Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add new Parse Server option preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address #8451

Merged
merged 12 commits into from
Jun 7, 2023
101 changes: 51 additions & 50 deletions spec/ValidationAndPasswordsReset.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -242,8 +242,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
});
});

it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', done => {
const user = new Parse.User();
it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', async () => {
let sendEmailOptions;
const emailAdapter = {
sendVerificationEmail: options => {
Expand All @@ -252,59 +251,32 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => {},
};
reconfigureServer({
await reconfigureServer({
appName: 'emailing app',
verifyUserEmails: true,
preventLoginWithUnverifiedEmail: true,
emailAdapter: emailAdapter,
publicServerURL: 'http://localhost:8378/1',
})
.then(() => {
user.setPassword('other-password');
user.setUsername('user');
user.set('email', '[email protected]');
return user.signUp();
})
.then(() => {
expect(sendEmailOptions).not.toBeUndefined();
request({
url: sendEmailOptions.link,
followRedirects: false,
}).then(response => {
expect(response.status).toEqual(302);
expect(response.text).toEqual(
'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
);
user
.fetch({ useMasterKey: true })
.then(
() => {
expect(user.get('emailVerified')).toEqual(true);

Parse.User.logIn('user', 'other-password').then(
user => {
expect(typeof user).toBe('object');
expect(user.get('emailVerified')).toBe(true);
done();
},
() => {
fail('login should have succeeded');
done();
}
);
},
err => {
jfail(err);
fail('this should not fail');
done();
}
)
.catch(err => {
jfail(err);
done();
});
});
});
});
let user = new Parse.User();
user.setPassword('other-password');
user.setUsername('user');
user.set('email', '[email protected]');
await user.signUp();
expect(sendEmailOptions).not.toBeUndefined();
const response = await request({
url: sendEmailOptions.link,
followRedirects: false,
});
expect(response.status).toEqual(302);
expect(response.text).toEqual(
'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
);
user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
expect(user.get('emailVerified')).toEqual(true);
user = await Parse.User.logIn('user', 'other-password');
expect(typeof user).toBe('object');
expect(user.get('emailVerified')).toBe(true);
});

it('allows user to login if email is not verified but preventLoginWithUnverifiedEmail is set to false', done => {
Expand Down Expand Up @@ -345,6 +317,35 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
});
});

it('does not allow signup with preventSignupWithUnverified', async () => {
let sendEmailOptions;
const emailAdapter = {
sendVerificationEmail: options => {
sendEmailOptions = options;
},
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => {},
};
await reconfigureServer({
appName: 'test',
publicServerURL: 'http://localhost:1337/1',
verifyUserEmails: true,
preventLoginWithUnverifiedEmail: true,
preventSignupWithUnverifiedEmail: true,
emailAdapter,
});
const newUser = new Parse.User();
newUser.setPassword('asdf');
newUser.setUsername('zxcv');
newUser.set('email', '[email protected]');
await expectAsync(newUser.signUp()).toBeRejectedWith(
new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.')
);
const user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
expect(user).toBeDefined();
expect(sendEmailOptions).toBeDefined();
});

it('fails if you include an emailAdapter, set a publicServerURL, but have no appName and send a password reset email', done => {
reconfigureServer({
appName: undefined,
Expand Down
40 changes: 17 additions & 23 deletions spec/VerifyUserPassword.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -353,8 +353,9 @@ describe('Verify User Password', () => {
done();
});
});
it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', done => {
reconfigureServer({

it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', async () => {
await reconfigureServer({
publicServerURL: 'http://localhost:8378/',
appName: 'emailVerify',
verifyUserEmails: true,
Expand All @@ -364,28 +365,21 @@ describe('Verify User Password', () => {
apiKey: 'k',
domain: 'd',
}),
})
.then(() => {
const user = new Parse.User();
return user.save({
username: 'unverified-user',
password: 'mypass',
email: '[email protected]',
});
})
.then(() => {
return verifyPassword('[email protected]', 'mypass', true);
})
.then(res => {
expect(res.status).toBe(400);
expect(res.text).toMatch('{"code":205,"error":"User email is not verified."}');
done();
})
.catch(err => {
fail(err);
done();
});
});
const user = new Parse.User();
await user.save({
username: 'unverified-user',
password: 'mypass',
email: '[email protected]',
});
const res = await verifyPassword('[email protected]', 'mypass', true);
expect(res.status).toBe(400);
expect(res.data).toEqual({
code: Parse.Error.EMAIL_NOT_FOUND,
error: 'User email is not verified.',
});
});

it('verify password lock account if failed verify password attempts are above threshold', done => {
reconfigureServer({
appName: 'lockout threshold',
Expand Down
7 changes: 7 additions & 0 deletions src/Options/Definitions.js
Original file line number Diff line number Diff line change
Expand Up @@ -412,6 +412,13 @@ module.exports.ParseServerOptions = {
action: parsers.booleanParser,
default: false,
},
preventSignupWithUnverifiedEmail: {
env: 'PARSE_SERVER_PREVENT_SIGNUP_WITH_UNVERIFIED_EMAIL',
help:
"If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.<br><br>Default is `false`.<br>Requires option `verifyUserEmails: true`.",
action: parsers.booleanParser,
default: false,
},
protectedFields: {
env: 'PARSE_SERVER_PROTECTED_FIELDS',
help: 'Protected fields that should be treated with extra security when fetching details.',
Expand Down
1 change: 1 addition & 0 deletions src/Options/docs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 7 additions & 0 deletions src/Options/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,13 @@ export interface ParseServerOptions {
Requires option `verifyUserEmails: true`.
:DEFAULT: false */
preventLoginWithUnverifiedEmail: ?boolean;
/* If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.
<br><br>
Default is `false`.
<br>
Requires option `verifyUserEmails: true`.
:DEFAULT: false */
preventSignupWithUnverifiedEmail: ?boolean;
/* Set the validity duration of the email verification token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to `undefined`, then the token never expires.
<br><br>
For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).
Expand Down
6 changes: 5 additions & 1 deletion src/RestWrite.js
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,9 @@ RestWrite.prototype.execute = function () {
this.response.response.authDataResponse = this.authDataResponse;
}
}
if (this.storage.rejectSignup && this.config.preventSignupWithUnverifiedEmail) {
throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
}
return this.response;
});
};
Expand Down Expand Up @@ -879,7 +882,8 @@ RestWrite.prototype.createSessionTokenIfNeeded = function () {
this.config.verifyUserEmails
) {
// verification is on
return; // do not create the session token in that case!
this.storage.rejectSignup = true;
return;
}
return this.createSessionToken();
};
Expand Down