fix: Onboarding & other UI fixes, security improvements (#2036)

Co-authored-by: Štěpán Granát <granat.stepan@gmail.com>

backend/api/src/main/kotlin/io/tolgee/security/third_party/GithubOAuthDelegate.kt

@@ -4,11 +4,10 @@ import io.tolgee.configuration.tolgee.GithubAuthenticationProperties
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.AuthenticationException
-import io.tolgee.model.Invitation
 import io.tolgee.model.UserAccount
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
-import io.tolgee.service.InvitationService
+import io.tolgee.service.security.SignUpService
 import io.tolgee.service.security.UserAccountService
 import org.springframework.http.HttpEntity
 import org.springframework.http.HttpHeaders
@@ -24,8 +23,8 @@ class GithubOAuthDelegate(
  private val jwtService: JwtService,
  private val userAccountService: UserAccountService,
  private val restTemplate: RestTemplate,
- private val properties: TolgeeProperties,
- private val invitationService: InvitationService
+ properties: TolgeeProperties,
+ private val signUpService: SignUpService
 ) {
  private val githubConfigurationProperties: GithubAuthenticationProperties = properties.authentication.github
 
@@ -72,25 +71,15 @@ class GithubOAuthDelegate(
  throw AuthenticationException(Message.USERNAME_ALREADY_EXISTS)
  }
 
- var invitation: Invitation? = null
- if (invitationCode == null) {
- if (!properties.authentication.registrationsAllowed) {
- throw AuthenticationException(Message.REGISTRATIONS_NOT_ALLOWED)
- }
- } else {
- invitation = invitationService.getInvitation(invitationCode)
- }
-
  val newUserAccount = UserAccount()
  newUserAccount.username = githubEmail
  newUserAccount.name = userResponse.name ?: userResponse.login
  newUserAccount.thirdPartyAuthId = userResponse.id
  newUserAccount.thirdPartyAuthType = "github"
  newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
- userAccountService.createUser(newUserAccount)
- if (invitation != null) {
- invitationService.accept(invitation.code, newUserAccount)
- }
+
+ signUpService.signUp(newUserAccount, invitationCode, null)
+
  newUserAccount
  }
  val jwt = jwtService.emitToken(user.id)

backend/api/src/main/kotlin/io/tolgee/security/third_party/GoogleOAuthDelegate.kt

@@ -4,11 +4,10 @@ import io.tolgee.configuration.tolgee.GoogleAuthenticationProperties
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.AuthenticationException
-import io.tolgee.model.Invitation
 import io.tolgee.model.UserAccount
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
-import io.tolgee.service.InvitationService
+import io.tolgee.service.security.SignUpService
 import io.tolgee.service.security.UserAccountService
 import org.springframework.http.HttpEntity
 import org.springframework.http.HttpHeaders
@@ -23,8 +22,8 @@ class GoogleOAuthDelegate(
  private val jwtService: JwtService,
  private val userAccountService: UserAccountService,
  private val restTemplate: RestTemplate,
- private val properties: TolgeeProperties,
- private val invitationService: InvitationService
+ properties: TolgeeProperties,
+ private val signUpService: SignUpService
 ) {
  private val googleConfigurationProperties: GoogleAuthenticationProperties = properties.authentication.google
 
@@ -78,26 +77,14 @@ class GoogleOAuthDelegate(
  throw AuthenticationException(Message.USERNAME_ALREADY_EXISTS)
  }
 
