fix(headless/socialaccount): Last SocialAccount vs unusable password

pennersr · Dec 12, 2024 · 842b0d9 · 842b0d9
1 parent f2c1dd6
commit 842b0d9
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -7,6 +7,9 @@ Fixes
 - Headless: When using email verification by code, you could incorrectly
   encounter a 409 when attempting to add a new email address while logged in.
 
+- Headless: In contrast to the headed version, it was possible to remove the
+  last 3rd party account from a user that has no usable password. Fixed.
+
 
 65.3.0 (2024-11-30)
 *******************

diff --git a/allauth/account/internal/flows/password_change.py b/allauth/account/internal/flows/password_change.py
@@ -48,7 +48,7 @@ def logout_on_password_change(request: HttpRequest, user: AbstractBaseUser) -> b
     # logout isn't desired.
     logged_out = True
     if not app_settings.LOGOUT_ON_PASSWORD_CHANGE:
-        update_session_auth_hash(request, user)
+        update_session_auth_hash(request, user)  # type: ignore[arg-type]
         logged_out = False
     else:
         logout(request)

diff --git a/allauth/headless/socialaccount/inputs.py b/allauth/headless/socialaccount/inputs.py
@@ -7,6 +7,7 @@
     get_adapter as get_socialaccount_adapter,
 )
 from allauth.socialaccount.forms import SignupForm
+from allauth.socialaccount.internal.flows.connect import validate_disconnect
 from allauth.socialaccount.models import SocialAccount, SocialApp
 from allauth.socialaccount.providers import registry
 from allauth.socialaccount.providers.base.constants import AuthProcess
@@ -36,7 +37,7 @@ def clean(self):
             ).first()
             if not account:
                 raise get_adapter().validation_error("account_not_found")
-            get_socialaccount_adapter().validate_disconnect(account, accounts)
+            validate_disconnect(context.request, account)
             self.cleaned_data["account"] = account
         return cleaned_data
 

diff --git a/allauth/headless/socialaccount/tests/test_views.py b/allauth/headless/socialaccount/tests/test_views.py
@@ -86,6 +86,25 @@ def test_disconnect_bad_request(auth_client, user, headless_reverse, provider_id
     }
 
 
+def test_disconnect_not_allowed(auth_client, user, headless_reverse, provider_id):
+    user.set_unusable_password()
+    user.save(update_fields=["password"])
+    auth_client.force_login(user)
+    account = SocialAccount.objects.create(user=user, uid="123", provider=provider_id)
+    resp = auth_client.delete(
+        headless_reverse("headless:socialaccount:manage_providers"),
+        data={"provider": provider_id, "account": account.uid},
+        content_type="application/json",
+    )
+    assert resp.status_code == 400
+    assert resp.json() == {
+        "status": 400,
+        "errors": [
+            {"code": "no_password", "message": "Your account has no password set up."}
+        ],
+    }
+
+
 def test_valid_token(client, headless_reverse, db):
     id_token = json.dumps(
         {