With v2, passwords are not hashed during upsert operations
Description and expected behavior
We recently upgraded to V2. Our user creation request performs an upsert (using the same route for creating a user and updating some of their preferences). After upgrading to V2, passwords are no longer hashed when doing a prisma upsert.
I'm using the following code in the context of an admin panel where you can assume all authorization checks have been made prior to the enhancedPrisma object being used.
No longer hashes the password

```ts
const user = await ctx.enhancedPrisma.user.upsert({
  where: { email: input.email },
  create: { ...input.data, password },
  update: input.data,
});
```
This works as intended

```ts
let user;
try {
  user = await ctx.enhancedPrisma.user.create({
    data: { ...input.data, password },
  });
} catch (error) {
  user = await ctx.enhancedPrisma.user.update({
    where: { email: input.email },
    data: input.data,
  });
}
```
The relevant model looks like this:
```prisma
model User {
  id            String    @id @default(cuid()) @deny('update', true)
  name          String
  email         String    @unique
  emailVerified DateTime?
  password      String?   @password @omit
  accounts      Account[]
  sessions      Session[]

  // Write/Delete/Update operations are not allowed, except for admins
  @@allow('read', auth() != null && ((auth() == this) || (endsWith(auth().email, '@acme.corp'))))
  @@allow('create', auth() != null && endsWith(auth().email, '@acme.corp'))
  @@allow('update', auth() != null && endsWith(auth().email, '@acme.corp'))
  @@allow('delete', auth() != null && endsWith(auth().email, '@acme.corp'))
}
```
Environment (please complete the following information):
- ZenStack version: 2.2.1
- Prisma version: 5.7.0
- Database type: PostgreSQL
Hi @benjamintd, thanks for reporting this. I tried to reproduce it following your schema and couldn't see the issue. Do you mind sharing the full object that you passed to the upsert call? A repro project would be even better. If it's a problem, I'd like to fix it in the upcoming release. Thanks!
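A way to check whether any `User.password` values were stored without hashing, as in the behavior reported above. This is an added example, not code from the issue or from ZenStack. It assumes `@password` stores bcrypt-format strings (ZenStack documents bcryptjs for this attribute); the function names and sample rows are constructed for illustration.

```javascript
// Added example: audit stored User.password values for entries that are not hashes.
// Assumption: @password yields bcrypt strings in modular-crypt format.

// $2a$ / $2b$ / $2y$, a two-digit cost, then 22 chars of salt and 31 chars
// of digest in the bcrypt base64 alphabet (53 chars, 60 in total).
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

function looksLikeBcryptHash(value) {
  if (typeof value !== 'string') return false;
  const match = BCRYPT_RE.exec(value);
  if (!match) return false;
  const cost = Number(match[1]);
  return cost >= 4 && cost <= 31; // valid bcrypt cost range
}

// Returns the rows whose password is set but is not a bcrypt hash.
// password is optional in the model, so null/undefined is not a finding.
function findUnhashedPasswords(rows) {
  return rows
    .filter((row) => row.password !== null && row.password !== undefined)
    .filter((row) => !looksLikeBcryptHash(row.password))
    .map((row) => ({ id: row.id, email: row.email })); // never echo the stored value
}

// Constructed sample rows (not real data); the hash is a syntactically
// valid placeholder, not the hash of any real password.
const sampleRows = [
  { id: 'u1', email: 'a@acme.corp', password: '$2a$12$' + 'A'.repeat(53) },
  { id: 'u2', email: 'b@acme.corp', password: 'hunter2-plaintext' },
  { id: 'u3', email: 'c@acme.corp', password: null },
  { id: 'u4', email: 'd@acme.corp', password: '$2a$99$' + 'A'.repeat(53) },
];

console.log(findUnhashedPasswords(sampleRows));
```

Because the model marks `password` with `@omit`, the rows for such an audit have to be read with the plain Prisma client rather than the enhanced one. Any row flagged this way should have its password reset, not hashed in place.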