chore: Fix user email re-confirmation flow (#3581)

Users can change their email from profile settings. They will be logged out immediately. Users can log in again with the updated email without verifying the same. This is a security problem. So this change enforce the user to reconfirm the email after changing it. Users can log in with the updated email only after the confirmation. Fixes: https://huntr.dev/bounties/7afd04b4-232e-4907-8a3c-acf8bd4b5b22/
2021-12-16 06:02:49 -08:00
parent e0c9687f5e
commit 5ee209c079
6 changed files with 51 additions and 8 deletions
--- a/spec/controllers/api/v1/profiles_controller_spec.rb
+++ b/spec/controllers/api/v1/profiles_controller_spec.rb
@@ -42,10 +42,9 @@ RSpec.describe 'Profile API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, password: 'Test123!', account: account, role: :agent) }

-      it 'updates the name & email' do
-        new_email = Faker::Internet.email
+      it 'updates the name' do
        put '/api/v1/profile',
-            params: { profile: { name: 'test', email: new_email } },
+            params: { profile: { name: 'test' } },
            headers: agent.create_new_auth_token,
            as: :json

@@ -53,8 +52,8 @@ RSpec.describe 'Profile API', type: :request do
        json_response = JSON.parse(response.body)
        agent.reload
        expect(json_response['id']).to eq(agent.id)
-        expect(json_response['email']).to eq(agent.email)
-        expect(agent.email).to eq(new_email)
+        expect(json_response['name']).to eq(agent.name)
+        expect(agent.name).to eq('test')
      end

      it 'updates the password when current password is provided' do
@@ -100,6 +99,23 @@ RSpec.describe 'Profile API', type: :request do
        expect(json_response['ui_settings']['is_contact_sidebar_open']).to eq(false)
      end
    end
+
+    context 'when an authenticated user updates email' do
+      let(:agent) { create(:user, password: 'Test123!', account: account, role: :agent) }
+
+      it 'populates the unconfirmed email' do
+        new_email = Faker::Internet.email
+        put '/api/v1/profile',
+            params: { profile: { email: new_email } },
+            headers: agent.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:success)
+        agent.reload
+
+        expect(agent.unconfirmed_email).to eq(new_email)
+      end
+    end
  end

  describe 'DELETE /api/v1/profile/avatar' do
--- a/spec/mailers/confirmation_instructions_spec.rb
+++ b/spec/mailers/confirmation_instructions_spec.rb
@@ -47,5 +47,19 @@ RSpec.describe 'Confirmation Instructions', type: :mailer do
        expect(mail.body).not_to include('app/auth/confirmation')
      end
    end
+
+    context 'when user updates the email' do
+      before do
+        confirmable_user.update!(email: 'user@example.com')
+      end
+
+      it 'sends a confirmation link' do
+        confirmation_mail = Devise::Mailer.confirmation_instructions(confirmable_user.reload, nil, {})
+
+        expect(confirmation_mail.body).to include('app/auth/confirmation?confirmation_token')
+        expect(confirmation_mail.body).not_to include('app/auth/password/edit')
+        expect(confirmable_user.unconfirmed_email.blank?).to be false
+      end
+    end
  end
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -80,4 +80,11 @@ RSpec.describe User do
      expect(token_count).to eq(1)
    end
  end
+
+  context 'when user changes the email' do
+    it 'mutates the value' do
+      user.email = 'user@example.com'
+      expect(user.will_save_change_to_email?).to be true
+    end
+  end
 end