fix: Email auth should allow same guest user on multiple subdomains (#2252)

* test: Add email auth tests to establish current state of system * fix: Update logic to account for dupe emails used between subdomains * test * test
2021-07-02 12:07:43 -07:00
parent 2ae74f2834
commit 1c0c694c22
5 changed files with 218 additions and 26 deletions
--- a/server/auth/providers/email.test.js
+++ b/server/auth/providers/email.test.js
@ -0,0 +1,156 @@
+// @flow
+import TestServer from "fetch-test-server";
+import app from "../../app";
+import mailer from "../../mailer";
+import { buildUser, buildGuestUser, buildTeam } from "../../test/factories";
+import { flushdb } from "../../test/support";
+
+const server = new TestServer(app.callback());
+
+jest.mock("../../mailer");
+
+beforeEach(async () => {
+  await flushdb();
+
+  // $FlowFixMe – does not understand Jest mocks
+  mailer.signin.mockReset();
+});
+afterAll(() => server.close());
+
+describe("email", () => {
+  it("should require email param", async () => {
+    const res = await server.post("/auth/email", {
+      body: {},
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(400);
+    expect(body.error).toEqual("validation_error");
+    expect(body.ok).toEqual(false);
+  });
+
+  it("should respond with redirect location when user is SSO enabled", async () => {
+    const user = await buildUser();
+
+    const res = await server.post("/auth/email", {
+      body: { email: user.email },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.redirect).toMatch("slack");
+    expect(mailer.signin).not.toHaveBeenCalled();
+  });
+
+  it("should respond with success when user is not SSO enabled", async () => {
+    const user = await buildGuestUser();
+
+    const res = await server.post("/auth/email", {
+      body: { email: user.email },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.success).toEqual(true);
+    expect(mailer.signin).toHaveBeenCalled();
+  });
+
+  it("should respond with success regardless of whether successful to prevent crawling email logins", async () => {
+    const res = await server.post("/auth/email", {
+      body: { email: "user@example.com" },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.success).toEqual(true);
+    expect(mailer.signin).not.toHaveBeenCalled();
+  });
+
+  describe("with multiple users matching email", () => {
+    it("should default to current subdomain with SSO", async () => {
+      process.env.URL = "http://localoutline.com";
+      process.env.SUBDOMAINS_ENABLED = "true";
+
+      const email = "sso-user@example.org";
+      const team = await buildTeam({
+        subdomain: "example",
+      });
+
+      await buildGuestUser({ email });
+      await buildUser({ email, teamId: team.id });
+
+      const res = await server.post("/auth/email", {
+        body: { email },
+        headers: { host: "example.localoutline.com" },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.redirect).toMatch("slack");
+      expect(mailer.signin).not.toHaveBeenCalled();
+    });
+
+    it("should default to current subdomain with guest email", async () => {
+      process.env.URL = "http://localoutline.com";
+      process.env.SUBDOMAINS_ENABLED = "true";
+
+      const email = "guest-user@example.org";
+      const team = await buildTeam({
+        subdomain: "example",
+      });
+
+      await buildUser({ email });
+      await buildGuestUser({ email, teamId: team.id });
+
+      const res = await server.post("/auth/email", {
+        body: { email },
+        headers: { host: "example.localoutline.com" },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.success).toEqual(true);
+      expect(mailer.signin).toHaveBeenCalled();
+    });
+
+    it("should default to custom domain with SSO", async () => {
+      const email = "sso-user-2@example.org";
+      const team = await buildTeam({
+        domain: "docs.mycompany.com",
+      });
+
+      await buildGuestUser({ email });
+      await buildUser({ email, teamId: team.id });
+
+      const res = await server.post("/auth/email", {
+        body: { email },
+        headers: { host: "docs.mycompany.com" },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.redirect).toMatch("slack");
+      expect(mailer.signin).not.toHaveBeenCalled();
+    });
+
+    it("should default to custom domain with guest email", async () => {
+      const email = "guest-user-2@example.org";
+      const team = await buildTeam({
+        domain: "docs.mycompany.com",
+      });
+
+      await buildUser({ email });
+      await buildGuestUser({ email, teamId: team.id });
+
+      const res = await server.post("/auth/email", {
+        body: { email },
+        headers: { host: "docs.mycompany.com" },
+      });
+      const body = await res.json();
+
+      expect(res.status).toEqual(200);
+      expect(body.success).toEqual(true);
+      expect(mailer.signin).toHaveBeenCalled();
+    });
+  });
+});