From 346d6438f874fb53980c1f6864ea7af5d46c7a2b Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Tue, 23 Mar 2021 16:38:37 +0100
Subject: [PATCH] Fix changing changing email and validating new email with bad token
Signed-off-by: Thomas Citharel
---
 js/src/views/User/EmailValidate.vue | 1 +
 lib/graphql/resolvers/user.ex | 5 ++-
 test/graphql/resolvers/user_test.exs | 53 ++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/js/src/views/User/EmailValidate.vue b/js/src/views/User/EmailValidate.vue
index 1a3fd435b..f6085314b 100644
--- a/js/src/views/User/EmailValidate.vue
+++ b/js/src/views/User/EmailValidate.vue
@@ -47,6 +47,7 @@ export default class Validate extends Vue {
 this.loading = false;
 await this.$router.push({ name: RouteName.HOME });
 } catch (err) {
+ this.loading = false;
 console.error(err);
 this.failed = true;
 }
diff --git a/lib/graphql/resolvers/user.ex b/lib/graphql/resolvers/user.ex
index 1893bab0d..f08c7e813 100644
--- a/lib/graphql/resolvers/user.ex
+++ b/lib/graphql/resolvers/user.ex
@@ -389,7 +389,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
 end
 def validate_email(_parent, %{token: token}, _resolution) do
- with %User{} = user <- Users.get_user_by_activation_token(token),
+ with {:get, %User{} = user} <- {:get, Users.get_user_by_activation_token(token)},
 {:ok, %User{} = user} <-
 user
 |> User.changeset(%{
@@ -400,6 +400,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
 })
 |> Repo.update() do
 {:ok, user}
+ else
+ {:get, nil} ->
+ {:error, dgettext("errors", "Invalid activation token")}
 end
 end
diff --git a/test/graphql/resolvers/user_test.exs b/test/graphql/resolvers/user_test.exs
index 46b2a8cde..b0e4fc5c2 100644
--- a/test/graphql/resolvers/user_test.exs
+++ b/test/graphql/resolvers/user_test.exs
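Review bot: `this.loading = false;` now appears in both the try body and the catch block of the EmailValidate.vue hunk, so the two paths can drift apart on the next edit. A `finally { this.loading = false; }` after the catch resets the flag on every exit from the block; the existing assignment before the router push could then probably be dropped, though whether anything observes `loading` during the `await this.$router.push(...)` is not visible here, so keep it if that ordering matters. The enclosing method of `Validate` starts outside the hunk.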
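Review bot: The `else` block added in the `@@ -400,6 +400,9 @@` hunk of user.ex turns every non-matching value into a `WithClauseError`: when `Repo.update()` returns `{:error, %Ecto.Changeset{}}`, no `else` clause matches it, so `validate_email/3` now crashes where it previously returned the changeset error to the GraphQL caller. Add a clause for that shape, `{:error, %Ecto.Changeset{} = changeset} -> {:error, changeset}`, or keep the old passthrough with `error -> error` as the last clause. The `{:get, ...}` tagging in the first hunk (`@@ -389,7 +389,7 @@`) is the with/else pattern that reconstructs which step failed; having `Users.get_user_by_activation_token/1` return a self-describing tuple would make the `else` unnecessary, but that is a wider change than this commit. The body of `validate_email/3` spans both hunks, and the changeset fields between them are outside the patch.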
@@ -1113,6 +1113,59 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
 assert user.unconfirmed_email == nil
 end
+ test "change_email/3 with valid email but invalid token", %{conn: conn} do
+ {:ok, %User{} = user} = Users.register(%{email: @old_email, password: @password})
+
+ # Hammer time !
+ {:ok, %User{} = _user} =
+ Users.update_user(user, %{
+ confirmed_at: Timex.shift(user.confirmation_sent_at, hours: -3),
+ confirmation_sent_at: nil,
+ confirmation_token: nil
+ })
+
+ res =
+ conn
+ |> AbsintheHelpers.graphql_query(
+ query: @login_mutation,
+ variables: %{email: @old_email, password: @password}
+ )
+
+ login = res["data"]["login"]
+ assert Map.has_key?(login, "accessToken") && not is_nil(login["accessToken"])
+
+ res =
+ conn
+ |> auth_conn(user)
+ |> AbsintheHelpers.graphql_query(
+ query: @change_email_mutation,
+ variables: %{email: @new_email, password: @password}
+ )
+
+ assert res["errors"] == nil
+ assert res["data"]["changeEmail"]["id"] == to_string(user.id)
+
+ user = Users.get_user!(user.id)
+ assert user.email == @old_email
+ assert user.unconfirmed_email == @new_email
+
+ assert_delivered_email(Email.User.send_email_reset_old_email(user))
+ assert_delivered_email(Email.User.send_email_reset_new_email(user))
+
+ res =
+ conn
+ |> AbsintheHelpers.graphql_query(
+ query: @validate_email_mutation,
+ variables: %{token: "some token"}
+ )
+
+ assert hd(res["errors"])["message"] == "Invalid activation token"
+
+ user = Users.get_user!(user.id)
+ assert user.email == @old_email
+ assert user.unconfirmed_email == @new_email
+ end
+
 test "change_email/3 with invalid password", %{conn: conn} do
 {:ok, %User{} = user} = Users.register(%{email: @old_email, password: @password})