
fix: prevent session issuance on already-verified verify-email calls #20

Closed
study8677 wants to merge 1 commit into main from codex/propose-fix-for-email-verification-vulnerability

Conversation

@study8677
Owner

Motivation

  • The public POST /api/v1/auth/verify-email handler could issue a valid session for any already-verified user_id without checking a code or credentials, enabling account takeover when users were backfilled as verified.
  • The change prevents an unauthenticated caller from obtaining a session cookie for another account while preserving the normal verify flow for unverified users.

Description

  • Replace the idempotent sign-in branch in src/opencmo/web/app.py so that an already-verified user returns {"ok": false, "error": "already_verified"} with status 400 instead of calling _json_with_session and setting a session cookie.
  • Add a regression test tests/test_email_verification.py::test_verify_email_already_verified_requires_login_flow that confirms a first valid verify signs in and a second unauthenticated verify for the same user returns already_verified and does not set opencmo_session.
  • Changes are limited to the verify-email handler and the new test to minimize behavioral impact.

Testing

  • Ran pytest tests/test_email_verification.py -q which initially failed collection in this environment due to ModuleNotFoundError: No module named 'opencmo' when PYTHONPATH was not set.
  • Re-ran with PYTHONPATH=src pytest tests/test_email_verification.py -q; collection succeeded but the local environment skips optional test setup so the suite reported skipped tests and no functional failures (collection validated the new regression test).
  • The new test is included and will run in CI where the test environment is fully provisioned; the change is minimal and focused on removing the session issuance vector.

Codex Task
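As an added illustration of the bug and fix described in this PR (this is constructed example code, not opencmo's handler; the user model, code check, `_json_with_session` stand-in and response shape are all assumptions), the pre-fix idempotent sign-in branch sits beside the fixed branch so the two behaviours can be compared on the same inputs:

```python
# Constructed stand-ins for the verify-email flow; NOT the opencmo code base.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: str
    verified: bool = False          # True for users "backfilled as verified"
    verify_code: Optional[str] = None


USERS: dict = {}      # user_id -> User   (constructed in-memory store)
SESSIONS: dict = {}   # session token -> user_id


def _json(body: dict, status: int) -> dict:
    """Plain JSON response with no cookie attached."""
    return {"status": status, "body": body, "set_cookie": None}


def _json_with_session(user_id: str, body: dict, status: int = 200) -> dict:
    """Stand-in for the real helper: mint a session and set the cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return {"status": status, "body": body, "set_cookie": {"opencmo_session": token}}


def _verify_code(user: User, payload: dict) -> dict:
    """Normal path: an unverified user supplying the correct code gets signed in."""
    code = payload.get("code", "")
    if not user.verify_code or not secrets.compare_digest(code, user.verify_code):
        return _json({"ok": False, "error": "invalid_code"}, 400)
    user.verified, user.verify_code = True, None
    return _json_with_session(user.user_id, {"ok": True})


def verify_email_vulnerable(payload: dict) -> dict:
    """Pre-fix shape: any already-verified user_id is signed in with no code check."""
    user = USERS.get(payload.get("user_id", ""))
    if user is None:
        return _json({"ok": False, "error": "invalid_code"}, 400)
    if user.verified:
        return _json_with_session(user.user_id, {"ok": True})   # the takeover vector
    return _verify_code(user, payload)


def verify_email_fixed(payload: dict) -> dict:
    """Post-fix shape: already-verified users are refused and no cookie is set."""
    user = USERS.get(payload.get("user_id", ""))
    if user is None:
        return _json({"ok": False, "error": "invalid_code"}, 400)
    if user.verified:
        return _json({"ok": False, "error": "already_verified"}, 400)
    return _verify_code(user, payload)
```

The regression check the PR describes then reduces to: a first valid verify returns a cookie, a second unauthenticated call for the same user_id returns already_verified with no cookie.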

study8677 added a commit that referenced this pull request May 21, 2026
* fix: validate and dedupe geo ask platforms

* fix: bind docker compose port to localhost by default

* fix: prevent verify-email auth bypass for verified users

* fix: fail closed for account-scoped publish credentials

* fix: prevent admin privilege escalation via signup

* test: update admin/publisher tests for security fixes

- test_publishers.py: replace env vars with llm.set_request_keys() since
  publish credentials no longer fall back to os.environ (account-scoped).
- test_trial_platform.py: add _seed_admin() helper that activates the
  bootstrapped !unusable admin row directly, since signup can no longer
  claim that row to prevent admin privilege escalation.

* test: fix ruff I001 import order
@study8677
Owner Author

Incorporated via #27 → main.

@study8677 study8677 closed this May 21, 2026

1 participant