Bug: email verifications not working when clicking on "verify email" button

[ccostino]

Who discovered this?

carlo.costino@gsa.gov

What happened?

When a user is asked to verify their email address after the 90 day window and clicks on the link in the email, they're taking to the page to click a button that says verify email.

Clicking that button results in a Page Not Found error, and the email is not verified.

Environment

production

What pages did this appear on?

https://beta.notify.gov/email-auth/.

Notice the . at the start of the email auth code - in the email it's encoded as %2E - is that supposed to be there?

This also results in a 404 in the admin server logs.

Detail the steps for someone to reproduce

@sheevdave and I have both experienced this so far this week. I'm not sure if it's related to the Login.gov work or not.

What browsers are you seeing the problem on?

No response

Relevant log output

No response

[ccostino]

After checking this over locally, I think this is related to the Login.gov updates that need to be pushed out. It appears to be working fine again, and likely is related to the same issue as the user invites.

[ccostino]

We've traced this issue down to a bug with the email verification token checking itself; it's not with the Login.gov changes.

We've disabled this for the time being and are awaiting guidance from our ISSO on how we should proceed forward from here, either with active verifications or fixing the existing check. Once we know which path we should take we'll create a new issue for the work.