Auth/PM-10130 - Registration with Email Verification - Respect Self-hosted Disable Open Registration flag (#4561)

* PM-10130 - Registration with email verification - respect self hosted disable open registration setting properly in non-org invite scenarios. * PM-10130 - Fix unit tests. * PM-10130 - Update integration tests.
2024-11-21 12:05:42 +01:00 · 2024-07-26 13:30:47 -04:00 · 2024-07-26 13:30:47 -04:00 · 54bd5fa894
commit 54bd5fa894
parent f9017f8e8c
6 changed files with 113 additions and 4 deletions
--- a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
+++ b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
@ -37,6 +37,8 @@ public class RegisterUserCommand : IRegisterUserCommand
    private readonly IUserService _userService;
    private readonly IMailService _mailService;

+    private readonly string _disabledUserRegistrationExceptionMsg = "Open registration has been disabled by the system administrator.";
+
    public RegisterUserCommand(
        IGlobalSettings globalSettings,
        IOrganizationUserRepository organizationUserRepository,
@ -124,8 +126,6 @@ public class RegisterUserCommand : IRegisterUserCommand

    private void ValidateOrgInviteToken(string orgInviteToken, Guid? orgUserId, User user)
    {
-        const string disabledUserRegistrationExceptionMsg = "Open registration has been disabled by the system administrator.";
-
        var orgInviteTokenProvided = !string.IsNullOrWhiteSpace(orgInviteToken);

        if (orgInviteTokenProvided && orgUserId.HasValue)
@ -140,7 +140,7 @@ public class RegisterUserCommand : IRegisterUserCommand

            if (_globalSettings.DisableUserRegistration)
            {
-                throw new BadRequestException(disabledUserRegistrationExceptionMsg);
+                throw new BadRequestException(_disabledUserRegistrationExceptionMsg);
            }

            throw new BadRequestException("Organization invite token is invalid.");
@ -152,7 +152,7 @@ public class RegisterUserCommand : IRegisterUserCommand
        // as you can't register without them.
        if (_globalSettings.DisableUserRegistration)
        {
-            throw new BadRequestException(disabledUserRegistrationExceptionMsg);
+            throw new BadRequestException(_disabledUserRegistrationExceptionMsg);
        }

        // Open registration is allowed
@ -233,6 +233,14 @@ public class RegisterUserCommand : IRegisterUserCommand
    public async Task<IdentityResult> RegisterUserViaEmailVerificationToken(User user, string masterPasswordHash,
        string emailVerificationToken)
    {
+        // We validate open registration on send of initial email and here b/c a user could technically start the
+        // account creation process while open registration is enabled and then finish it after it has been
+        // disabled by the self hosted admin.
+        if (_globalSettings.DisableUserRegistration)
+        {
+            throw new BadRequestException(_disabledUserRegistrationExceptionMsg);
+        }
+
        var tokenable = ValidateRegistrationEmailVerificationTokenable(emailVerificationToken, user.Email);

        user.EmailVerified = true;
--- a/src/Core/Auth/UserFeatures/Registration/Implementations/SendVerificationEmailForRegistrationCommand.cs
+++ b/src/Core/Auth/UserFeatures/Registration/Implementations/SendVerificationEmailForRegistrationCommand.cs
@ -39,6 +39,11 @@ public class SendVerificationEmailForRegistrationCommand : ISendVerificationEmai

    public async Task<string?> Run(string email, string? name, bool receiveMarketingEmails)
    {
+        if (_globalSettings.DisableUserRegistration)
+        {
+            throw new BadRequestException("Open registration has been disabled by the system administrator.");
+        }
+
        if (string.IsNullOrWhiteSpace(email))
        {
            throw new ArgumentNullException(nameof(email));
--- a/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs
+++ b/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs
@ -367,4 +367,18 @@ public class RegisterUserCommandTests

    }

+    [Theory]
+    [BitAutoData]
+    public async Task RegisterUserViaEmailVerificationToken_DisabledOpenRegistration_ThrowsBadRequestException(SutProvider<RegisterUserCommand> sutProvider, User user, string masterPasswordHash, string emailVerificationToken)
+    {
+        // Arrange
+        sutProvider.GetDependency<IGlobalSettings>()
+            .DisableUserRegistration = true;
+
+        // Act & Assert
+        var result = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.RegisterUserViaEmailVerificationToken(user, masterPasswordHash, emailVerificationToken));
+        Assert.Equal("Open registration has been disabled by the system administrator.", result.Message);
+
+    }
+
 }
--- a/test/Core.Test/Auth/UserFeatures/Registration/SendVerificationEmailForRegistrationCommandTests.cs
+++ b/test/Core.Test/Auth/UserFeatures/Registration/SendVerificationEmailForRegistrationCommandTests.cs
@ -31,6 +31,9 @@ public class SendVerificationEmailForRegistrationCommandTests
        sutProvider.GetDependency<GlobalSettings>()
            .EnableEmailVerification = true;

+        sutProvider.GetDependency<GlobalSettings>()
+            .DisableUserRegistration = false;
+
        sutProvider.GetDependency<IMailService>()
            .SendRegistrationVerificationEmailAsync(email, Arg.Any<string>())
            .Returns(Task.CompletedTask);
@ -63,6 +66,9 @@ public class SendVerificationEmailForRegistrationCommandTests
        sutProvider.GetDependency<GlobalSettings>()
            .EnableEmailVerification = true;

+        sutProvider.GetDependency<GlobalSettings>()
+            .DisableUserRegistration = false;
+
        var mockedToken = "token";
        sutProvider.GetDependency<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>()
            .Protect(Arg.Any<RegistrationEmailVerificationTokenable>())
@ -91,6 +97,9 @@ public class SendVerificationEmailForRegistrationCommandTests
        sutProvider.GetDependency<GlobalSettings>()
            .EnableEmailVerification = false;

