[#5964] refresh the token key on email change

2025-11-23 22:55:37 +02:00 · 2024-12-17 11:32:28 +02:00
parent 0d720c3c9d
commit 76b9051011
7 changed files with 78 additions and 38 deletions
--- a/apis/record_auth_email_change_confirm.go
+++ b/apis/record_auth_email_change_confirm.go
@@ -38,9 +38,8 @@ func recordConfirmEmailChange(e *core.RequestEvent) error {
 	event.NewEmail = newEmail

 	return e.App.OnRecordConfirmEmailChangeRequest().Trigger(event, func(e *core.RecordConfirmEmailChangeRequestEvent) error {
-		authRecord.Set(core.FieldNameEmail, e.NewEmail)
-		authRecord.Set(core.FieldNameVerified, true)
-		authRecord.RefreshTokenKey() // invalidate old tokens
+		e.Record.SetEmail(e.NewEmail)
+		e.Record.SetVerified(true)

 		if err := e.App.Save(e.Record); err != nil {
 			return firstApiError(err, e.BadRequestError("Failed to confirm email change.", err))
--- a/apis/record_auth_password_reset_confirm.go
+++ b/apis/record_auth_password_reset_confirm.go
@@ -47,12 +47,12 @@ func recordConfirmPasswordReset(e *core.RequestEvent) error {
 			}
 		}

-		err = form.app.Save(authRecord)
+		err = e.App.Save(authRecord)
 		if err != nil {
 			return firstApiError(err, e.BadRequestError("Failed to set new password.", err))
 		}

-		form.app.Store().Remove(getPasswordResetResendKey(authRecord))
+		e.App.Store().Remove(getPasswordResetResendKey(authRecord))

 		return e.NoContent(http.StatusNoContent)
 	})
--- a/apis/record_auth_password_reset_confirm_test.go
+++ b/apis/record_auth_password_reset_confirm_test.go
@@ -186,11 +186,20 @@ func TestRecordConfirmPasswordReset(t *testing.T) {
 					t.Fatal("Expected the user to be unverified")
 				}

+				oldTokenKey := user.TokenKey()
+
 				// manually change the email to check whether the verified state will be updated
 				user.SetEmail("test_update@example.com")
-				if err := app.Save(user); err != nil {
+				if err = app.Save(user); err != nil {
 					t.Fatalf("Failed to update user test email: %v", err)
 				}
+
+				// resave with the old token key since the email change above
+				// would change it and will make the password token invalid
+				user.SetTokenKey(oldTokenKey)
+				if err = app.Save(user); err != nil {
+					t.Fatalf("Failed to restore original user tokenKey: %v", err)
+				}
 			},
 			AfterTestFunc: func(t testing.TB, app *tests.TestApp, res *http.Response) {
 				_, err := app.FindAuthRecordByToken(
--- a/apis/record_auth_with_oauth2_test.go
+++ b/apis/record_auth_with_oauth2_test.go
@@ -558,12 +558,21 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 					t.Fatalf("Expected password %q to be valid", "1234567890")
 				}

+				oldTokenKey := user.TokenKey()
+
 				// manually unset the user email
 				user.SetEmail("")
-				if err := app.Save(user); err != nil {
+				if err = app.Save(user); err != nil {
 					t.Fatal(err)
 				}

+				// resave with the old token key since the email change above
+				// would change it and will make the password token invalid
+				user.SetTokenKey(oldTokenKey)
+				if err = app.Save(user); err != nil {
+					t.Fatalf("Failed to restore original user tokenKey: %v", err)
+				}
+
 				// register the test provider
 				auth.Providers["test"] = func() auth.Provider {
 					return &oauth2MockProvider{