Add REST API for creating an account (#9572)

* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
This commit is contained in:
Eugen Rochko 2018-12-24 19:12:38 +01:00 committed by GitHub
parent acf9358c52
commit 5d2fc6de32
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 171 additions and 20 deletions

View file

@ -68,7 +68,7 @@ class Api::BaseController < ApplicationController
end end
def require_user! def require_user!
if current_user && !current_user.disabled? if current_user && !current_user.disabled? && current_user.confirmed?
set_user_activity set_user_activity
elsif current_user elsif current_user
render json: { error: 'Your login is currently disabled' }, status: 403 render json: { error: 'Your login is currently disabled' }, status: 403

View file

@ -1,14 +1,16 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::AccountsController < Api::BaseController class Api::V1::AccountsController < Api::BaseController
before_action -> { authorize_if_got_token! :read, :'read:accounts' }, except: [:follow, :unfollow, :block, :unblock, :mute, :unmute] before_action -> { authorize_if_got_token! :read, :'read:accounts' }, except: [:create, :follow, :unfollow, :block, :unblock, :mute, :unmute]
before_action -> { doorkeeper_authorize! :follow, :'write:follows' }, only: [:follow, :unfollow] before_action -> { doorkeeper_authorize! :follow, :'write:follows' }, only: [:follow, :unfollow]
before_action -> { doorkeeper_authorize! :follow, :'write:mutes' }, only: [:mute, :unmute] before_action -> { doorkeeper_authorize! :follow, :'write:mutes' }, only: [:mute, :unmute]
before_action -> { doorkeeper_authorize! :follow, :'write:blocks' }, only: [:block, :unblock] before_action -> { doorkeeper_authorize! :follow, :'write:blocks' }, only: [:block, :unblock]
before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:create]
before_action :require_user!, except: [:show] before_action :require_user!, except: [:show, :create]
before_action :set_account before_action :set_account, except: [:create]
before_action :check_account_suspension, only: [:show] before_action :check_account_suspension, only: [:show]
before_action :check_enabled_registrations, only: [:create]
respond_to :json respond_to :json
@ -16,6 +18,16 @@ class Api::V1::AccountsController < Api::BaseController
render json: @account, serializer: REST::AccountSerializer render json: @account, serializer: REST::AccountSerializer
end end
def create
token = AppSignUpService.new.call(doorkeeper_token.application, account_params)
response = Doorkeeper::OAuth::TokenResponse.new(token)
headers.merge!(response.headers)
self.response_body = Oj.dump(response.body)
self.status = response.status
end
def follow def follow
FollowService.new.call(current_user.account, @account, reblogs: truthy_param?(:reblogs)) FollowService.new.call(current_user.account, @account, reblogs: truthy_param?(:reblogs))
@ -62,4 +74,12 @@ class Api::V1::AccountsController < Api::BaseController
def check_account_suspension def check_account_suspension
gone if @account.suspended? gone if @account.suspended?
end end
def account_params
params.permit(:username, :email, :password, :agreement)
end
def check_enabled_registrations
forbidden if single_user_mode? || !Setting.open_registrations
end
end end

View file

@ -6,9 +6,9 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
before_action :set_body_classes before_action :set_body_classes
before_action :set_user, only: [:finish_signup] before_action :set_user, only: [:finish_signup]
# GET/PATCH /users/:id/finish_signup
def finish_signup def finish_signup
return unless request.patch? && params[:user] return unless request.patch? && params[:user]
if @user.update(user_params) if @user.update(user_params)
@user.skip_reconfirmation! @user.skip_reconfirmation!
bypass_sign_in(@user) bypass_sign_in(@user)
@ -31,4 +31,12 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
def user_params def user_params
params.require(:user).permit(:email) params.require(:user).permit(:email)
end end
def after_confirmation_path_for(_resource_name, user)
if user.created_by_application && truthy_param?(:redirect_to_app)
user.created_by_application.redirect_uri
else
super
end
end
end end

