lowered the default mfa duration and reorganized internal record pre/post handling
This commit is contained in:
Gani Georgiev
@@ -1427,10 +1427,7 @@ func onRecordValidate(e *RecordEvent) error {
|
||||
}
|
||||
|
||||
func onRecordSaveExecute(e *RecordEvent) error {
|
||||
var needToDeleteExternalAuths bool
|
||||
|
||||
if e.Record.Collection().IsAuth() {
|
||||
// auth resets to prevent (pre)hijacking vulnerabilities
|
||||
if !e.Record.IsNew() {
|
||||
lastSavedRecord, err := e.App.FindRecordById(e.Record.Collection(), e.Record.Id)
|
||||
if err != nil {
|
||||
@@ -1443,15 +1440,10 @@ func onRecordSaveExecute(e *RecordEvent) error {
|
||||
lastSavedRecord.Email() != e.Record.Email()) {
|
||||
e.Record.RefreshTokenKey()
|
||||
}
|
||||
|
||||
// in case upgrading from "unverified" -> "verified" mark all pre-existing OAuth2 links
|
||||
// for deletion since there is no reliable way to verify that they weren't created by an attacker
|
||||
if !lastSavedRecord.Verified() && e.Record.Verified() {
|
||||
needToDeleteExternalAuths = true
|
||||
}
|
||||
}
|
||||
|
||||
// cross-check that the auth record id is unique across all auth collections
|
||||
// loosely cross-check that the auth record id is unique across all auth collections
|
||||
// to minimize impact of mistakes in API rules when multiple auth collections are used
|
||||
authCollections, err := e.App.FindAllCollections(CollectionTypeAuth)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to fetch the auth collections for cross-id unique check: %w", err)
|
||||
@@ -1469,45 +1461,16 @@ func onRecordSaveExecute(e *RecordEvent) error {
|
||||
}
|
||||
}
|
||||
|
||||
finalizer := func() error {
|
||||
err := e.Next()
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
return validators.NormalizeUniqueIndexError(
|
||||
err,
|
||||
e.Record.Collection().Name,
|
||||
e.Record.Collection().Fields.FieldNames(),
|
||||
)
|
||||
err := e.Next()
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if needToDeleteExternalAuths {
|
||||
originalApp := e.App
|
||||
|
||||
return e.App.RunInTransaction(func(txApp App) error {
|
||||
e.App = txApp
|
||||
defer func() { e.App = originalApp }()
|
||||
|
||||
externalAuths, err := txApp.FindAllExternalAuthsByRecord(e.Record)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if len(externalAuths) > 0 {
|
||||
// delete all pre-existing external auths
|
||||
if err := txApp.DeleteAllExternalAuthsByRecord(e.Record); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// force refresh tokens reset (if not already)
|
||||
e.Record.RefreshTokenKey()
|
||||
}
|
||||
|
||||
return finalizer()
|
||||
})
|
||||
}
|
||||
|
||||
return finalizer()
|
||||
return validators.NormalizeUniqueIndexError(
|
||||
err,
|
||||
e.Record.Collection().Name,
|
||||
e.Record.Collection().Fields.FieldNames(),
|
||||
)
|
||||
}
|
||||
|
||||
func onRecordDeleteExecute(e *RecordEvent) error {
|
||||
|
||||
Reference in New Issue
Block a user