feat: unconfirmed user login error fix (#3949)

* feat: unconfirmed user login error fix * fix: unconfirmed user attempting to login, public user logging into partner site, seeding es * updates per cade * fix: undefined check * Merge remote-tracking branch 'origin/main' into security-patch-2 * fix: merge mistakes were made --------- Co-authored-by: Cade Wolcott <[email protected]>
bloom-housing · Mar 14, 2024 · 5801e31 · 5801e31
1 parent 18df523
commit 5801e31
Show file tree

Hide file tree

Showing 11 changed files with 233 additions and 177 deletions.
diff --git a/api/Procfile b/api/Procfile
@@ -1 +1 @@
-web: yarn start:prod
+web: yarn db:migration:run && yarn start:prod
diff --git a/api/prisma/migrations/05_single_use_code_translation_updates/migration.sql b/api/prisma/migrations/05_single_use_code_translation_updates/migration.sql
@@ -5,6 +5,8 @@ SET translations = jsonb_set(translations, '{singleUseCodeEmail}', '{"greeting":
 WHERE jurisdiction_id IS NULL
     and language = 'en';
 
+
 UPDATE translations
-    SET translations = jsonb_set(translations, '{mfaCodeEmail, mfaCode}', '{"mfaCode": "Your access code is: %{singleUseCode}"}')
+SET translations = jsonb_set(translations, '{mfaCodeEmail, mfaCode}', '"Your access code is: %{singleUseCode}"')
 WHERE language = 'en';
+
diff --git a/api/prisma/seed-helpers/translation-factory.ts b/api/prisma/seed-helpers/translation-factory.ts
diff --git a/api/prisma/seed-staging.ts b/api/prisma/seed-staging.ts
@@ -1,6 +1,7 @@
 import {
   ApplicationAddressTypeEnum,
   ApplicationMethodsTypeEnum,
+  LanguagesEnum,
   ListingsStatusEnum,
   MultiselectQuestions,
   MultiselectQuestionsApplicationSectionEnum,
@@ -92,6 +93,9 @@ export const stagingSeed = async (
   await prismaClient.translations.create({
     data: translationFactory(jurisdiction.id, jurisdiction.name),
   });
+  await prismaClient.translations.create({
+    data: translationFactory(undefined, undefined, LanguagesEnum.es),
+  });
   await prismaClient.translations.create({
     data: translationFactory(),
   });

diff --git a/api/src/passports/mfa.strategy.ts b/api/src/passports/mfa.strategy.ts
@@ -63,7 +63,18 @@ export class MfaStrategy extends PassportStrategy(Strategy, 'mfa') {
       Number(process.env.AUTH_LOCK_LOGIN_AFTER_FAILED_ATTEMPTS),
       Number(process.env.AUTH_LOCK_LOGIN_COOLDOWN),
     );
-    if (!rawUser.confirmedAt) {
+    if (!(await isPasswordValid(rawUser.passwordHash, dto.password))) {
+      // if incoming password does not match
+      await this.updateFailedLoginCount(
+        rawUser.failedLoginAttemptsCount + 1,
+        rawUser.id,
+      );
+      throw new UnauthorizedException({
+        failureCountRemaining:
+          Number(process.env.AUTH_LOCK_LOGIN_AFTER_FAILED_ATTEMPTS) -
+          rawUser.failedLoginAttemptsCount,
+      });
+    } else if (!rawUser.confirmedAt) {
       // if user is not confirmed already
       throw new UnauthorizedException(
         `user ${rawUser.id} attempted to login, but is not confirmed`,
@@ -78,17 +89,6 @@ export class MfaStrategy extends PassportStrategy(Strategy, 'mfa') {
       throw new UnauthorizedException(
         `user ${rawUser.id} attempted to login, but password is no longer valid`,
       );
-    } else if (!(await isPasswordValid(rawUser.passwordHash, dto.password))) {
-      // if incoming password does not match
-      await this.updateFailedLoginCount(
-        rawUser.failedLoginAttemptsCount + 1,
-        rawUser.id,
-      );
-      throw new UnauthorizedException({
-        failureCountRemaining:
-          Number(process.env.AUTH_LOCK_LOGIN_AFTER_FAILED_ATTEMPTS) -
-          rawUser.failedLoginAttemptsCount,
-      });
     }
 
