From 664f24eb74193389113798796abb1003241fd109 Mon Sep 17 00:00:00 2001
From: Otavio Jacobi
Date: Tue, 4 Jun 2024 15:58:47 -0300
Subject: [PATCH] Enforce user has auth.credentials_login to be able to login
Change-type: minor
---
 src/features/auth/login.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/features/auth/login.ts b/src/features/auth/login.ts
index d1e9ca3eb7..f0c606b15e 100644
--- a/src/features/auth/login.ts
+++ b/src/features/auth/login.ts
@@ -3,6 +3,7 @@ import { errors, sbvrUtils } from '@balena/pinejs';
 import { comparePassword, findUser } from '../../infra/auth/auth.js';
 import { loginUserXHR } from '../../infra/auth/jwt.js';
 import { captureException } from '../../infra/error-handling/index.js';
+import { permissions } from '@balena/pinejs';
 import type { SetupOptions } from '../../index.js';
@@ -23,6 +24,11 @@ export const login =
 if (!user) {
 throw new NotFoundError('User not found.');
 }
+ const userPermissions = await permissions.getUserPermissions(user.id);
+
+ if (!userPermissions.includes('auth.credentials_login')) {
+ throw new BadRequestError('User not allowed to login.');
+ }
 const matches = await comparePassword(password, user.password);
 if (!matches) {
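Review bot: `permissions` is pulled in by a second import from '@balena/pinejs', although the hunk header shows the file already has `import { errors, sbvrUtils } from '@balena/pinejs';` just above this hunk. Fold the new name into that statement, `import { errors, permissions, sbvrUtils } from '@balena/pinejs';`, so there is one import per module and the package import does not sit in the middle of the relative imports. The existing import line is outside the hunk, so the change has to be made there rather than on the added line.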
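Review bot: The `auth.credentials_login` check runs before `comparePassword`, so a caller who does not know the password receives the distinct 'User not allowed to login.' error and can learn that the account exists and has credential login disabled. Unless error handling outside this hunk collapses these errors into one generic response, move the `getUserPermissions` lookup and the `includes('auth.credentials_login')` test to after the `if (!matches)` block, so the account state is disclosed only once the password has been verified; this also keeps the extra permissions query off the failed-attempt path. A comment such as `// Password verified; now enforce that credential login is permitted for this user` would record why the order matters. The body of `login` starts before and continues past this hunk, so how thrown errors are mapped to HTTP responses is not visible here.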