Merge pull request #11078 from ChesterSng/11602-display-message-when-social-auth-acc-uses-password

Fixes #11062 Display information message when social authentication account uses password to login
2025-12-17 06:37:23 +01:00 · 2019-03-23 18:36:12 +01:00
parent 910a76db68 87d86ee632
commit abb8dc4dc1
5 changed files with 47 additions and 1 deletions
--- a/test/api/v3/integration/user/auth/POST-login-local.test.js
+++ b/test/api/v3/integration/user/auth/POST-login-local.test.js
@@ -110,4 +110,22 @@ describe('POST /user/auth/local/login', () => {
    let isValidPassword = await bcryptCompare(textPassword, user.auth.local.hashed_password);
    expect(isValidPassword).to.equal(true);
  });
+
+  it('user uses social authentication and has no password', async () => {
+    await user.unset({
+      'auth.local.hashed_password': 1,
+    });
+
+    await user.sync();
+    expect(user.auth.local.hashed_password).to.be.undefined;
+
+    await expect(api.post(endpoint, {
+      username: user.auth.local.username,
+      password: 'any-password',
+    })).to.eventually.be.rejected.and.eql({
+      code: 401,
+      error: 'NotAuthorized',
+      message: t('invalidLoginCredentialsLong'),
+    });
+  });
 });
--- a/test/helpers/api-integration/api-classes.js
+++ b/test/helpers/api-integration/api-classes.js
@@ -4,6 +4,7 @@ import { requester } from './requester';
 import {
  getDocument as getDocumentFromMongo,
  updateDocument as updateDocumentInMongo,
+  unsetDocument as unsetDocumentInMongo,
 } from '../mongo';
 import {
  assign,
@@ -29,6 +30,18 @@ class ApiObject {
    return this;
  }

+  async unset (options) {
+    if (isEmpty(options)) {
+      return;
+    }
+
+    await unsetDocumentInMongo(this._docType, this, options);
+
+    _updateLocalParameters((this, options));
+
+    return this;
+  }
+
  async sync () {
    let updatedDoc = await getDocumentFromMongo(this._docType, this);

--- a/test/helpers/mongo.js
+++ b/test/helpers/mongo.js
@@ -98,6 +98,19 @@ export async function updateDocument (collectionName, doc, update) {
  });
 }

+// Unset a property in the database.
+// Useful for testing.
+export async function unsetDocument (collectionName, doc, update) {
+  let collection = mongoose.connection.db.collection(collectionName);
+
+  return new Promise((resolve) => {
+    collection.updateOne({ _id: doc._id }, { $unset: update }, (updateErr) => {
+      if (updateErr) throw new Error(`Error updating ${collectionName}: ${updateErr}`);
+      resolve();
+    });
+  });
+}
+
 export async function getDocument (collectionName, doc) {
  let collection = mongoose.connection.db.collection(collectionName);

--- a/website/common/locales/en/front.json
+++ b/website/common/locales/en/front.json
@@ -276,7 +276,6 @@
  "usernameTOSRequirements": "Usernames must conform to our <a href='/static/terms' target='_blank'>Terms of Service</a> and <a href='/static/community-guidelines' target='_blank'>Community Guidelines</a>. If you didn’t previously set a login name, your username was auto-generated.",
  "usernameTaken": "Username already taken.",
  "passwordConfirmationMatch": "Password confirmation doesn't match password.",
-  "invalidLoginCredentials": "Incorrect username and/or email and/or password.",
  "passwordResetPage": "Reset Password",
  "passwordReset": "If we have your email on file, instructions for setting a new password have been sent to your email.",
  "passwordResetEmailSubject": "Password Reset for Habitica",
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -98,6 +98,9 @@ api.loginLocal = {
    // load the entire user because we may have to save it to convert the password to bcrypt
    let user = await User.findOne(login).exec();

+    // if user is using social login, then user will not have a hashed_password stored
+    if (!user.auth.local.hashed_password) throw new NotAuthorized(res.t('invalidLoginCredentialsLong'));
+
    let isValidPassword;

    if (!user) {