satellite/admin: check for existing user with given email

To prevent creating multiple users with the same email via API, we should check for an existing user with given email. Change-Id: Ie35b85c4f94a7ca72d42951dab8ff475d7f0dd7c
2020-07-16 14:17:30 +02:00 · 2020-07-16 14:17:30 +02:00 · 1a6e25579c
commit 1a6e25579c
parent 0534b91085
2 changed files with 58 additions and 1 deletions
--- a/satellite/admin/user.go
+++ b/satellite/admin/user.go
@ -45,6 +45,16 @@ func (server *Server) addUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	existingUser, err := server.db.Console().Users().GetByEmail(ctx, input.Email)
+	if err != nil && !errors.Is(sql.ErrNoRows, err) {
+		http.Error(w, fmt.Sprintf("failed to check for user email %q: %v", input.Email, err), http.StatusInternalServerError)
+		return
+	}
+	if existingUser != nil {
+		http.Error(w, fmt.Sprintf("user with email already exists %s", input.Email), http.StatusConflict)
+		return
+	}
+
 	hash, err := bcrypt.GenerateFromPassword([]byte(input.Password), 0)
 	if err != nil {
 		http.Error(w, "Unable to save password hash", http.StatusInternalServerError)
--- a/satellite/admin/user_test.go
+++ b/satellite/admin/user_test.go
@ -103,6 +103,53 @@ func TestAddUser(t *testing.T) {
 	})
 }

+func TestAddUserSameEmail(t *testing.T) {
+	testplanet.Run(t, testplanet.Config{
+		SatelliteCount:   1,
+		StorageNodeCount: 0,
+		UplinkCount:      1,
+		Reconfigure: testplanet.Reconfigure{
+			Satellite: func(log *zap.Logger, index int, config *satellite.Config) {
+				config.Admin.Address = "127.0.0.1:0"
+			},
+		},
+	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
+		address := planet.Satellites[0].Admin.Admin.Listener.Addr()
+		email := "alice+2@mail.test"
+
+		body := strings.NewReader(fmt.Sprintf(`{"email":"%s","fullName":"Alice Test","password":"123a123"}`, email))
+		req, err := http.NewRequest(http.MethodPost, "http://"+address.String()+"/api/user", body)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", "very-secret-token")
+
+		response, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusOK, response.StatusCode)
+		responseBody, err := ioutil.ReadAll(response.Body)
+		require.NoError(t, err)
+		require.NoError(t, response.Body.Close())
+
+		var output console.User
+
+		err = json.Unmarshal(responseBody, &output)
+		require.NoError(t, err)
+
+		user, err := planet.Satellites[0].DB.Console().Users().Get(ctx, output.ID)
+		require.NoError(t, err)
+		require.Equal(t, email, user.Email)
+
+		// Add same user again, this should fail
+		body = strings.NewReader(fmt.Sprintf(`{"email":"%s","fullName":"Alice Test","password":"123a123"}`, email))
+		req, err = http.NewRequest(http.MethodPost, "http://"+address.String()+"/api/user", body)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", "very-secret-token")
+
+		response, err = http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusConflict, response.StatusCode)
+	})
+}
+
 func TestUpdateUser(t *testing.T) {
 	testplanet.Run(t, testplanet.Config{
 		SatelliteCount:   1,
@ -186,4 +233,4 @@ func TestDeleteUser(t *testing.T) {
 		require.NoError(t, response.Body.Close())
 		require.Equal(t, len(responseBody), 0)
 	})
-}
+}