QT/bigcapital
1
0
Fork 0
mirror of https://github.com/bigcapitalhq/bigcapital.git synced 2026-02-16 21:00:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(server): sign-up restrictions for self-hosted

Browse Source
This commit is contained in:
a.bouhuolia
2023-05-07 17:22:18 +02:00
parent 36611652da
commit ad3c9ebfe9
10 changed files with 171 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
packages/server/src/api/controllers/Authentication.ts
View File

@@ -49,6 +49,7 @@ export default class AuthenticationController extends BaseController {
asyncMiddleware(this.resetPassword.bind(this)),
this.handlerErrors
);
router.get('/meta', asyncMiddleware(this.getAuthMeta.bind(this)));
return router;
}
@@ -207,6 +208,23 @@ export default class AuthenticationController extends BaseController {
}
}
/**
* Retrieves the authentication meta for SPA.
* @param {Request} req
* @param {Response} res
* @param {Function} next
* @returns {Response|void}
*/
private async getAuthMeta(req: Request, res: Response, next: Function) {
try {
const meta = await this.authApplication.getAuthMeta();
return res.status(200).send({ meta });
} catch (error) {
next(error);
}
}
/**
* Handles the service errors.
*/
@@ -247,6 +265,42 @@ export default class AuthenticationController extends BaseController {
errors: [{ type: 'EMAIL.EXISTS', code: 600 }],
});
}
if (error.errorType === 'SIGNUP_RESTRICTED') {
return res.status(400).send({
errors: [
{
type: 'SIGNUP_RESTRICTED',
message:
'Sign-up is restricted no one can sign-up to the system.',
code: 700,
},
],
});
}
if (error.errorType === 'SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN') {
return res.status(400).send({
errors: [
{
type: 'SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN',
message:
'Sign-up is restricted the given email domain is not allowed to sign-up.',
code: 710,
},
],
});
}
if (error.errorType === 'SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS') {
return res.status(400).send({
errors: [
{
type: 'SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS',
message:
'The sign-up restricted the given email address is not allowed to sign-up.',
code: 720,
},
],
});
}
}
next(error);
}

14
packages/server/src/config/index.ts
View File

@@ -1,5 +1,6 @@
import dotenv from 'dotenv';
import path from 'path';
import { castCommaListEnvVarToArray, parseBoolean } from '@/utils';
dotenv.config();
@@ -146,6 +147,19 @@ module.exports = {
},
},
/**
* Sign-up restrictions
*/
signupRestrictions: {
disabled: parseBoolean<boolean>(process.env.SIGNUP_DISABLED, false),
allowedDomains: castCommaListEnvVarToArray(
process.env.SIGNUP_ALLOWED_DOMAINS
),
allowedEmails: castCommaListEnvVarToArray(
process.env.SIGNUP_ALLOWED_EMAILS
),
},
/**
* Puppeteer remote browserless connection.
*/

4
packages/server/src/interfaces/Authentication.ts
View File

@@ -74,4 +74,8 @@ export interface IAuthSendingResetPassword {
export interface IAuthSendedResetPassword {
user: ISystemUser,
token: string;
}
export interface IAuthGetMetaPOJO {
signupDisabled: boolean;
}

19
packages/server/src/services/Authentication/AuthApplication.ts
View File

@@ -1,8 +1,14 @@
import { Service, Inject, Container } from 'typedi';
import { IRegisterDTO, ISystemUser, IPasswordReset } from '@/interfaces';
import {
IRegisterDTO,
ISystemUser,
IPasswordReset,
IAuthGetMetaPOJO,
} from '@/interfaces';
import { AuthSigninService } from './AuthSignin';
import { AuthSignupService } from './AuthSignup';
import { AuthSendResetPassword } from './AuthSendResetPassword';
import { GetAuthMeta } from './GetAuthMeta';
@Service()
export default class AuthenticationApplication {
@@ -15,6 +21,9 @@ export default class AuthenticationApplication {
@Inject()
private authResetPasswordService: AuthSendResetPassword;
@Inject()
private authGetMeta: GetAuthMeta;
/**
* Signin and generates JWT token.
* @throws {ServiceError}
@@ -53,4 +62,12 @@ export default class AuthenticationApplication {
public async resetPassword(token: string, password: string): Promise<void> {
return this.authResetPasswordService.resetPassword(token, password);
}
/**
* Retrieves the authentication meta for SPA.
* @returns {Promise<IAuthGetMetaPOJO>}
*/
public async getAuthMeta(): Promise<IAuthGetMetaPOJO> {
return this.authGetMeta.getAuthMeta();
}
}