- var invitation: Invitation? = null
- if (invitationCode == null) {
- if (!properties.authentication.registrationsAllowed) {
- throw AuthenticationException(Message.REGISTRATIONS_NOT_ALLOWED)
- }
- } else {
- invitation = invitationService.getInvitation(invitationCode)
- }
-
  val newUserAccount = UserAccount()
  newUserAccount.username = userResponse.email
  ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
  newUserAccount.name = userResponse.name ?: (userResponse.given_name + " " + userResponse.family_name)
  newUserAccount.thirdPartyAuthId = userResponse.sub
  newUserAccount.thirdPartyAuthType = "google"
  newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
- userAccountService.createUser(newUserAccount)
- if (invitation != null) {
- invitationService.accept(invitation.code, newUserAccount)
- }
+ signUpService.signUp(newUserAccount, invitationCode, null)
 
  newUserAccount
  }

backend/api/src/main/kotlin/io/tolgee/security/third_party/OAuth2Delegate.kt

@@ -4,11 +4,10 @@ import io.tolgee.configuration.tolgee.OAuth2AuthenticationProperties
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.exceptions.AuthenticationException
-import io.tolgee.model.Invitation
 import io.tolgee.model.UserAccount
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
-import io.tolgee.service.InvitationService
+import io.tolgee.service.security.SignUpService
 import io.tolgee.service.security.UserAccountService
 import org.slf4j.LoggerFactory
 import org.springframework.http.HttpEntity
@@ -27,8 +26,8 @@ class OAuth2Delegate(
  private val jwtService: JwtService,
  private val userAccountService: UserAccountService,
  private val restTemplate: RestTemplate,
- private val properties: TolgeeProperties,
- private val invitationService: InvitationService
+ properties: TolgeeProperties,
+ private val signUpService: SignUpService
 ) {
  private val oauth2ConfigurationProperties: OAuth2AuthenticationProperties = properties.authentication.oauth2
  private val logger = LoggerFactory.getLogger(this::class.java)
@@ -96,15 +95,6 @@ class OAuth2Delegate(
  throw AuthenticationException(Message.USERNAME_ALREADY_EXISTS)
  }
 
- var invitation: Invitation? = null
- if (invitationCode == null) {
- if (!properties.authentication.registrationsAllowed) {
- throw AuthenticationException(Message.REGISTRATIONS_NOT_ALLOWED)
- }
- } else {
- invitation = invitationService.getInvitation(invitationCode)
- }
-
  val newUserAccount = UserAccount()
  newUserAccount.username =
  userResponse.email ?: throw AuthenticationException(Message.THIRD_PARTY_AUTH_NO_EMAIL)
@@ -120,10 +110,8 @@ class OAuth2Delegate(
  newUserAccount.thirdPartyAuthId = userResponse.sub
  newUserAccount.thirdPartyAuthType = "oauth2"
  newUserAccount.accountType = UserAccount.AccountType.THIRD_PARTY
- userAccountService.createUser(newUserAccount)
- if (invitation != null) {
- invitationService.accept(invitation.code, newUserAccount)
- }
+ signUpService.signUp(newUserAccount, invitationCode, null)
+
  newUserAccount
  }
  val jwt = jwtService.emitToken(user.id)

backend/app/src/main/kotlin/io/tolgee/commandLineRunners/InitialUserCreatorCommandLineRunner.kt

@@ -2,7 +2,6 @@ package io.tolgee.commandLineRunners
 
 import io.tolgee.configuration.tolgee.InternalProperties
 import io.tolgee.configuration.tolgee.TolgeeProperties
-import io.tolgee.dtos.request.auth.SignUpDto
 import io.tolgee.dtos.request.organization.OrganizationDto
 import io.tolgee.model.UserAccount
 import io.tolgee.security.InitialPasswordManager
@@ -45,10 +44,29 @@ class InitialUserCreatorCommandLineRunner(
  fun createInitialUser() {
  logger.info("Creating initial user...")
  val initialUsername = properties.authentication.initialUsername
+
+ // Check if the account already exists.
+ // This can only be the case on Tolgee 3.x series and should be removed on Tolgee 4.
+ val candidate = userAccountService.findActive(initialUsername)
+ if (candidate != null) {
+ candidate.isInitialUser = true
+ userAccountService.save(candidate)
+ return
+ }
+
  val initialPassword = initialPasswordManager.initialPassword
- val user = userAccountService.createInitialUser(
- SignUpDto(email = initialUsername, password = initialPassword, name = initialUsername),
- )
+ val user = UserAccount(
+ username = initialUsername,
+ password = passwordEncoder.encode(initialPassword),
+ name = initialUsername,
+ role = UserAccount.Role.ADMIN,
+ ).apply {
+ passwordChanged = false
+ isInitialUser = true
+ }
+
+ userAccountService.createUser(userAccount = user)
+ userAccountService.transferLegacyNoAuthUser()
 
