fix: add create_user field to otp endpoint #318
Changes from all commits
177d2af
904825e
9f8c35a
74d617e
4185bdf
64583b3
@@ -713,16 +713,20 @@ or show an account confirmed/welcome message in the case of `signup`, or direct | |
|
||
One-Time-Password. Will deliver a magiclink or sms otp to the user depending on whether the request body contains an "email" or "phone" key. | ||
|
||
If `"create_user": true`, user will not be automatically signed up if the user doesn't exist. | ||
|
||
```js | ||
{ | ||
"phone": "12345678" // follows the E.164 format | ||
"create_user": true | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I read the discussion but still a bit confused about the use case, sorry. What is the default behavior if omitted? And the dev still has the ability to prevent signups on these endpoints via some config if they want to enforce login only, right? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if omitted, the default behaviour would be the current behaviour - which is that the user will be automatically signed up if they don't have an existing account, and logged in if they do. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This flag isn't to restrict signups globally in their app. I think the use case here is for developers to have 2 separate flows - one for sign-up and one for sign-in when using magiclinks / otps. |
||
} | ||
|
||
OR | ||
|
||
// exactly the same as /magiclink | ||
{ | ||
"email": "email@example.com" | ||
"create_user": true | ||
} | ||
``` | ||
|
||
|
@@ -0,0 +1,134 @@ | ||
package api | ||
|
||
import ( | ||
"bytes" | ||
"encoding/json" | ||
"net/http" | ||
"net/http/httptest" | ||
"testing" | ||
|
||
"github.com/gofrs/uuid" | ||
"github.com/netlify/gotrue/conf" | ||
"github.com/netlify/gotrue/models" | ||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
"github.com/stretchr/testify/suite" | ||
) | ||
|
||
type OtpTestSuite struct { | ||
suite.Suite | ||
API *API | ||
Config *conf.Configuration | ||
|
||
instanceID uuid.UUID | ||
} | ||
|
||
func TestOtp(t *testing.T) { | ||
api, config, instanceID, err := setupAPIForTestForInstance() | ||
require.NoError(t, err) | ||
|
||
ts := &OtpTestSuite{ | ||
API: api, | ||
Config: config, | ||
instanceID: instanceID, | ||
} | ||
defer api.db.Close() | ||
|
||
suite.Run(t, ts) | ||
} | ||
|
||
func (ts *OtpTestSuite) SetupTest() { | ||
models.TruncateAll(ts.API.db) | ||
} | ||
|
||
func (ts *OtpTestSuite) TestOtp() { | ||
cases := []struct { | ||
desc string | ||
params OtpParams | ||
expected struct { | ||
code int | ||
response map[string]interface{} | ||
} | ||
}{ | ||
{ | ||
"Test Success Magiclink Otp", | ||
OtpParams{ | ||
Email: "test@example.com", | ||
CreateUser: true, | ||
}, | ||
struct { | ||
code int | ||
response map[string]interface{} | ||
}{ | ||
http.StatusOK, | ||
make(map[string]interface{}), | ||
}, | ||
}, | ||
{ | ||
"Test Failure Pass Both Email & Phone", | ||
OtpParams{ | ||
Email: "test@example.com", | ||
Phone: "123456789", | ||
CreateUser: true, | ||
}, | ||
struct { | ||
code int | ||
response map[string]interface{} | ||
}{ | ||
http.StatusBadRequest, | ||
map[string]interface{}{ | ||
"code": float64(http.StatusBadRequest), | ||
"msg": "Only an email address or phone number should be provided", | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
for _, c := range cases { | ||
ts.Run(c.desc, func() { | ||
var buffer bytes.Buffer | ||
require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(c.params)) | ||
|
||
req := httptest.NewRequest(http.MethodPost, "/otp", &buffer) | ||
req.Header.Set("Content-Type", "application/json") | ||
|
||
w := httptest.NewRecorder() | ||
|
||
ts.API.handler.ServeHTTP(w, req) | ||
|
||
require.Equal(ts.T(), c.expected.code, w.Code) | ||
|
||
data := make(map[string]interface{}) | ||
require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&data)) | ||
|
||
// response should be empty | ||
assert.Equal(ts.T(), data, c.expected.response) | ||
}) | ||
} | ||
} | ||
|
||
func (ts *OtpTestSuite) TestNoSignupsForOtp() { | ||
var buffer bytes.Buffer | ||
require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{ | ||
"email": "newuser@example.com", | ||
"create_user": false, | ||
})) | ||
|
||
req := httptest.NewRequest(http.MethodPost, "/otp", &buffer) | ||
req.Header.Set("Content-Type", "application/json") | ||
|
||
w := httptest.NewRecorder() | ||
|
||
ts.API.handler.ServeHTTP(w, req) | ||
|
||
require.Equal(ts.T(), http.StatusBadRequest, w.Code) | ||
|
||
data := make(map[string]interface{}) | ||
require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&data)) | ||
|
||
// response should be empty | ||
assert.Equal(ts.T(), data, map[string]interface{}{ | ||
"code": float64(http.StatusBadRequest), | ||
"msg": "Signups not allowed for otp", | ||
}) | ||
} |
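Review bot: The new suite never exercises the case the PR thread itself settles on — `create_user` omitted from the body — and that is the case most likely to misbehave: if `OtpParams.CreateUser` (declared outside this diff) is a plain `bool`, an absent key decodes to `false`, which would route a new user into the `"Signups not allowed for otp"` 400 that `TestNoSignupsForOtp` pins, i.e. the opposite of the "omitted keeps today's behaviour" default stated in the discussion; the table-driven cases cannot cover this because encoding an `OtpParams` always emits the key, so a raw-map request like the one in `TestNoSignupsForOtp` is needed, and a counterpart for `create_user: false` against an existing user would confirm the flag only blocks signup, not login. Two smaller points: `assert.Equal(ts.T(), data, c.expected.response)` and the assertion in `TestNoSignupsForOtp` pass arguments in (actual, expected) order, so failure output is inverted — use `assert.Equal(ts.T(), c.expected.response, data)` — and the comment `// response should be empty` is false for the 400 case and for `TestNoSignupsForOtp`, where a non-empty error body is asserted; `// response body should match the expected JSON exactly` fits all three sites. The expected status in the sketch below is the default the reviewers describe; if the handler actually treats an absent key as `false`, this test will surface it.

```go
// TestOtpCreateUserOmitted pins the documented default: when create_user is
// absent, a new user is still signed up (pre-existing behaviour).
func (ts *OtpTestSuite) TestOtpCreateUserOmitted() {
	var buffer bytes.Buffer
	// Encode a raw map rather than OtpParams so the create_user key is
	// genuinely absent from the request body.
	require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
		"email": "newuser@example.com",
	}))

	req := httptest.NewRequest(http.MethodPost, "/otp", &buffer)
	req.Header.Set("Content-Type", "application/json")
	w := httptest.NewRecorder()
	ts.API.handler.ServeHTTP(w, req)

	require.Equal(ts.T(), http.StatusOK, w.Code)
}
```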
is this right? If create_user == true, then user will not be signed up? seems counter intuitive
ah my bad. this is a typo, it should be: if `create_user == true`, then the user will be automatically signed up