Greenfield: Users API fixes (#6425)

* Do not crash when creatuing users without password * More precise error message for user approval toggling
2025-12-18 06:24:24 +01:00 · 2024-11-25 01:38:44 +01:00
parent 76f87011a2
commit d6211327db
2 changed files with 34 additions and 13 deletions
--- a/BTCPayServer.Tests/GreenfieldAPITests.cs
+++ b/BTCPayServer.Tests/GreenfieldAPITests.cs
@@ -1052,6 +1052,13 @@ namespace BTCPayServer.Tests
                IsAdministrator = true
            });
            
+            // Create user without password
+            await adminClient.CreateUser(new CreateApplicationUserRequest
+            {
+                Email = "nopassword@gmail.com"
+            });
+
+            // Regular user
            var user1Acc = tester.NewAccount();
            user1Acc.UserId = user1.Id;
            user1Acc.IsAdmin = false;
@@ -4168,6 +4175,11 @@ namespace BTCPayServer.Tests
            Assert.True((await adminClient.GetUserByIdOrEmail(unapprovedUser.UserId)).Approved);
            Assert.True((await unapprovedUserApiKeyClient.GetCurrentUser()).Approved);
            Assert.True((await unapprovedUserBasicAuthClient.GetCurrentUser()).Approved);
+            var err = await AssertAPIError("invalid-state", async () =>
+            {
+                await adminClient.ApproveUser(unapprovedUser.UserId, true, CancellationToken.None);
+            });
+            Assert.Equal("User is already approved", err.APIError.Message);

            // un-approve
            Assert.True(await adminClient.ApproveUser(unapprovedUser.UserId, false, CancellationToken.None));
@@ -4180,6 +4192,11 @@ namespace BTCPayServer.Tests
            {
                await unapprovedUserBasicAuthClient.GetCurrentUser();
            });
+            err = await AssertAPIError("invalid-state", async () =>
+            {
+                await adminClient.ApproveUser(unapprovedUser.UserId, false, CancellationToken.None);
+            });
+            Assert.Equal("User is already unapproved", err.APIError.Message);

            // reset policies to not require approval
            await settings.UpdateSetting(new PoliciesSettings { LockSubscription = false, RequiresUserApproval = false });
@@ -4196,10 +4213,11 @@ namespace BTCPayServer.Tests
            Assert.Single(await adminClient.GetNotifications(false));

            // try unapproving user which does not have the RequiresApproval flag
-            await AssertAPIError("invalid-state", async () =>
+            err = await AssertAPIError("invalid-state", async () =>
            {
                await adminClient.ApproveUser(newUser.UserId, false, CancellationToken.None);
            });
+            Assert.Equal("Unapproving user failed: No approval required", err.APIError.Message);
        }

        [Fact(Timeout = 60 * 2 * 1000)]
--- a/BTCPayServer/Controllers/GreenField/GreenfieldUsersController.cs
+++ b/BTCPayServer/Controllers/GreenField/GreenfieldUsersController.cs
@@ -112,14 +112,13 @@ namespace BTCPayServer.Controllers.Greenfield
                return this.UserNotFound();
            }

-            var success = false;
            if (user.RequiresApproval)
            {
-                success = await _userService.SetUserApproval(user.Id, request.Approved, Request.GetAbsoluteRootUri());
+                return await _userService.SetUserApproval(user.Id, request.Approved, Request.GetAbsoluteRootUri())
+                    ? Ok()
+                    : this.CreateAPIError("invalid-state", $"User is already {(request.Approved ? "approved" : "unapproved")}");
            }
-
-            return success ? Ok() : this.CreateAPIError("invalid-state",
-                $"{(request.Approved ? "Approving" : "Unapproving")} user failed");
+            return this.CreateAPIError("invalid-state", $"{(request.Approved ? "Approving" : "Unapproving")} user failed: No approval required");
        }

        [Authorize(Policy = Policies.CanViewUsers, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
@@ -350,7 +349,10 @@ namespace BTCPayServer.Controllers.Greenfield
            blob.Name = request.Name;
            blob.ImageUrl = request.ImageUrl;
            user.SetBlob(blob);
-            var passwordValidation = await this._passwordValidator.ValidateAsync(_userManager, user, request.Password);
+            var hasPassword = !string.IsNullOrEmpty(request.Password);
+            if (hasPassword)
+            {
+                var passwordValidation = await _passwordValidator.ValidateAsync(_userManager, user, request.Password);
                if (!passwordValidation.Succeeded)
                {
                    foreach (var error in passwordValidation.Errors)
@@ -359,12 +361,13 @@ namespace BTCPayServer.Controllers.Greenfield
                    }
                    return this.CreateValidationError(ModelState);
                }
+            }
            if (!isAdmin)
            {
                if (!await _throttleService.Throttle(ZoneLimits.Register, this.HttpContext.Connection.RemoteIpAddress, cancellationToken))
                    return new TooManyRequestsResult(ZoneLimits.Register);
            }
-            var identityResult = await _userManager.CreateAsync(user, request.Password);
+            var identityResult = hasPassword ? await _userManager.CreateAsync(user, request.Password) : await _userManager.CreateAsync(user);
            if (!identityResult.Succeeded)
            {
                foreach (var error in identityResult.Errors)