Improved user creation handlers

N2D4 · N2D4 · commit 5b9ee575f805 · 2024-08-10T09:45:48.000-07:00
diff --git a/apps/backend/src/app/api/v1/auth/otp/send-sign-in-code/route.tsx b/apps/backend/src/app/api/v1/auth/otp/send-sign-in-code/route.tsx
@@ -5,6 +5,7 @@ import { adaptSchema, clientOrHigherAuthTypeSchema, emailOtpSignInCallbackUrlSch
 import { StackAssertionError, StatusError } from "@stackframe/stack-shared/dist/utils/errors";
 import { usersCrudHandlers } from "../../../users/crud";
 import { signInVerificationCodeHandler } from "../sign-in/verification-code-handler";
+import { KnownErrors } from "@stackframe/stack-shared";
 
 export const POST = createSmartRouteHandler({
   metadata: {
@@ -54,6 +55,7 @@ export const POST = createSmartRouteHandler({
           primary_email: email,
           primary_email_verified: false,
         },
+        allowedErrorTypes: [KnownErrors.UserEmailAlreadyExists],
       });
       userObj = {
         projectUserId: createdUser.id,
diff --git a/apps/backend/src/app/api/v1/auth/password/sign-up/route.tsx b/apps/backend/src/app/api/v1/auth/password/sign-up/route.tsx
@@ -45,19 +45,6 @@ export const POST = createSmartRouteHandler({
       throw passwordError;
     }
 
-    // TODO: make this a transaction
-    const users = await prismaClient.projectUser.findMany({
-      where: {
-        projectId: project.id,
-        primaryEmail: email,
-        authWithEmail: true,
-      },
-    });
-
-    if (users.length > 0) {
-      throw new KnownErrors.UserEmailAlreadyExists();
-    }
-
     const createdUser = await usersCrudHandlers.adminCreate({
       project,
       data: {
@@ -66,6 +53,7 @@ export const POST = createSmartRouteHandler({
         primary_email_verified: false,
         password,
       },
+      allowedErrorTypes: [KnownErrors.UserEmailAlreadyExists],
     });
 
     await contactChannelVerificationCodeHandler.sendCode({
diff --git a/apps/backend/src/app/api/v1/team-invitations/accept/verification-code-handler.tsx b/apps/backend/src/app/api/v1/team-invitations/accept/verification-code-handler.tsx
@@ -6,6 +6,7 @@ import { VerificationCodeType } from "@prisma/client";
 import { UsersCrud } from "@stackframe/stack-shared/dist/interface/crud/users";
 import { yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { teamsCrudHandlers } from "../../teams/crud";
+import { KnownErrors } from "@stackframe/stack-shared";
 
 export const teamInvitationCodeHandler = createVerificationCodeHandler({
   metadata: {
diff --git a/apps/backend/src/app/api/v1/users/crud.tsx b/apps/backend/src/app/api/v1/users/crud.tsx
@@ -5,11 +5,12 @@ import { KnownErrors } from "@stackframe/stack-shared";
 import { currentUserCrud } from "@stackframe/stack-shared/dist/interface/crud/current-user";
 import { UsersCrud, usersCrud } from "@stackframe/stack-shared/dist/interface/crud/users";
 import { userIdOrMeSchema, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
-import { StackAssertionError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { StackAssertionError, StatusError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { hashPassword } from "@stackframe/stack-shared/dist/utils/password";
 import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
 import { teamPrismaToCrud } from "../teams/crud";
 import { sendUserCreatedWebhook, sendUserDeletedWebhook, sendUserUpdatedWebhook } from "@/lib/webhooks";
+import { getPasswordError } from "@stackframe/stack-shared/dist/helpers/password";
 
