fix(admin): log the user out when account is locked out on pass change (

#11997)
botpress · Jul 18, 2022 · 5ba4d32 · 5ba4d32
1 parent 9ac31fb
commit 5ba4d32
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 10 deletions.
diff --git a/packages/bp/src/core/security/strategy-basic.ts b/packages/bp/src/core/security/strategy-basic.ts
@@ -172,14 +172,8 @@ export class StrategyBasic {
       debug('login failed; user does not exist %o', { email, ipAddress })
       throw new InvalidCredentialsError()
     }
-    const strategyOptions = _.get(await this.authService.getStrategy(strategy), 'options') as AuthStrategyBasic
-    if (!validateHash(password || '', user.password!, user.salt!)) {
-      debug('login failed; wrong password %o', { email, ipAddress })
-      // this.stats.track('auth', 'login', 'fail')
 
-      await this._incrementWrongPassword(user, strategyOptions)
-      throw new InvalidCredentialsError()
-    }
+    const strategyOptions = _.get(await this.authService.getStrategy(strategy), 'options') as AuthStrategyBasic
     const { locked_out, last_login_attempt, password_expiry_date, password_expired } = user.attributes
 
     if (locked_out) {
@@ -192,6 +186,14 @@ export class StrategyBasic {
       }
     }
 
+    if (!validateHash(password || '', user.password!, user.salt!)) {
+      debug('login failed; wrong password %o', { email, ipAddress })
+      // this.stats.track('auth', 'login', 'fail')
+
+      await this._incrementWrongPassword(user, strategyOptions)
+      throw new InvalidCredentialsError()
+    }
+
     const isDateExpired = password_expiry_date && moment().isAfter(password_expiry_date)
     if ((password_expired || isDateExpired) && !newPassword) {
       throw new PasswordExpiredError()

diff --git a/packages/ui-admin/src/user/UpdatePassword.tsx b/packages/ui-admin/src/user/UpdatePassword.tsx
@@ -1,5 +1,5 @@
 import { Button, Classes, Dialog, FormGroup, InputGroup, Intent } from '@blueprintjs/core'
-import { lang, toast } from 'botpress/shared'
+import { lang, toast, auth } from 'botpress/shared'
 import { UserProfile } from 'common/typings'
 import React, { FC, useState } from 'react'
 import api from '~/app/api'
@@ -20,14 +20,25 @@ const UpdatePassword: FC<Props> = props => {
     event.preventDefault()
 
     const { strategyType, strategy, email } = props.profile
+    const client = api.getSecured()
 
     try {
-      await api.getSecured().post(`/admin/auth/login/${strategyType}/${strategy}`, { email, password, newPassword })
+      await client.post(`/admin/auth/login/${strategyType}/${strategy}`, { email, password, newPassword })
 
       props.toggle()
       toast.success(lang.tr('admin.passwordUpdatedSuccessfully'))
     } catch (err) {
-      toast.failure(lang.tr('admin.errorUpdatingPassword', { msg: err.message }))
+      const { errorCode, message } = err
+
+      toast.failure(lang.tr('admin.errorUpdatingPassword', { msg: message }))
+
+      // BP_0011 = LockedOutError
+      if (errorCode === 'BP_0011') {
+        // Let the user see the toast before logging him out
+        setTimeout(() => {
+          auth.logout(() => client)
+        }, 1000)
+      }
     }
   }