View file

@ -26,6 +26,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
resource.locale = I18n.locale resource.locale = I18n.locale
resource.invite_code = params[:invite_code] if resource.invite_code.blank? resource.invite_code = params[:invite_code] if resource.invite_code.blank?
resource.agreement = true
resource.build_account if resource.account.nil? resource.build_account if resource.account.nil?
end end

View file

@ -36,6 +36,7 @@
# invite_id :bigint(8) # invite_id :bigint(8)
# remember_token :string # remember_token :string
# chosen_languages :string is an Array # chosen_languages :string is an Array
# created_by_application_id :bigint(8)
# #
class User < ApplicationRecord class User < ApplicationRecord
@ -66,6 +67,7 @@ class User < ApplicationRecord
belongs_to :account, inverse_of: :user belongs_to :account, inverse_of: :user
belongs_to :invite, counter_cache: :uses, optional: true belongs_to :invite, counter_cache: :uses, optional: true
belongs_to :created_by_application, class_name: 'Doorkeeper::Application', optional: true
accepts_nested_attributes_for :account accepts_nested_attributes_for :account
has_many :applications, class_name: 'Doorkeeper::Application', as: :owner has_many :applications, class_name: 'Doorkeeper::Application', as: :owner
@ -74,6 +76,7 @@ class User < ApplicationRecord
validates :locale, inclusion: I18n.available_locales.map(&:to_s), if: :locale? validates :locale, inclusion: I18n.available_locales.map(&:to_s), if: :locale?
validates_with BlacklistedEmailValidator, if: :email_changed? validates_with BlacklistedEmailValidator, if: :email_changed?
validates_with EmailMxValidator, if: :validate_email_dns? validates_with EmailMxValidator, if: :validate_email_dns?
validates :agreement, acceptance: { allow_nil: false, accept: [true, 'true', '1'] }, on: :create
scope :recent, -> { order(id: :desc) } scope :recent, -> { order(id: :desc) }
scope :admins, -> { where(admin: true) } scope :admins, -> { where(admin: true) }
@ -294,7 +297,7 @@ class User < ApplicationRecord
end end
if resource.blank? if resource.blank?
resource = new(email: attributes[:email]) resource = new(email: attributes[:email], agreement: true)
if Devise.check_at_sign && !resource[:email].index('@') if Devise.check_at_sign && !resource[:email].index('@')
resource[:email] = Rpam2.getenv(resource.find_pam_service, attributes[:email], attributes[:password], 'email', false) resource[:email] = Rpam2.getenv(resource.find_pam_service, attributes[:email], attributes[:password], 'email', false)
resource[:email] = "#{attributes[:email]}@#{resource.find_pam_suffix}" unless resource[:email] resource[:email] = "#{attributes[:email]}@#{resource.find_pam_suffix}" unless resource[:email]
@ -307,7 +310,7 @@ class User < ApplicationRecord
resource = joins(:account).find_by(accounts: { username: attributes[Devise.ldap_uid.to_sym].first }) resource = joins(:account).find_by(accounts: { username: attributes[Devise.ldap_uid.to_sym].first })
if resource.blank? if resource.blank?
resource = new(email: attributes[:mail].first, account_attributes: { username: attributes[Devise.ldap_uid.to_sym].first }) resource = new(email: attributes[:mail].first, agreement: true, account_attributes: { username: attributes[Devise.ldap_uid.to_sym].first })
resource.ldap_setup(attributes) resource.ldap_setup(attributes)
end end

View file

@ -0,0 +1,23 @@
# frozen_string_literal: true
class AppSignUpService < BaseService
def call(app, params)
return unless allowed_registrations?
user_params = params.slice(:email, :password, :agreement)
account_params = params.slice(:username)
user = User.create!(user_params.merge(created_by_application: app, password_confirmation: user_params[:password], account_attributes: account_params))
Doorkeeper::AccessToken.create!(application: app,
resource_owner_id: user.id,
scopes: app.scopes,
expires_in: Doorkeeper.configuration.access_token_expires_in,
use_refresh_token: Doorkeeper.configuration.refresh_token_enabled?)
end
private
def allowed_registrations?
Setting.open_registrations && !Rails.configuration.x.single_user_mode
end
end

