Simplifies admin password role checks

2023-03-16 14:02:38 -07:00 · 2023-03-16 14:02:38 -07:00 · 5cbd334a42
parent 470ef737b5
commit 5cbd334a42
1 changed files with 14 additions and 16 deletions
--- a/packages/features/auth/lib/next-auth-options.ts
+++ b/packages/features/auth/lib/next-auth-options.ts
@ -21,6 +21,7 @@ import { clientSecretVerifier, hostedCal, isSAMLLoginEnabled } from "@calcom/fea
 import { APP_NAME, IS_TEAM_BILLING_ENABLED, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
 import { symmetricDecrypt } from "@calcom/lib/crypto";
 import { defaultCookies } from "@calcom/lib/default-cookies";
+import { isENVDev } from "@calcom/lib/env";
 import { randomString } from "@calcom/lib/random";
 import rateLimit from "@calcom/lib/rateLimit";
 import { serverConfig } from "@calcom/lib/serverConfig";
@ -165,28 +166,25 @@ const providers: Provider[] = [
        }).length > 0;

      // authentication success- but does it meet the minimum password requirements?
-      if (
-        user.role === "ADMIN" &&
-        ((user.identityProvider === IdentityProvider.CAL &&
-          !isPasswordValid(credentials.password, false, true)) ||
-          !user.twoFactorEnabled)
-      ) {
-        return {
-          id: user.id,
-          username: user.username,
-          email: user.email,
-          name: user.name,
-          role: "INACTIVE_ADMIN",
-          belongsToActiveTeam: hasActiveTeams,
-        };
-      }
+      const validateRole = (role: UserPermissionRole) => {
+        // User's role is not "ADMIN"
+        if (role !== "ADMIN") return role;
+        // User's identity provider is not "CAL"
+        if (user.identityProvider !== IdentityProvider.CAL) return role;
+        // User's password is valid and two-factor authentication is enabled
+        if (isPasswordValid(credentials.password, false, true) && user.twoFactorEnabled) return role;
+        // Code is running in a development environment
+        if (isENVDev) return role;
+        // By this point it is an ADMIN without valid security conditions
+        return "INACTIVE_ADMIN";
+      };

      return {
        id: user.id,
        username: user.username,
        email: user.email,
        name: user.name,
-        role: user.role,
+        role: validateRole(user.role),
        belongsToActiveTeam: hasActiveTeams,
      };
    },