 const fullInclude = {
   projectUserOAuthAccounts: {
@@ -40,7 +41,7 @@ const prismaToCrud = (prisma: Prisma.ProjectUserGetPayload<{ include: typeof ful
     captureError("prismaToCrud", new StackAssertionError("User has authWithEmail but no primary email; this is an assertion error that should never happen", { prisma }));
   }
   const authMethods: UsersCrud["Admin"]["Read"]["auth_methods"] = [
-    ...prisma.passwordHash ? [{
+    ...prisma.authWithEmail && prisma.passwordHash ? [{
       type: 'password',
       identifier: prisma.primaryEmail ?? "",
     }] as const : [],
@@ -138,6 +139,28 @@ export const usersCrudHandlers = createLazyProxy(() => createCrudHandlers(usersC
     };
   },
   onCreate: async ({ auth, data }) => {
+    if (!data.primary_email && data.primary_email_auth_enabled) {
+      throw new StatusError(400, "primary_email_auth_enabled cannot be true without primary_email");
+    }
+    if (!data.primary_email_auth_enabled && data.password) {
+      throw new StatusError(400, "password cannot be set without primary_email_auth_enabled");
+    }
+    if (data.primary_email_auth_enabled) {
+      // TODO: make this a transaction
+      const users = await prismaClient.projectUser.findMany({
+        where: {
+          projectId: auth.project.id,
+          primaryEmail: data.primary_email,
+          authWithEmail: true,
+        },
+      });
+
+      if (users.length > 0) {
+        throw new KnownErrors.UserEmailAlreadyExists();
+      }
+    }
+
+
     const db = await prismaClient.projectUser.create({
       data: {
         projectId: auth.project.id,
diff --git a/apps/backend/src/route-handlers/crud-handler.tsx b/apps/backend/src/route-handlers/crud-handler.tsx
@@ -73,6 +73,7 @@ type CrudHandlerDirectByAccess<
     & {
       project: ProjectsCrud["Admin"]["Read"],
       user?: UsersCrud["Admin"]["Read"],
+      allowedErrorTypes?: (new (...args: any) => any)[],
     }
     & ({} extends yup.InferType<QS> ? {} : { query: yup.InferType<QS> })
     & (L extends "Create" | "List" ? Partial<yup.InferType<PS>> : yup.InferType<PS>)
@@ -231,11 +232,12 @@ export function createCrudHandlers<
           ...[...aat].map(([accessType, { invoke }]) => (
             [
               `${accessType}${crudOperation}`,
-              async ({ user, project, data, query, ...params }: yup.InferType<PS> & {
+              async ({ user, project, data, query, allowedErrorTypes, ...params }: yup.InferType<PS> & {
                 query?: yup.InferType<QS>,
                 project: ProjectsCrud["Admin"]["Read"],
                 user?: UsersCrud["Admin"]["Read"],
                 data: any,
+                allowedErrorTypes?: (new (...args: any) => any)[],
               }) => {
                 try {
                   return await invoke({
@@ -249,6 +251,9 @@ export function createCrudHandlers<
                     },
                   });
                 } catch (error) {
+                  if (allowedErrorTypes?.some((a) => error instanceof a)) {
+                    throw error;
+                  }
                   throw new CrudHandlerInvocationError(error);
                 }
               },
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/otp/sign-in.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/otp/sign-in.test.ts
@@ -1,5 +1,5 @@
 import { it } from "../../../../../../helpers";
-import { Auth } from "../../../../../backend-helpers";
+import { Auth, backendContext, niceBackendFetch } from "../../../../../backend-helpers";
 
 it("should sign up new users and sign in existing users", async ({ expect }) => {
   const res1 = await Auth.Otp.signIn();
@@ -30,6 +30,55 @@ it("should sign up new users and sign in existing users", async ({ expect }) =>
   `);
 });
 
+it("should sign in users created with the server API", async ({ expect }) => {
+  const response = await niceBackendFetch("/api/v1/users", {
+    accessType: "server",
+    method: "POST",
+    body: {
+      primary_email: backendContext.value.mailbox.emailAddress,
+      primary_email_auth_enabled: true,
+    },
+  });
+  const res2 = await Auth.Otp.signIn();
+  expect(res2.signInResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": {
+        "access_token": <stripped field 'access_token'>,
+        "is_new_user": false,
+        "refresh_token": <stripped field 'refresh_token'>,
+        "user_id": "<stripped UUID>",
+      },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
+
+it("should sign up a new user even if one already exists with email auth disabled", async ({ expect }) => {
+  const response = await niceBackendFetch("/api/v1/users", {
+    accessType: "server",
+    method: "POST",
+    body: {
+      primary_email: backendContext.value.mailbox.emailAddress,
+      primary_email_auth_enabled: false,
+    },
+  });
+  const res2 = await Auth.Otp.signIn();
+  expect(res2.signInResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": {
+        "access_token": <stripped field 'access_token'>,
+        "is_new_user": true,
+        "refresh_token": <stripped field 'refresh_token'>,
+        "user_id": "<stripped UUID>",
+      },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
+
+
 it.todo("should not sign in if primary e-mail changed since sign-in code was sent");
 
 it.todo("should verify primary e-mail");
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/users.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/users.test.ts