View file

@ -55,8 +55,12 @@
%tbody %tbody
%tr %tr
%td.button-primary %td.button-primary
= link_to confirmation_url(@resource, confirmation_token: @token) do - if @resource.created_by_application
%span= t 'devise.mailer.confirmation_instructions.action' = link_to confirmation_url(@resource, confirmation_token: @token, redirect_to_app: 'true') do
%span= t 'devise.mailer.confirmation_instructions.action_with_app', app: @resource.created_by_application.name
- else
= link_to confirmation_url(@resource, confirmation_token: @token) do
%span= t 'devise.mailer.confirmation_instructions.action'
%table.email-table{ cellspacing: 0, cellpadding: 0 } %table.email-table{ cellspacing: 0, cellpadding: 0 }
%tbody %tbody

View file

@ -4,7 +4,7 @@
<%= t 'devise.mailer.confirmation_instructions.explanation', host: site_hostname %> <%= t 'devise.mailer.confirmation_instructions.explanation', host: site_hostname %>
=> <%= confirmation_url(@resource, confirmation_token: @token) %> => <%= confirmation_url(@resource, confirmation_token: @token, redirect_to_app: @resource.created_by_application ? 'true' : nil) %>
<%= strip_tags(t('devise.mailer.confirmation_instructions.extra_html', terms_path: about_more_url, policy_path: terms_url)) %> <%= strip_tags(t('devise.mailer.confirmation_instructions.extra_html', terms_path: about_more_url, policy_path: terms_url)) %>

View file

@ -57,6 +57,10 @@ class Rack::Attack
req.authenticated_user_id if req.post? && req.path.start_with?('/api/v1/media') req.authenticated_user_id if req.post? && req.path.start_with?('/api/v1/media')
end end
throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
req.ip if req.post? && req.path == '/api/v1/accounts'
end
throttle('protected_paths', limit: 25, period: 5.minutes) do |req| throttle('protected_paths', limit: 25, period: 5.minutes) do |req|
req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX
end end

View file

@ -18,6 +18,7 @@ en:
mailer: mailer:
confirmation_instructions: confirmation_instructions:
action: Verify email address action: Verify email address
action_with_app: Confirm and return to %{app}
explanation: You have created an account on %{host} with this email address. You are one click away from activating it. If this wasn't you, please ignore this email. explanation: You have created an account on %{host} with this email address. You are one click away from activating it. If this wasn't you, please ignore this email.
extra_html: Please also check out <a href="%{terms_path}">the rules of the instance</a> and <a href="%{policy_path}">our terms of service</a>. extra_html: Please also check out <a href="%{terms_path}">the rules of the instance</a> and <a href="%{policy_path}">our terms of service</a>.
subject: 'Mastodon: Confirmation instructions for %{instance}' subject: 'Mastodon: Confirmation instructions for %{instance}'

View file

@ -336,7 +336,7 @@ Rails.application.routes.draw do
resources :relationships, only: :index resources :relationships, only: :index
end end
resources :accounts, only: [:show] do resources :accounts, only: [:create, :show] do
resources :statuses, only: :index, controller: 'accounts/statuses' resources :statuses, only: :index, controller: 'accounts/statuses'
resources :followers, only: :index, controller: 'accounts/follower_accounts' resources :followers, only: :index, controller: 'accounts/follower_accounts'
resources :following, only: :index, controller: 'accounts/following_accounts' resources :following, only: :index, controller: 'accounts/following_accounts'

View file

@ -0,0 +1,8 @@
class AddCreatedByApplicationIdToUsers < ActiveRecord::Migration[5.2]
disable_ddl_transaction!
def change
add_reference :users, :created_by_application, foreign_key: { to_table: 'oauth_applications', on_delete: :nullify }, index: false
add_index :users, :created_by_application_id, algorithm: :concurrently
end
end

