chore: Fix user email re-confirmation flow (#3581)

Users can change their email from profile settings. They will be logged out immediately. Users can log in again with the updated email without verifying the same. This is a security problem. So this change enforce the user to reconfirm the email after changing it. Users can log in with the updated email only after the confirmation. Fixes: https://huntr.dev/bounties/7afd04b4-232e-4907-8a3c-acf8bd4b5b22/
2021-12-16 06:02:49 -08:00
parent e0c9687f5e
commit 5ee209c079
6 changed files with 51 additions and 8 deletions
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -133,7 +133,7 @@ Devise.setup do |config|
  # initial account confirmation) to be applied. Requires additional unconfirmed_email
  # db field (see migrations). Until confirmed, new email is stored in
  # unconfirmed_email column, and copied to email column on successful confirmation.
-  config.reconfirmable = false
+  config.reconfirmable = true

  # Defines which key will be used when confirming an account
  # config.confirmation_keys = [:email]