1
0
mirror of https://github.com/Unleash/unleash.git synced 2025-01-06 00:07:44 +01:00
unleash.unleash/src/lib/services/account-service.ts
Nuno Góis c0bcc50b28
fix: add confirmation to disable password login (#3829)
https://linear.app/unleash/issue/2-1071/prevent-users-from-disabling-password-authentication-when-there-are-no

Improves the behavior of disabling password based login by adding some
relevant information and a confirmation dialog with a warning. This felt
better than trying to disable the toggle, by still allowing the end
users to make the decision, except now it should be a properly informed
decision with confirmation.


![image](https://github.com/Unleash/unleash/assets/14320932/2ca754d8-cfa2-4fda-984d-0c34b89750f3)

- **Password based administrators**: Admin accounts that have a password
set;
- **Other administrators**: Other admin users that do not have a
password. May be SSO, but may also be users that did not set a password
yet;
- **Admin service accounts**: Service accounts that have the admin root
role. Depending on how you're using the SA this may not necessarily mean
locking yourself out of an admin account, especially if you secured its
token beforehand;
- **Admin API tokens**: Similar to the above. If you secured an admin
API token beforehand, you still have access to all features through the
API;

Each one of them link to the respective page inside Unleash (e.g. users
page, service accounts page, tokens page...);

If you try to disable and press "save", and only in that scenario, you
are presented with the following confirmation dialog:


![image](https://github.com/Unleash/unleash/assets/14320932/5ad6d105-ad47-4d31-a1df-04737aed4e00)
2023-05-23 15:56:34 +01:00

82 lines
2.5 KiB
TypeScript

import { Logger } from '../logger';
import { IUser } from '../types/user';
import { IUnleashConfig } from '../types/option';
import { IAccountStore, IUnleashStores } from '../types/stores';
import { minutesToMilliseconds } from 'date-fns';
import { AccessService } from './access-service';
import { RoleName } from '../types/model';
import { IAdminCount } from 'lib/types/stores/account-store';
interface IUserWithRole extends IUser {
rootRole: number;
}
export class AccountService {
private logger: Logger;
private store: IAccountStore;
private accessService: AccessService;
private seenTimer: NodeJS.Timeout;
private lastSeenSecrets: Set<string> = new Set<string>();
constructor(
stores: Pick<IUnleashStores, 'accountStore' | 'eventStore'>,
{ getLogger }: Pick<IUnleashConfig, 'getLogger'>,
services: {
accessService: AccessService;
},
) {
this.logger = getLogger('service/account-service.ts');
this.store = stores.accountStore;
this.accessService = services.accessService;
this.updateLastSeen();
}
async getAll(): Promise<IUserWithRole[]> {
const accounts = await this.store.getAll();
const defaultRole = await this.accessService.getRootRole(
RoleName.VIEWER,
);
const userRoles = await this.accessService.getRootRoleForAllUsers();
const accountsWithRootRole = accounts.map((u) => {
const rootRole = userRoles.find((r) => r.userId === u.id);
const roleId = rootRole ? rootRole.roleId : defaultRole.id;
return { ...u, rootRole: roleId };
});
return accountsWithRootRole;
}
async getAccountByPersonalAccessToken(secret: string): Promise<IUser> {
return this.store.getAccountByPersonalAccessToken(secret);
}
async getAdminCount(): Promise<IAdminCount> {
return this.store.getAdminCount();
}
async updateLastSeen(): Promise<void> {
if (this.lastSeenSecrets.size > 0) {
const toStore = [...this.lastSeenSecrets];
this.lastSeenSecrets = new Set<string>();
await this.store.markSeenAt(toStore);
}
this.seenTimer = setTimeout(
async () => this.updateLastSeen(),
minutesToMilliseconds(3),
).unref();
}
addPATSeen(secret: string): void {
this.lastSeenSecrets.add(secret);
}
destroy(): void {
clearTimeout(this.seenTimer);
this.seenTimer = null;
}
}