fix: ensures users cannot be created without confirming pw (#7583)

2024-08-16 11:44:27 -04:00
parent aec3f5e308
commit 6f8604e18c
3 changed files with 36 additions and 7 deletions
--- a/packages/next/src/views/Edit/Default/Auth/index.tsx
+++ b/packages/next/src/views/Edit/Default/Auth/index.tsx
@@ -149,8 +149,10 @@ export const Auth: React.FC<Props> = (props) => {
          {(showPasswordFields || requirePassword) && (
            <div className={`${baseClass}__changing-password`}>
              <PasswordField
+                autoComplete="new-password"
                field={{
                  name: 'password',
+                  _path: 'password',
                  admin: {
                    disabled,
                  },
--- a/packages/next/src/views/Edit/Default/index.tsx
+++ b/packages/next/src/views/Edit/Default/index.tsx
@@ -98,14 +98,18 @@ export const DefaultEditView: React.FC = () => {
  if (globalSlug) classes.push(`global-edit--${globalSlug}`)
  if (collectionSlug) classes.push(`collection-edit--${collectionSlug}`)

-  const [schemaPath, setSchemaPath] = React.useState(entitySlug)
+  const [schemaPath, setSchemaPath] = React.useState(() => {
+    if (operation === 'create' && auth && !auth.disableLocalStrategy) {
+      return `_${entitySlug}.auth`
+    }
+
+    return entitySlug
+  })
  const [validateBeforeSubmit, setValidateBeforeSubmit] = useState(() => {
-    if (
-      operation === 'create' &&
-      collectionConfig.auth &&
-      !collectionConfig.auth.disableLocalStrategy
-    )
+    if (operation === 'create' && auth && !auth.disableLocalStrategy) {
      return true
+    }
+
    return false
  })

--- a/test/auth/e2e.spec.ts
+++ b/test/auth/e2e.spec.ts
@@ -120,7 +120,7 @@ describe('auth', () => {
    await ensureCompilationIsDone({ page, serverURL })
  })

-  describe('authenticated users', () => {
+  describe('passwords', () => {
    beforeAll(() => {
      url = new AdminUrlUtil(serverURL, slug)
    })
@@ -155,6 +155,29 @@ describe('auth', () => {
      await expect(page.locator('#field-email')).toHaveValue(emailBeforeSave)
    })

+    test('should prevent new user creation without confirm password', async () => {
+      await page.goto(url.create)
+      await page.locator('#field-email').fill('dev2@payloadcms.com')
+      await page.locator('#field-password').fill('password')
+      // should fail to save without confirm password
+      await page.locator('#action-save').click()
+      await expect(
+        page.locator('.field-type.confirm-password .tooltip--show', {
+          hasText: exactText('This field is required.'),
+        }),
+      ).toBeVisible()
+
+      // should succeed with matching confirm password
+      await page.locator('#field-confirm-password').fill('password')
+      await saveDocAndAssert(page, '#action-save')
+    })
+  })
+
+  describe('authenticated users', () => {
+    beforeAll(() => {
+      url = new AdminUrlUtil(serverURL, slug)
+    })
+
    test('should have up-to-date user in `useAuth` hook', async () => {
      await page.goto(url.account)
      await page.waitForURL(url.account)