+        sutProvider.GetDependency<GlobalSettings>()
+            .DisableUserRegistration = false;
+
        var mockedToken = "token";
        sutProvider.GetDependency<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>()
            .Protect(Arg.Any<RegistrationEmailVerificationTokenable>())
@ -103,6 +112,19 @@ public class SendVerificationEmailForRegistrationCommandTests
        Assert.Equal(mockedToken, result);
    }

+    [Theory]
+    [BitAutoData]
+    public async Task SendVerificationEmailForRegistrationCommand_WhenOpenRegistrationDisabled_ThrowsBadRequestException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
+        string email, string name, bool receiveMarketingEmails)
+    {
+        // Arrange
+        sutProvider.GetDependency<GlobalSettings>()
+            .DisableUserRegistration = true;
+
+        // Act & Assert
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Run(email, name, receiveMarketingEmails));
+    }
+
    [Theory]
    [BitAutoData]
    public async Task SendVerificationEmailForRegistrationCommand_WhenIsExistingUserAndEnableEmailVerificationFalse_ThrowsBadRequestException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
@ -125,6 +147,9 @@ public class SendVerificationEmailForRegistrationCommandTests
    public async Task SendVerificationEmailForRegistrationCommand_WhenNullEmail_ThrowsArgumentNullException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
   string name, bool receiveMarketingEmails)
    {
+        sutProvider.GetDependency<GlobalSettings>()
+            .DisableUserRegistration = false;
+
        await Assert.ThrowsAsync<ArgumentNullException>(async () => await sutProvider.Sut.Run(null, name, receiveMarketingEmails));
    }

@ -133,6 +158,8 @@ public class SendVerificationEmailForRegistrationCommandTests
    public async Task SendVerificationEmailForRegistrationCommand_WhenEmptyEmail_ThrowsArgumentNullException(SutProvider<SendVerificationEmailForRegistrationCommand> sutProvider,
   string name, bool receiveMarketingEmails)
    {
+        sutProvider.GetDependency<GlobalSettings>()
+            .DisableUserRegistration = false;
        await Assert.ThrowsAsync<ArgumentNullException>(async () => await sutProvider.Sut.Run("", name, receiveMarketingEmails));
    }
 }
--- a/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs
+++ b/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs
@ -62,6 +62,28 @@ public class AccountsControllerTests : IClassFixture<IdentityApplicationFactory>
        Assert.Equal(StatusCodes.Status400BadRequest, context.Response.StatusCode);
    }

+    [Theory, BitAutoData]
+    public async Task PostRegisterSendEmailVerification_DisabledOpenRegistration_ThrowsBadRequestException(string name, bool receiveMarketingEmails)
+    {
+
+        // Localize substitutions to this test.
+        var localFactory = new IdentityApplicationFactory();
+        localFactory.UpdateConfiguration("globalSettings:disableUserRegistration", "true");
+
+        var email = $"test+register+{name}@email.com";
+        var model = new RegisterSendVerificationEmailRequestModel
+        {
+            Email = email,
+            Name = name,
+            ReceiveMarketingEmails = receiveMarketingEmails
+        };
+
+        var context = await localFactory.PostRegisterSendEmailVerificationAsync(model);
+
+        Assert.Equal(StatusCodes.Status400BadRequest, context.Response.StatusCode);
+    }
+
+
    [Theory]
    [BitAutoData(true)]
    [BitAutoData(false)]
@ -198,6 +220,38 @@ public class AccountsControllerTests : IClassFixture<IdentityApplicationFactory>
        Assert.Equal(kdfParallelism, user.KdfParallelism);
    }

+
+    [Theory, BitAutoData]
+    public async Task RegistrationWithEmailVerification_OpenRegistrationDisabled_ThrowsBadRequestException([Required] string name, string emailVerificationToken,
+       [StringLength(1000), Required] string masterPasswordHash, [StringLength(50)] string masterPasswordHint, [Required] string userSymmetricKey,
+       [Required] KeysRequestModel userAsymmetricKeys, int kdfMemory, int kdfParallelism)
+    {
+        // Localize substitutions to this test.
+        var localFactory = new IdentityApplicationFactory();
+        localFactory.UpdateConfiguration("globalSettings:disableUserRegistration", "true");
+
+        var email = $"test+register+{name}@email.com";
+
+        // Now we call the finish registration endpoint with the email verification token
+        var registerFinishReqModel = new RegisterFinishRequestModel
+        {
+            Email = email,
+            MasterPasswordHash = masterPasswordHash,
+            MasterPasswordHint = masterPasswordHint,
+            EmailVerificationToken = emailVerificationToken,
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+            UserSymmetricKey = userSymmetricKey,
+            UserAsymmetricKeys = userAsymmetricKeys,
+            KdfMemory = kdfMemory,
+            KdfParallelism = kdfParallelism
+        };
+
+        var postRegisterFinishHttpContext = await localFactory.PostRegisterFinishAsync(registerFinishReqModel);
+
+        Assert.Equal(StatusCodes.Status400BadRequest, postRegisterFinishHttpContext.Response.StatusCode);
+    }
+
    [Theory, BitAutoData]
    public async Task RegistrationWithEmailVerification_WithOrgInviteToken_Succeeds(
         [StringLength(1000)] string masterPasswordHash, [StringLength(50)] string masterPasswordHint, string userSymmetricKey,
--- a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
+++ b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
@ -144,6 +144,7 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>

                // Email Verification
                { "globalSettings:enableEmailVerification", "true" },
+                { "globalSettings:disableUserRegistration", "false" },
                { "globalSettings:launchDarkly:flagValues:email-verification", "true" }
            });
        });