[Feature] Normalize OSF Verification Key [#OSF-6560]

[cslzchen]

Update

• Fix merge conflicts
• Do not reveal user emails in email links
• Normalize verification key
  • forgot and reset password
  • claim contributor-ship
  • confirm registration or email
  • update tests
• Temporary Fix for OSF-6673
• Several minor improvements
• The following will be moved to a new feature ticket: https://openscience.atlassian.net/browse/OSF-6998.
  • Users can resend confirmation email for contributor claim
  • Bug fixing for OSF-6673

Purpose

Issue

When user forgets and resets password, verification key never gets deleted unless overwritten. In addition, validation only checks the key. Neither the user to whom it belongs nor whether it has expired is checked. Furthermore, verification key are used twice instead of "one-time" for several tasks.

Fix

Add User.verification_key_v2 which contains both the token string and an expiration time. Validation now checks username, token and expiration time. Renew the key once used.

Further Fix

There are two other functionality "User Claim Contributor-ship" and "Send/Resend Registration Confirmation Email" that have similar issue. Although they have their own way of verification, both are fixed with the same idea.

Changes

Normalized Verification Key

### defaults.py
# Expiration time for verification key
EXPIRATION_TIME_DICT = {
    'password': 30,         # 30 minutes for forgot and reset password
    'confirm': 24 * 60,     # 24 hours in minutes for confirm account and email
    'claim': 30 * 24 * 60    # 30 days in minutes for claim contributor-ship
}

### core.py
# generate verification key
def generate_verification_key(verification_type=None):
    """
    Generate a one-time verification key with an optional expiration time.
    The type of the verification key determines the expiration time defined in `website.settings.EXPIRATION_TIME_DICT`.

    :param verification_type: None, verify, confirm or claim
    :return: a string or a dictionary
    """
    token = security.random_string(30)
    # v1 with only the token
    if not verification_type:
        return token
    # v2 with a token and the expiration time
    expires = dt.datetime.utcnow() + dt.timedelta(minutes=settings.EXPIRATION_TIME_DICT[verification_type])
    return {
        'token': token,
        'expires': expires,
    }

### core.py/User
    verification_key = fields.StringField()

    verification_key_v2 = fields.DictionaryField(default=dict)
    # Format: {
    #   'token': <the verification token>
    #   'expires': <the verification expiration time>
    # }

    unclaimed_records = fields.DictionaryField(required=False)
    # Format: {
    #   <project_id>: {
    #       'name': <name that referrer provided>,
    #       'referrer_id': <user ID of referrer>,
    #       'token': <the verification token>,
    #       'expires': <the verification expiration time>,
    #       'email': <email the referrer provided or None>,
    #       'claimer_email': <email the claimer entered or None>,
    #       'last_sent': <timestamp of last email sent to referrer or None>
    #   }
    #   ...
    # }

    email_verifications = fields.DictionaryField(default=dict)
    # Format: {
    #   <token> : {
    #       'email': <email address>,
    #       'expiration': <datetime>,
    #       'confirmed': whether user is confirmed or not,
    #       'external_identity': user's external identity,
    #   }
    # }

Other

• Resend confirmation will refresh the token.
• Update get_or_create_user() with verification key.
• Remove duplicated code get_claim_token() and get_confirm_token().
• Remove "lingering" code fragments due to previous merge conflicts.
• Update related routes, makos, factories and tests

Side effects

• Password reset link becomes one time only. No longer valid once clicked.

Ticket

https://openscience.atlassian.net/browse/OSF-6560
https://openscience.atlassian.net/browse/SEC-33

[cslzchen]

For CR: just updated the comments, no code change

[cslzchen]

[To CR] Deprecated Code

[cslzchen]

As discussed with @mfraezz , the resend claim confirmation will be handled in another improvement/feature ticket: https://openscience.atlassian.net/browse/OSF-6998, which takes care of https://openscience.atlassian.net/browse/OSF-6673 along the way.

[mfraezz]

?

[cslzchen]

Please ignore this # TODO, it was supposed to be added here https://github.com/CenterForOpenScience/osf.io/pull/5964/files#diff-9a64b4982d0bd80f7a498c65ddce2023R138.
As discussed on Friday, the decision is to log users out if they are already logged in instead of redirecting them to dashboard for both reset_password_get and forgot_password_get.

[mfraezz]

Can this be removed, then?

[cslzchen]

update: a better message from product @saradbowman. The message is more informative without leaking the exact failure.

[mfraezz]

LGTM 🌳

Dropping this RTM

[brianjgeiger]

@cslzchen There are some merge conflicts that need resolving.

[cslzchen]

add reset_password:

1. for new user from institution login, no need to ask user to reset password after creation, thus no verification key
2. for conference add_poster_by_email, create user and send user confirmation email to reset password, generate reset password verification key

[cslzchen]

set 30 days instead of 7 days claim token, change back to 7 days after resend claim confirmation is implemented: OSF-6998.

[cslzchen]

when user asks to resend confirmation email, refresh the token with renew = True

[cslzchen]

"log user out and redirect back" is more secure and less confusing than just "go to dashboard"
same for forgot_password_get

[cslzchen]

cas login with username and verification key still uses v1 given it is instant verification