added onlyVerified auth collection option

CHANGELOG.md

@@ -63,6 +63,10 @@
 - Minor JSVM updates and fixes:
   - updated `$security.parseUnverifiedJWT(token)` and `$security.parseJWT(token, key)` to return the payload result as plain object
 
+- Removed incorrectly imported empty `local('')` font-face declarations.
+
+- Added `onlyVerified` auth collection option to globally disallow authentication requests for unverified users.
+
 
 ## v0.20.0-rc3
 

apis/collection_test.go

@@ -425,7 +425,7 @@ func TestCollectionCreate(t *testing.T) {
 				`"type":"auth"`,
 				`"system":false`,
 				`"schema":[{"system":false,"id":"12345789","name":"test","type":"text","required":false,"presentable":false,"unique":false,"options":{"min":null,"max":null,"pattern":""}}]`,
-				`"options":{"allowEmailAuth":false,"allowOAuth2Auth":false,"allowUsernameAuth":false,"exceptEmailDomains":null,"manageRule":null,"minPasswordLength":0,"onlyEmailDomains":null,"requireEmail":false}`,
+				`"options":{"allowEmailAuth":false,"allowOAuth2Auth":false,"allowUsernameAuth":false,"exceptEmailDomains":null,"manageRule":null,"minPasswordLength":0,"onlyEmailDomains":null,"onlyVerified":false,"requireEmail":false}`,
 			},
 			ExpectedEvents: map[string]int{
 				"OnModelBeforeCreate":             1,
@@ -1141,7 +1141,7 @@ func TestCollectionsImport(t *testing.T) {
 			},
 			ExpectedEvents: map[string]int{
 				"OnCollectionsBeforeImportRequest": 1,
-				"OnModelBeforeDelete":              3,
+				"OnModelBeforeDelete":              2,
 			},
 			AfterTestFunc: func(t *testing.T, app *tests.TestApp, res *http.Response) {
 				collections := []*models.Collection{}

