isEmailChangeAllowed now returns false for unverified addresses if input user is a primary user and there exists another user with the same email address and linking requires verification
Generating a password reset token is now denied if all of the following is true:
a linked email password user exists
the email address is not verified
the user has another email address or phone number associated with it
Account linking based on emails now require the email to be verified in both users if shouldRequireVerification is set to true instead of only requiring it for the recipe user.
Added tests to check that the cases mentioned in the linked issue are blocked
should not allow account takeover by updating to an unverified email address matching another user
This is checked when using EmailPassword & ThirdParty recipe functions and ThirdParty recipe apis
Added test to check the updated behaviours
calling generatePasswordResetTokenPOST with primary user existing, and email password user existing, where both accounts are linked, should fail if email is unverified and account linking is enabled
calling generatePasswordResetTokenPOST with primary user existing, and email password user existing, where both accounts are linked, should fail if email is unverified even if account linking is disabled
calling generatePasswordResetTokenPOST with primary user existing, and email password user existing, where both accounts are linked, should send email if email is verified
sign up fails when changed email belongs to a recipe user even though the new email is already associated with another primary user
sign up in succeeds when changed email belongs to a primary user even though the new email is already associated with another recipe user user if the email is verified
sign up in fails when changed email belongs to a primary user if the new email is already associated with another recipe user user and is not verified
Documentation changes
[ ] New error code ERR_CODE_024:
This happens during third party sign in, when the sign in updates to an unverified email if:
user is a primary user
and there exists another (non-primary) user with the same email address
and linking requires verification
This happens during third party sign in, when the sign in updates to an unverified email if:
user is not a primary user
there exists a primary user with the same email address
linking requires verification
This could be resolved by either not deleting the conflicting non-primary user or verifying the email address (on st or on the provider)
Checklist for important updates
[x] Changelog has been updated
[x] coreDriverInterfaceSupported.json file has been updated (if needed)
Along with the associated array in lib/ts/version.ts
[x] frontendDriverInterfaceSupported.json file has been updated (if needed)
[x] Changes to the version if needed
In package.json
In package-lock.json
In lib/ts/version.ts
[x] Had run npm run build-pretty
[x] Had installed and ran the pre-commit hook
[x] If new thirdparty provider is added,
[x] update switch statement in recipe/thirdparty/providers/configUtils.ts file, createProvider function.
[x] add an icon on the user management dashboard.
[x] Issue this PR against the latest non released version branch.
To know which one it is, run find the latest released tag (git tag) in the format vX.Y.Z, and then find the latest branch (git branch --all) whose X.Y is greater than the latest released tag.
If no such branch exists, then create one from the latest released branch.
[x] If have added a new web framework, update the add-ts-no-check.js file to include that
[x] If added a new recipe / api interface, then make sure that the implementation of it uses NON arrow functions only (like someFunc: function () {..}).
[x] If added a new recipe, then make sure to expose it inside the recipe folder present in the root of this repo. We also need to expose its types.
Summary of change
isEmailChangeAllowednow returns false for unverified addresses if input user is a primary user and there exists another user with the same email address and linking requires verificationshouldRequireVerificationis set totrueinstead of only requiring it for the recipe user.Related issues
Test Plan
should not allow account takeover by updating to an unverified email address matching another userEmailPassword&ThirdPartyrecipe functions andThirdPartyrecipe apiscalling generatePasswordResetTokenPOST with primary user existing, and email password user existing, where both accounts are linked, should fail if email is unverified and account linking is enabledcalling generatePasswordResetTokenPOST with primary user existing, and email password user existing, where both accounts are linked, should fail if email is unverified even if account linking is disabledcalling generatePasswordResetTokenPOST with primary user existing, and email password user existing, where both accounts are linked, should send email if email is verifiedsign up fails when changed email belongs to a recipe user even though the new email is already associated with another primary usersign up in succeeds when changed email belongs to a primary user even though the new email is already associated with another recipe user user if the email is verifiedsign up in fails when changed email belongs to a primary user if the new email is already associated with another recipe user user and is not verifiedDocumentation changes
ERR_CODE_024:Checklist for important updates
coreDriverInterfaceSupported.jsonfile has been updated (if needed)lib/ts/version.tsfrontendDriverInterfaceSupported.jsonfile has been updated (if needed)package.jsonpackage-lock.jsonlib/ts/version.tsnpm run build-prettyrecipe/thirdparty/providers/configUtils.tsfile,createProviderfunction.git tag) in the formatvX.Y.Z, and then find the latest branch (git branch --all) whoseX.Yis greater than the latest released tag.add-ts-no-check.jsfile to include thatsomeFunc: function () {..}).