     if (!rawUser.mfaEnabled) {

diff --git a/api/test/unit/passports/mfa.strategy.spec.ts b/api/test/unit/passports/mfa.strategy.spec.ts
@@ -88,6 +88,7 @@ describe('Testing mfa strategy', () => {
       lastLoginAt: new Date(),
       failedLoginAttemptsCount: 0,
       confirmedAt: null,
+      passwordHash: await passwordToHash('abcdef'),
     });
 
     const request = {
@@ -127,6 +128,7 @@ describe('Testing mfa strategy', () => {
       passwordValidForDays: 0,
       passwordUpdatedAt: new Date(0),
       userRoles: { isAdmin: true },
+      passwordHash: await passwordToHash('abcdef'),
     });
 
     const request = {

diff --git a/shared-helpers/src/auth/AuthContext.ts b/shared-helpers/src/auth/AuthContext.ts
@@ -52,7 +52,8 @@ type ContextProps = {
     email: string,
     password: string,
     mfaCode?: string,
-    mfaType?: MfaType
+    mfaType?: MfaType,
+    forPartners?: boolean
   ) => Promise<User | undefined>
   resetPassword: (
     token: string,
@@ -223,16 +224,25 @@ export const AuthProvider: FunctionComponent<React.PropsWithChildren> = ({ child
       email,
       password,
       mfaCode: string | undefined = undefined,
-      mfaType: MfaType | undefined = undefined
+      mfaType: MfaType | undefined = undefined,
+      forPartners: boolean | undefined = undefined
     ) => {
       dispatch(startLoading())
       try {
         const response = await authService?.login({ body: { email, password, mfaCode, mfaType } })
         if (response) {
           const profile = await userService?.profile()
-          if (profile) {
+          if (
+            profile &&
+            (!forPartners ||
+              profile.userRoles?.isAdmin ||
+              profile.userRoles?.isJurisdictionalAdmin ||
+              profile.userRoles?.isPartner)
+          ) {
             dispatch(saveProfile(profile))
             return profile
+          } else {
+            throw Error("User cannot log in")
           }
         }
         return undefined

diff --git a/shared-helpers/src/auth/catchNetworkError.ts b/shared-helpers/src/auth/catchNetworkError.ts
@@ -38,7 +38,7 @@ export const useCatchNetworkError = () => {
   const [networkError, setNetworkError] = useState<NetworkStatusContent>(null)
 
   const check401Error = (message: string, error: AxiosError) => {
-    if (message.includes(NetworkErrorMessage.PasswordOutdated)) {
+    if (message?.includes(NetworkErrorMessage.PasswordOutdated)) {
       setNetworkError({
         title: t("authentication.signIn.passwordOutdated"),
         description: `${t(

diff --git a/sites/partners/src/lib/users/signInHelpers.ts b/sites/partners/src/lib/users/signInHelpers.ts
@@ -12,7 +12,7 @@ export const onSubmitEmailAndPassword =
   async (data: { email: string; password: string }) => {
     const { email, password } = data
     try {
-      await login(email, password)
+      await login(email, password, undefined, undefined, true)
       await router.push("/")
     } catch (error) {
       if (error?.response?.data?.name === "mfaCodeIsMissing") {
@@ -86,7 +86,7 @@ export const onSubmitMfaCode =
   async (data: { mfaCode: string }) => {
     const { mfaCode } = data
     try {
-      await login(email, password, mfaCode, mfaType)
+      await login(email, password, mfaCode, mfaType, true)
       resetNetworkError()
       await router.push("/")
     } catch (error) {

diff --git a/sites/partners/src/pages/sign-in.tsx b/sites/partners/src/pages/sign-in.tsx
@@ -93,7 +93,7 @@ const SignIn = () => {
   )
 
   useEffect(() => {
-    if (networkError?.error.response.data?.message === "accountConfirmed") {
+    if (networkError?.error.response?.data?.message === "accountConfirmed") {
       setConfirmationStatusModal(true)
     }
   }, [networkError])

diff --git a/sites/public/src/pages/sign-in.tsx b/sites/public/src/pages/sign-in.tsx
@@ -122,7 +122,7 @@ const SignIn = () => {
   })()
 
   useEffect(() => {
-    if (networkError?.error?.response?.data?.message === "accountNotConfirmed") {
+    if (networkError?.error?.response?.data?.message?.includes("but is not confirmed")) {
       setConfirmationStatusModal(true)
     }
   }, [networkError])
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		web: yarn start:prod
		web: yarn db:migration:run && yarn start:prod