
chore: Fix user email re-confirmation flow #3581

Merged
merged 4 commits into develop from email-confirmation-flow on Dec 16, 2021

Conversation

@aswindevps (Contributor) commented Dec 15, 2021

Description

Users can change their email from profile settings. They will be logged out immediately. Users can log in again with the updated email without verifying it. This is a security problem.

So this change forces the user to re-confirm the email after changing it. Users can log in with the updated email only after the confirmation.

Fixes: https://huntr.dev/bounties/7afd04b4-232e-4907-8a3c-acf8bd4b5b22/

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  1. Go to user profile settings.
  2. Update the email.
    a. User should be logged out.
    b. User should receive a confirmation link in the updated email.
  3. Confirm the updated email.
  4. Login with the updated email.
  5. Go to user profile settings and verify the updated email.

Checklist:

  • I have performed a self-review of my own code
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
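The flow described above, as an added illustrative model written for this page (it is not Chatwoot's code and does not use Devise): with `reconfirmable: false` the new address replaces the confirmed one at once and can be used to log in without ever being verified, which is the problem the PR reports; with `reconfirmable: true` the new address is held as pending, a token is mailed to it, all sessions are revoked, and only the confirmed address authenticates until the token is presented. The `Account` class, the 24-hour token lifetime, and the rule that the old address keeps working until the new one is confirmed are assumptions of this example, not statements from the PR; the plaintext password comparison stands in for a real hash check.

```ruby
require "securerandom"
require "digest"

# Added example (not Chatwoot's code): minimal model of an email change with
# and without mandatory re-confirmation.
class Account
  TOKEN_TTL = 24 * 60 * 60 # seconds; assumed lifetime of a confirmation link

  attr_reader :confirmed_email, :unconfirmed_email, :sessions

  def initialize(email, password, reconfirmable: true)
    @confirmed_email = email       # the only address that may authenticate
    @unconfirmed_email = nil       # pending address, awaiting its token
    @confirmation_digest = nil     # SHA-256 of the mailed token
    @confirmation_sent_at = nil
    @password = password           # stand-in for a password hash
    @reconfirmable = reconfirmable
    @sessions = []                 # ids of live sessions
  end

  # Change the address. Returns the raw token the mailer would send to the
  # NEW address (nil when no confirmation is required). Every session is
  # revoked either way, matching step 2a of the PR's test plan.
  def change_email(new_email, now: Time.now)
    @sessions.clear
    unless @reconfirmable
      @confirmed_email = new_email # pre-fix behaviour: trusted immediately
      return nil
    end
    raw = SecureRandom.hex(16)
    @unconfirmed_email = new_email
    @confirmation_digest = Digest::SHA256.hexdigest(raw) # never store the raw token
    @confirmation_sent_at = now
    raw
  end

  # Consume the mailed token. Single use: the digest is cleared on success,
  # and an expired or mismatching token changes nothing.
  def confirm(token, now: Time.now)
    return false if @confirmation_digest.nil?
    return false if now - @confirmation_sent_at > TOKEN_TTL
    return false unless secure_compare(Digest::SHA256.hexdigest(token.to_s), @confirmation_digest)
    @confirmed_email = @unconfirmed_email
    @unconfirmed_email = nil
    @confirmation_digest = nil
    @confirmation_sent_at = nil
    true
  end

  # Only the confirmed address authenticates. Returns a session id or nil.
  def login(email, password)
    return nil unless email == @confirmed_email && password == @password
    sid = SecureRandom.hex(8)
    @sessions << sid
    sid
  end

  private

  # Constant-time comparison of two equal-length hex digests.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  acct = Account.new("old@example.com", "s3cret")
  token = acct.change_email("new@example.com")
  puts "login with unconfirmed address: #{acct.login("new@example.com", "s3cret").inspect}"
  puts "confirm: #{acct.confirm(token)}"
  puts "login after confirmation: #{acct.login("new@example.com", "s3cret") ? "ok" : "denied"}"
end
```

The important property is that `login` never consults `unconfirmed_email`: the pending address is data, not an identity, until the token that was sent to it comes back. Storing only a digest of the token means a database read does not yield a usable confirmation link, and clearing the digest on success makes each link single-use.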

@pr-triage pr-triage bot added the PR: unreviewed This pull request is yet to be reviewed. label Dec 15, 2021
@aswindevps aswindevps changed the title Fix user email reconfirmation flow Fix user email re-confirmation flow Dec 15, 2021
@aswindevps aswindevps temporarily deployed to staging-chatwoot December 15, 2021 10:49 Inactive
@sojan-official sojan-official changed the title Fix user email re-confirmation flow chore: Fix user email re-confirmation flow Dec 15, 2021
@tejaswinichile (Contributor) left a comment

LGTM 💯

@pr-triage pr-triage bot added PR: partially-approved Not all reviewers have approved the PR and removed PR: unreviewed This pull request is yet to be reviewed. labels Dec 16, 2021
@sojan-official sojan-official merged commit 5ee209c into develop Dec 16, 2021
@sojan-official sojan-official deleted the email-confirmation-flow branch December 16, 2021 14:02
@pr-triage pr-triage bot added PR: merged The pull request is merged to another branch and removed PR: partially-approved Not all reviewers have approved the PR labels Dec 16, 2021
github-actions bot commented Aug 9, 2022

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 9, 2022