
feat(users): Email JWT blacklist #3659

Merged
merged 6 commits into from
Feb 15, 2024

Conversation

racnan
Contributor

@racnan racnan commented Feb 15, 2024

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

  • Adding blacklisting for email tokens; this prevents the same email token from being used twice.
  • Change Password & Reset Password log the user out of all open dashboard sessions.

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

Prevents the same email link from being used twice.
Forces users to re-enter their password if the password is changed.

How did you test it?

With Dashboard Frontend.
The following links should not work twice:

  • Magic Link
    To generate a magic link email, use the dashboard frontend or the curl command below.
curl --location --request POST '<URL>/user/connect_account' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": ""
}'
  • Reset Password
    To generate a reset password email, use the dashboard frontend or the curl command below.
curl --location --request POST '<URL>/user/forgot_password' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": ""
}'

All sessions should be logged out after change password or reset password.

Expected error response when an email token is used twice:

{
    "error": {
        "type": "invalid_request",
        "message": "Invalid or expired link",
        "code": "UR_04"
    }
}

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible
  • I added a CHANGELOG entry if applicable
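As an added illustration, not code from this PR, the two behaviours the description promises are modelled in Rust over an in-memory map that stands in for Redis: a one-time email token that is blacklisted on first use for exactly the token's remaining lifetime, and a per-user cutoff that invalidates every session JWT issued before a password change. The key prefix and the cutoff-timestamp approach are assumptions; in a real multi-instance deployment the first-use check must be an atomic set-if-absent with a TTL on Redis, not a read followed by a write.

```rust
use std::collections::{hash_map::Entry, HashMap};
use std::time::Instant;

/// Key prefix assumed to mirror the one quoted in the review comments.
const EMAIL_TOKEN_BLACKLIST_PREFIX: &str = "email_token_blacklist_";

#[derive(Debug, PartialEq)]
pub enum TokenError {
    /// Surfaced to the client as "Invalid or expired link" (UR_04).
    InvalidOrExpired,
}

/// In-memory stand-in for the Redis keyspace (an assumption; the real
/// service would use a SET-if-absent with a TTL on the blacklist key).
#[derive(Default)]
pub struct RevocationStore {
    used_email_tokens: HashMap<String, Instant>,       // key -> token expiry
    sessions_invalid_before: HashMap<String, Instant>, // user_id -> cutoff
}

impl RevocationStore {
    /// Consume a one-time email token. Only the first call for a given token
    /// succeeds, and only while the token itself is unexpired. The blacklist
    /// entry lives exactly as long as the token: replay after expiry is
    /// rejected anyway, and the store stays bounded.
    pub fn consume_email_token(&mut self, token: &str, expires_at: Instant, now: Instant)
        -> Result<(), TokenError> {
        if now >= expires_at {
            return Err(TokenError::InvalidOrExpired);
        }
        self.used_email_tokens.retain(|_, exp| *exp > now); // evict expired entries
        let key = format!("{}{}", EMAIL_TOKEN_BLACKLIST_PREFIX, token);
        match self.used_email_tokens.entry(key) {
            Entry::Occupied(_) => Err(TokenError::InvalidOrExpired), // second use
            Entry::Vacant(v) => { v.insert(expires_at); Ok(()) }      // first use
        }
    }

    /// Password change or reset: record a cutoff so every session JWT issued
    /// before this instant is treated as logged out.
    pub fn invalidate_sessions(&mut self, user_id: &str, now: Instant) {
        self.sessions_invalid_before.insert(user_id.to_string(), now);
    }

    /// A session JWT is still valid only if it was issued at or after the
    /// user's cutoff (no cutoff recorded means no forced logout has happened).
    pub fn session_is_valid(&self, user_id: &str, issued_at: Instant) -> bool {
        self.sessions_invalid_before.get(user_id).map_or(true, |cutoff| issued_at >= *cutoff)
    }
}
```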

@racnan racnan added S-waiting-on-review Status: This PR has been implemented and needs to be reviewed A-users Area: Users labels Feb 15, 2024
@racnan racnan self-assigned this Feb 15, 2024
@racnan racnan requested review from a team as code owners February 15, 2024 12:21
@racnan racnan linked an issue Feb 15, 2024 that may be closed by this pull request
Contributor

@ThisIsMani ThisIsMani left a comment


Minor suggestions

crates/router/src/core/user.rs (two review threads, outdated and resolved)
ThisIsMani
ThisIsMani previously approved these changes Feb 15, 2024
let redis_conn = get_redis_connection(state).change_context(UserErrors::InternalServerError)?;
let blacklist_key = format!("{}{token}", EMAIL_TOKEN_BLACKLIST_PREFIX);
let key_exists = redis_conn
.exists::<()>(blacklist_key.as_str())
Member

remove this

@likhinbopanna likhinbopanna removed the S-waiting-on-review Status: This PR has been implemented and needs to be reviewed label Feb 15, 2024
@likhinbopanna likhinbopanna added this pull request to the merge queue Feb 15, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Feb 15, 2024
@likhinbopanna likhinbopanna added this pull request to the merge queue Feb 15, 2024
Merged via the queue into main with commit a9e3d74 Feb 15, 2024
16 of 18 checks passed
@likhinbopanna likhinbopanna deleted the impl-email-blacklist branch February 15, 2024 16:21
Labels
A-users Area: Users
Projects
None yet
Development

Successfully merging this pull request may close these issues.

feat: Email blacklist
4 participants