner(ctx, {
|
|
name: "Test Name",
|
|
email: faker.internet.email(),
|
|
teamId: team.id,
|
|
})
|
|
).rejects.toThrow("No matching user for email or allowed domain");
|
|
});
|
|
|
|
it("should reject an user when the domain is not allowed", async () => {
|
|
const team = await buildTeam();
|
|
const admin = await buildAdmin({ teamId: team.id });
|
|
await TeamDomain.create({
|
|
teamId: team.id,
|
|
name: faker.internet.domainName(),
|
|
createdById: admin.id,
|
|
});
|
|
|
|
const authenticationProviders = await team.$get("authenticationProviders");
|
|
const authenticationProvider = authenticationProviders[0];
|
|
|
|
await expect(
|
|
userProvisioner(ctx, {
|
|
name: "Bad Domain User",
|
|
email: faker.internet.email(),
|
|
emailVerified: true,
|
|
teamId: team.id,
|
|
authentication: {
|
|
authenticationProviderId: authenticationProvider.id,
|
|
providerId: "fake-service-id",
|
|
accessToken: "123",
|
|
scopes: ["read"],
|
|
},
|
|
})
|
|
).rejects.toThrow("The domain is not allowed for this workspace");
|
|
});
|
|
});
|