Commit f81d1c0

fix creator id (stack-auth#449)
1 parent ef7e666 commit f81d1c0

3 files changed

+24
-60
lines changed


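--- a/apps/backend/src/app/api/latest/teams/crud.tsx
+++ b/apps/backend/src/app/api/latest/teams/crud.tsx
@@ -35,24 +35,37 @@ export const teamsCrudHandlers = createLazyProxy(() => createCrudHandlers(teamsC
 team_id: yupString().uuid().defined(),
 }),
 onCreate: async ({ query, auth, data }) => {
+let addUserId = data.creator_user_id;
+
 if (data.creator_user_id && query.add_current_user) {
 throw new StatusError(StatusError.BadRequest, "Cannot use both creator_user_id and add_current_user. add_current_user is deprecated, please only use creator_user_id in the body.");
 }
 
-if (auth.type === 'client' && !auth.user) {
-throw new KnownErrors.UserAuthenticationRequired;
-}
+if (auth.type === 'client') {
+if (!auth.user) {
+throw new KnownErrors.UserAuthenticationRequired;
+}
 
-if (auth.type === 'client' && !auth.tenancy.config.client_team_creation_enabled) {
-throw new StatusError(StatusError.Forbidden, 'Client team creation is disabled for this project');
-}
+if (!auth.tenancy.config.client_team_creation_enabled) {
+throw new StatusError(StatusError.Forbidden, 'Client team creation is disabled for this project');
+}
 
-if (auth.type === 'client' && data.profile_image_url && !validateBase64Image(data.profile_image_url)) {
-throw new StatusError(400, "Invalid profile image URL");
+if (data.profile_image_url && !validateBase64Image(data.profile_image_url)) {
+throw new StatusError(400, "Invalid profile image URL");
+}
+
+if (!data.creator_user_id) {
+addUserId = auth.user.id;
+} else if (data.creator_user_id !== auth.user.id) {
+throw new StatusError(StatusError.Forbidden, "You cannot create a team as a user that is not yourself. Make sure you set the creator_user_id to 'me'.");
+}
 }
 
-if (auth.type === 'client' && (!data.creator_user_id || data.creator_user_id !== auth.user?.id)) {
-throw new StatusError(StatusError.Forbidden, "You cannot create a team as a user that is not yourself. Make sure you set the creator_user_id to 'me'.");
+if (query.add_current_user === 'true') {
+if (!auth.user) {
+throw new StatusError(StatusError.Unauthorized, "You must be logged in to create a team with the current user as a member.");
+}
+addUserId = auth.user.id;
 }
 
 const db = await retryTransaction(async (tx) => {
@@ -69,22 +82,6 @@ export const teamsCrudHandlers = createLazyProxy(() => createCrudHandlers(teamsC
 },
 });
 
-let addUserId: string | undefined;
-if (data.creator_user_id) {
-if (auth.type === 'client') {
-const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
-if (data.creator_user_id !== currentUserId) {
-throw new StatusError(StatusError.Forbidden, "You cannot add a user to the team as the creator that is not yourself on the client.");
-}
-}
-addUserId = data.creator_user_id;
-} else if (query.add_current_user === 'true') {
-if (!auth.user) {
-throw new StatusError(StatusError.Unauthorized, "You must be logged in to create a team with the current user as a member.");
-}
-addUserId = auth.user.id;
-}
-
 if (addUserId) {
 await ensureUserExists(tx, { tenancyId: auth.tenancy.id, userId: addUserId });
 await addUserToTeam(tx, {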
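Review bot: The deprecated `add_current_user` branch moved to new line 64 still keys on `query.add_current_user === 'true'`, while the unchanged guard at line 38 rejects any truthy value, so if the query schema passes the flag through as a string, `add_current_user=false` together with `creator_user_id` is a 400 and a server call with `add_current_user=1` adds nobody. One parse should feed both checks, e.g. `const addCurrentUser = query.add_current_user === 'true';` at the top of `onCreate`, used in the guard and in the branch. The new client block also deserves a comment stating the contract it now enforces, e.g. `// Clients may only create teams for themselves; an omitted creator_user_id defaults to the caller.` The e2e test removed in this commit covered the old "creator required" rule and nothing pins the new default, so a test asserting that a client POST without `creator_user_id` adds the caller would be worth adding. `onCreate` continues past the end of the hunk.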

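--- a/apps/e2e/tests/backend/endpoints/api/v1/teams.test.ts
+++ b/apps/e2e/tests/backend/endpoints/api/v1/teams.test.ts
@@ -113,39 +113,6 @@ it("does not allow creating a team when not signed in", async ({ expect }) => {
 `);
 });
 
-it("does not allow creating teams on the client without a creator", async ({ expect }) => {
-await Auth.Otp.signIn();
-const response = await niceBackendFetch("/api/v1/teams", {
-accessType: "client",
-method: "POST",
-body: {
-display_name: "New Team",
-},
-});
-expect(response).toMatchInlineSnapshot(`
-NiceResponse {
-"status": 400,
-"body": {
-"code": "SCHEMA_ERROR",
-"details": {
-"message": deindent\`
-Request validation failed on POST /api/v1/teams:
-- body.creator_user_id must be defined
-\`,
-},
-"error": deindent\`
-Request validation failed on POST /api/v1/teams:
-- body.creator_user_id must be defined
-\`,
-},
-"headers": Headers {
-"x-stack-known-error": "SCHEMA_ERROR",
-<some fields may have been hidden>,
-},
-}
-`);
-});
-
 it("does not allow creating teams on the client for a different creator", async ({ expect }) => {
 const { userId: userId1 } = await Auth.Otp.signIn();
 await bumpEmailAddress();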

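--- a/packages/stack-shared/src/interface/crud/teams.ts
+++ b/packages/stack-shared/src/interface/crud/teams.ts
@@ -30,7 +30,7 @@ export const teamsCrudServerUpdateSchema = teamsCrudClientUpdateSchema.concat(yu
 // Create
 export const teamsCrudClientCreateSchema = teamsCrudClientUpdateSchema.concat(yupObject({
 display_name: fieldSchema.teamDisplayNameSchema.defined(),
-creator_user_id: fieldSchema.teamCreatorUserIdSchema.defined(),
+creator_user_id: fieldSchema.teamCreatorUserIdSchema.optional(),
 }).defined());
 export const teamsCrudServerCreateSchema = teamsCrudServerUpdateSchema.concat(yupObject({
 display_name: fieldSchema.teamDisplayNameSchema.defined(),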
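Review bot: Making `creator_user_id` optional in `teamsCrudClientCreateSchema` moves the "must be the caller" rule entirely into the backend handler, and nothing at the schema says what an omitted value means to a client or SDK reader. A one-line comment on the field would keep that contract visible where the type is defined, e.g. `// Optional for clients: the backend substitutes the calling user and rejects any other id (see the teams crud onCreate handler).` The `teamsCrudServerCreateSchema` declaration starting at line 35 runs past the end of the hunk, so whether its own creator field changed cannot be seen here.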
