chore: Fix user email re-confirmation flow (#3581)

Users can change their email from profile settings. They will be logged out immediately. Users can log in again with the updated email without verifying the same. This is a security problem. So this change enforce the user to reconfirm the email after changing it. Users can log in with the updated email only after the confirmation. Fixes: https://huntr.dev/bounties/7afd04b4-232e-4907-8a3c-acf8bd4b5b22/
2021-12-16 06:02:49 -08:00
parent e0c9687f5e
commit 5ee209c079
6 changed files with 51 additions and 8 deletions
--- a/spec/controllers/api/v1/profiles_controller_spec.rb
+++ b/spec/controllers/api/v1/profiles_controller_spec.rb
@@ -42,10 +42,9 @@ RSpec.describe 'Profile API', type: :request do
    context 'when it is an authenticated user' do
      let(:agent) { create(:user, password: 'Test123!', account: account, role: :agent) }

-      it 'updates the name & email' do
-        new_email = Faker::Internet.email
+      it 'updates the name' do
        put '/api/v1/profile',
-            params: { profile: { name: 'test', email: new_email } },
+            params: { profile: { name: 'test' } },
            headers: agent.create_new_auth_token,
            as: :json

@@ -53,8 +52,8 @@ RSpec.describe 'Profile API', type: :request do
        json_response = JSON.parse(response.body)
        agent.reload
        expect(json_response['id']).to eq(agent.id)
-        expect(json_response['email']).to eq(agent.email)
-        expect(agent.email).to eq(new_email)
+        expect(json_response['name']).to eq(agent.name)
+        expect(agent.name).to eq('test')
      end

      it 'updates the password when current password is provided' do
@@ -100,6 +99,23 @@ RSpec.describe 'Profile API', type: :request do
        expect(json_response['ui_settings']['is_contact_sidebar_open']).to eq(false)
      end
    end
+
+    context 'when an authenticated user updates email' do
+      let(:agent) { create(:user, password: 'Test123!', account: account, role: :agent) }
+
+      it 'populates the unconfirmed email' do
+        new_email = Faker::Internet.email
+        put '/api/v1/profile',
+            params: { profile: { email: new_email } },
+            headers: agent.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:success)
+        agent.reload
+
+        expect(agent.unconfirmed_email).to eq(new_email)
+      end
+    end
  end

  describe 'DELETE /api/v1/profile/avatar' do