fix: password reset flows should allow some cases with no primary user and ep user existing #941
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…r and ep user existing
Deploying supertokens-node-pr-check-for-edge-function-compat with
|
| Latest commit: |
64fdce3
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://aea07b58.supertokens-node-b95.pages.dev |
rishabhpoddar
requested changes
Oct 9, 2024
|
|
||
| // If there is no existing primary user and there is a single option to link | ||
| // we see if that user can become primary (and a candidate for linking) | ||
| if (linkingCandidate === undefined && users.length === 1) { |
There was a problem hiding this comment.
we should also allow linking in case there is more than 1 user. Same way as the other function which picks the oldest user and tries to link with that. Ideallyt we just reuse that function
| // If a primary user has the input email as verified or has no other emails: then it is always allowed to reset their password: | ||
| // - there is no risk of account takeover, because they have verified this email or haven't linked it to anything else | ||
| // - there will be no linking as a result of this action, so we do not need to check for linking. | ||
| // TODO: what happens if user M signs up with the email of the victim using a third-party provider that doesn't verify emails |
There was a problem hiding this comment.
Suggested change
| // TODO: what happens if user M signs up with the email of the victim using a third-party provider that doesn't verify emails |
| // extra security measure here to make sure that the input email in the primary user | ||
| // is verified, and if not, we need to make sure that there is no other email / phone number | ||
| // associated with the primary user account. If there is, then we do not proceed. | ||
|
|
||
| /* | ||
| This security measure helps prevent the following attack: |
There was a problem hiding this comment.
move this comment above as well
| ); | ||
| } | ||
|
|
||
| if (!existingUser.isPrimaryUser) { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of change
(A few sentences about this PR)
Related issues
Test Plan
(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work. Bonus points for screenshots and videos!)
Documentation changes
(If relevant, please create a PR in our docs repo, or create a checklist here highlighting the necessary changes)
Checklist for important updates
coreDriverInterfaceSupported.jsonfile has been updated (if needed)lib/ts/version.tsfrontendDriverInterfaceSupported.jsonfile has been updated (if needed)package.jsonpackage-lock.jsonlib/ts/version.tsnpm run build-prettyrecipe/thirdparty/providers/configUtils.tsfile,createProviderfunction.git tag) in the formatvX.Y.Z, and then find the latest branch (git branch --all) whoseX.Yis greater than the latest released tag.add-ts-no-check.jsfile to include thatsomeFunc: function () {..}).exportsinpackage.jsonRemaining TODOs for this PR