From e3e89ef7bd26aaf63665a9e046dc841e4a2d0a5c Mon Sep 17 00:00:00 2001
From: thomas-br <46727578+thomas-br@users.noreply.github.com>
Date: Sun, 23 Jan 2022 14:02:12 +0100
Subject: [PATCH 1/5] Fixing double hashing issue (core entity-service transform)
---
 .../users-permissions/server/content-types/user/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/plugins/users-permissions/server/content-types/user/index.js b/packages/plugins/users-permissions/server/content-types/user/index.js
index d31322a14c..14c9362d5f 100644
--- a/packages/plugins/users-permissions/server/content-types/user/index.js
+++ b/packages/plugins/users-permissions/server/content-types/user/index.js
@@ -34,7 +34,7 @@ module.exports = {
 configurable: false,
 },
 password: {
- type: 'password',
+ type: 'string',
 minLength: 6,
 configurable: false,
 private: true,
From efcaa982d3d145fe011896a05f569d8ef351252b Mon Sep 17 00:00:00 2001
From: thomas-br
Date: Sun, 23 Jan 2022 14:35:31 +0100
Subject: [PATCH 2/5] relying on core password-hashing
---
 .../server/content-types/user/index.js | 2 +-
 .../users-permissions/server/services/user.js | 31 -------------------
 2 files changed, 1 insertion(+), 32 deletions(-)
diff --git a/packages/plugins/users-permissions/server/content-types/user/index.js b/packages/plugins/users-permissions/server/content-types/user/index.js
index 14c9362d5f..d31322a14c 100644
--- a/packages/plugins/users-permissions/server/content-types/user/index.js
+++ b/packages/plugins/users-permissions/server/content-types/user/index.js
@@ -34,7 +34,7 @@ module.exports = {
 configurable: false,
 },
 password: {
- type: 'string',
+ type: 'password',
 minLength: 6,
 configurable: false,
 private: true,
diff --git a/packages/plugins/users-permissions/server/services/user.js b/packages/plugins/users-permissions/server/services/user.js
index de599bb602..98d4185493 100644
--- a/packages/plugins/users-permissions/server/services/user.js
+++ b/packages/plugins/users-permissions/server/services/user.js
@@ -35,10 +35,6 @@ module.exports = ({ strapi }) => ({
 * @return {Promise}
 */
 async add(values) {
- if (values.password) {
- values.password = await getService('user').hashPassword(values);
- }
-
 return strapi
 .query('plugin::users-permissions.user')
 .create({ data: values, populate: ['role'] });
@@ -51,10 +47,6 @@ module.exports = ({ strapi }) => ({
 * @return {Promise}
 */
 async edit(userId, params = {}) {
- if (params.password) {
- params.password = await getService('user').hashPassword(params);
- }
-
 return strapi.entityService.update('plugin::users-permissions.user', userId, {
 data: params,
 populate: ['role'],
@@ -87,29 +79,6 @@ module.exports = ({ strapi }) => ({
 return strapi.query('plugin::users-permissions.user').findMany({ where: params, populate });
 },
- hashPassword(user = {}) {
- return new Promise((resolve, reject) => {
- if (!user.password || this.isHashed(user.password)) {
- resolve(null);
- } else {
- bcrypt.hash(`${user.password}`, 10, (err, hash) => {
- if (err) {
- return reject(err);
- }
- resolve(hash);
- });
- }
- });
- },
-
- isHashed(password) {
- if (typeof password !== 'string' || !password) {
- return false;
- }
-
- return password.split('$').length === 4;
- },
-
 /**
 * Promise to remove a/an user.
 * @return {Promise}
From 5ae82c0edf84cf698c29e7d1ac3de6857eb050aa Mon Sep 17 00:00:00 2001
From: thomas-br
Date: Thu, 27 Jan 2022 10:15:04 +0100
Subject: [PATCH 3/5] correcting entity create
---
 packages/plugins/users-permissions/server/services/user.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/packages/plugins/users-permissions/server/services/user.js b/packages/plugins/users-permissions/server/services/user.js
index 98d4185493..94ee17730c 100644
--- a/packages/plugins/users-permissions/server/services/user.js
+++ b/packages/plugins/users-permissions/server/services/user.js
@@ -35,9 +35,10 @@ module.exports = ({ strapi }) => ({
 * @return {Promise}
 */
 async add(values) {
- return strapi
- .query('plugin::users-permissions.user')
- .create({ data: values, populate: ['role'] });
+ return strapi.entityService.create('plugin::users-permissions.user', {
+ data: values,
+ populate: ['role'],
+ });
 },
 /**
From e602d645bea62288338548e832525fda55999d4c Mon Sep 17 00:00:00 2001
From: thomas-br
Date: Sat, 29 Jan 2022 22:16:18 +0100
Subject: [PATCH 4/5] correcting entity update
---
 .../users-permissions/server/controllers/auth.js | 15 ++++++---------
 .../users-permissions/server/services/user.js | 8 ++++++++
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/packages/plugins/users-permissions/server/controllers/auth.js b/packages/plugins/users-permissions/server/controllers/auth.js
index 5ec43ae63f..bf5ee3573d 100644
--- a/packages/plugins/users-permissions/server/controllers/auth.js
+++ b/packages/plugins/users-permissions/server/controllers/auth.js
@@ -137,13 +137,8 @@ module.exports = {
 throw new ValidationError('Incorrect code provided');
 }
- const password = await getService('user').hashPassword({ password: params.password });
-
+ await getService('user').edit(user.id, { resetPasswordToken: null, password: params.password });
 // Update the user.
- await strapi
- .query('plugin::users-permissions.user')
- .update({ where: { id: user.id }, data: { resetPasswordToken: null, password } });
-
 ctx.send({
 jwt: getService('jwt').issue({ id: user.id }),
 user: await sanitizeUser(user, ctx),
@@ -322,7 +317,6 @@ module.exports = {
 }
 params.role = role.id;
- params.password = await getService('user').hashPassword(params);
 const user = await strapi.query('plugin::users-permissions.user').findOne({
 where: { email: params.email },
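Review bot: `add` no longer shows where the password is hashed: after this hunk that depends on `strapi.entityService.create` and on the `password` attribute keeping `type: 'password'` in content-types/user/index.js, which patch 1/5 briefly set to `'string'`. A comment above the `return` would make that dependency visible, for example `// The entity service hashes 'password'-type attributes; pass the plaintext password, never a hash.` Judging from the `strapi.query(...).create` form replaced here, writes that go through the query layer presumably skip that step, so any remaining caller of that form that sets `password` deserves a check. The enclosing service object starts and ends outside the hunk.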
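Review bot: The `// Update the user.` comment in the `@@ -137,13 +137,8 @@` hunk now sits below the `getService('user').edit(...)` call it describes and directly above `ctx.send({`, so it reads as if it described the response. Moving it above the `await getService('user').edit(user.id, ...)` line and keeping a blank line before `ctx.send({` restores the reading order. Because the plaintext `params.password` is now handed to `edit`, the comment could say so: `// Update the user; edit() relies on the entity service to hash the password.` The handler's body starts and ends outside the hunk.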
@@ -341,7 +335,7 @@ module.exports = {
 params.confirmed = true;
 }
- const user = await strapi.query('plugin::users-permissions.user').create({ data: params });
+ const user = await getService('user').add(params);
 const sanitizedUser = await sanitizeUser(user, ctx);
@@ -364,8 +358,11 @@ module.exports = {
 } catch (err) {
 if (_.includes(err.message, 'username')) {
 throw new ApplicationError('Username already taken');
- } else {
+ } else if (_.includes(err.message, 'email')) {
 throw new ApplicationError('Email already taken');
+ } else {
+ strapi.log.error(err);
+ throw new ApplicationError('An error occurred during account creation');
 }
 }
 },
diff --git a/packages/plugins/users-permissions/server/services/user.js b/packages/plugins/users-permissions/server/services/user.js
index 94ee17730c..e66fefc67a 100644
--- a/packages/plugins/users-permissions/server/services/user.js
+++ b/packages/plugins/users-permissions/server/services/user.js
@@ -87,6 +87,14 @@ module.exports = ({ strapi }) => ({
 async remove(params) {
 return strapi.query('plugin::users-permissions.user').delete({ where: params });
 },
+
+ isHashed(password) {
+ if (typeof password !== 'string' || !password) {
+ return false;
+ }
+
+ return password.split('$').length === 4;
+ },
 validatePassword(password, hash) {
 return bcrypt.compare(password, hash);
From 0e65636013320330b294f1d5ead63da93038a8d6 Mon Sep 17 00:00:00 2001
From: thomas-br <46727578+thomas-br@users.noreply.github.com>
Date: Sat, 29 Jan 2022 22:38:55 +0100
Subject: [PATCH 5/5] Removing whitespace
---
 packages/plugins/users-permissions/server/services/user.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/packages/plugins/users-permissions/server/services/user.js b/packages/plugins/users-permissions/server/services/user.js
index e66fefc67a..777d4777e5 100644
--- a/packages/plugins/users-permissions/server/services/user.js
+++ b/packages/plugins/users-permissions/server/services/user.js
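Review bot: The `catch` in the `@@ -364,8 +358,11 @@` hunk still classifies failures by a substring of `err.message`, so any error whose text merely mentions "username" or "email" is reported as "already taken"; with `getService('user').add(params)` now going through the entity service, that presumably includes schema validation failures and not only uniqueness conflicts. A comment on the two branches would at least record the limitation, for example `// Heuristic: matches the error text, so other errors that mention the field also land here.` The new fallback keeps internal detail out of the response, but `params.password` is plaintext at this point, so it is worth confirming that the object passed to `strapi.log.error(err)` does not carry the submitted data. The `try` opens outside the hunk.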
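Review bot: `isHashed` is re-added in the services/user.js hunk although its only caller on this page, `hashPassword`, was removed in patch 2/5, so as far as these hunks show it is unused. The test `password.split('$').length === 4` is also true for any plaintext string that contains exactly three `$` characters, so a caller outside this view that uses it to decide whether hashing can be skipped would leave such a password unhashed. If the method has to stay, it needs a docstring saying that it is a format heuristic and not proof of a bcrypt hash, or a stricter check such as `return /^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$/.test(password);`.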
@@ -87,7 +87,6 @@ module.exports = ({ strapi }) => ({
 async remove(params) {
 return strapi.query('plugin::users-permissions.user').delete({ where: params });
 },
-
 isHashed(password) {
 if (typeof password !== 'string' || !password) {
 return false;