supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

fix: user sanitization should clean up email change info too #1759

Closed staaldraad closed 2 months ago

staaldraad commented 2 months ago

The sanitizeUser function did not clean up the EmailChange and EmailChangeSentAt properties on a User. If a User had a pending email address change, the new address could be leaked via a crafted signUp request.
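
The class of bug described in the comment above, as an added Go example that is not code from supabase/auth: a sanitizer that blanks fields by name silently misses some, while one that copies from an allowlist drops them by default, and a reflection check can flag whatever survives. The `User` struct, the allowlist and the function names `blankKnown`, `copyPublic` and `leaked` are assumptions made for this example; only `EmailChange` and `EmailChangeSentAt` are names from the PR.

```go
package main

import (
	"fmt"
	"reflect"
	"time"
)

// User is a hypothetical model; only EmailChange and EmailChangeSentAt come from the PR text.
type User struct {
	ID, Email, EncryptedPassword, EmailChange string
	EmailChangeSentAt                         *time.Time
}

var public = map[string]bool{"ID": true, "Email": true} // assumed allowlist of response fields

// blankKnown clears fields by name and, like the bug above, misses the pending email change.
func blankKnown(u User) User {
	u.EncryptedPassword = ""
	return u
}

// copyPublic copies only allowlisted fields, so a field added later is dropped by default.
func copyPublic(u User) (out User) {
	src, dst := reflect.ValueOf(u), reflect.ValueOf(&out).Elem()
	for i := 0; i < src.NumField(); i++ {
		if public[src.Type().Field(i).Name] {
			dst.Field(i).Set(src.Field(i))
		}
	}
	return out
}

// leaked lists non-allowlisted fields that still hold a value after sanitization.
func leaked(u User) (names []string) {
	v := reflect.ValueOf(u)
	for i := 0; i < v.NumField(); i++ {
		if f := v.Type().Field(i); !public[f.Name] && !v.Field(i).IsZero() {
			names = append(names, f.Name)
		}
	}
	return names
}

var sentAt = time.Unix(1700000000, 0) // constructed sample data
var sample = User{"u1", "old@example.com", "hash", "new@example.com", &sentAt}

func main() {
	fmt.Println(leaked(blankKnown(sample)), leaked(copyPublic(sample)))
}
```

Running `leaked` in a unit test over a fully populated user turns a forgotten field into a failing test instead of a response that discloses it.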

coveralls commented 2 months ago

Pull Request Test Coverage Report for Build 10684300632

Totals Coverage Status
Change from base Build 10667529749: 0.0%
Covered Lines: 9138
Relevant Lines: 15777

💛 - Coveralls