This repository was archived by the owner on Sep 30, 2024. It is now read-only.
passwords: also verify email when resetting passwords #46307
Merged
Bundle size report
Look at the Statoscope report for a full comparison between the commits f26ecc5 and b897993.
evict approved these changes on Jan 11, 2023
bobheadxi referenced this pull request on Jan 25, 2023
Today, users created with `mutation { createUser }` automatically have their emails marked as verified, even if the email is bogus. This could cause us to automatically send potentially large numbers of emails to nonexistent email addresses (see sourcegraph/customer#1790). To mitigate this, this change marks the emails of created users as unverified if SMTP is configured.
This has implications for Cloud instances, where `mutation { createUser }` is frequently used to create initial admin users. After this change, these users may receive a more limited set of emails (i.e. https://github.com/sourcegraph/sourcegraph/pull/46184) and have limited capabilities (i.e. unable to link an account via an external service) until they verify their email by:
1. using a "set password" or "reset password" link delivered by email (https://github.com/sourcegraph/sourcegraph/pull/46307)
2. using "verify email" in user settings to send an email verification
3. a site admin verifying the user email manually via the `setUserEmailVerified` mutation or the UI
## Test plan
I've added new unit tests that cover the old and new set password behaviour on the mutation.
Manual test:
1. `sg start`, configured with SMTP in `dev-private`
2. Site admin -> users -> create `testuser` with email
3. Site admin -> users -> `testuser` -> emails -> primary email is unverified
4. Log out
5. Click the password reset link in the email
6. Log in
7. User -> emails -> primary email is verified
Co-authored-by: Joe Chen <joe@sourcegraph.com>
Co-authored-by: Milan Freml <kopancek@users.noreply.github.com>
With this change, when setting and resetting passwords, if the primary email is not verified, the emailed link (not the copy-paste-able one) will now also verify the email when a user resets their password.
Addresses https://github.com/sourcegraph/sourcegraph/pull/46187#issuecomment-1373337503 as part of https://github.com/sourcegraph/customer/issues/1790.
## Test plan
`sg start` with SMTP configuration
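The two behaviours described on this page, marking a created user's email unverified when SMTP is configured (the referenced `createUser` change) and letting only the *emailed* set/reset-password link double as email verification (this PR), as an added stand-alone Go example. This is not Sourcegraph's code: `Store`, `resetToken`, `IssueResetLink`, `SendResetEmail`, the `reset-password?code=` URL shape and the SHA-256 placeholder for password hashing are all hypothetical. The security point it encodes is that a code which travelled through the user's mailbox proves control of that mailbox, while the copy-pasteable link a site admin can hand over proves nothing about the address and so must never flip the verified bit.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// User is a hypothetical minimal account record (not Sourcegraph's type).
type User struct {
	ID            int
	Email         string
	EmailVerified bool
	PasswordHash  string
}

// resetToken is the server-side record for one set/reset-password code.
// viaEmail records that the code was delivered to the user's mailbox; only
// such codes may double as proof that the user controls the address.
type resetToken struct {
	userID   int
	expires  time.Time
	viaEmail bool
}

// Store is an in-memory stand-in for the database and the mailer.
type Store struct {
	smtpConfigured bool
	users          map[int]*User
	tokens         map[string]resetToken
	nextID         int
	Outbox         []string // constructed stand-in for sent mail: one link per message
}

func NewStore(smtpConfigured bool) *Store {
	return &Store{smtpConfigured: smtpConfigured, users: map[int]*User{}, tokens: map[string]resetToken{}}
}

// CreateUser: with SMTP configured the address starts unverified, because it
// can be verified later by email. Without SMTP there is no way to ever verify
// it, so it is marked verified at creation (the pre-existing behaviour).
func (s *Store) CreateUser(email string) *User {
	s.nextID++
	u := &User{ID: s.nextID, Email: email, EmailVerified: !s.smtpConfigured}
	s.users[u.ID] = u
	return u
}

func newCode() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure randomness available: refuse to mint a code
	}
	return hex.EncodeToString(b)
}

func (s *Store) issue(userID int, viaEmail bool) (string, error) {
	if _, ok := s.users[userID]; !ok {
		return "", errors.New("no such user")
	}
	code := newCode()
	s.tokens[code] = resetToken{userID: userID, expires: time.Now().Add(time.Hour), viaEmail: viaEmail}
	return fmt.Sprintf("https://sourcegraph.example/reset-password?code=%s", code), nil // hypothetical URL
}

// IssueResetLink is the copy-pasteable link shown to a site admin. It is not
// tied to the mailbox, so redeeming it must never verify the email.
func (s *Store) IssueResetLink(userID int) (string, error) { return s.issue(userID, false) }

// SendResetEmail delivers a link to the user's address; that link is flagged
// viaEmail so redeeming it proves control of the mailbox.
func (s *Store) SendResetEmail(userID int) error {
	link, err := s.issue(userID, true)
	if err != nil {
		return err
	}
	s.Outbox = append(s.Outbox, link)
	return nil
}

// TokenFromLink extracts the code query parameter, as the reset page would.
func TokenFromLink(link string) string {
	u, err := url.Parse(link)
	if err != nil {
		return ""
	}
	return u.Query().Get("code")
}

// ResetPassword redeems a single-use code: it sets the password and, only for a
// code that travelled through the user's mailbox, marks an unverified email as verified.
func (s *Store) ResetPassword(code, newPassword string) error {
	t, ok := s.tokens[code]
	if !ok || time.Now().After(t.expires) {
		return errors.New("invalid or expired code")
	}
	delete(s.tokens, code) // single use, burned before anything else happens
	u := s.users[t.userID]
	sum := sha256.Sum256([]byte(newPassword)) // placeholder so the example is std-lib only; use bcrypt/argon2id in production
	u.PasswordHash = hex.EncodeToString(sum[:])
	if t.viaEmail && !u.EmailVerified {
		u.EmailVerified = true
	}
	return nil
}

func main() {
	s := NewStore(true)
	u := s.CreateUser("testuser@example.com")
	_ = s.SendResetEmail(u.ID)
	_ = s.ResetPassword(TokenFromLink(s.Outbox[0]), "correct horse battery staple")
	fmt.Println("verified after emailed reset:", u.EmailVerified)
}
```

The distinction lives in the token record, not in the URL, so an admin cannot turn a copy-pasted link into a verifying one by editing it; the code is also burned before the password or verified bit is touched, so a leaked link cannot be replayed.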