Merge pull request #12276 from thomas-br/patch-1

Fixing double hashing issue for users-permissions passwords

packages/plugins/users-permissions/server/controllers/auth.js

@@ -137,13 +137,8 @@ module.exports = {
         throw new ValidationError('Incorrect code provided');
       }
 
-      const password = await getService('user').hashPassword({ password: params.password });
-
+      await getService('user').edit(user.id, { resetPasswordToken: null, password: params.password });
       // Update the user.
-      await strapi
-        .query('plugin::users-permissions.user')
-        .update({ where: { id: user.id }, data: { resetPasswordToken: null, password } });
-
       ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -325,7 +320,6 @@ module.exports = {
     }
 
     params.role = role.id;
-    params.password = await getService('user').hashPassword(params);
 
     const user = await strapi.query('plugin::users-permissions.user').findOne({
       where: { email: params.email },
@@ -344,7 +338,7 @@ module.exports = {
         params.confirmed = true;
       }
 
-      const user = await strapi.query('plugin::users-permissions.user').create({ data: params });
+    const user = await getService('user').add(params);
 
       const sanitizedUser = await sanitizeUser(user, ctx);
 
@@ -367,8 +361,11 @@ module.exports = {
     } catch (err) {
       if (_.includes(err.message, 'username')) {
         throw new ApplicationError('Username already taken');
-      } else {
+      } else if (_.includes(err.message, 'email')) {
         throw new ApplicationError('Email already taken');
+      } else {
+        strapi.log.error(err);
+        throw new ApplicationError('An error occurred during account creation');
       }
     }
   },

packages/plugins/users-permissions/server/services/user.js

@@ -35,13 +35,10 @@ module.exports = ({ strapi }) => ({
    * @return {Promise}
    */
   async add(values) {
-    if (values.password) {
-      values.password = await getService('user').hashPassword(values);
-    }
-
-    return strapi
-      .query('plugin::users-permissions.user')
-      .create({ data: values, populate: ['role'] });
+    return strapi.entityService.create('plugin::users-permissions.user', {
+      data: values,
+      populate: ['role'],
+    });
   },
 
   /**
@@ -51,10 +48,6 @@ module.exports = ({ strapi }) => ({
    * @return {Promise}
    */
   async edit(userId, params = {}) {
-    if (params.password) {
-      params.password = await getService('user').hashPassword(params);
-    }
-
     return strapi.entityService.update('plugin::users-permissions.user', userId, {
       data: params,
       populate: ['role'],
@@ -87,29 +80,6 @@ module.exports = ({ strapi }) => ({
     return strapi.query('plugin::users-permissions.user').findMany({ where: params, populate });
   },
 
-  hashPassword(user = {}) {
-    return new Promise((resolve, reject) => {
-      if (!user.password || this.isHashed(user.password)) {
-        resolve(null);
-      } else {
-        bcrypt.hash(`${user.password}`, 10, (err, hash) => {
-          if (err) {
-            return reject(err);
-          }
-          resolve(hash);
-        });
-      }
-    });
-  },
-
-  isHashed(password) {
-    if (typeof password !== 'string' || !password) {
-      return false;
-    }
-
-    return password.split('$').length === 4;
-  },
-
   /**
    * Promise to remove a/an user.
    * @return {Promise}
@@ -117,6 +87,13 @@ module.exports = ({ strapi }) => ({
   async remove(params) {
     return strapi.query('plugin::users-permissions.user').delete({ where: params });
   },
+  isHashed(password) {
+    if (typeof password !== 'string' || !password) {
+      return false;
+    }
+
+    return password.split('$').length === 4;
+  },
 
   validatePassword(password, hash) {
     return bcrypt.compare(password, hash);