From 36bf52cc8a9b33b3bf755a0380a9f96bfd71c55b Mon Sep 17 00:00:00 2001 From: Rob Cameron Date: Wed, 14 Feb 2024 13:36:00 -0800 Subject: [PATCH] Remove hardcoded check for session.id when session data can contain any user data defined by `allowedUserFields` not only `id` Closes #10005 --- .../dbAuth/api/src/DbAuthHandler.ts | 18 ++++---- .../src/__tests__/DbAuthHandler.fetch.test.js | 42 +++++++++++++++++++ .../api/src/__tests__/DbAuthHandler.test.js | 40 ++++++++++++++++++ 3 files changed, 91 insertions(+), 9 deletions(-) diff --git a/packages/auth-providers/dbAuth/api/src/DbAuthHandler.ts b/packages/auth-providers/dbAuth/api/src/DbAuthHandler.ts index 772f49e60ab0..bbdb52b55c2d 100644 --- a/packages/auth-providers/dbAuth/api/src/DbAuthHandler.ts +++ b/packages/auth-providers/dbAuth/api/src/DbAuthHandler.ts @@ -295,15 +295,12 @@ type Params = AuthenticationResponseJSON & transports?: string // used by webAuthN for something } -interface DbAuthSession { - id: TIdType -} +type DbAuthSession = Record const DEFAULT_ALLOWED_USER_FIELDS = ['id', 'email'] export class DbAuthHandler< TUser extends UserType, - TIdType = any, TUserAttributes = Record > { event: Request | APIGatewayProxyEvent @@ -316,7 +313,7 @@ export class DbAuthHandler< dbCredentialAccessor: any allowedUserFields: string[] hasInvalidSession: boolean - session: DbAuthSession | undefined + session: DbAuthSession | undefined sessionCsrfToken: string | undefined corsContext: CorsContext | undefined sessionExpiresDate: string @@ -1208,8 +1205,8 @@ export class DbAuthHandler< // returns the set-cookie header to be returned in the request (effectively // creates the session) - _createSessionHeader( - data: DbAuthSession, + _createSessionHeader( + data: DbAuthSession, csrfToken: string ): SetCookieHeader { const session = JSON.stringify(data) + ';' + csrfToken 
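Review bot: Removing the `TIdType` type parameter from the `DbAuthHandler` class generics in the `@@ -295` hunk is a breaking change for any caller that instantiates the class with explicit type arguments: a third positional argument no longer compiles, and a two-argument `DbAuthHandler<User, number>` now silently binds `number` to `TUserAttributes` instead of the id type. If that is intended it should be stated in the commit message or a changelog entry; otherwise keep the slot for one release, `TIdType = any, // deprecated: session is keyed by options.authFields.id`, so existing call sites keep compiling. The extracted text shows `type DbAuthSession = Record` with its type arguments lost, so I cannot confirm whether the alias is `Record<string, any>`; if it is, `Record<string, unknown>` would force consumers of `session` to narrow a value before using it as a lookup key. The class declaration these hunks touch begins and ends outside the hunk.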
@@ -1384,7 +1381,7 @@ export class DbAuthHandler< // gets the user from the database and returns only its ID async _getCurrentUser() { - if (!this.session?.id) { + if (!this.session?.[this.options.authFields.id]) { throw new DbAuthError.NotLoggedInError() } @@ -1401,7 +1398,10 @@ export class DbAuthHandler< try { user = await this.dbAccessor.findUnique({ - where: { [this.options.authFields.id]: this.session?.id }, + where: { + [this.options.authFields.id]: + this.session?.[this.options.authFields.id], + }, select, }) } catch (e: any) { diff --git a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js index 7f78bd11097f..82116c9f2eb6 100644 --- a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js +++ b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js @@ -2944,6 +2944,48 @@ describe('dbAuth', () => { expect(user.id).toEqual(dbUser.id) }) + + it('returns the user when id field is other than `id`', async () => { + const randomId = Math.floor(Math.random() * 1000000) + const dbUser = await createDbUser({ userId: randomId }) + const options = { + authFields: { + id: 'userId', + }, + authModelAccessor: 'user', + db: db, + forgotPassword: { + handler: () => {}, + }, + login: { + handler: () => {}, + expires: 1, + }, + resetPassword: { + handler: () => {}, + }, + signup: { + handler: () => {}, + }, + } + const headers = { + cookie: encryptToCookie( + JSON.stringify({ userId: dbUser.userId }) + ';' + 'token' + ), + } + + const req = new Request('http://localhost:8910/_rw_mw', { + method: 'POST', + headers, + }) + + const dbAuth = new DbAuthHandler(req, context, options) + await dbAuth.init() + + const user = await dbAuth._getCurrentUser() + + expect(user.userId).toEqual(dbUser.userId) + }) }) describe('_createUser()', () => { 
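Review bot: The guard `if (!this.session?.[this.options.authFields.id])` in `_getCurrentUser` treats every falsy id as "not logged in", so a user whose `authFields.id` column holds `0` or `''` would get `NotLoggedInError` even though the session is valid; the old `!this.session?.id` had the same shape, but this rewrite is the moment to tighten it. With the session type loosened to a record of `any`, the value is also no longer guaranteed to be a scalar before it is spread into the `findUnique` `where` clause in the `@@ -1401` hunk. One narrower check covers both: `const id = this.session?.[this.options.authFields.id]; if (id == null || (typeof id !== 'string' && typeof id !== 'number')) { throw new DbAuthError.NotLoggedInError() }`, then pass `id` to `findUnique`. Whether ids of `0` can occur depends on the schema, which is not visible here. The body of `_getCurrentUser`, including the `select` computation, lies between and beyond these two hunks.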
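Review bot: The new test in DbAuthHandler.fetch.test.js seeds the row with `Math.floor(Math.random() * 1000000)`, which makes it nondeterministic and able to collide with rows created by other cases against the same database; a fixed value or a per-file counter would be reproducible. The test also covers only the positive path: it would still pass if `_getCurrentUser` silently fell back to `session.id`, so it does not pin the fix. A sibling case that encrypts the old cookie shape, `JSON.stringify({ id: dbUser.userId })`, with `authFields.id: 'userId'` and asserts `await expect(dbAuth._getCurrentUser()).rejects.toThrow(DbAuthError.NotLoggedInError)` would. `DbAuthError` is presumably already imported at the top of this test file, which is outside the hunk.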
diff --git a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js index 72ba44f25e9e..4eb2c75dd6da 100644 --- a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js +++ b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js @@ -2651,6 +2651,46 @@ describe('dbAuth', () => { expect(user.id).toEqual(dbUser.id) }) + + it('returns the user when id field is other than `id`', async () => { + const randomId = Math.floor(Math.random() * 1000000) + const dbUser = await createDbUser({ userId: randomId }) + + const event = { + headers: { + cookie: encryptToCookie( + JSON.stringify({ userId: dbUser.userId }) + ';' + 'token' + ), + }, + } + const context = { foo: 'bar' } + const options = { + authFields: { + id: 'userId', + }, + authModelAccessor: 'user', + db: db, + forgotPassword: { + handler: () => {}, + }, + login: { + handler: () => {}, + expires: 1, + }, + resetPassword: { + handler: () => {}, + }, + signup: { + handler: () => {}, + }, + } + const dbAuth = new DbAuthHandler(event, context, options) + await dbAuth.init() + + const user = await dbAuth._getCurrentUser() + + expect(user.userId).toEqual(dbUser.userId) + }) }) describe('_createUser()', () => {
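Review bot: This test repeats, nearly verbatim, the 40-line fixture added to DbAuthHandler.fetch.test.js in the same patch; the only differences are the plain `event` object in place of a `Request` and the local `context = { foo: 'bar' }`. A small shared helper, `const optionsForIdField = (id) => ({ authFields: { id }, authModelAccessor: 'user', db, forgotPassword: { handler: () => {} }, login: { handler: () => {}, expires: 1 }, resetPassword: { handler: () => {} }, signup: { handler: () => {} } })`, would keep the two files from drifting apart as `options` grows. As with its fetch twin, `Math.random()` makes the seeded `userId` nondeterministic; a fixed value suffices since `createDbUser` appears to accept the field explicitly. The enclosing `describe` blocks start and end outside the hunk.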