chore: Fix user email re-confirmation flow (#3581)

Users can change their email from profile settings. They will be logged out immediately. Users can log in again with the updated email without verifying the same. This is a security problem. So this change enforce the user to reconfirm the email after changing it. Users can log in with the updated email only after the confirmation. Fixes: https://huntr.dev/bounties/7afd04b4-232e-4907-8a3c-acf8bd4b5b22/
2021-12-16 06:02:49 -08:00
parent e0c9687f5e
commit 5ee209c079
6 changed files with 51 additions and 8 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -177,4 +177,10 @@ class User < ApplicationRecord
      type: 'user'
    }
  end
+
+  # https://github.com/lynndylanhurley/devise_token_auth/blob/6d7780ee0b9750687e7e2871b9a1c6368f2085a9/app/models/devise_token_auth/concerns/user.rb#L45
+  # Since this method is overriden in devise_token_auth it breaks the email reconfirmation flow.
+  def will_save_change_to_email?
+    mutations_from_database.changed?('email')
+  end
 end