fix #1087: don't require active session to verify
Родитель
21123768c3
Коммит
73a54fe2b5
|
@ -15,14 +15,20 @@ const sha1 = require("../sha1-utils");
|
|||
const FXA_MONITOR_SCOPE = "https://identity.mozilla.com/apps/monitor";
|
||||
|
||||
|
||||
async function _getRequestSessionUser(req) {
|
||||
if (req.session && req.session.user) {
|
||||
// make sure the user object has all subscribers and email_addresses properties
|
||||
return DB.getSubscriberById(req.session.user.id);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
async function _requireSessionUser(req,res) {
|
||||
if (!req.session || !req.session.user) {
|
||||
// TODO: can we do a nice redirect to sign in instead of an error?
|
||||
throw new FluentError("error-must-be-signed-in");
|
||||
}
|
||||
// make sure the user object has all subscribers and email_addresses properties
|
||||
const sessionUser = await DB.getSubscriberById(req.session.user.id);
|
||||
return sessionUser;
|
||||
return _getRequestSessionUser(req);
|
||||
}
|
||||
|
||||
async function removeEmail(req, res) {
|
||||
|
@ -235,7 +241,6 @@ async function _verify(req) {
|
|||
|
||||
|
||||
async function verify(req, res) {
|
||||
const sessionUser = await _requireSessionUser(req);
|
||||
if (!req.query.token) {
|
||||
throw new FluentError("user-verify-token-error");
|
||||
}
|
||||
|
@ -245,8 +250,10 @@ async function verify(req, res) {
|
|||
throw new FluentError("error-not-subscribed");
|
||||
}
|
||||
|
||||
if (existingEmail.subscriber_id !== sessionUser.id) {
|
||||
const sessionUser = await _getRequestSessionUser(req);
|
||||
if (sessionUser && existingEmail.subscriber_id !== sessionUser.id) {
|
||||
// TODO: more specific error message?
|
||||
// e.g., "This email verification token is not valid for this account"
|
||||
throw new FluentError("user-verify-token-error");
|
||||
}
|
||||
|
||||
|
@ -254,7 +261,14 @@ async function verify(req, res) {
|
|||
await _verify(req);
|
||||
}
|
||||
|
||||
res.redirect("/user/dashboard");
|
||||
if (sessionUser) {
|
||||
res.redirect("/user/dashboard");
|
||||
return;
|
||||
}
|
||||
res.render("subpage", {
|
||||
title: "Email Verified",
|
||||
whichPartial: "subpages/confirm",
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
|
|
|
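Review bot: The ownership comparison in `verify`, `if (sessionUser && existingEmail.subscriber_id !== sessionUser.id)`, is now skipped for any request that arrives without a session, so it no longer acts as an authorization check and the value in `req.query.token` is the only thing that authorizes verification. That should be stated where the check sits, for example `// not an authorization check: requests without a session skip it, the token alone authorizes verification`. Because the token travels in the query string, it is worth confirming that it is unguessable and that `_verify` (whose body is outside these hunks) consumes it, so a link recovered later from logs or history changes nothing. As a smaller style point, the new `res.render` call hard-codes `title: "Email Verified"` while the errors in this file go through Fluent message ids.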
@ -187,7 +187,7 @@ test("user add request with invalid email throws error", async () => {
|
|||
});
|
||||
|
||||
|
||||
test("user verify request with valid token but no session throws error", async () => {
|
||||
test("user verify request with valid token but no session renders email verified page", async () => {
|
||||
const validToken = TEST_EMAIL_ADDRESSES.unverified_email_on_firefox_account.verification_token;
|
||||
|
||||
const req = httpMocks.createRequest({
|
||||
|
@ -199,14 +199,15 @@ test("user verify request with valid token but no session throws error", async (
|
|||
const resp = httpMocks.createResponse();
|
||||
|
||||
// Call code-under-test
|
||||
await expect(user.verify(req, resp)).rejects.toThrow("error-must-be-signed-in");
|
||||
await user.verify(req, resp);
|
||||
|
||||
expect(resp.statusCode).toEqual(200);
|
||||
const emailAddress = await DB.getEmailByToken(validToken);
|
||||
expect(emailAddress.verified).toBeFalsy();
|
||||
expect(emailAddress.verified).toBeTruthy();
|
||||
});
|
||||
|
||||
|
||||
test("user verify request with valid token verifies user", async () => {
|
||||
test("user verify request with valid token verifies user and redirects to dashboard", async () => {
|
||||
const validToken = TEST_EMAIL_ADDRESSES.unverified_email_on_firefox_account.verification_token;
|
||||
const testSubscriberEmail = "firefoxaccount@test.com";
|
||||
const testSubscriber = await DB.getSubscriberByEmail(testSubscriberEmail);
|
||||
|
|
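Review bot: In the no-session test, `expect(resp.statusCode).toEqual(200)` is a weak assertion, since a mock response most likely starts at 200 and the check would then pass even if `verify` rendered nothing. Pinning the view would make the test match its new name, e.g. `expect(resp._getRenderView()).toEqual("subpage");`. A companion case with a valid token and a session for a different subscriber would also cover the `user-verify-token-error` branch that the controller keeps; such a test may already exist outside the visible hunks.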