apis/record_auth_test.go

@@ -212,7 +212,7 @@ func TestRecordAuthWithPassword(t *testing.T) {
 			},
 		},
 		{
-			Name:   "valid email and valid password in allowed collection",
+			Name:   "valid email (unverified) and valid password in allowed collection",
 			Method: http.MethodPost,
 			Url:    "/api/collections/users/auth-with-password",
 			Body: strings.NewReader(`{
@@ -225,6 +225,48 @@ func TestRecordAuthWithPassword(t *testing.T) {
 				`"token":"`,
 				`"id":"4q1xlclmfloku33"`,
 				`"email":"[email protected]"`,
+				`"verified":false`,
+			},
+			ExpectedEvents: map[string]int{
+				"OnRecordBeforeAuthWithPasswordRequest": 1,
+				"OnRecordAfterAuthWithPasswordRequest":  1,
+				"OnRecordAuthRequest":                   1,
+			},
+		},
+
+		// onlyVerified collection check
+		{
+			Name:   "unverified user in onlyVerified collection",
+			Method: http.MethodPost,
+			Url:    "/api/collections/clients/auth-with-password",
+			Body: strings.NewReader(`{
+				"identity":"[email protected]",
+				"password":"1234567890"
+			}`),
+			ExpectedStatus: 403,
+			ExpectedContent: []string{
+				`"data":{}`,
+			},
+			ExpectedEvents: map[string]int{
+				"OnRecordBeforeAuthWithPasswordRequest": 1,
+				"OnRecordAfterAuthWithPasswordRequest":  1,
+			},
+		},
+		{
+			Name:   "verified user in onlyVerified collection",
+			Method: http.MethodPost,
+			Url:    "/api/collections/clients/auth-with-password",
+			Body: strings.NewReader(`{
+				"identity":"[email protected]",
+				"password":"1234567890"
+			}`),
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"record":{`,
+				`"token":"`,
+				`"id":"gk390qegs4y47wn"`,
+				`"email":"[email protected]"`,
+				`"verified":true`,
 			},
 			ExpectedEvents: map[string]int{
 				"OnRecordBeforeAuthWithPasswordRequest": 1,
@@ -377,6 +419,41 @@ func TestRecordAuthRefresh(t *testing.T) {
 				"OnRecordAfterAuthRefreshRequest":  1,
 			},
 		},
+		{
+			Name:   "unverified auth record in onlyVerified collection",
+			Method: http.MethodPost,
+			Url:    "/api/collections/clients/auth-refresh",
+			RequestHeaders: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6Im8xeTBkZDBzcGQ3ODZtZCIsInR5cGUiOiJhdXRoUmVjb3JkIiwiY29sbGVjdGlvbklkIjoidjg1MXE0cjc5MHJoa25sIiwiZXhwIjoyMjA4OTg1MjYxfQ.-JYlrz5DcGzvb0nYx-xqnSFMu9dupyKY7Vg_FUm0OaM",
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents: map[string]int{
+				"OnRecordBeforeAuthRefreshRequest": 1,
+				"OnRecordAfterAuthRefreshRequest":  1,
+			},
+		},
+		{
+			Name:   "verified auth record in onlyVerified collection",
+			Method: http.MethodPost,
+			Url:    "/api/collections/clients/auth-refresh",
+			RequestHeaders: map[string]string{
+				"Authorization": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImdrMzkwcWVnczR5NDd3biIsInR5cGUiOiJhdXRoUmVjb3JkIiwiY29sbGVjdGlvbklkIjoidjg1MXE0cjc5MHJoa25sIiwiZXhwIjoyMjA4OTg1MjYxfQ.q34IWXrRWsjLvbbVNRfAs_J4SoTHloNBfdGEiLmy-D8",
+			},
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"token":`,
+				`"record":`,
+				`"id":"gk390qegs4y47wn"`,
+				`"verified":true`,
+				`"email":"[email protected]"`,
+			},
+			ExpectedEvents: map[string]int{
+				"OnRecordBeforeAuthRefreshRequest": 1,
+				"OnRecordAuthRequest":              1,
+				"OnRecordAfterAuthRefreshRequest":  1,
+			},
+		},
 		{
 			Name:   "OnRecordAfterAuthRefreshRequest error response",
 			Method: http.MethodPost,

apis/record_helpers.go

@@ -77,6 +77,10 @@ func RecordAuthResponse(
 	meta any,
 	finalizers ...func(token string) error,
 ) error {
+	if !authRecord.Verified() && authRecord.Collection().AuthOptions().OnlyVerified {
+		return NewForbiddenError("Please verify your email first.", nil)
+	}
+
 	token, tokenErr := tokens.NewRecordAuthToken(app, authRecord)
 	if tokenErr != nil {
 		return NewBadRequestError("Failed to create auth token.", tokenErr)

apis/record_helpers_test.go

@@ -83,6 +83,11 @@ func TestRecordAuthResponse(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	unverfiedAuthRecord, err := app.Dao().FindRecordById("clients", "o1y0dd0spd786md")
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	scenarios := []struct {
 		name               string
 		record             *models.Record
@@ -97,6 +102,11 @@ func TestRecordAuthResponse(t *testing.T) {
 			record:      nonAuthRecord,
 			expectError: true,
 		},
+		{
+			name:        "valid auth record but with unverified email in onlyVerified collection",
+			record:      unverfiedAuthRecord,
+			expectError: true,
+		},
 		{
 			name:        "valid auth record - without meta",
 			record:      authRecord,

forms/collections_import_test.go

@@ -206,7 +206,7 @@ func TestCollectionsImportSubmit(t *testing.T) {
 			expectError:            true,
 			expectCollectionsCount: totalCollections,
 			expectEvents: map[string]int{
-				"OnModelBeforeDelete": 3,
+				"OnModelBeforeDelete": 2,
 			},
 		},
 		{
@@ -418,44 +418,45 @@ func TestCollectionsImportSubmit(t *testing.T) {
 	}
 
 	for _, s := range scenarios {
-		testApp, _ := tests.NewTestApp()
-		defer testApp.Cleanup()
+		t.Run(s.name, func(t *testing.T) {
+			testApp, _ := tests.NewTestApp()
+			defer testApp.Cleanup()
 
