Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: set hook for email change when only phone identity present #1865

Closed
wants to merge 4 commits into from
Closed

fix: set hook for email change when only phone identity present #1865

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4c7d8f9
fix: update conditions for setting token
J0 Dec 9, 2024
efa0f2d
fix: refactor checks
J0 Dec 17, 2024
409c941
fix: update the token inserted
J0 Dec 17, 2024
71213f7
fix: revert to using EmailChangeTokenCurrent
J0 Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 9 additions & 8 deletions internal/api/mail.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -650,21 +650,22 @@ func (a *API) sendEmail(r *http.Request, tx *storage.Connection, u *models.User,
}

if config.Hook.SendEmail.Enabled {
// When secure email change is disabled, we place the token for the new email on emailData.Token
if emailActionType == mail.EmailChangeVerification && !config.Mailer.SecureEmailChangeEnabled && u.GetEmail() != "" {
otp = otpNew
}

emailData := mail.EmailData{
Token: otp,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, there is no token passed in into the email hook when an email change is attempted right after a phone sign up.

what is the initial value of otp here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be "" if there's secure email change is not enabled. If it's enabled, and there's no phone linked to it it doesn't get set so it remains as "".

ref

EmailActionType: emailActionType,
RedirectTo: referrerURL,
SiteURL: externalURL.String(),
TokenHash: tokenHashWithPrefix,
}
if emailActionType == mail.EmailChangeVerification && config.Mailer.SecureEmailChangeEnabled && u.GetEmail() != "" {
emailData.TokenNew = otpNew
emailData.TokenHashNew = u.EmailChangeTokenCurrent
if emailActionType == mail.EmailChangeVerification {
// When secure email change is disabled, we place the token for the new email on emailData.Token
if !config.Mailer.SecureEmailChangeEnabled {
// Token Hash should already be set above
emailData.Token = otpNew
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this mean that the actual value in TokenHash will be different from the otpNew ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value in emailData.Token should be computed from otpNew in line 511 and should be the same I believe. Was tested locally by printing otpNew before sendEmail is called and by printing emailData.Token after

} else {
emailData.TokenNew = otpNew
emailData.TokenHashNew = u.EmailChangeTokenCurrent
}
}
input := hooks.SendEmailInput{
User: u,
Expand Down
Loading