chore: Fix user email re-confirmation flow (#3581)

Users can change their email from profile settings. They will be logged out immediately. Users can log in again with the updated email without verifying the same. This is a security problem. So this change enforce the user to reconfirm the email after changing it. Users can log in with the updated email only after the confirmation. Fixes: https://huntr.dev/bounties/7afd04b4-232e-4907-8a3c-acf8bd4b5b22/
2021-12-16 06:02:49 -08:00
parent e0c9687f5e
commit 5ee209c079
6 changed files with 51 additions and 8 deletions
--- a/spec/mailers/confirmation_instructions_spec.rb
+++ b/spec/mailers/confirmation_instructions_spec.rb
@@ -47,5 +47,19 @@ RSpec.describe 'Confirmation Instructions', type: :mailer do
        expect(mail.body).not_to include('app/auth/confirmation')
      end
    end
+
+    context 'when user updates the email' do
+      before do
+        confirmable_user.update!(email: 'user@example.com')
+      end
+
+      it 'sends a confirmation link' do
+        confirmation_mail = Devise::Mailer.confirmation_instructions(confirmable_user.reload, nil, {})
+
+        expect(confirmation_mail.body).to include('app/auth/confirmation?confirmation_token')
+        expect(confirmation_mail.body).not_to include('app/auth/password/edit')
+        expect(confirmable_user.unconfirmed_email.blank?).to be false
+      end
+    end
  end
 end