-		form := forms.NewCollectionsImport(testApp)
+			form := forms.NewCollectionsImport(testApp)
 
-		// load data
-		loadErr := json.Unmarshal([]byte(s.jsonData), form)
-		if loadErr != nil {
-			t.Errorf("[%s] Failed to load form data: %v", s.name, loadErr)
-			continue
-		}
+			// load data
+			loadErr := json.Unmarshal([]byte(s.jsonData), form)
+			if loadErr != nil {
+				t.Fatalf("Failed to load form data: %v", loadErr)
+			}
 
-		err := form.Submit()
+			err := form.Submit()
 
-		hasErr := err != nil
-		if hasErr != s.expectError {
-			t.Errorf("[%s] Expected hasErr to be %v, got %v (%v)", s.name, s.expectError, hasErr, err)
-		}
+			hasErr := err != nil
+			if hasErr != s.expectError {
+				t.Fatalf("Expected hasErr to be %v, got %v (%v)", s.expectError, hasErr, err)
+			}
 
-		// check collections count
-		collections := []*models.Collection{}
-		if err := testApp.Dao().CollectionQuery().All(&collections); err != nil {
-			t.Fatal(err)
-		}
-		if len(collections) != s.expectCollectionsCount {
-			t.Errorf("[%s] Expected %d collections, got %d", s.name, s.expectCollectionsCount, len(collections))
-		}
+			// check collections count
+			collections := []*models.Collection{}
+			if err := testApp.Dao().CollectionQuery().All(&collections); err != nil {
+				t.Fatal(err)
+			}
+			if len(collections) != s.expectCollectionsCount {
+				t.Fatalf("Expected %d collections, got %d", s.expectCollectionsCount, len(collections))
+			}
 
-		// check events
-		if len(testApp.EventCalls) > len(s.expectEvents) {
-			t.Errorf("[%s] Expected events %v, got %v", s.name, s.expectEvents, testApp.EventCalls)
-		}
-		for event, expectedCalls := range s.expectEvents {
-			actualCalls := testApp.EventCalls[event]
-			if actualCalls != expectedCalls {
-				t.Errorf("[%s] Expected event %s to be called %d, got %d", s.name, event, expectedCalls, actualCalls)
+			// check events
+			if len(testApp.EventCalls) > len(s.expectEvents) {
+				t.Fatalf("Expected events %v, got %v", s.expectEvents, testApp.EventCalls)
 			}
-		}
+			for event, expectedCalls := range s.expectEvents {
+				actualCalls := testApp.EventCalls[event]
+				if actualCalls != expectedCalls {
+					t.Fatalf("Expected event %s to be called %d, got %d", event, expectedCalls, actualCalls)
+				}
+			}
+		})
 	}
 }
 

go.mod

@@ -7,8 +7,8 @@ require (
 	github.com/aws/aws-sdk-go v1.47.9
 	github.com/disintegration/imaging v1.6.2
 	github.com/domodwyer/mailyak/v3 v3.6.2
-	github.com/dop251/goja v0.0.0-20230919151941-fc55792775de
-	github.com/dop251/goja_nodejs v0.0.0-20230914102007-198ba9a8b098
+	github.com/dop251/goja v0.0.0-20231027120936-b396bb4c349d
+	github.com/dop251/goja_nodejs v0.0.0-20231122114759-e84d9a924c5c
 	github.com/fatih/color v1.16.0
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/gabriel-vasile/mimetype v1.4.3
@@ -56,7 +56,7 @@ require (
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/pprof v0.0.0-20230912144702-c363fe2c2ed8 // indirect
+	github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
 	github.com/google/uuid v1.4.0 // indirect
 	github.com/google/wire v0.5.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect

