Merge pull request #3092 from appwrite/fix-allow-password-update-OAuth

Fix 'magic URL' accounts from not being able to create a new password.
2026-05-26 13:51:13 +00:00 · 2022-04-19 15:51:50 +02:00
parent e3c9041ca1 8ebe3ae7ca
commit 8a0c4c8ae8
3 changed files with 103 additions and 3 deletions
@@ -675,7 +675,7 @@ App::post('/v1/account/sessions/magic-url')
                'emailVerification' => false,
                'status' => true,
                'password' => null,
-                'passwordUpdate' => \time(),
+                'passwordUpdate' => 0,
                'registration' => \time(),
                'reset' => false,
                'prefs' => new \stdClass(),
@@ -946,7 +946,7 @@ App::post('/v1/account/sessions/anonymous')
            'emailVerification' => false,
            'status' => true,
            'password' => null,
-            'passwordUpdate' => \time(),
+            'passwordUpdate' => 0,
            'registration' => \time(),
            'reset' => false,
            'name' => null,
@@ -1 +1 @@
-Update currently logged in user password. For validation, user is required to pass in the new password, and the old password. For users created with OAuth and Team Invites, oldPassword is optional.
+Update currently logged in user password. For validation, user is required to pass in the new password, and the old password. For users created with OAuth, Team Invites and Magic URL, oldPassword is optional.
@@ -1327,6 +1327,7 @@ trait AccountBase

        $data['token'] = $token;
        $data['id'] = $userId;
+        $data['email'] = $email;

        return $data;
    }
@@ -1357,6 +1358,9 @@ trait AccountBase
        $this->assertNotEmpty($response['body']['$id']);
        $this->assertNotEmpty($response['body']['userId']);

+        $sessionId = $response['body']['$id'];
+        $session = $this->client->parseCookie((string)$response['headers']['set-cookie'])['a_session_'.$this->getProject()['$id']];
+
        /**
         * Test for FAILURE
         */
@@ -1382,6 +1386,102 @@ trait AccountBase

        $this->assertEquals(401, $response['headers']['status-code']);

+
+        $data['sessionId'] = $sessionId;
+        $data['session'] = $session;
+
        return $data;
    }
+
+    /**
+     * @depends testCreateSessionWithMagicUrl
+     */
+    public function testUpdateAccountPasswordWithMagicUrl($data):array
+    {
+        $email = $data['email'] ?? '';
+        $session = $data['session'] ?? '';
+
+        /**
+         * Test for SUCCESS
+         */
+        $response = $this->client->call(Client::METHOD_PATCH, '/account/password', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+        ]), [
+            'password' => 'new-password'
+        ]);
+
+        $this->assertEquals($response['headers']['status-code'], 200);
+        $this->assertIsArray($response['body']);
+        $this->assertNotEmpty($response['body']);
+        $this->assertNotEmpty($response['body']['$id']);
+        $this->assertIsNumeric($response['body']['registration']);
+        $this->assertEquals($response['body']['email'], $email);
+
+        $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ]), [
+            'email' => $email,
+            'password' => 'new-password',
+        ]);
+
+        $this->assertEquals($response['headers']['status-code'], 201);
+
+        /**
+         * Test for FAILURE
+         */
+        $response = $this->client->call(Client::METHOD_PATCH, '/account/password', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ]));
+
+        $this->assertEquals($response['headers']['status-code'], 401);
+        
+        $response = $this->client->call(Client::METHOD_PATCH, '/account/password', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+        ]), [
+        ]);
+        
+        $this->assertEquals($response['headers']['status-code'], 400);
+
+        /**
+         * Existing user tries to update password by passing wrong old password -> SHOULD FAIL
+         */
+        $response = $this->client->call(Client::METHOD_PATCH, '/account/password', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+        ]), [
+            'password' => 'new-password',
+            'oldPassword' => 'wrong-password',
+        ]);
+        $this->assertEquals($response['headers']['status-code'], 401);
+
+        /**
+         * Existing user tries to update password without passing old password -> SHOULD FAIL 
+         */
+        $response = $this->client->call(Client::METHOD_PATCH, '/account/password', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+        ]), [
+            'password' => 'new-password'
+        ]);
+        $this->assertEquals($response['headers']['status-code'], 401);
+
+        $data['password'] = 'new-password';
+
+        return $data;
+    }
+
 }