Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Email validation tokens #26893

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

fix: Email validation tokens #26893

wants to merge 11 commits into from
+110 −14

Conversation

benjackwhite
Copy link
Contributor

@benjackwhite benjackwhite commented Dec 13, 2024
edited
Loading

Problem

Some investigation around email resetting revealed a few less-than-perfect things. Nothing major from what I can see but confusing APIs that make it look like you can do bad things (which you can't)

Changes

  • Adds some missing tests to verify a bunch of things such as not being able to use someone else's token or re-use a token for verifying a pending email (there were some tests here but not enough to immediately confirm some security doubts)
  • Fix an issue with the login_timestamp not being included in the token validation (which is what was allowing an email verification to be used multiple times) - this anyway had a 24 hour limit but now it is even more restrictive
  • Makes the unauthenticated endpoints non-detail specific which fixes confusion around where the uuid was coming from.

👉 Stay up-to-date with PostHog coding conventions for a smoother review.

Does this work well for both Cloud and self-hosted?

How did you test this code?

@benjackwhite benjackwhite marked this pull request as ready for review December 13, 2024 12:15
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 13, 2024
edited
Loading

Size Change: 0 B

Total Size: 1.11 MB

ℹ️ View Unchanged
Filename Size
frontend/dist/toolbar.js 1.11 MB

compressed-size-action

@posthog-bot
Copy link
Contributor

📸 UI snapshots have been updated

1 snapshot changes in total. 0 added, 1 modified, 0 deleted:

  • chromium: 0 added, 1 modified, 0 deleted (diff for shard 1)
  • webkit: 0 added, 0 modified, 0 deleted

Triggered by this commit.

👉 Review this PR's diff of snapshots.

zlwaterfield
zlwaterfield approved these changes Dec 13, 2024
View reviewed changes
Copy link
Contributor

@zlwaterfield zlwaterfield left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good - thanks for making this change.

One thing to note: this will invalidate all existing tokens, which is mildly annoying to users - we may get increased support requests related to this in the next 24 hours.

@posthog-bot
Copy link
Contributor

📸 UI snapshots have been updated

1 snapshot changes in total. 0 added, 1 modified, 0 deleted:

  • chromium: 0 added, 1 modified, 0 deleted (diff for shard 1)
  • webkit: 0 added, 0 modified, 0 deleted

Triggered by this commit.

👉 Review this PR's diff of snapshots.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MichaelKutsch-ph MichaelKutsch-ph MichaelKutsch-ph approved these changes

@zlwaterfield zlwaterfield zlwaterfield approved these changes

@timgl timgl Awaiting requested review from timgl

@raquelmsmith raquelmsmith Awaiting requested review from raquelmsmith

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@benjackwhite @posthog-bot @zlwaterfield @MichaelKutsch-ph