go.sum

@@ -85,10 +85,15 @@ github.com/dop251/goja v0.0.0-20211022113120-dc8c55024d06/go.mod h1:R9ET47fwRVRP
 github.com/dop251/goja v0.0.0-20230626124041-ba8a63e79201/go.mod h1:QMWlm50DNe14hD7t24KEqZuUdC9sOTy8W6XbCU1mlw4=
 github.com/dop251/goja v0.0.0-20230919151941-fc55792775de h1:lA38Xtzr1Wo+iQdkN2E11ziKXJYRxLlzK/e2/fdxoEI=
 github.com/dop251/goja v0.0.0-20230919151941-fc55792775de/go.mod h1:QMWlm50DNe14hD7t24KEqZuUdC9sOTy8W6XbCU1mlw4=
+github.com/dop251/goja v0.0.0-20231014103939-873a1496dc8e/go.mod h1:QMWlm50DNe14hD7t24KEqZuUdC9sOTy8W6XbCU1mlw4=
+github.com/dop251/goja v0.0.0-20231027120936-b396bb4c349d h1:wi6jN5LVt/ljaBG4ue79Ekzb12QfJ52L9Q98tl8SWhw=
+github.com/dop251/goja v0.0.0-20231027120936-b396bb4c349d/go.mod h1:QMWlm50DNe14hD7t24KEqZuUdC9sOTy8W6XbCU1mlw4=
 github.com/dop251/goja_nodejs v0.0.0-20210225215109-d91c329300e7/go.mod h1:hn7BA7c8pLvoGndExHudxTDKZ84Pyvv+90pbBjbTz0Y=
 github.com/dop251/goja_nodejs v0.0.0-20211022123610-8dd9abb0616d/go.mod h1:DngW8aVqWbuLRMHItjPUyqdj+HWPvnQe8V8y1nDpIbM=
 github.com/dop251/goja_nodejs v0.0.0-20230914102007-198ba9a8b098 h1:MdrnfFPrfMfxiwnoJU2vnJ9ucskslblk7UhNWZTO2Qo=
 github.com/dop251/goja_nodejs v0.0.0-20230914102007-198ba9a8b098/go.mod h1:phKgRwmVpHQiW0mh9HNXILv/e2MfH7kqAnDANHnpXdU=
+github.com/dop251/goja_nodejs v0.0.0-20231122114759-e84d9a924c5c h1:hLoodLRD4KLWIH8eyAQCLcH8EqIrjac7fCkp/fHnvuQ=
+github.com/dop251/goja_nodejs v0.0.0-20231122114759-e84d9a924c5c/go.mod h1:bhGPmCgCCTSRfiMYWjpS46IDo9EUZXlsuUaPXSWGbv0=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -154,6 +159,8 @@ github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3
 github.com/google/pprof v0.0.0-20230207041349-798e818bf904/go.mod h1:uglQLonpP8qtYCYyzA+8c/9qtqgA3qsXGYqCPKARAFg=
 github.com/google/pprof v0.0.0-20230912144702-c363fe2c2ed8 h1:gpptm606MZYGaMHMsB4Srmb6EbW/IVHnt04rcMXnkBQ=
 github.com/google/pprof v0.0.0-20230912144702-c363fe2c2ed8/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 h1:pUa4ghanp6q4IJHwE9RwLgmVFfReJN+KbQ8ExNEUUoQ=
+github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=

models/collection.go

@@ -179,6 +179,7 @@ type CollectionAuthOptions struct {
 	AllowEmailAuth     bool     `form:"allowEmailAuth" json:"allowEmailAuth"`
 	RequireEmail       bool     `form:"requireEmail" json:"requireEmail"`
 	ExceptEmailDomains []string `form:"exceptEmailDomains" json:"exceptEmailDomains"`
+	OnlyVerified       bool     `form:"onlyVerified" json:"onlyVerified"`
 	OnlyEmailDomains   []string `form:"onlyEmailDomains" json:"onlyEmailDomains"`
 	MinPasswordLength  int      `form:"minPasswordLength" json:"minPasswordLength"`
 }