feat: Add autoSignupLogin to signup when user doesn't already exist

coratgerl · coratgerl · commit c183da65d6a6 · 2025-12-05T20:51:59.000+01:00
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -210,6 +210,109 @@ describe('Parse.User testing', () => {
     done();
   });
 
+  describe('autoSignupOnLogin option', () => {
+    it('does not auto sign up when disabled', async () => {
+      await reconfigureServer({ autoSignupOnLogin: false });
+      await expectAsync(Parse.User.logIn('ghost-user', 'hunter2')).toBeRejectedWith(
+        jasmine.objectContaining({ code: Parse.Error.OBJECT_NOT_FOUND })
+      );
+      const count = await new Parse.Query(Parse.User)
+        .equalTo('username', 'ghost-user')
+        .count({ useMasterKey: true });
+      expect(count).toBe(0);
+    });
+
+    it('creates user on login when enabled (username + password)', async () => {
+      await reconfigureServer({ autoSignupOnLogin: true });
+      const user = await Parse.User.logIn('auto-login-user', 'pass1234');
+      expect(user.id).toBeDefined();
+      expect(user.getSessionToken()).toBeDefined();
+      const stored = await new Parse.Query(Parse.User)
+        .equalTo('username', 'auto-login-user')
+        .first({ useMasterKey: true });
+      expect(stored).toBeTruthy();
+      expect(stored.id).toBe(user.id);
+    });
+
+    it('creates user on login when enabled with email + password', async () => {
+      await reconfigureServer({ autoSignupOnLogin: true });
+      const email = 'auto-email@example.com';
+      const res = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/login',
+        headers: {
+          'X-Parse-Application-Id': Parse.applicationId,
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: {
+          email,
+          password: 'pass1234',
+        },
+      });
+      expect(res.data.username).toBe(email);
+      expect(res.data.email).toBe(email);
+      expect(res.data.sessionToken).toBeDefined();
+      const stored = await new Parse.Query(Parse.User)
+        .equalTo('email', email)
+        .first({ useMasterKey: true });
+      expect(stored).toBeTruthy();
+      expect(stored.get('username')).toBe(email);
+    });
+
+    it('uses existing user when present and does not duplicate', async () => {
+      await reconfigureServer({ autoSignupOnLogin: true });
+      const existing = new Parse.User();
+      existing.setUsername('existing-login');
+      existing.setPassword('pass123');
+      await existing.signUp();
+
+      const logged = await Parse.User.logIn('existing-login', 'pass123');
+      expect(logged.id).toBe(existing.id);
+      const count = await new Parse.Query(Parse.User)
+        .equalTo('username', 'existing-login')
+        .count({ useMasterKey: true });
+      expect(count).toBe(1);
+    });
+
+    it('respects preventLoginWithUnverifiedEmail when auto-signing up', async () => {
+      await reconfigureServer({
+        appName: 'preventLoginWithUnverifiedEmail',
+        autoSignupOnLogin: true,
+        verifyUserEmails: true,
+        preventLoginWithUnverifiedEmail: true,
+        emailAdapter: {
+          sendVerificationMail: () => Promise.resolve(),
+          sendMail: () => Promise.resolve(),
+        },
+        publicServerURL: 'http://localhost:8378/1',
+      });
+      const email = 'unverified@example.com';
+      await expectAsync(
+        request({
+          method: 'POST',
+          url: 'http://localhost:8378/1/login',
+          headers: {
+            'X-Parse-Application-Id': Parse.applicationId,
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          body: {
+            email,
+            password: 'pass1234',
+          },
+        })
+      ).toBeRejectedWith(
+        jasmine.objectContaining({
+          data: jasmine.objectContaining({ code: Parse.Error.EMAIL_NOT_FOUND }),
+        })
+      );
+      const stored = await new Parse.Query(Parse.User)
+        .equalTo('email', email)
+        .first({ useMasterKey: true });
+      expect(stored).toBeTruthy();
+      expect(stored.get('emailVerified')).toBe(false);
+    });
+  });
+
   it('should respect ACL without locking user out', done => {
     const user = new Parse.User();
     const ACL = new Parse.ACL();
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -113,6 +113,13 @@ module.exports.ParseServerOptions = {
       'Configuration for your authentication providers, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication',
     action: parsers.objectParser,
   },
+  autoSignupOnLogin: {
+    env: 'PARSE_SERVER_AUTO_SIGNUP_ON_LOGIN',
+    help:
+      'Set to `true` to allow the login endpoint to automatically create a user with the provided username/email and password when no existing user is found. Default is `false`.',
+    action: parsers.booleanParser,
+    default: false,
+  },
   cacheAdapter: {
     env: 'PARSE_SERVER_CACHE_ADAPTER',
     help: 'Adapter module for the cache',
diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -193,6 +193,9 @@ export interface ParseServerOptions {
   Requires option `verifyUserEmails: true`.
   :DEFAULT: false */
   preventSignupWithUnverifiedEmail: ?boolean;
+  /* Set to `true` to allow the login endpoint to automatically create a user with the provided username/email and password when no existing user is found. Default is `false`.
+  :DEFAULT: false */
+  autoSignupOnLogin: ?boolean;
   /* Set the validity duration of the email verification token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to `undefined`, then the token never expires.
   <br><br>
   For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -61,38 +61,47 @@ export class UsersRouter extends ClassesRouter {
     }
   }
 
