Guard against trial-requests and signups being done on the same computer but by different people
This commit is contained in:
parent
10d344504a
commit
2aa647fa29
2 changed files with 50 additions and 20 deletions
|
@ -13,6 +13,8 @@ User = require '../models/User'
|
|||
Classroom = require '../models/Classroom'
|
||||
facebook = require '../lib/facebook'
|
||||
gplus = require '../lib/gplus'
|
||||
TrialRequest = require '../models/TrialRequest'
|
||||
log = require 'winston'
|
||||
|
||||
module.exports =
|
||||
fetchByGPlusID: wrap (req, res, next) ->
|
||||
|
@ -133,16 +135,7 @@ module.exports =
|
|||
throw new errors.Conflict('Email already taken')
|
||||
|
||||
req.user.set({ password, email, anonymous: false })
|
||||
try
|
||||
yield req.user.save()
|
||||
catch e
|
||||
if e.code is 11000 # Duplicate key error
|
||||
throw new errors.Conflict('Email already taken')
|
||||
else
|
||||
throw e
|
||||
|
||||
req.user.sendWelcomeEmail()
|
||||
res.status(200).send(req.user.toObject({req: req}))
|
||||
yield module.exports.finishSignup(req, res)
|
||||
|
||||
signupWithFacebook: wrap (req, res) ->
|
||||
unless req.user.isAnonymous()
|
||||
|
@ -159,16 +152,7 @@ module.exports =
|
|||
throw new errors.UnprocessableEntity('Invalid facebookAccessToken')
|
||||
|
||||
req.user.set({ facebookID, email, anonymous: false })
|
||||
try
|
||||
yield req.user.save()
|
||||
catch e
|
||||
if e.code is 11000 # Duplicate key error
|
||||
throw new errors.Conflict('Email already taken')
|
||||
else
|
||||
throw e
|
||||
|
||||
req.user.sendWelcomeEmail()
|
||||
res.status(200).send(req.user.toObject({req: req}))
|
||||
yield module.exports.finishSignup(req, res)
|
||||
|
||||
signupWithGPlus: wrap (req, res) ->
|
||||
unless req.user.isAnonymous()
|
||||
|
@ -186,6 +170,9 @@ module.exports =
|
|||
throw new errors.UnprocessableEntity('Invalid gplusAccessToken')
|
||||
|
||||
req.user.set({ gplusID, email, anonymous: false })
|
||||
yield module.exports.finishSignup(req, res)
|
||||
|
||||
finishSignup: co.wrap (req, res) ->
|
||||
try
|
||||
yield req.user.save()
|
||||
catch e
|
||||
|
@ -194,5 +181,21 @@ module.exports =
|
|||
else
|
||||
throw e
|
||||
|
||||
# post-successful account signup tasks
|
||||
|
||||
req.user.sendWelcomeEmail()
|
||||
|
||||
# If person A creates a trial request without creating an account, then person B uses that computer
|
||||
# to create an account, then person A's trial request is associated with person B's account. To prevent
|
||||
# this, we check that the signup email matches the trial request email, for every signup. If they do
|
||||
# not match, the trial request applicant field is cleared, disassociating the trial request from this
|
||||
# account.
|
||||
trialRequest = yield TrialRequest.findOne({applicant: req.user._id})
|
||||
if trialRequest
|
||||
email = trialRequest.get('properties')?.email or ''
|
||||
emailLower = email.toLowerCase()
|
||||
if emailLower and emailLower isnt req.user.get('emailLower')
|
||||
log.warn('User submitted trial request and created account with different emails. Disassociating trial request.')
|
||||
yield trialRequest.update({$unset: {applicant: ''}})
|
||||
|
||||
res.status(200).send(req.user.toObject({req: req}))
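Review bot: The comparison at `if emailLower and emailLower isnt req.user.get('emailLower')` only establishes that the two addresses are spelled the same, not that the person signing up owns that address; nothing in this hunk verifies the signup email, so on the password path someone who knows the trial request's email could still sign up with it and keep the association (confirm whether verification happens elsewhere before relying on this as the guard). The `log.warn(...)` line carries no identifiers, which makes the event hard to investigate later; consider `log.warn("User #{req.user._id} signed up with an email different from trial request #{trialRequest._id}; disassociating.")`, using ids rather than emails to keep PII out of logs. `TrialRequest.findOne({applicant: req.user._id})` also handles a single request per applicant, so if more than one can exist the others stay attached — a `find` loop or an `update` with `{multi: true}` would cover that. finishSignup begins in the preceding hunk, so its try/catch is only partly visible here.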
|
||||
|
|
|
@ -3,6 +3,7 @@ utils = require '../utils'
|
|||
urlUser = '/db/user'
|
||||
User = require '../../../server/models/User'
|
||||
Classroom = require '../../../server/models/Classroom'
|
||||
TrialRequest = require '../../../server/models/TrialRequest'
|
||||
Prepaid = require '../../../server/models/Prepaid'
|
||||
request = require '../request'
|
||||
facebook = require '../../../server/lib/facebook'
|
||||
|
@ -706,6 +707,32 @@ describe 'POST /db/user/:handle/signup-with-password', ->
|
|||
[res, body] = yield request.postAsync({url, json})
|
||||
expect(res.statusCode).toBe(409)
|
||||
done()
|
||||
|
||||
it 'disassociates the user from their trial request if the trial request email and signup email do not match', utils.wrap (done) ->
|
||||
user = yield utils.becomeAnonymous()
|
||||
trialRequest = yield utils.makeTrialRequest({ properties: { email: 'one@email.com' } })
|
||||
expect(trialRequest.get('applicant').equals(user._id)).toBe(true)
|
||||
url = getURL("/db/user/#{user.id}/signup-with-password")
|
||||
email = 'two@email.com'
|
||||
json = { email, password: '12345' }
|
||||
[res, body] = yield request.postAsync({url, json})
|
||||
expect(res.statusCode).toBe(200)
|
||||
trialRequest = yield TrialRequest.findById(trialRequest.id)
|
||||
expect(trialRequest.get('applicant')).toBeUndefined()
|
||||
done()
|
||||
|
||||
it 'does NOT disassociate the user from their trial request if the trial request email and signup email DO match', utils.wrap (done) ->
|
||||
user = yield utils.becomeAnonymous()
|
||||
trialRequest = yield utils.makeTrialRequest({ properties: { email: 'one@email.com' } })
|
||||
expect(trialRequest.get('applicant').equals(user._id)).toBe(true)
|
||||
url = getURL("/db/user/#{user.id}/signup-with-password")
|
||||
email = 'one@email.com'
|
||||
json = { email, password: '12345' }
|
||||
[res, body] = yield request.postAsync({url, json})
|
||||
expect(res.statusCode).toBe(200)
|
||||
trialRequest = yield TrialRequest.findById(trialRequest.id)
|
||||
expect(trialRequest.get('applicant').equals(user._id)).toBe(true)
|
||||
done()
|
||||
|
||||
|
||||
describe 'POST /db/user/:handle/signup-with-facebook', ->
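Review bot: The two new specs cover only the password path with an exact match or an exact mismatch, so neither the case-insensitive comparison via `emailLower` nor the skip when the trial request has no email is pinned down, and the Facebook/G+ signups that share `finishSignup` are untested. Add a case with `properties: { email: 'One@Email.com' }` against signup email `'one@email.com'` expecting the applicant to remain, and one with no `email` in `properties` expecting the applicant to remain as well. A mirror of the mismatch test under the `signup-with-facebook` describe block would confirm the shared path behaves the same.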
|
||||
|
|