Fix changing changing email and validating new email with bad token

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-03-23 16:38:37 +01:00 · 2021-03-23 16:38:37 +01:00 · 346d6438f8
parent faa92aebd9
commit 346d6438f8
3 changed files with 58 additions and 1 deletions
--- a/js/src/views/User/EmailValidate.vue
+++ b/js/src/views/User/EmailValidate.vue
@ -47,6 +47,7 @@ export default class Validate extends Vue {
      this.loading = false;
      await this.$router.push({ name: RouteName.HOME });
    } catch (err) {
+      this.loading = false;
      console.error(err);
      this.failed = true;
    }
--- a/lib/graphql/resolvers/user.ex
+++ b/lib/graphql/resolvers/user.ex
@ -389,7 +389,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  end

  def validate_email(_parent, %{token: token}, _resolution) do
-    with %User{} = user <- Users.get_user_by_activation_token(token),
+    with {:get, %User{} = user} <- {:get, Users.get_user_by_activation_token(token)},
         {:ok, %User{} = user} <-
           user
           |> User.changeset(%{
@ -400,6 +400,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
           })
           |> Repo.update() do
      {:ok, user}
+    else
+      {:get, nil} ->
+        {:error, dgettext("errors", "Invalid activation token")}
    end
  end

--- a/test/graphql/resolvers/user_test.exs
+++ b/test/graphql/resolvers/user_test.exs
@ -1113,6 +1113,59 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
      assert user.unconfirmed_email == nil
    end

+    test "change_email/3 with valid email but invalid token", %{conn: conn} do
+      {:ok, %User{} = user} = Users.register(%{email: @old_email, password: @password})
+
+      # Hammer time !
+      {:ok, %User{} = _user} =
+        Users.update_user(user, %{
+          confirmed_at: Timex.shift(user.confirmation_sent_at, hours: -3),
+          confirmation_sent_at: nil,
+          confirmation_token: nil
+        })
+
+      res =
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @login_mutation,
+          variables: %{email: @old_email, password: @password}
+        )
+
+      login = res["data"]["login"]
+      assert Map.has_key?(login, "accessToken") && not is_nil(login["accessToken"])
+
+      res =
+        conn
+        |> auth_conn(user)
+        |> AbsintheHelpers.graphql_query(
+          query: @change_email_mutation,
+          variables: %{email: @new_email, password: @password}
+        )
+
+      assert res["errors"] == nil
+      assert res["data"]["changeEmail"]["id"] == to_string(user.id)
+
+      user = Users.get_user!(user.id)
+      assert user.email == @old_email
+      assert user.unconfirmed_email == @new_email
+
+      assert_delivered_email(Email.User.send_email_reset_old_email(user))
+      assert_delivered_email(Email.User.send_email_reset_new_email(user))
+
+      res =
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @validate_email_mutation,
+          variables: %{token: "some token"}
+        )
+
+      assert hd(res["errors"])["message"] == "Invalid activation token"
+
+      user = Users.get_user!(user.id)
+      assert user.email == @old_email
+      assert user.unconfirmed_email == @new_email
+    end
+
    test "change_email/3 with invalid password", %{conn: conn} do
      {:ok, %User{} = user} = Users.register(%{email: @old_email, password: @password})