Downcase email before using it to generate confirmation token (!128457) · Merge requests · GitLab.org / GitLab

You need to sign in or sign up before continuing.

Eugie Limpin requested to merge el-fix-confirmation-token-generation into master Aug 04, 2023

What does this MR do and why?

Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/428

Problem:

Before the user record is persisted, unlock_token is generated using the email (mixed case) entered by the user in the registration form
Email is downcased when the user record is persisted
User tries to use the confirmation token generated in (1) that is sent to their email
Confirmation token sent to the user does not match the generated token generated using the persisted user's email (downcased)
Identity verification fails

To fix the problem we downcase the unpersisted user's email before generating the confirmation token.

Screenshots or screen recordings

Before	After
Screen_Recording_2023-08-04_at_4.11.56_PM	Screen_Recording_2023-08-04_at_4.03.12_PM

How to set up and validate locally

Replicate

Enable identity_verification FF

$ rails console
> FeatureFlag.enable(:identity_verification)

Sign up using a mixed case email (e.g. myFancyEmail@example.com)
Get the confirmation token from http://localhost:3000/rails/letter_opener/
Validate that the identity verification (email) step succeeds

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Aug 04, 2023 by Eugie Limpin

Downcase email before using it to generate confirmation token

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

Replicate

MR acceptance checklist

Merge request reports