
Send verification code email to verified email addresses

Kenneth Chu requested to merge kenneth_secondary_email_verification_code into master

What does this MR do and why?

This MR seeks to help users self-serve account recovery without having to engage with Administrators (or the Support Team on GitLab.com).

Main changes:

  • Send verification code email to all verified email addresses in addition to any unconfirmed primary email address.
  • No longer confirm an unconfirmed primary email address on login with a verification code (as the code could have been retrieved from a secondary email address)
  • No longer redirect users to the account page on successful login. Instead, we show some text to guide users to check that their Linked Emails are up to date.

Closes Allow verification code email to be sent to any... (#416451)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Testing

In GDK:

  • Create new user and add a secondary email to the user via rails console:
# Enable feature flag
Feature.enable(:require_email_verification)

# Due to https://gitlab.com/gitlab-org/gitlab/-/issues/439166, we create a
# namespace first
n = Namespace.new(name: 'test_user', description: 'test_user namespace')

# Create new user
u = User.new(username: 'test_user', email: 'test@example.com', name: 'Test User', password: 'password@123', password_confirmation: 'password@123', namespace: n)
u.skip_confirmation!
u.save!

# Add secondary email to user
Emails::CreateService.new(User.find(1), email: 'test2@example.com', user: u).execute(confirmed_at: DateTime.now)
Emails::CreateService.new(User.find(1), email: 'test3@example.com', user: u).execute(confirmed_at: DateTime.now)
  • Sign out of GDK.
  • Open up http://localhost:3000/rails/letter_opener/ in a new tab.
  • Attempt to sign in with test_user with an incorrect password 3 times to trigger account verification on next login.
  • Sign in as test_user with the correct password password@123
  • Observe in letter_opener that a verification email is sent to all 3 email addresses.

Testing unconfirmed primary email address user + no longer confirming email on sign in

# Create a user with an unconfirmed primary email address
n = Namespace.new(name: 'unconfirmed_user', description: 'unconfirmed_user namespace')
u = User.new(username: 'unconfirmed_user', email: 'unconfirmed@example.com', name: 'Unconfirmed User', password: 'password@123', password_confirmation: 'password@123', namespace: n)
u.save!
  • Attempt to sign in with unconfirmed_user with an incorrect password 3 times to trigger account verification on next login.
  • Open up http://localhost:3000/rails/letter_opener/ in a new tab.
  • Sign in as unconfirmed_user with the correct password password@123
  • Observe in letter_opener that a verification email is sent to unconfirmed@example.com
  • Log in with the verification code.
  • Check under https://localhost:3000/-/profile/emails the primary email address is not confirmed.
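
The first two changes listed under "Main changes", sketched as an added Ruby example that is not part of this merge request or GitLab's code: once the code is fanned out to secondary addresses, a correct code no longer proves control of the primary mailbox, so sign-in must not confirm it. The `Email` and `Account` classes, their method names and the sample addresses are hypothetical and constructed for illustration.

```ruby
# Constructed model for illustration; names are hypothetical and do not
# mirror GitLab's classes.
Email = Struct.new(:address, :confirmed)

class Account
  attr_reader :primary, :secondaries

  def initialize(primary:, secondaries: [])
    @primary = primary
    @secondaries = secondaries
  end

  # Every verified address, plus the primary even while it is unconfirmed.
  # Unverified secondary addresses never receive the code.
  def verification_recipients
    verified = secondaries.select(&:confirmed).map(&:address)
    ([primary.address] + verified).uniq
  end

  # Behaviour being removed: a correct code also confirms the primary address.
  # With the code delivered to secondaries, this would confirm a mailbox the
  # user may never have opened.
  def sign_in_confirming_primary(submitted, expected)
    return false unless submitted == expected # production code: constant-time compare
    primary.confirmed = true
    true
  end

  # Behaviour after the change: a correct code completes sign-in, nothing else.
  def sign_in(submitted, expected)
    submitted == expected
  end
end

# Constructed sample: unconfirmed primary, one verified and one unverified secondary.
def sample_account
  Account.new(
    primary: Email.new('unconfirmed@example.com', false),
    secondaries: [Email.new('test2@example.com', true),
                  Email.new('pending@example.com', false)]
  )
end
```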
