accept proof of invitation from a new user only if the username is unique among team members

michaelkamphausen · michaelkamphausen · commit 96c3ad5a90b5 · 2024-08-30T15:09:07.000+02:00
diff --git a/packages/auth/src/team/Team.ts b/packages/auth/src/team/Team.ts
@@ -554,14 +554,29 @@ export class Team extends EventEmitter<TeamEvents> {
     return invitations.validate(proof, invitation)
   }
 
+  /** Check if username is not used by any other person within the team. */
+  public validateUserName = (userName: string) => {
+    const memberWithSameUserName = this.members().find(member =>
+      member.userName.toLowerCase() == userName.toLowerCase()
+    )
+    if (memberWithSameUserName != undefined) {
+      return invitations.fail('Username is not unique within the team.')
+    }
+
+    return VALID;
+  }
+
   /** An existing team member calls this to admit a new member & their device to the team based on proof of invitation */
   public admitMember = (
     proof: ProofOfInvitation,
     memberKeys: Keyset | KeysetWithSecrets, // We accept KeysetWithSecrets here to simplify testing - in practice we'll only receive Keyset
     userName: string // The new member's desired user-facing name
   ) => {
-    const validation = this.validateInvitation(proof)
-    if (!validation.isValid) throw validation.error
+    const invitationValidation = this.validateInvitation(proof)
+    if (!invitationValidation.isValid) throw invitationValidation.error
+
+    const userNameValidation = this.validateUserName(userName)
+    if (!userNameValidation.isValid) throw userNameValidation.error
 
     const { id } = proof
 
diff --git a/packages/auth/src/team/test/invitations.test.ts b/packages/auth/src/team/test/invitations.test.ts
@@ -80,7 +80,7 @@ describe('Team', () => {
         expect(bobsTeam.memberIsAdmin(bob.userId)).toBe(false)
 
         // 👳🏽‍♂️ Charlie shows 👨🏻‍🦲 Bob his proof of invitation
-        bobsTeam.admitMember(proofOfInvitation, charlie.user.keys, bob.user.userName)
+        bobsTeam.admitMember(proofOfInvitation, charlie.user.keys, charlie.user.userName)
 
         // 👍👳🏽‍♂️ Charlie is now on the team
         expect(bobsTeam.has(charlie.userId)).toBe(true)
@@ -260,6 +260,27 @@ describe('Team', () => {
         expect(submitBadProof).toThrow('Signature provided is not valid')
       })
 
+      it("won't accept proof of invitation with a username that is not unique", () => {
+        const { alice, bob } = setup('alice', { user: 'bob', member: false })
+
+        // 👩🏾 Alice invites 👨🏻‍🦲 Bob by sending him a random secret key
+        const { seed } = alice.team.inviteMember()
+
+        // 👨🏻‍🦲 Bob accepts the invitation
+        const proofOfInvitation = generateProof(seed)
+
+        // 👨🏻‍🦲 Bob shows 👩🏾 Alice his proof of invitation, but uses Alice's username
+        const tryToAdmitBob = () => {
+          alice.team.admitMember(proofOfInvitation, bob.user.keys, alice.user.userName)
+        }
+
+        // 👎 But the invitation is rejected because it the username is not unique
+        expect(tryToAdmitBob).toThrowError('Username is not unique within the team.')
+
+        // ❌ 👨🏻‍🦲 Bob is not on the team
+        expect(alice.team.has(bob.userId)).toBe(false)
+      })
+
       describe('devices', () => {
         it('creates and accepts an invitation for a device', () => {
           const { alice: aliceLaptop } = setup('alice')
diff --git a/packages/auth/src/team/validate.ts b/packages/auth/src/team/validate.ts
@@ -112,6 +112,22 @@ const validators: TeamStateValidatorSet = {
     }
     return VALID
   },
+
+  /** Check if the username is not used by any other person within the team */
+  mustBeUniqueUsername(...args) {
+    const [previousState, link] = args
+    if (link.body.type === 'ADMIT_MEMBER') {
+      const { userName } = link.body.payload
+      const memberWithSameUserName = previousState.members.find(member => 
+        member.userName.toLowerCase() == userName.toLowerCase()
+      )
+
+      if (memberWithSameUserName != undefined) {
+        return fail('Username is not unique within the team.', ...args)
+      }
+    }
+    return VALID
+  },
 }
 
 const fail = (message: string, previousState: TeamState, link: TeamLink) => {
