From a660a0c25fb21cb69b099d826a094d1757d789a6 Mon Sep 17 00:00:00 2001
From: Florent Vilmart <florent@flovilmart.com>
Date: Mon, 11 Sep 2017 11:07:39 -0400
Subject: [PATCH] fix: Issue #4142 (#4144)

* Tweaks test in order to show the error

- Session is effectively created when it should not

* Do not create a session when users need verified accounts on signup
---
 spec/ValidationAndPasswordsReset.spec.js | 5 ++++-
 src/RestWrite.js                         | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/spec/ValidationAndPasswordsReset.spec.js b/spec/ValidationAndPasswordsReset.spec.js
index 837010d0..18855a05 100644
--- a/spec/ValidationAndPasswordsReset.spec.js
+++ b/spec/ValidationAndPasswordsReset.spec.js
@@ -258,7 +258,10 @@ describe("Custom Pages, Email Verification, Password Reset", () => {
         user.setUsername("zxcv");
         user.set("email", "testInvalidConfig@parse.com");
         user.signUp(null)
-          .then(() => Parse.User.logIn("zxcv", "asdf"))
+          .then((user) => {
+            expect(user.getSessionToken()).toBe(undefined);
+            return Parse.User.logIn("zxcv", "asdf");
+          })
           .then(() => {
             fail('login should have failed');
             done();
diff --git a/src/RestWrite.js b/src/RestWrite.js
index d2495e0e..81ff4250 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -548,6 +548,11 @@ RestWrite.prototype.createSessionTokenIfNeeded = function() {
   if (this.query) {
     return;
   }
+  if (!this.storage['authProvider'] // signup call, with
+      && this.config.preventLoginWithUnverifiedEmail // no login without verification
+      && this.config.verifyUserEmails) { // verification is on
+    return; // do not create the session token in that case!
+  }
   return this.createSessionToken();
 }