  // If the user was already existing, it may already have assigned orgs.
  // To avoid conflicts, we only create the org if the user doesn't have any.

backend/data/src/main/kotlin/io/tolgee/component/demoProject/DemoProjectCreator.kt

@@ -45,7 +45,7 @@ class DemoProjectCreator(
  val project = Project().apply {
  name = "Demo project"
  this@apply.organizationOwner = organization
- this.description = "This is a demo project of an packing list app"
+ this.description = "This is a demo project of a packing list app"
  }
  projectService.save(project)
  setAvatar(project)

backend/data/src/main/kotlin/io/tolgee/development/DbPopulatorReal.kt

@@ -2,7 +2,6 @@ package io.tolgee.development
 
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.dtos.request.LanguageDto
-import io.tolgee.dtos.request.auth.SignUpDto
 import io.tolgee.dtos.request.organization.OrganizationDto
 import io.tolgee.model.ApiKey
 import io.tolgee.model.Language
@@ -25,6 +24,7 @@ import io.tolgee.service.security.UserAccountService
 import io.tolgee.util.SlugGenerator
 import io.tolgee.util.executeInNewTransaction
 import jakarta.persistence.EntityManager
+import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.stereotype.Service
 import org.springframework.transaction.PlatformTransactionManager
 import org.springframework.transaction.annotation.Transactional
@@ -45,6 +45,7 @@ class DbPopulatorReal(
  private val apiKeyService: ApiKeyService,
  private val languageStatsService: LanguageStatsService,
  private val platformTransactionManager: PlatformTransactionManager,
+ private val passwordEncoder: PasswordEncoder
 ) {
  private lateinit var de: Language
  private lateinit var en: Language
@@ -59,12 +60,17 @@ class DbPopulatorReal(
 
  fun createUserIfNotExists(username: String, password: String? = null, name: String? = null): UserAccount {
  return userAccountService.findActive(username) ?: let {
- val signUpDto = SignUpDto(
- name = name ?: username, email = username,
- password = password
- ?: initialPasswordManager.initialPassword
+
+ val rawPassword = password
+ ?: initialPasswordManager.initialPassword
+
+ userAccountService.createUser(
+ UserAccount(
+ name = name ?: username,
+ username = username,
+ password = passwordEncoder.encode(rawPassword)
+ )
  )
- userAccountService.createUser(signUpDto)
  }
  }
 

backend/data/src/main/kotlin/io/tolgee/service/InvitationService.kt

@@ -21,21 +21,20 @@ import io.tolgee.service.organization.OrganizationRoleService
 import io.tolgee.service.security.PermissionService
 import io.tolgee.util.Logging
 import org.apache.commons.lang3.RandomStringUtils
-import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Service
 import org.springframework.transaction.annotation.Transactional
 import java.time.Duration
 import java.time.Instant
 import java.util.*
 