View file

@ -10,7 +10,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 2018_12_13_185533) do ActiveRecord::Schema.define(version: 2018_12_19_235220) do
# These are extensions that must be enabled in order to support this database # These are extensions that must be enabled in order to support this database
enable_extension "plpgsql" enable_extension "plpgsql"
@ -637,8 +637,10 @@ ActiveRecord::Schema.define(version: 2018_12_13_185533) do
t.bigint "invite_id" t.bigint "invite_id"
t.string "remember_token" t.string "remember_token"
t.string "chosen_languages", array: true t.string "chosen_languages", array: true
t.bigint "created_by_application_id"
t.index ["account_id"], name: "index_users_on_account_id" t.index ["account_id"], name: "index_users_on_account_id"
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
t.index ["created_by_application_id"], name: "index_users_on_created_by_application_id"
t.index ["email"], name: "index_users_on_email", unique: true t.index ["email"], name: "index_users_on_email", unique: true
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
end end
@ -730,6 +732,7 @@ ActiveRecord::Schema.define(version: 2018_12_13_185533) do
add_foreign_key "subscriptions", "accounts", name: "fk_9847d1cbb5", on_delete: :cascade add_foreign_key "subscriptions", "accounts", name: "fk_9847d1cbb5", on_delete: :cascade
add_foreign_key "users", "accounts", name: "fk_50500f500d", on_delete: :cascade add_foreign_key "users", "accounts", name: "fk_50500f500d", on_delete: :cascade
add_foreign_key "users", "invites", on_delete: :nullify add_foreign_key "users", "invites", on_delete: :nullify
add_foreign_key "users", "oauth_applications", column: "created_by_application_id", on_delete: :nullify
add_foreign_key "web_push_subscriptions", "oauth_access_tokens", column: "access_token_id", on_delete: :cascade add_foreign_key "web_push_subscriptions", "oauth_access_tokens", column: "access_token_id", on_delete: :cascade
add_foreign_key "web_push_subscriptions", "users", on_delete: :cascade add_foreign_key "web_push_subscriptions", "users", on_delete: :cascade
add_foreign_key "web_settings", "users", name: "fk_11910667b2", on_delete: :cascade add_foreign_key "web_settings", "users", name: "fk_11910667b2", on_delete: :cascade

View file

@ -73,7 +73,7 @@ module Mastodon
def create(username) def create(username)
account = Account.new(username: username) account = Account.new(username: username)
password = SecureRandom.hex password = SecureRandom.hex
user = User.new(email: options[:email], password: password, admin: options[:role] == 'admin', moderator: options[:role] == 'moderator', confirmed_at: Time.now.utc) user = User.new(email: options[:email], password: password, agreement: true, admin: options[:role] == 'admin', moderator: options[:role] == 'moderator', confirmed_at: options[:confirmed] ? Time.now.utc : nil)
if options[:reattach] if options[:reattach]
account = Account.find_local(username) || Account.new(username: username) account = Account.find_local(username) || Account.new(username: username)

View file

@ -19,6 +19,40 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
end end
end end
describe 'POST #create' do
let(:app) { Fabricate(:application) }
let(:token) { Doorkeeper::AccessToken.find_or_create_for(app, nil, 'read write', nil, false) }
let(:agreement) { nil }
before do
post :create, params: { username: 'test', password: '12345678', email: 'hello@world.tld', agreement: agreement }
end
context 'given truthy agreement' do
let(:agreement) { 'true' }
it 'returns http success' do
expect(response).to have_http_status(200)
end
it 'returns a new access token as JSON' do
expect(body_as_json[:access_token]).to_not be_blank
end
it 'creates a user' do
user = User.find_by(email: 'hello@world.tld')
expect(user).to_not be_nil
expect(user.created_by_application_id).to eq app.id
end
end
context 'given no agreement' do
it 'returns http unprocessable entity' do
expect(response).to have_http_status(422)
end
end
end
describe 'GET #show' do describe 'GET #show' do
let(:scopes) { 'read:accounts' } let(:scopes) { 'read:accounts' }

