[FIX] Never-used imported accounts can be accessed without proper authentication. (#670)

f25081bc · Pierre Lehnen · Diego Sampaio · a56f5f0a · f25081bc · f25081bc
Unverified Commit f25081bc authored 1 year ago by Pierre Lehnen Committed by Diego Sampaio 1 year ago
--- a/.changeset/ten-games-roll.md
+++ b/.changeset/ten-games-roll.md
+---
+'@rocket.chat/meteor': patch
+---
+
+Removed an unused authentication flow
--- a/apps/meteor/server/methods/registerUser.ts
+++ b/apps/meteor/server/methods/registerUser.ts
@@ -95,15 +95,7 @@ Meteor.methods<ServerMethods>({

 		let userId;
 		try {
-			// Check if user has already been imported and never logged in. If so, set password and let it through
-			const importedUser = await Users.findOneByEmailAddress(formData.email);
-
-			if (importedUser?.importIds?.length && !importedUser.lastLogin) {
-				await Accounts.setPasswordAsync(importedUser._id, userData.password);
-				userId = importedUser._id;
-			} else {
-				userId = await Accounts.createUserAsync(userData);
-			}
+			userId = await Accounts.createUserAsync(userData);
 		} catch (e) {
 			if (e instanceof Meteor.Error) {
 				throw e;