 @Service
-class InvitationService @Autowired constructor(
+class InvitationService(
  private val invitationRepository: InvitationRepository,
  private val authenticationFacade: AuthenticationFacade,
  private val organizationRoleService: OrganizationRoleService,
  private val permissionService: PermissionService,
  private val invitationEmailSender: InvitationEmailSender,
- private val businessEventPublisher: BusinessEventPublisher
+ private val businessEventPublisher: BusinessEventPublisher,
 ) : Logging {
  @Transactional
  fun create(params: CreateProjectInvitationParams): Invitation {

backend/data/src/main/kotlin/io/tolgee/service/security/SignUpService.kt

@@ -3,14 +3,17 @@ package io.tolgee.service.security
 import io.tolgee.configuration.tolgee.TolgeeProperties
 import io.tolgee.constants.Message
 import io.tolgee.dtos.request.auth.SignUpDto
+import io.tolgee.exceptions.AuthenticationException
 import io.tolgee.exceptions.BadRequestException
 import io.tolgee.model.Invitation
+import io.tolgee.model.UserAccount
 import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.payload.JwtAuthenticationResponse
 import io.tolgee.service.EmailVerificationService
 import io.tolgee.service.InvitationService
 import io.tolgee.service.QuickStartService
 import io.tolgee.service.organization.OrganizationService
+import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.stereotype.Service
 import org.springframework.transaction.annotation.Transactional
 
@@ -22,39 +25,56 @@ class SignUpService(
  private val jwtService: JwtService,
  private val emailVerificationService: EmailVerificationService,
  private val organizationService: OrganizationService,
- private val quickStartService: QuickStartService
+ private val quickStartService: QuickStartService,
+ private val passwordEncoder: PasswordEncoder
 ) {
  @Transactional
  fun signUp(dto: SignUpDto): JwtAuthenticationResponse? {
- var invitation: Invitation? = null
- if (dto.invitationCode == null) {
- tolgeeProperties.authentication.checkAllowedRegistrations()
- } else {
- invitation = invitationService.getInvitation(dto.invitationCode) // it throws an exception
- }
-
  userAccountService.findActive(dto.email)?.let {
  throw BadRequestException(Message.USERNAME_ALREADY_EXISTS)
  }
 
- val user = userAccountService.createUser(dto)
+ val user = dtoToEntity(dto)
+ signUp(user, dto.invitationCode, dto.organizationName)
+
+ if (!tolgeeProperties.authentication.needsEmailVerification) {
+ return JwtAuthenticationResponse(jwtService.emitToken(user.id, true))
+ }
+
+ emailVerificationService.createForUser(user, dto.callbackUrl)
+
+ return null
+ }
+
+ fun signUp(entity: UserAccount, invitationCode: String?, organizationName: String?): UserAccount {
+ val invitation = findAndCheckInvitationOnRegistration(invitationCode)
+ val user = userAccountService.createUser(entity)
  if (invitation != null) {
  invitationService.accept(invitation.code, user)
  }
 
  val canCreateOrganization = tolgeeProperties.authentication.userCanCreateOrganizations
- if (canCreateOrganization && (invitation == null || !dto.organizationName.isNullOrBlank())) {
- val name = if (dto.organizationName.isNullOrBlank()) user.name else dto.organizationName!!
+ if (canCreateOrganization && (invitation == null || !organizationName.isNullOrBlank())) {
+ val name = if (organizationName.isNullOrBlank()) user.name else organizationName
  val organization = organizationService.createPreferred(user, name)
  quickStartService.create(user, organization)
  }
+ return user
+ }
 
- if (!tolgeeProperties.authentication.needsEmailVerification) {
- return JwtAuthenticationResponse(jwtService.emitToken(user.id, true))
- }
-
- emailVerificationService.createForUser(user, dto.callbackUrl)
+ fun dtoToEntity(request: SignUpDto): UserAccount {
+ val encodedPassword = passwordEncoder.encode(request.password!!)
+ return UserAccount(name = request.name, username = request.email, password = encodedPassword)
+ }
 
- return null
+ @Transactional
+ fun findAndCheckInvitationOnRegistration(invitationCode: String?): Invitation? {
+ if (invitationCode == null) {
+ if (!tolgeeProperties.authentication.registrationsAllowed) {
+ throw AuthenticationException(Message.REGISTRATIONS_NOT_ALLOWED)
+ }
+ return null
+ }
+ return invitationService.getInvitation(invitationCode)
  }
 }