@cocalc/server
CoCalc server functionality: functions used by both the hub and the next.js server
;
/*
Function for unlinking a strategy from the user profile.
We provide this rather than just allowing the user to directly edit the
passports part of their account via a user_query entirely for security reasons.
I don't specifically know of any issues with allowing such editing, but it
seems potentially dangerous... and long term it is nice to be able to assume
that the contents of the passports field of an account came from the
upstream SSO provider.
*/
// Compiler-emitted interop helper: reuse an __importDefault already present on
// `this`, otherwise define one. It returns `mod` unchanged when the module is
// flagged __esModule, and wraps anything else as { default: mod } so that
// `.default` can be read uniformly from the require() results below.
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
// Flag this module's exports object as an ES module for consumers that check it.
Object.defineProperty(exports, "__esModule", { value: true });
// Create the named export up front as undefined; it is assigned the real
// function further down, after the function is defined.
exports.isBlockedUnlinkStrategy = void 0;
const pool_1 = __importDefault(require("@cocalc/database/pool"));
const misc_1 = require("@cocalc/util/misc");
const check_required_sso_1 = require("./check-required-sso");
const get_strategies_1 = __importDefault(require("./get-strategies"));
/**
 * Remove one linked SSO passport from an account.
 *
 * The passport is removed only after the caller's input has been validated and
 * isBlockedUnlinkStrategy has confirmed that the strategy may be unlinked.
 *
 * @param {object} opts
 * @param {string} opts.account_id - must pass is_valid_uuid_string.
 * @param {string} opts.name - key to remove from the account's `passports`
 *   value; the part before the first "-" is treated as the strategy name.
 * @returns {Promise<void>}
 * @throws {Error} if `name` is not a nonempty string, if `account_id` is not a
 *   valid uuid, or if unlinking this strategy is blocked for the account.
 */
async function unlinkStrategy(opts) {
  const { account_id, name } = opts;

  const nameIsUsable = typeof name === "string" && name.length > 0;
  if (!nameIsUsable) {
    throw new Error("name must be a nonempty string");
  }

  const accountIdIsUuid = (0, misc_1.is_valid_uuid_string)(account_id);
  if (!accountIdIsUuid) {
    throw new Error("account_id must be a valid uuid");
  }

  // NOTE(review): only the text before the first "-" is used for the
  // authorization check below. If a strategy name can itself contain "-",
  // the check would run against a truncated name and might not match the
  // exclusive strategy -- confirm strategy names never contain "-".
  const [strategyName] = name.split("-");

  const db = (0, pool_1.default)();

  const unlinkIsBlocked = await isBlockedUnlinkStrategy({ strategyName, account_id });
  if (unlinkIsBlocked) {
    throw new Error("You are not allowed to unlink this SSO account");
  }

  // A strategy that can no longer be found is still unlinked (it may simply
  // not be available any more). Both values are bound as query parameters,
  // never concatenated into the SQL text; `passports - $2` drops the key
  // `name` (presumably passports is a jsonb column -- confirm).
  const removePassportSql = "UPDATE accounts SET passports = passports - $2 WHERE account_id=$1";
  await db.query(removePassportSql, [account_id, name]);
}
exports.default = unlinkStrategy;
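/**
 * Decide whether an account is forbidden from unlinking the given SSO strategy.
 *
 * A strategy may not be unlinked if it is "exclusive" for the account, i.e.
 * checkRequiredSSO reports that the account's email address is covered by that
 * strategy (the domain is listed in the strategy's info.exclusive_domains).
 * Unlinking is blocked in that case because it might let a user detach their
 * account from the control of that SSO provider.
 *
 * @param {object} opts
 * @param {string} opts.strategyName - strategy to check, passed to
 *   checkRequiredSSO as `specificStrategy`.
 * @param {string} opts.account_id - account whose email address is looked up.
 * @returns {Promise<boolean>} true if unlinking must be refused; false if the
 *   account has no email address or no required strategy matches.
 * @throws {Error} if no account row exists for `account_id`.
 */
async function isBlockedUnlinkStrategy(opts) {
  const { strategyName, account_id } = opts;
  const pool = (0, pool_1.default)();
  const { rows } = await pool.query("SELECT email_address FROM accounts WHERE account_id=$1", [account_id]);
  // Fail closed with an explicit error when the account does not exist,
  // instead of an opaque TypeError from reading a property of undefined.
  if (rows.length === 0) {
    throw new Error("no account found for the given account_id");
  }
  const email = rows[0].email_address;
  if (!email) {
    // Without an email address there is no domain to match against.
    return false;
  }
  const strategies = await (0, get_strategies_1.default)();
  const requiredStrategy = (0, check_required_sso_1.checkRequiredSSO)({
    email,
    strategies,
    specificStrategy: strategyName,
  });
  // Loose comparison on purpose: both null and undefined mean "not required".
  return requiredStrategy != null;
}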
exports.isBlockedUnlinkStrategy = isBlockedUnlinkStrategy;
//# sourceMappingURL=unlink-strategy.js.map