Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Email validation tokens #26893

Merged
merged 11 commits into from
Dec 15, 2024
Merged

fix: Email validation tokens #26893

merged 11 commits into from
Dec 15, 2024

Conversation

benjackwhite
Copy link
Contributor

@benjackwhite benjackwhite commented Dec 13, 2024

Problem

Some investigation around email resetting revealed a few less-than-perfect things. Nothing major from what I can see but confusing APIs that make it look like you can do bad things (which you can't)

Changes

  • Adds some missing tests to verify a bunch of things such as not being able to use someone else's token or re-use a token for verifying a pending email (there were some tests here but not enough to immediately confirm some security doubts)
  • Fix an issue with the login_timestamp not being included in the token validation (which is what was allowing an email verification to be used multiple times) - this anyway had a 24 hour limit but now it is even more restrictive
  • Makes the unauthenticated endpoints non-detail specific which fixes confusion around where the uuid was coming from.

👉 Stay up-to-date with PostHog coding conventions for a smoother review.

Does this work well for both Cloud and self-hosted?

How did you test this code?

@benjackwhite benjackwhite marked this pull request as ready for review December 13, 2024 12:15
Copy link
Contributor

github-actions bot commented Dec 13, 2024

Size Change: 0 B

Total Size: 1.11 MB

ℹ️ View Unchanged
Filename Size
frontend/dist/toolbar.js 1.11 MB

compressed-size-action

@posthog-bot
Copy link
Contributor

📸 UI snapshots have been updated

1 snapshot changes in total. 0 added, 1 modified, 0 deleted:

  • chromium: 0 added, 1 modified, 0 deleted (diff for shard 1)
  • webkit: 0 added, 0 modified, 0 deleted

Triggered by this commit.

👉 Review this PR's diff of snapshots.

Copy link
Contributor

@zlwaterfield zlwaterfield left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good - thanks for making this change.

One thing to note: this will invalidate all existing tokens, which is mildly annoying to users - we may get increased support requests related to this in the next 24 hours.

@posthog-bot
Copy link
Contributor

📸 UI snapshots have been updated

1 snapshot changes in total. 0 added, 1 modified, 0 deleted:

  • chromium: 0 added, 1 modified, 0 deleted (diff for shard 1)
  • webkit: 0 added, 0 modified, 0 deleted

Triggered by this commit.

👉 Review this PR's diff of snapshots.

@benjackwhite benjackwhite merged commit e1d346e into master Dec 15, 2024
96 checks passed
@benjackwhite benjackwhite deleted the fix/validate-tokens-check branch December 15, 2024 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants