
Enable updateEmail with no token & no app password (bluesky-social#1715)
* don't allow updateEmail with an app password

* re-enable email updates
dholms authored Oct 9, 2023
1 parent 3359c3d commit 8798632
Showing 2 changed files with 6 additions and 31 deletions.
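--- a/packages/pds/src/api/com/atproto/server/updateEmail.ts
+++ b/packages/pds/src/api/com/atproto/server/updateEmail.ts
@@ -5,7 +5,7 @@ import disposable from 'disposable-email'
 
 export default function (server: Server, ctx: AppContext) {
 server.com.atproto.server.updateEmail({
-auth: ctx.accessVerifierCheckTakedown,
+auth: ctx.accessVerifierNotAppPassword,
 handler: async ({ auth, input }) => {
 const did = auth.credentials.did
 const { token, email } = input.body
@@ -18,10 +18,7 @@ export default function (server: Server, ctx: AppContext) {
 if (!user) {
 throw new InvalidRequestError('user not found')
 }
-if (!user.emailConfirmedAt) {
-throw new InvalidRequestError('email must be confirmed (temporary)')
-}
-// require valid token
+// require valid token if user email is confirmed
 if (user.emailConfirmedAt) {
 if (!token) {
 throw new InvalidRequestError(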
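Review bot: The `auth` line replaces `ctx.accessVerifierCheckTakedown` with `ctx.accessVerifierNotAppPassword` instead of combining the two checks, so unless the new verifier also enforces the takedown state (not visible in this hunk) a taken-down account regains the ability to change its email. If `accessVerifierNotAppPassword` does not cover takedown, the handler should keep that check alongside the app-password restriction. The token-optional path would also read better with a comment stating the intended rule, e.g. `// an unconfirmed address may be replaced on a full (non-app-password) session alone; a confirmed one still needs a token`. The handler body continues past the hunk, so whatever validation the new address receives after this point (disposable-domain or uniqueness checks) cannot be reviewed here.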
30 changes: 4 additions & 26 deletions packages/pds/tests/email-confirmation.test.ts
Expand Up @@ -60,50 +60,28 @@ describe('email confirmation', () => {
expect(session.data.emailConfirmed).toEqual(false)
})

it('disallows email update when unverified', async () => {
it('allows email update without token when unverified', async () => {
const res = await agent.api.com.atproto.server.requestEmailUpdate(
undefined,
{ headers: sc.getHeaders(alice.did) },
)
expect(res.data.tokenRequired).toBe(false)

const attempt = agent.api.com.atproto.server.updateEmail(
await agent.api.com.atproto.server.updateEmail(
{
email: '[email protected]',
},
{ headers: sc.getHeaders(alice.did), encoding: 'application/json' },
)
await expect(attempt).rejects.toThrow()
const session = await agent.api.com.atproto.server.getSession(
{},
{ headers: sc.getHeaders(alice.did) },
)
expect(session.data.email).toEqual(alice.email)
expect(session.data.email).toEqual('new-alice@example.com')
expect(session.data.emailConfirmed).toEqual(false)
alice.email = session.data.email
})

// it('allows email update without token when unverified', async () => {
// const res = await agent.api.com.atproto.server.requestEmailUpdate(
// undefined,
// { headers: sc.getHeaders(alice.did) },
// )
// expect(res.data.tokenRequired).toBe(false)

// await agent.api.com.atproto.server.updateEmail(
// {
// email: '[email protected]',
// },
// { headers: sc.getHeaders(alice.did), encoding: 'application/json' },
// )
// const session = await agent.api.com.atproto.server.getSession(
// {},
// { headers: sc.getHeaders(alice.did) },
// )
// expect(session.data.email).toEqual('[email protected]')
// expect(session.data.emailConfirmed).toEqual(false)
// alice.email = session.data.email
// })

let confirmToken

it('requests email confirmation', async () => {
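Review bot: No test covers the app-password restriction this commit introduces: the rewritten case only exercises the unconfirmed-address path with Alice's full session, so a regression that re-admits app-password sessions to `updateEmail` would still pass this suite. A companion case that calls `updateEmail` with headers from an app-password session and asserts `await expect(attempt).rejects.toThrow()` would pin the new verifier. The `[email protected]` literal on the request line looks like a redaction artifact of the rendered page rather than the committed value, since the assertion below compares against `'new-alice@example.com'`.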