+  /**
+   * Extract and validate login payload from request
+   * @param {Object} req The request
+   * @returns {{ username: string | void, email: string | void, password: string, ignoreEmailVerification: boolean | void }}
+   * @private
+   */
+  _getLoginPayload(req) {
+    let payload = req.body || {};
+    if (
+      (!payload.username && req.query && req.query.username) ||
+      (!payload.email && req.query && req.query.email)
+    ) {
+      payload = req.query;
+    }
+    const { username, email, password, ignoreEmailVerification } = payload;
+
+    if (!username && !email) {
+      throw new Parse.Error(Parse.Error.USERNAME_MISSING, 'username/email is required.');
+    }
+    if (!password) {
+      throw new Parse.Error(Parse.Error.PASSWORD_MISSING, 'password is required.');
+    }
+    if (
+      typeof password !== 'string' ||
+      (email && typeof email !== 'string') ||
+      (username && typeof username !== 'string')
+    ) {
+      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
+    }
+
+    return { username, email, password, ignoreEmailVerification };
+  }
+
   /**
    * Validates a password request in login and verifyPassword
    * @param {Object} req The request
    * @returns {Object} User object
-   * @private
    */
   _authenticateUserFromRequest(req) {
     return new Promise((resolve, reject) => {
-      // Use query parameters instead if provided in url
-      let payload = req.body || {};
-      if (
-        (!payload.username && req.query && req.query.username) ||
-        (!payload.email && req.query && req.query.email)
-      ) {
-        payload = req.query;
-      }
-      const { username, email, password, ignoreEmailVerification } = payload;
-
-      // TODO: use the right error codes / descriptions.
-      if (!username && !email) {
-        throw new Parse.Error(Parse.Error.USERNAME_MISSING, 'username/email is required.');
-      }
-      if (!password) {
-        throw new Parse.Error(Parse.Error.PASSWORD_MISSING, 'password is required.');
-      }
-      if (
-        typeof password !== 'string' ||
-        (email && typeof email !== 'string') ||
-        (username && typeof username !== 'string')
-      ) {
-        throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
-      }
+      const { username, email, password, ignoreEmailVerification } = this._getLoginPayload(req);
 
       let user;
       let isValidPassword = false;
@@ -170,6 +179,58 @@ export class UsersRouter extends ClassesRouter {
     });
   }
 
+  /**
+   * Auto sign-up when login misses existing user and option is enabled
+   * @param {Object} req The request
+   * @returns {{ user: Object, authDataResponse: any }}
+   */
+  async _autoSignupOnLogin(req) {
+    const { username, email, password } = this._getLoginPayload(req);
+    const inferredUsername = username || email;
+    const data = { username: inferredUsername, password };
+    if (email) {
+      data.email = email;
+    }
+
+    const { response } = await new RestWrite(
+      req.config,
+      req.auth,
+      '_User',
+      null,
+      data,
+      null,
+      req.info.clientSDK,
+      req.info.context
+    ).execute();
+
+    // Fetch fresh user object to return a login-like response with username/email
+    const createdUserResults = await req.config.database.find(
+      '_User',
+      { objectId: response.objectId },
+      {},
+      Auth.master(req.config)
+    );
+    const createdUser = createdUserResults[0];
+    if (!createdUser) {
+      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
+    }
+    createdUser.sessionToken = response.sessionToken;
+
+    if (
+      req.config.verifyUserEmails &&
+      req.config.preventLoginWithUnverifiedEmail &&
+      createdUser.email &&
+      createdUser.emailVerified !== true
+    ) {
+      throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
+    }
+
+    UsersRouter.removeHiddenProperties(createdUser);
+    await req.config.filesController.expandFilesInObject(req.config, createdUser);
+
+    return { user: createdUser, authDataResponse: response.authDataResponse };
+  }
+
   handleMe(req) {
     if (!req.info || !req.info.sessionToken) {
       throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', req.config);
@@ -201,8 +262,28 @@ export class UsersRouter extends ClassesRouter {
   }
 
   async handleLogIn(req) {
-    const user = await this._authenticateUserFromRequest(req);
+    let user;
+    let authDataResponse;
+    let validatedAuthData;
+
+    try {
+      user = await this._authenticateUserFromRequest(req);
+    } catch (error) {
+      if (
+        req.config.autoSignupOnLogin &&
+        error &&
+        error.code === Parse.Error.OBJECT_NOT_FOUND
+      ) {
+        const autoSignup = await this._autoSignupOnLogin(req);
+        user = autoSignup.user;
+        authDataResponse = autoSignup.authDataResponse;
+      } else {
+        throw error;
+      }
+    }
+
     const authData = req.body && req.body.authData;
+
     // Check if user has provided their required auth providers
     Auth.checkIfUserHasProvidedConfiguredProvidersForLogin(
       req,
@@ -211,8 +292,6 @@ export class UsersRouter extends ClassesRouter {
       req.config
     );
 
-    let authDataResponse;
-    let validatedAuthData;
     if (authData) {
       const res = await Auth.handleAuthDataValidation(
         authData,
