accept proof of invitation from a new user only if the userId is unique among team members

michaelkamphausen · michaelkamphausen · commit 299a94177d18 · 2024-08-30T15:09:45.000+02:00
diff --git a/packages/auth/src/team/Team.ts b/packages/auth/src/team/Team.ts
@@ -554,8 +554,13 @@ export class Team extends EventEmitter<TeamEvents> {
     return invitations.validate(proof, invitation)
   }
 
-  /** Check if username is not used by any other person within the team. */
-  public validateUserName = (userName: string) => {
+  /** Check if userId and userName are not used by any other member within the team. */
+  public validateUser = (userId: string, userName: string) => {
+    const memberWithSameUserId = this.members().find(member => member.userId == userId)
+    if (memberWithSameUserId != undefined) {
+      return invitations.fail('userId is not unique within the team.')
+    }
+
     const memberWithSameUserName = this.members().find(member =>
       member.userName.toLowerCase() == userName.toLowerCase()
     )
@@ -575,8 +580,8 @@ export class Team extends EventEmitter<TeamEvents> {
     const invitationValidation = this.validateInvitation(proof)
     if (!invitationValidation.isValid) throw invitationValidation.error
 
-    const userNameValidation = this.validateUserName(userName)
-    if (!userNameValidation.isValid) throw userNameValidation.error
+    const userValidation = this.validateUser(memberKeys.name, userName)
+    if (!userValidation.isValid) throw userValidation.error
 
     const { id } = proof
 
diff --git a/packages/auth/src/team/test/invitations.test.ts b/packages/auth/src/team/test/invitations.test.ts
@@ -274,13 +274,42 @@ describe('Team', () => {
           alice.team.admitMember(proofOfInvitation, bob.user.keys, alice.user.userName)
         }
 
-        // 👎 But the invitation is rejected because it the username is not unique
+        // 👎 But the invitation is rejected because the username is not unique
         expect(tryToAdmitBob).toThrowError('Username is not unique within the team.')
 
         // ❌ 👨🏻‍🦲 Bob is not on the team
         expect(alice.team.has(bob.userId)).toBe(false)
       })
 
+      it("won't accept proof of invitation with a userId that is not unique", () => {
+        const { alice, eve } = setup('alice', { user: 'eve', member: false })
+
+        // 👩🏾 Alice invites 🦹‍♀️ Eve by sending her a random secret key
+        const { seed } = alice.team.inviteMember()
+
+        // 🦹‍♀️ Eve accepts the invitation
+        const proofOfInvitation = generateProof(seed)
+
+        // 🦹‍♀️ Eve prepares keys using Alice's userId
+        const keysWithAliceUserId = {
+          ...eve.user.keys,
+          name: alice.userId
+        }
+
+        // 🦹‍♀️ Eve shows 👩🏾 Alice her proof of invitation, but uses Alice's userId
+        const tryToAdmitEve = () => {
+          alice.team.admitMember(proofOfInvitation, keysWithAliceUserId, eve.user.userName)
+        }
+
+        // 👎 But the invitation is rejected because the userId is not unique
+        expect(tryToAdmitEve).toThrowError('userId is not unique within the team.')
+
+        // ❌ 🦹‍♀️ Eve is not on the team
+        expect(alice.team.has(eve.userId)).toBe(false)
+        expect(alice.team.state.members.filter(({ userId }) => alice.userId)).toHaveLength(1)
+        expect(alice.team.members(alice.userId).userName == alice.userName).toBe(true)
+      })
+
       describe('devices', () => {
         it('creates and accepts an invitation for a device', () => {
           const { alice: aliceLaptop } = setup('alice')
diff --git a/packages/auth/src/team/validate.ts b/packages/auth/src/team/validate.ts
@@ -113,11 +113,19 @@ const validators: TeamStateValidatorSet = {
     return VALID
   },
 
-  /** Check if the username is not used by any other person within the team */
-  mustBeUniqueUsername(...args) {
+  /** Check if userId and userName are not used by any other member within the team */
+  mustBeUniqueUserNameAndUserId(...args) {
     const [previousState, link] = args
     if (link.body.type === 'ADMIT_MEMBER') {
-      const { userName } = link.body.payload
+      const { userName, memberKeys } = link.body.payload
+
+      const memberWithSameUserId = previousState.members.find(member => 
+        member.userId == memberKeys.name
+      )
+      if (memberWithSameUserId != undefined) {
+        return fail('userId is not unique within the team.', ...args)
+      }
+
       const memberWithSameUserName = previousState.members.find(member => 
         member.userName.toLowerCase() == userName.toLowerCase()
       )
