Disallow editing of user properties that come from Cognito

Enterprise-CMCS · Jan 21, 2025 · 29e5ea8 · 29e5ea8
1 parent 5c799ac
commit 29e5ea8
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 7 deletions.
diff --git a/services/app-api/handlers/users/post/updateUser.js b/services/app-api/handlers/users/post/updateUser.js
@@ -19,20 +19,20 @@ export const main = handler(async (event, context) => {
     await authorizeAdmin(event);
   }
 
+  assertPayloadIsValid(data);
+
   const params = {
     TableName:
       process.env.AUTH_USER_TABLE_NAME ?? process.env.AuthUserTableName,
     Key: {
       userId: currentUser["Items"][0].userId,
     },
     UpdateExpression:
-      "SET username = :username, #r = :role, states = :states, lastLogin = :lastLogin, usernameSub = :usernameSub",
+      "SET #r = :role, states = :states, lastLogin = :lastLogin",
     ExpressionAttributeValues: {
-      ":username": data.username,
       ":role": data.role,
       ":states": data.states ?? "",
       ":lastLogin": new Date().toISOString(),
-      ":usernameSub": data.usernameSub ?? null,
     },
     ExpressionAttributeNames: {
       "#r": "role",
@@ -51,3 +51,30 @@ function modifyingAnythingButAnEmptyStateList(incomingUser, existingUser) {
   if (existingUser.states.length > 0) return true;
   return false;
 }
+
+function assertPayloadIsValid (data) {
+  if (!data) {
+    throw new Error("User update payload is missing");
+  }
+
+  if (typeof data.role !== "string" || !data.role) {
+    throw new Error("Invalid user role - must be a nonempty string");
+  }
+  if (!["admin", "business", "state"].includes(data.role)) {
+    throw new Error("Invalid user role - must be an existing role");
+  }
+
+  if (data.states && data.states !== "null") {
+    if (!Array.isArray(data.states)) {
+      throw new Error("Invalid user states - must be an array");
+    }
+    for (let state of data.states) {
+      if (typeof state !== "string") {
+        throw new Error("Invalid user states - must be strings");
+      }
+      if (!/^[A-Z]{2}$/.test(state)) {
+        throw new Error("Invalid user states - must be 2-letter abbreviations");
+      }
+    }
+  }
+}
diff --git a/services/ui-src/src/components/EditUser/EditUser.jsx b/services/ui-src/src/components/EditUser/EditUser.jsx
@@ -176,6 +176,7 @@ const EditUser = ({ stateList }) => {
                     value={user.username}
                     type="text"
                     onChange={e => updateLocalUser(e, "username")}
+                    disabled={true}
                     name="username"
                     className="form-input"
                   />

diff --git a/services/ui-src/src/components/EditUser/EditUser.test.jsx b/services/ui-src/src/components/EditUser/EditUser.test.jsx
@@ -144,16 +144,17 @@ describe("Test EditUser.js", () => {
     renderComponent(mockUser);
     await waitFor(() => expect(getUserById).toHaveBeenCalled());
 
-    const table = screen.getByTestId("table");
-    const usernameInput = table.querySelector(".userName input");
-    userEvent.type(usernameInput, "TY");
+    const roleDropdown = screen.getByPlaceholderText("Select a Role");
+    userEvent.click(roleDropdown);
+    const adminOption = screen.getByText("Admin User");
+    userEvent.click(adminOption);
 
     const saveButton = screen.getByText("Update User", { selector: "button" });
     userEvent.click(saveButton);
 
     expect(updateUser).toHaveBeenCalledWith(
       expect.objectContaining({
-        username: "QWERTY"
+        role: "admin",
       })
     );
   });