View file

@ -3,4 +3,5 @@ Fabricator(:user) do
email { sequence(:email) { |i| "#{i}#{Faker::Internet.email}" } } email { sequence(:email) { |i| "#{i}#{Faker::Internet.email}" } }
password "123456789" password "123456789"
confirmed_at { Time.zone.now } confirmed_at { Time.zone.now }
agreement true
end end

View file

@ -106,19 +106,19 @@ RSpec.describe User, type: :model do
end end
it 'should allow a non-blacklisted user to be created' do it 'should allow a non-blacklisted user to be created' do
user = User.new(email: 'foo@example.com', account: account, password: password) user = User.new(email: 'foo@example.com', account: account, password: password, agreement: true)
expect(user.valid?).to be_truthy expect(user.valid?).to be_truthy
end end
it 'should not allow a blacklisted user to be created' do it 'should not allow a blacklisted user to be created' do
user = User.new(email: 'foo@mvrht.com', account: account, password: password) user = User.new(email: 'foo@mvrht.com', account: account, password: password, agreement: true)
expect(user.valid?).to be_falsey expect(user.valid?).to be_falsey
end end
it 'should not allow a subdomain blacklisted user to be created' do it 'should not allow a subdomain blacklisted user to be created' do
user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password) user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password, agreement: true)
expect(user.valid?).to be_falsey expect(user.valid?).to be_falsey
end end
@ -210,17 +210,17 @@ RSpec.describe User, type: :model do
end end
it 'should not allow a user to be created unless they are whitelisted' do it 'should not allow a user to be created unless they are whitelisted' do
user = User.new(email: 'foo@example.com', account: account, password: password) user = User.new(email: 'foo@example.com', account: account, password: password, agreement: true)
expect(user.valid?).to be_falsey expect(user.valid?).to be_falsey
end end
it 'should allow a user to be created if they are whitelisted' do it 'should allow a user to be created if they are whitelisted' do
user = User.new(email: 'foo@mastodon.space', account: account, password: password) user = User.new(email: 'foo@mastodon.space', account: account, password: password, agreement: true)
expect(user.valid?).to be_truthy expect(user.valid?).to be_truthy
end end
it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do
user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password) user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password, agreement: true)
expect(user.valid?).to be_falsey expect(user.valid?).to be_falsey
end end
@ -242,7 +242,7 @@ RSpec.describe User, type: :model do
it_behaves_like 'Settings-extended' do it_behaves_like 'Settings-extended' do
def create! def create!
User.create!(account: Fabricate(:account), email: 'foo@mastodon.space', password: 'abcd1234') User.create!(account: Fabricate(:account), email: 'foo@mastodon.space', password: 'abcd1234', agreement: true)
end end
def fabricate def fabricate

View file

@ -0,0 +1,41 @@
require 'rails_helper'
RSpec.describe AppSignUpService, type: :service do
let(:app) { Fabricate(:application, scopes: 'read write') }
let(:good_params) { { username: 'alice', password: '12345678', email: 'good@email.com', agreement: true } }
subject { described_class.new }
describe '#call' do
it 'returns nil when registrations are closed' do
Setting.open_registrations = false
expect(subject.call(app, good_params)).to be_nil
end
it 'raises an error when params are missing' do
expect { subject.call(app, {}) }.to raise_error ActiveRecord::RecordInvalid
end
it 'creates an unconfirmed user with access token' do
access_token = subject.call(app, good_params)
expect(access_token).to_not be_nil
user = User.find_by(id: access_token.resource_owner_id)
expect(user).to_not be_nil
expect(user.confirmed?).to be false
end
it 'creates access token with the app\'s scopes' do
access_token = subject.call(app, good_params)
expect(access_token).to_not be_nil
expect(access_token.scopes.to_s).to eq 'read write'
end
it 'creates an account' do
access_token = subject.call(app, good_params)
expect(access_token).to_not be_nil
user = User.find_by(id: access_token.resource_owner_id)
expect(user).to_not be_nil
expect(user.account).to_not be_nil
end
end
end