Skip to content

Parse Server option emailVerifyTokenReuseIfValid: true generates new token on every email verification request #8886

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
4 tasks done
mtrezza opened this issue Jan 13, 2024 · 4 comments · Fixed by #8885
Closed
4 tasks done

Parse Server option emailVerifyTokenReuseIfValid: true generates new token on every email verification request #8886

mtrezza opened this issue Jan 13, 2024 · 4 comments · Fixed by #8885
Labels
state:released Released as stable version state:released-alpha Released as alpha version state:released-beta Released as beta version type:bug Impaired feature or lacking behavior that is likely assumed

Comments

@mtrezza
Copy link
Member

mtrezza commented Jan 13, 2024
edited
Loading

New Issue Checklist

Issue Description

The Parse Server option emailVerifyTokenReuseIfValid: true generates a new token on every email verification request. This bug was likely introduced with #8212 where using the masterKey does not provide read access to fields of internal scope, in this case _email_verify_token, _email_verify_token_expires_at.

The bug has not been noticed due to a weak test case which compares the previous to the new token, but does not check whether a token and expiry date is defined at all; since these fields are not returned anymore by the masterKey, the test is comparing undefined values and passes, even if these values have changed in the DB.

parse-server/spec/EmailVerificationToken.spec.js

Lines 928 to 933 in 4aba66c

// verify that our token & expiration has been changed for this new request
expect(typeof userAfterRequest).toBe('object');
expect(userBeforeRequest._email_verify_token).toEqual(userAfterRequest._email_verify_token);
expect(userBeforeRequest._email_verify_token_expires_at).toEqual(
userAfterRequest._email_verify_token_expires_at
);

Steps to reproduce

See failing test in #8885.

Actual Outcome

Token and expiry date are modified.

Expected Outcome

Token and expiry date are not modified.

Environment

Server

  • Parse Server version: 7.0.0-alpha.5
@parse-github-assistant Parse GitHub Assistant
Copy link

parse-github-assistant bot commented Jan 13, 2024
edited
Loading

Thanks for opening this issue!

  • 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

@mtrezza mtrezza added the type:bug Impaired feature or lacking behavior that is likely assumed label Jan 13, 2024
@mtrezza mtrezza mentioned this issue Jan 13, 2024
Merged
1 task
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 7.0.0-alpha.6

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jan 14, 2024
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 7.0.0-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Mar 19, 2024
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 7.0.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
state:released Released as stable version state:released-alpha Released as alpha version state:released-beta Released as beta version type:bug Impaired feature or lacking behavior that is likely assumed
Projects
None yet
Milestone
No milestone
2 participants
@mtrezza @parseplatformorg