From f0ab02e6f5c2f8ca8625d30ea72510997cc7b0f3 Mon Sep 17 00:00:00 2001 From: Coby Tamayo Date: Wed, 15 Apr 2026 20:18:40 -0700 Subject: [PATCH 1/4] fix invitation hash --- plugins/auth/systems/bread/alpha/plugin/invitations.cljc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/plugins/auth/systems/bread/alpha/plugin/invitations.cljc b/plugins/auth/systems/bread/alpha/plugin/invitations.cljc index 13352bd7..9edfab3e 100644 --- a/plugins/auth/systems/bread/alpha/plugin/invitations.cljc +++ b/plugins/auth/systems/bread/alpha/plugin/invitations.cljc @@ -115,12 +115,12 @@ :message message}]})) (defmethod bread/effect [::invite :send] send-invitation - [{:keys [conn params]} {:keys [user] [valid? error-key] :validation}] + [{:keys [conn params secret-key]} {:keys [user] [valid? error-key] :validation}] (if valid? (let [email (:email params) code (random/url-part 32) now (t/now) - invitation-tx {:invitation/code (sha-512 code) + invitation-tx {:invitation/code (sha-512 (str secret-key ":" code)) :invitation/invited-by (:db/id user) :invitation/email {:email/address email :thing/created-at now @@ -144,13 +144,13 @@ {:flash {:error-key error-key}})) (defmethod bread/effect [::invite :resend] resend-invitation - [{:keys [conn params]} {:keys [user] [valid? error-key] :validation}] + [{:keys [conn params secret-key]} {:keys [user] [valid? error-key] :validation}] (if valid? (let [id (->int (:id params)) code (random/url-part 32) now (t/now) invitation-tx {:db/id id - :invitation/code (sha-512 code) + :invitation/code (sha-512 (str secret-key ":" code)) :thing/updated-at now} invitation (first (filter #(= id (:db/id %)) (:invitation/_invited-by user))) to (:email/address (:invitation/email invitation)) @@ -218,6 +218,7 @@ :effect/description "Email an invitation, pending validation." :effect/key action :params params + :secret-key (bread/config req :auth/secret-key) :conn (db/connection req)}] :hooks {::bread/render 
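Review bot: In `send-invitation`, `(str secret-key ":" code)` does not fail when `secret-key` is nil, because `str` renders nil as the empty string. If `bread/config` returns nil for an unset `:auth/secret-key` (not visible here), the stored value silently becomes `(sha-512 (str ":" code))`, which is an unkeyed digest. The `resend-invitation` hunk has the same expression. Both effects should refuse to run without a key, for example `(when-not (seq secret-key) (throw (ex-info "Missing :auth/secret-key" {})))` before the `let`, ideally in one shared helper that also does the hashing. Since this is meant as a keyed hash, an HMAC over `code` would be more conventional than prefixing the key. Both method bodies continue outside their hunks.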
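Review bot: The added `:secret-key (bread/config req :auth/secret-key)` entry places the raw secret inside the effect map, next to `:effect/description` and `:params`. If effect maps are ever logged, included in error reports or stored for inspection (none of which is visible in this hunk), the key is exposed with them. Consider building the keyed digest function in the dispatcher and passing that instead of the key. At minimum, mark the field with a comment such as `;; secret: never log or serialize this effect map` and confirm that any effect logging redacts `:secret-key`. The enclosing map and method start and end outside the hunk.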
From ee5e374d4913d2f81ae52bdcfdca5bc635541f69 Mon Sep 17 00:00:00 2001 From: Coby Tamayo Date: Wed, 15 Apr 2026 20:51:23 -0700 Subject: [PATCH 2/4] test ::signup/enact-valid-signup --- .../systems/bread/alpha/plugin/signup.cljc | 2 +- .../bread/alpha/plugin/signup_test.clj | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/plugins/auth/systems/bread/alpha/plugin/signup.cljc b/plugins/auth/systems/bread/alpha/plugin/signup.cljc index fe12942b..7ea71432 100644 --- a/plugins/auth/systems/bread/alpha/plugin/signup.cljc +++ b/plugins/auth/systems/bread/alpha/plugin/signup.cljc @@ -64,7 +64,7 @@ :invitation/redeemer user}]}]}) {:effects [{:effect/name ::db/transact :conn conn - :effect/description "Create user" + :effect/description "Create user." :txs [user]}]}))) (defmethod bread/action ::render diff --git a/test/cms/systems/bread/alpha/plugin/signup_test.clj b/test/cms/systems/bread/alpha/plugin/signup_test.clj index 409085a7..06c48471 100644 --- a/test/cms/systems/bread/alpha/plugin/signup_test.clj +++ b/test/cms/systems/bread/alpha/plugin/signup_test.clj 
@@ -358,6 +358,56 @@ ,)) +(deftest test-enact-valid-signup + (let [!now (Date.)] + (are + [expected effect data] + (= expected (binding [t/*now* !now] + (bread/effect effect data))) + + nil {:effect/name ::signup/enact-valid-signup} nil + nil {:effect/name ::signup/enact-valid-signup} {} + nil {:effect/name ::signup/enact-valid-signup} {:validation nil} + nil {:effect/name ::signup/enact-valid-signup} {:validation []} + nil {:effect/name ::signup/enact-valid-signup} {:validation [false]} + nil {:effect/name ::signup/enact-valid-signup} {:validation [false :whatever]} + + ;; Open signup - not by invite. + {:effects [{:effect/name ::db/transact + :effect/description "Create user." + :txs [{:user/username "test" + :user/password "" + :thing/created-at !now}] + :conn ::DBCONN}]} + {:effect/name ::signup/enact-valid-signup + :user {:user/username "test" + :user/password "" + :thing/created-at !now} + :conn ::DBCONN} + {:validation [true nil]} + + ;; By invitation. + {:effects [{:effect/name ::db/transact + :effect/description "Redeem invitation and create user." + :txs [{:invitation/code "" + :invitation/redeemer + {:user/username "test" + :user/password "" + :user/emails [{:email/address "user@example.com" + :email/confirmed-at !now}] + :thing/created-at ::NOW}}] + :conn ::DBCONN}]} + {:effect/name ::signup/enact-valid-signup + :user {:user/username "test" + :user/password "" + :thing/created-at ::NOW} + :conn ::DBCONN} + {:validation [true nil] + :invitation {:invitation/code "" + :invitation/email {:email/address "user@example.com"}}} + + ,))) + (deftest test-signup-render (are [expected action res] From e4d392eacecacb2b3775ce6ed3a46fd853a40557 Mon Sep 17 00:00:00 2001 From: Coby Tamayo Date: Wed, 15 Apr 2026 20:55:21 -0700 Subject: [PATCH 3/4] mark email as primary upon redemption --- plugins/auth/systems/bread/alpha/plugin/signup.cljc | 4 +++- test/cms/systems/bread/alpha/plugin/signup_test.clj | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) 
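Review bot: The "By invitation" row of `test-enact-valid-signup` only covers an invitation that carries `:invitation/email`. The `when-let` in `signup.cljc` (visible in the later hunk) also has a path where no email is found and the user is transacted without `:user/emails`, and no row exercises it. A row with `:invitation {:invitation/code ""}` and an expected redeemer without `:user/emails` would pin that path. The fixtures also use `""` for both `:user/password` and `:invitation/code`, so the assertion cannot show that each value passes through unchanged. Distinct constructed placeholders such as `"HASHED-PASSWORD"` and `"HASHED-CODE"` would make an accidental re-hash or substitution visible.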
diff --git a/plugins/auth/systems/bread/alpha/plugin/signup.cljc b/plugins/auth/systems/bread/alpha/plugin/signup.cljc index 7ea71432..4193654b 100644 --- a/plugins/auth/systems/bread/alpha/plugin/signup.cljc +++ b/plugins/auth/systems/bread/alpha/plugin/signup.cljc @@ -53,7 +53,9 @@ (when valid? (if invitation (let [email (when-let [email (:invitation/email invitation)] - (assoc email :email/confirmed-at (t/now))) + (assoc email + :email/confirmed-at (t/now) + :email/primary? true)) user (if email (assoc user :user/emails [email]) user)] diff --git a/test/cms/systems/bread/alpha/plugin/signup_test.clj b/test/cms/systems/bread/alpha/plugin/signup_test.clj index 06c48471..ca6bb398 100644 --- a/test/cms/systems/bread/alpha/plugin/signup_test.clj +++ b/test/cms/systems/bread/alpha/plugin/signup_test.clj @@ -394,7 +394,8 @@ {:user/username "test" :user/password "" :user/emails [{:email/address "user@example.com" - :email/confirmed-at !now}] + :email/confirmed-at !now + :email/primary? true}] :thing/created-at ::NOW}}] :conn ::DBCONN}]} {:effect/name ::signup/enact-valid-signup From 2b573c9a15457dfc58c6dd13b1eb292cc248e317 Mon Sep 17 00:00:00 2001 From: Coby Tamayo Date: Wed, 15 Apr 2026 20:56:08 -0700 Subject: [PATCH 4/4] lint --- plugins/auth/systems/bread/alpha/plugin/invitations.cljc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/auth/systems/bread/alpha/plugin/invitations.cljc b/plugins/auth/systems/bread/alpha/plugin/invitations.cljc index 9edfab3e..16af8fcf 100644 --- a/plugins/auth/systems/bread/alpha/plugin/invitations.cljc +++ b/plugins/auth/systems/bread/alpha/plugin/invitations.cljc @@ -185,7 +185,7 @@ {:flash {:error-key error-key}})) (defmethod bread/dispatch ::invitations=> - [{:keys [::bread/dispatcher params request-method server-name] + [{:keys [::bread/dispatcher params request-method] {:keys [user]} :session :as req}] "Invitations page in the account section"
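Review bot: The new `:email/primary? true`, together with `:email/confirmed-at`, is set at the `assoc` with no comment on why an address that never went through a separate confirmation step can be trusted. The reasoning is presumably that redeeming the emailed code proves control of the invited mailbox. That is worth stating in place, e.g. `;; Redeeming the emailed code proves control of this address, so store it as confirmed and primary.` The assumption holds only while codes are delivered solely to the invited address, so the comment should also say that any other way of handing out codes needs its own confirmation step. The enclosing method starts and ends outside the hunk.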