Send email to current email address on request to update email

This would ensure unintended email address update don't go unnoticed.
rubygems · Jul 11, 2020 · c4fa27e · c4fa27e
1 parent 59ac1d2
commit c4fa27e
Show file tree

Hide file tree

Showing 14 changed files with 107 additions and 0 deletions.
diff --git a/app/jobs/email_reset_mailer.rb b/app/jobs/email_reset_mailer.rb
@@ -3,6 +3,7 @@ def perform
     user = User.find(user_id)
 
     if user.confirmation_token
+      Mailer.email_reset_update(user).deliver
       Mailer.email_reset(user).deliver
     else
       Rails.logger.info("[jobs:email_reset_mailer] confirmation token not found. skipping sending mail for #{user.handle}")

diff --git a/app/mailers/mailer.rb b/app/mailers/mailer.rb
@@ -13,6 +13,12 @@ def email_reset(user)
           default: "Please confirm your email address with RubyGems.org")
   end
 
+  def email_reset_update(user)
+    @user = user
+    mail to: @user.email,
+         subject: I18n.t("mailer.email_reset_update.subject")
+  end
+
   def email_confirmation(user)
     @user = user
     mail to: @user.email,

diff --git a/app/views/mailer/email_reset_update.erb b/app/views/mailer/email_reset_update.erb
@@ -0,0 +1,36 @@
+<% @title = t(".title") %>
+<% @sub_title = "Hi #{@user.handle}" %>
+
+<!-- Body -->
+<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#ffffff">
+  <tr>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+    <td>
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="35" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+      <div class="h3-1-center" style="color:#1e1e1e; font-family:Georgia, serif; min-width:auto !important; font-size:20px; line-height:26px;">
+        <p>
+          You have requested email update on RubyGems.org. Once you click on confirmation link sent to your new email address, your account will be disassociated from
+          <%= @user.email %>.
+        </p>
+        <p>
+          New email address: <strong><%= @user.unconfirmed_email %></strong>
+        </p>
+        <br/>
+        <p>If this email update is expected, you do not need to take further action.</p>
+        <p>
+          <strong>Only if this email update is unexpected</strong>
+          please take immediate steps to secure your account and gems:
+        </p>
+        <%= render "compromised_instructions"  %>
+      </div>
+
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="30" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="35" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+    </td>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+  </tr>
+</table>
+<!-- END Body -->
diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -147,6 +147,9 @@ de:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title:

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -155,6 +155,9 @@ en:
       subject: RubyGems.org API key was reset
       title: API KEY RESET
       subtitle: Hi %{handle}
+    email_reset_update:
+      subject: You have requested email address update on RubyGems.org
+      title: EMAIL UPDATE REQUESTED
   news:
     show:
       title: New Releases — All Gems

diff --git a/config/locales/es.yml b/config/locales/es.yml
@@ -155,6 +155,9 @@ es:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: Nuevos lanzamientos — Todas las Gemas

diff --git a/config/locales/fr.yml b/config/locales/fr.yml
@@ -147,6 +147,9 @@ fr:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: Nouvelles Versions - Toutes les Gems

diff --git a/config/locales/ja.yml b/config/locales/ja.yml
@@ -147,6 +147,9 @@ ja:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: 新しくリリースされたGem

diff --git a/config/locales/nl.yml b/config/locales/nl.yml
@@ -147,6 +147,9 @@ nl:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title:

diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml
@@ -147,6 +147,9 @@ pt-BR:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: Novos Releases - Todas as Gems

diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml
@@ -147,6 +147,9 @@ zh-CN:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: 全部新发布 Gems

diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml
@@ -147,6 +147,9 @@ zh-TW:
       subject:
       title:
       subtitle:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: 最新發佈

diff --git a/test/functional/profiles_controller_test.rb b/test/functional/profiles_controller_test.rb
@@ -165,7 +165,40 @@ class ProfilesControllerTest < ActionController::TestCase
           refute_equal "cannotchange@tothis.com", @user.unconfirmed_email
         end
       end
+
+      context "updating email" do
+        context "yet to verify the updated email" do
+          setup do
+            @current_email = "john@doe.com"
+            @user = create(:user, email: @current_email)
+            sign_in_as(@user)
+            @new_email = "change@tothis.com"
+          end
+
+          should "set unconfirmed email and confirmation token" do
+            put :update, params: { user: { email: @new_email, password: @user.password } }
+            assert_equal @new_email, @user.unconfirmed_email
+            assert @user.confirmation_token
+          end
+
+          should "not update the current email" do
+            put :update, params: { user: { email: @new_email, password: @user.password } }
+            assert_equal @current_email, @user.email
+          end
+
+          should "send email reset mails to new and current email addresses" do
+            mailer = mock
+            mailer.stubs(:deliver)
+
+            Mailer.expects(:email_reset).returns(mailer).times(1)
+            Mailer.expects(:email_reset_update).returns(mailer).times(1)
+            put :update, params: { user: { email: @new_email, password: @user.password } }
+            Delayed::Worker.new.work_off
+          end
+        end
+      end
     end
+
     context "on DELETE to destroy" do
       context "correct password" do
         should "enqueue deletion request" do

diff --git a/test/mailers/previews/mailer_preview.rb b/test/mailers/previews/mailer_preview.rb
@@ -3,6 +3,10 @@ def email_reset
     Mailer.email_reset(User.last)
   end
 
+  def email_reset_update
+    Mailer.email_reset_update(User.last)
+  end
+
   def email_confirmation
     Mailer.email_confirmation(User.last)
   end