throws an error in case user tries to update email / password of a third party user (#249)

Co-authored-by: Rishabh <[email protected]>

Author: rishabhpoddar

CHANGELOG.md

@@ -8,6 +8,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+-   Fixes https://github.com/supertokens/supertokens-node/issues/244 - throws an error if a user tries to update email / password of a third party login user.
+
 ## [8.5.0] - 2022-01-14
 
 ### Added

lib/build/recipe/thirdpartyemailpassword/recipeImplementation/index.js

@@ -125,6 +125,14 @@ function getRecipeInterface(emailPasswordQuerier, thirdPartyQuerier) {
         },
         updateEmailOrPassword: function (input) {
             return __awaiter(this, void 0, void 0, function* () {
+                let user = yield this.getUserById({ userId: input.userId });
+                if (user === undefined) {
+                    return {
+                        status: "UNKNOWN_USER_ID_ERROR",
+                    };
+                } else if (user.thirdParty !== undefined) {
+                    throw new Error("Cannot update email or password of a user who signed up using third party login.");
+                }
                 return originalEmailPasswordImplementation.updateEmailOrPassword.bind(
                     emailPasswordRecipeImplementation_1.default(this)
                 )(input);

lib/ts/recipe/thirdpartyemailpassword/recipeImplementation/index.ts

@@ -103,11 +103,22 @@ export default function getRecipeInterface(
             return originalEmailPasswordImplementation.resetPasswordUsingToken.bind(DerivedEP(this))(input);
         },
 
-        updateEmailOrPassword: async function (input: {
-            userId: string;
-            email?: string;
-            password?: string;
-        }): Promise<{ status: "OK" | "UNKNOWN_USER_ID_ERROR" | "EMAIL_ALREADY_EXISTS_ERROR" }> {
+        updateEmailOrPassword: async function (
+            this: RecipeInterface,
+            input: {
+                userId: string;
+                email?: string;
+                password?: string;
+            }
+        ): Promise<{ status: "OK" | "UNKNOWN_USER_ID_ERROR" | "EMAIL_ALREADY_EXISTS_ERROR" }> {
+            let user = await this.getUserById({ userId: input.userId });
+            if (user === undefined) {
+                return {
+                    status: "UNKNOWN_USER_ID_ERROR",
+                };
+            } else if (user.thirdParty !== undefined) {
+                throw new Error("Cannot update email or password of a user who signed up using third party login.");
+            }
             return originalEmailPasswordImplementation.updateEmailOrPassword.bind(DerivedEP(this))(input);
         },
     };

test/thirdpartyemailpassword/signupFeature.test.js

@@ -819,4 +819,121 @@ describe(`signupTest: ${printPath("[test/thirdpartyemailpassword/signupFeature.t
         assert(usersNewest2.users[0].recipeId === "emailpassword");
         assert(usersNewest2.users[0].user.email === "[email protected]");
     });
+
+    it("updateEmailOrPassword function test for third party login", async function () {
+        await startST();
+
+        STExpress.init({
+            supertokens: {
+                connectionURI: "http://localhost:8080",
+            },
+            appInfo: {
+                apiDomain: "api.supertokens.io",
+                appName: "SuperTokens",
+                websiteDomain: "supertokens.io",
+            },
+            recipeList: [
+                ThirdPartyEmailPassword.init({
+                    providers: [this.customProvider1],
+                }),
+                Session.init(),
+            ],
+        });
+
+        let thirdPartyRecipe = ThirdPartyEmailPasswordRecipe.getInstanceOrThrowError();
+
+        assert.strictEqual(await ThirdPartyEmailPassword.getUserByThirdPartyInfo("custom", "user"), undefined);
+
+        const app = express();
+
+        app.use(middleware());
+
+        app.use(errorHandler());
+
+        nock("https://test.com").post("/oauth/token").reply(200, {});
+
+        {
+            let response = await new Promise((resolve) =>
+                request(app)
+                    .post("/auth/signinup")
+                    .send({
+                        thirdPartyId: "custom",
+                        code: "32432432",
+                        redirectURI: "http://localhost.org",
+                    })
+                    .end((err, res) => {
+                        if (err) {
+                            resolve(undefined);
+                        } else {
+                            resolve(res);
+                        }
+                    })
+            );
+            assert.strictEqual(response.statusCode, 200);
+
+            let signUpUserInfo = response.body.user;
+            let userInfo = await ThirdPartyEmailPassword.getUserByThirdPartyInfo("custom", "user");
+
+            assert.strictEqual(userInfo.email, signUpUserInfo.email);
+            assert.strictEqual(userInfo.id, signUpUserInfo.id);
+
+            try {
+                await ThirdPartyEmailPassword.updateEmailOrPassword({
+                    userId: userInfo.id,
+                    email: "[email protected]",
+                });
+                throw new Error("test failed");
+            } catch (err) {
+                if (
+                    err.message !== "Cannot update email or password of a user who signed up using third party login."
+                ) {
+                    throw err;
+                }
+            }
+        }
+
+        {
+            let response = await new Promise((resolve) =>
+                request(app)
+                    .post("/auth/signup")
+                    .send({
+                        formFields: [
+                            {
+                                id: "email",
+                                value: "[email protected]",
+                            },
+                            {
+                                id: "password",
+                                value: "pass@123",
+                            },
+                        ],
+                    })
+                    .end((err, res) => {
+                        if (err) {
+                            resolve(undefined);
+                        } else {
+                            resolve(res);
+                        }
+                    })
+            );
+            assert.strictEqual(response.statusCode, 200);
+
+            let signUpUserInfo = response.body.user;
+
+            let r = await ThirdPartyEmailPassword.updateEmailOrPassword({
+                userId: signUpUserInfo.id,
+                email: "[email protected]",
+                password: "haha@1234",
+            });
+
+            assert(r.status === "OK");
+
+            let r2 = await ThirdPartyEmailPassword.updateEmailOrPassword({
+                userId: signUpUserInfo.id + "123",
+                email: "[email protected]",
+            });
+
+            assert(r2.status === "UNKNOWN_USER_ID_ERROR");
+        }
+    });
 });