Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Login social: If a twitter account doesn't have an e-mail, JHipster sets the wrong user_id #4024

Closed
jodevan opened this issue Aug 24, 2016 · 4 comments
Closed

Login social: If a twitter account doesn't have an e-mail, JHipster sets the wrong user_id #4024

jodevan opened this issue Aug 24, 2016 · 4 comments
Milestone
3.7.0

Comments

@jodevan
Copy link

jodevan commented Aug 24, 2016
edited
Loading

yo-rc.json.zip

Overview of the issue

If a twitter account doesn't have an e-mail, JHipster sets the wrong user_id in the jhi_social_user_connection table. This user_id belongs to the wrong user.

Motivation for or Use Case

Setting the user_id that belongs to another user is a really bad thing :-)

Reproduce the error
  1. Have an existing non-social user in the database;
  2. Login with a twitter user that doesn't have an e-mail set;
  3. Once logged in, you'll see "You are logged in as user xxx.", where xxx is a pre-existing user.
Related issues

Not applicable

Suggest a Fix

The problem lays in the method createUserIfNotExist(UserProfile userProfile, String langKey, TipoUsuario tipoUsuario, String providerId), in class SocialService:

private User createUserIfNotExist(UserProfile userProfile, String langKey, TipoUsuario tipoUsuario, String providerId) {
    String email = userProfile.getEmail();
    String userName = userProfile.getUsername();
    if (!StringUtils.isBlank(userName)) {
        userName = userName.toLowerCase(Locale.ENGLISH);
    }
    if (StringUtils.isBlank(email) && StringUtils.isBlank(userName)) {
        log.error("Cannot create social user because email and login are null");
        throw new IllegalArgumentException("Email and login cannot be null");
    }
    if (StringUtils.isBlank(email) && userRepository.findOneByLogin(userName).isPresent()) {
        log.error("Cannot create social user because email is null and login already exist, login -> {}", userName);
        throw new IllegalArgumentException("Email cannot be null with an existing login");
    }

    // **********************************************************************************************************
    // If email is null or blank, this method will bring some arbitrary user from the database
    // **********************************************************************************************************
    Optional<User> user = userRepository.findOneByEmail(email);
    if (user.isPresent()) {
        log.info("User already exist associate the connection to this account");
        return user.get();
    }
// ...
}

Suggested fix: just test if the email address is not empty:

if (!StringUtils.isBlank(email)) {
    Optional<User> user = userRepository.findOneByEmail(email);
    if (user.isPresent()) {
        log.info("User already exist associate the connection to this account");
        return user.get();
    }
}
JHipster Version(s)

3.4.2

JHipster configuration, a .yo-rc.json file generated in the root folder

{
"generator-jhipster": {
"jhipsterVersion": "3.4.2",
"baseName": "tc",
"packageName": "com.tc",
"packageFolder": "com/tc",
"serverPort": "8080",
"authenticationType": "session",
"hibernateCache": "hazelcast",
"clusteredHttpSession": "hazelcast",
"websocket": "spring-websocket",
"databaseType": "sql",
"devDatabaseType": "mysql",
"prodDatabaseType": "mysql",
"searchEngine": "no",
"buildTool": "maven",
"enableSocialSignIn": true,
"rememberMeKey": "3f987da705ca593beefbc9c6ef079575463b6d01",
"useSass": false,
"applicationType": "monolith",
"testFrameworks": [
"protractor"
],
"jhiPrefix": "jhi",
"enableTranslation": false
}
}

Entity configuration(s) entityName.json files generated in the .jhipster directory

Not applicable

Browsers and Operating System

Not applicable
@jodevan jodevan changed the title Login social: If the twitter accounts doesn't have an e-mail, JHipster sets the wrong user_id Login social: If a twitter account doesn't have an e-mail, JHipster sets the wrong user_id Aug 24, 2016
@jdubois
Copy link
Member

jdubois commented Aug 25, 2016

Is this linked to #3511 ?

@jodevan
Copy link
Author

jodevan commented Aug 25, 2016

It's related to it, but it's slightly different. #3511 claims to allow the e-mail address to be null.
This current bug is more like a consequence of allowing it, because in this scenario the line Optional<User> user = userRepository.findOneByEmail(email); may return some unpredictable user. The fix seems to be simple though and is already included in the bug description.
Sounds fair?

ruddell added a commit to ruddell/generator-jhipster that referenced this issue Aug 25, 2016
@ruddell
dont link social users with null emails to users with null emails
de32e3f 
Fix jhipster#4024
@ruddell
Copy link
Member

ruddell commented Aug 25, 2016

In order to reproduce it without two Twitter accounts, you have to set admin's email to null. Then login with Twitter and it will say you logged in as admin! Definitely not good

@ruddell ruddell mentioned this issue Aug 25, 2016
Merged
@jdubois
Copy link
Member

jdubois commented Aug 25, 2016

Yes good catch!

@jdubois jdubois modified the milestone: v3.7.0 Sep 11, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.7.0
Development

No branches or pull requests
3 participants
@jdubois @ruddell @jodevan