Greenfield: Users API fixes (#6425)

* Do not crash when creatuing users without password * More precise error message for user approval toggling
2025-12-18 14:34:23 +01:00 · 2024-11-25 01:38:44 +01:00
parent 76f87011a2
commit d6211327db
2 changed files with 34 additions and 13 deletions
--- a/BTCPayServer.Tests/GreenfieldAPITests.cs
+++ b/BTCPayServer.Tests/GreenfieldAPITests.cs
@@ -1052,6 +1052,13 @@ namespace BTCPayServer.Tests
                IsAdministrator = true
            });
            // Create user without password
            await adminClient.CreateUser(new CreateApplicationUserRequest
            {
                Email = "nopassword@gmail.com"
            });
            // Regular user
            var user1Acc = tester.NewAccount();
            user1Acc.UserId = user1.Id;
            user1Acc.IsAdmin = false;
@@ -4168,6 +4175,11 @@ namespace BTCPayServer.Tests
            Assert.True((await adminClient.GetUserByIdOrEmail(unapprovedUser.UserId)).Approved);
            Assert.True((await unapprovedUserApiKeyClient.GetCurrentUser()).Approved);
            Assert.True((await unapprovedUserBasicAuthClient.GetCurrentUser()).Approved);
            var err = await AssertAPIError("invalid-state", async () =>
            {
                await adminClient.ApproveUser(unapprovedUser.UserId, true, CancellationToken.None);
            });
            Assert.Equal("User is already approved", err.APIError.Message);
            // un-approve
            Assert.True(await adminClient.ApproveUser(unapprovedUser.UserId, false, CancellationToken.None));
@@ -4180,6 +4192,11 @@ namespace BTCPayServer.Tests
            {
                await unapprovedUserBasicAuthClient.GetCurrentUser();
            });
            err = await AssertAPIError("invalid-state", async () =>
            {
                await adminClient.ApproveUser(unapprovedUser.UserId, false, CancellationToken.None);
            });
            Assert.Equal("User is already unapproved", err.APIError.Message);
            // reset policies to not require approval
            await settings.UpdateSetting(new PoliciesSettings { LockSubscription = false, RequiresUserApproval = false });
@@ -4196,10 +4213,11 @@ namespace BTCPayServer.Tests
            Assert.Single(await adminClient.GetNotifications(false));
            // try unapproving user which does not have the RequiresApproval flag
-            await AssertAPIError("invalid-state", async () =>
+            err = await AssertAPIError("invalid-state", async () =>
            {
                await adminClient.ApproveUser(newUser.UserId, false, CancellationToken.None);
            });
            Assert.Equal("Unapproving user failed: No approval required", err.APIError.Message);
        }
        [Fact(Timeout = 60 * 2 * 1000)]
--- a/BTCPayServer/Controllers/GreenField/GreenfieldUsersController.cs
+++ b/BTCPayServer/Controllers/GreenField/GreenfieldUsersController.cs
@@ -112,14 +112,13 @@ namespace BTCPayServer.Controllers.Greenfield
                return this.UserNotFound();
            }
            var success = false;
            if (user.RequiresApproval)
            {
-                success = await _userService.SetUserApproval(user.Id, request.Approved, Request.GetAbsoluteRootUri());
+                return await _userService.SetUserApproval(user.Id, request.Approved, Request.GetAbsoluteRootUri())
                    ? Ok()
                    : this.CreateAPIError("invalid-state", $"User is already {(request.Approved ? "approved" : "unapproved")}");
            }
-
+            return this.CreateAPIError("invalid-state", $"{(request.Approved ? "Approving" : "Unapproving")} user failed: No approval required");
            return success ? Ok() : this.CreateAPIError("invalid-state",
                $"{(request.Approved ? "Approving" : "Unapproving")} user failed");
        }
        [Authorize(Policy = Policies.CanViewUsers, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
@@ -350,7 +349,10 @@ namespace BTCPayServer.Controllers.Greenfield
            blob.Name = request.Name;
            blob.ImageUrl = request.ImageUrl;
            user.SetBlob(blob);
-            var passwordValidation = await this._passwordValidator.ValidateAsync(_userManager, user, request.Password);
+            var hasPassword = !string.IsNullOrEmpty(request.Password);
            if (hasPassword)
            {
                var passwordValidation = await _passwordValidator.ValidateAsync(_userManager, user, request.Password);
                if (!passwordValidation.Succeeded)
                {
                    foreach (var error in passwordValidation.Errors)
@@ -359,12 +361,13 @@ namespace BTCPayServer.Controllers.Greenfield
                    }
                    return this.CreateValidationError(ModelState);
                }
            }
            if (!isAdmin)
            {
                if (!await _throttleService.Throttle(ZoneLimits.Register, this.HttpContext.Connection.RemoteIpAddress, cancellationToken))
                    return new TooManyRequestsResult(ZoneLimits.Register);
            }
-            var identityResult = await _userManager.CreateAsync(user, request.Password);
+            var identityResult = hasPassword ? await _userManager.CreateAsync(user, request.Password) : await _userManager.CreateAsync(user);
            if (!identityResult.Succeeded)
            {
                foreach (var error in identityResult.Errors)