42
packages/server/src/services/Authentication/AuthSignup.ts
View File

@@ -1,4 +1,4 @@
import { omit } from 'lodash';
import { isEmpty, omit } from 'lodash';
import moment from 'moment';
import { ServiceError } from '@/exceptions';
import {
@@ -13,6 +13,7 @@ import { EventPublisher } from '@/lib/EventPublisher/EventPublisher';
import TenantsManagerService from '../Tenancy/TenantsManager';
import events from '@/subscribers/events';
import { hashPassword } from '@/utils';
import config from '@/config';
export class AuthSignupService {
@Inject()
@@ -33,6 +34,9 @@ export class AuthSignupService {
public async signUp(signupDTO: IRegisterDTO): Promise<ISystemUser> {
const { systemUserRepository } = this.sysRepositories;
// Validates the signup disable restrictions.
await this.validateSignupRestrictions(signupDTO.email);
// Validates the given email uniqiness.
await this.validateEmailUniqiness(signupDTO.email);
@@ -74,4 +78,40 @@ export class AuthSignupService {
throw new ServiceError(ERRORS.EMAIL_EXISTS);
}
}
/**
* Validate sign-up disable restrictions.
* @param {string} email
*/
private async validateSignupRestrictions(email: string) {
// Can't continue if the signup is not disabled.
if (!config.signupRestrictions.disabled) return;
// Validate the allowed domains.
if (!isEmpty(config.signupRestrictions.allowedDomains)) {
const emailDomain = email.split('@').pop();
const isAllowed = config.signupRestrictions.allowedDomains.some(
(domain) => emailDomain === domain
);
if (!isAllowed) {
throw new ServiceError(ERRORS.SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN);
}
}
// Validate the allowed email addresses.
if (!isEmpty(config.signupRestrictions.allowedEmails)) {
const isAllowed =
config.signupRestrictions.allowedEmails.indexOf(email) !== -1;
if (!isAllowed) {
throw new ServiceError(ERRORS.SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS);
}
}
// Throw error if the signup is disabled with no exceptions.
if (
isEmpty(config.signupRestrictions.allowedDomains) &&
isEmpty(config.signupRestrictions.allowedEmails)
) {
throw new ServiceError(ERRORS.SIGNUP_RESTRICTED);
}
}
}

16
packages/server/src/services/Authentication/GetAuthMeta.ts Normal file
View File

@@ -0,0 +1,16 @@
import { Service } from 'typedi';
import { IAuthGetMetaPOJO } from '@/interfaces';
import config from '@/config';
@Service()
export class GetAuthMeta {
/**
* Retrieves the authentication meta for SPA.
* @returns {Promise<IAuthGetMetaPOJO>}
*/
public async getAuthMeta(): Promise<IAuthGetMetaPOJO> {
return {
signupDisabled: config.signupRestrictions.disabled,
};
}
}

4
packages/server/src/services/Authentication/_constants.ts
View File

@@ -7,4 +7,8 @@ export const ERRORS = {
TOKEN_EXPIRED: 'TOKEN_EXPIRED',
PHONE_NUMBER_EXISTS: 'PHONE_NUMBER_EXISTS',
EMAIL_EXISTS: 'EMAIL_EXISTS',
SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS: 'SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS',
SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN: 'SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN',
SIGNUP_RESTRICTED: 'SIGNUP_RESTRICTED',
};

5
packages/server/src/utils/index.ts
View File

@@ -467,6 +467,10 @@ const assocDepthLevelToObjectTree = (
return objects;
};
const castCommaListEnvVarToArray = (envVar: string): Array<string> => {
return envVar ? envVar?.split(',')?.map(_.trim) : [];
};
export {
templateRender,
accumSum,
@@ -499,4 +503,5 @@ export {
mergeObjectsBykey,
nestedArrayToFlatten,
assocDepthLevelToObjectTree,
castCommaListEnvVarToArray
};