From 28604a0571365e9d5b91d74edf86418bea665d44 Mon Sep 17 00:00:00 2001
From: Timothee Groleau
Date: Fri, 12 Apr 2024 21:41:48 +0800
Subject: [PATCH 1/3] fix: only allow suffix matches for domains NOT emails

---
 src/services/identity/UsersService.ts | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/services/identity/UsersService.ts b/src/services/identity/UsersService.ts
index 6a1cfbf9f..425fff324 100644
--- a/src/services/identity/UsersService.ts
+++ b/src/services/identity/UsersService.ts
@@ -154,7 +154,7 @@ class UsersService {
 }
 
 async canSendEmailOtp(email: string) {
- const parsedEmail = email.toLowerCase()
+ const normalizedEmail = email.toLowerCase()
 const whitelistEntries = await this.whitelist.findAll({
 attributes: ["email"],
 where: {
@@ -165,8 +165,15 @@ class UsersService {
 })
 const whitelistDomains = whitelistEntries.map((entry) => entry.email)
 const hasMatchDomain =
- whitelistDomains.filter((domain) => parsedEmail.endsWith(domain)).length >
- 0
+ whitelistDomains.filter((domain) => {
+ // if domain is really just a domain (does not include a @ OR starts with a @), we can do a prefix match
+ if (/^@|^[^@]+$/.test(domain)) {
+ return normalizedEmail.endsWith(domain)
+ }
+
+ return normalizedEmail === domain
+ // otherwise we can ONLY do an exact match
+ }).length > 0
 return hasMatchDomain
 }
 
From 5a14d7295e052d7136506fa9a9b953922a200e3a Mon Sep 17 00:00:00 2001
From: Timothee Groleau
Date: Fri, 12 Apr 2024 21:51:45 +0800
Subject: [PATCH 2/3] feat: add a test to verify suffix match is not applied for full emails

---
 .../identity/__tests__/UsersService.spec.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/services/identity/__tests__/UsersService.spec.ts b/src/services/identity/__tests__/UsersService.spec.ts
index c0f8a0537..7ebf635a5 100644
--- a/src/services/identity/__tests__/UsersService.spec.ts
+++ b/src/services/identity/__tests__/UsersService.spec.ts
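Review bot: In the second hunk, a whitelist entry containing no `@` at all (the `^[^@]+$` branch) is still compared with `normalizedEmail.endsWith(domain)`, so an entry such as `example.com` (constructed example) also accepts an address whose domain merely ends in that string, e.g. `user@notexample.com`; the over-match the commit closes for full emails remains for bare domains. Anchoring the suffix at a label boundary closes it while keeping sub-domain matches if those are intended: `if (domain.startsWith("@")) return normalizedEmail.endsWith(domain)`, `if (!domain.includes("@")) return normalizedEmail.endsWith("@" + domain) || normalizedEmail.endsWith("." + domain)`, `return normalizedEmail === domain`. The branch comment says "prefix match" although the code does a suffix match, and `// otherwise we can ONLY do an exact match` sits after its `return`, reading as a comment on dead code; move it above `return normalizedEmail === domain` and change "prefix" to "suffix". The whitelist values are not lowercased here while the email is, so a mixed-case row would never match — presumably rows are stored lowercase, worth confirming. `canSendEmailOtp` starts in the first hunk and its body is split across the two hunks.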
@@ -170,4 +170,21 @@ describe("User Service", () => {
 // Assert
 expect(actual).toBe(expected)
 })
+
+ it("should not allow suffix match if the whitelist entry is a full email", async () => {
+ // Arrange
+ const expected = false
+ const mockWhitelistEntries = [
+ {
+ email: "foo@accenture.com",
+ },
+ ]
+ MockWhitelist.findAll.mockResolvedValueOnce(mockWhitelistEntries)
+
+ // Act
+ const actual = await UsersService.canSendEmailOtp("bar.foo@accenture.com")
+
+ // Assert
+ expect(actual).toBe(expected)
+ })
 })

From 11d63cf3768534eba2a0089a70a422d7615f9a26 Mon Sep 17 00:00:00 2001
From: Timothee Groleau
Date: Fri, 12 Apr 2024 22:02:39 +0800
Subject: [PATCH 3/3] build: increase version

---
 CHANGELOG.md | 8 ++++++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 376283d1c..0c58fb182 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
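Review bot: The new case only pins the full-email form; there is no case for a bare-domain whitelist entry checked against an address whose domain merely ends in that string, which `canSendEmailOtp` still accepts through `endsWith`. A sibling test with `email: "accenture.com"` in the mocked whitelist and `UsersService.canSendEmailOtp("bar@notaccenture.com")` expected to be `false` would document the intended domain boundary. The enclosing `describe` block starts outside the hunk.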
@@ -4,8 +4,15 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [v0.78.1](https://github.com/isomerpages/isomercms-backend/compare/v0.78.0...v0.78.1)
+
+- feat: add a test to verify suffix match is not applied for full emails [`5a14d72`](https://github.com/isomerpages/isomercms-backend/commit/5a14d7295e052d7136506fa9a9b953922a200e3a)
+- fix: only allow suffix matches for domains NOT emails [`28604a0`](https://github.com/isomerpages/isomercms-backend/commit/28604a0571365e9d5b91d74edf86418bea665d44)
+
 #### [v0.78.0](https://github.com/isomerpages/isomercms-backend/compare/v0.77.0...v0.78.0)
 
+> 11 April 2024
+
 - refactor(OTP): simplify code by using upsert() [`#1283`](https://github.com/isomerpages/isomercms-backend/pull/1283)
 - refactor(UserService): simplify login by using findOrCreate() [`#1281`](https://github.com/isomerpages/isomercms-backend/pull/1281)
 - build(deps): bump @aws-sdk/client-amplify from 3.540.0 to 3.549.0 [`#1289`](https://github.com/isomerpages/isomercms-backend/pull/1289)
@@ -20,6 +27,7 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 - build(deps): bump marked from 11.2.0 to 12.0.1 [`#1219`](https://github.com/isomerpages/isomercms-backend/pull/1219)
 - chore(ci): enhance mergify [`#1245`](https://github.com/isomerpages/isomercms-backend/pull/1245)
 - backport v0.77.0 [`#1277`](https://github.com/isomerpages/isomercms-backend/pull/1277)
+- chore: bump version to v0.78.0 [`72f39bd`](https://github.com/isomerpages/isomercms-backend/commit/72f39bdc25f6afe82021ebbc630c6d3850ece1ae)
 
 #### [v0.77.0](https://github.com/isomerpages/isomercms-backend/compare/v0.76.0...v0.77.0)
 
diff --git a/package-lock.json b/package-lock.json
index b8fa017fd..6a99f716d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "isomercms",
- "version": "0.78.0",
+ "version": "0.78.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "isomercms",
- "version": "0.78.0",
+ "version": "0.78.1",
 "hasInstallScript": true,
 "dependencies": {
 "@aws-sdk/client-amplify": "^3.549.0",
diff --git a/package.json b/package.json
index 5addc62de..4bfcfd166 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "isomercms",
- "version": "0.78.0",
+ "version": "0.78.1",
 "private": true,
 "scripts": {
 "build": "tsc -p tsconfig.build.json",