fix: Remove username from email verification and password reset process (#8488)

BREAKING CHANGE: This removes the username from the email verification and password reset process to prevent storing personally identifiable information (PII) in server and infrastructure logs. Customized HTML pages or emails related to email verification and password reset may need to be adapted accordingly. See the new templates that come bundled with Parse Server and the [migration guide](https://github.com/parse-community/parse-server/blob/alpha/8.0.0.md) for more details.
2025-03-02 12:32:43 +11:00
parent 6a6bc2a8cc
commit d21dd97336
21 changed files with 401 additions and 308 deletions
--- a/spec/EmailVerificationToken.spec.js
+++ b/spec/EmailVerificationToken.spec.js
@@ -39,8 +39,10 @@ describe('Email Verification Token Expiration: ', () => {
            followRedirects: false,
          }).then(response => {
            expect(response.status).toEqual(302);
+            const url = new URL(sendEmailOptions.link);
+            const token = url.searchParams.get('token');
            expect(response.text).toEqual(
-              'Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?username=testEmailVerifyTokenValidity&appId=test'
+              `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&token=${token}`
            );
            done();
          });
@@ -135,7 +137,7 @@ describe('Email Verification Token Expiration: ', () => {
        }).then(response => {
          expect(response.status).toEqual(302);
          expect(response.text).toEqual(
-            'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=testEmailVerifyTokenValidity'
+            'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html'
          );
          done();
        });
@@ -292,6 +294,64 @@ describe('Email Verification Token Expiration: ', () => {
      });
  });

+  it('can resend email using an expired token', async () => {
+    const user = new Parse.User();
+    const emailAdapter = {
+      sendVerificationEmail: () => {},
+      sendPasswordResetEmail: () => Promise.resolve(),
+      sendMail: () => {},
+    };
+    await reconfigureServer({
+      appName: 'emailVerifyToken',
+      verifyUserEmails: true,
+      emailAdapter: emailAdapter,
+      emailVerifyTokenValidityDuration: 5, // 5 seconds
+      publicServerURL: 'http://localhost:8378/1',
+    });
+    user.setUsername('test');
+    user.setPassword('password');
+    user.set('email', 'user@example.com');
+    await user.signUp();
+
+    await Parse.Server.database.update(
+      '_User',
+      { objectId: user.id },
+      {
+        _email_verify_token_expires_at: Parse._encode(new Date('2000')),
+      }
+    );
+
+    const obj = await Parse.Server.database.find(
+      '_User',
+      { objectId: user.id },
+      {},
+      Auth.maintenance(Parse.Server)
+    );
+    const token = obj[0]._email_verify_token;
+
+    const res = await request({
+      url: `http://localhost:8378/1/apps/test/verify_email?token=${token}`,
+      method: 'GET',
+    });
+    expect(res.text).toEqual(
+      `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&token=${token}`
+    );
+
+    const formUrl = `http://localhost:8378/1/apps/test/resend_verification_email`;
+    const formResponse = await request({
+      url: formUrl,
+      method: 'POST',
+      body: {
+        token: token,
+      },
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      followRedirects: false,
+    });
+    expect(formResponse.text).toEqual(
+      `Found. Redirecting to http://localhost:8378/1/apps/link_send_success.html`
+    );
+  });
+
  it_id('9365c53c-b8b4-41f7-a3c1-77882f76a89c')(it)('can conditionally send emails', async () => {
    let sendEmailOptions;
    const emailAdapter = {
@@ -614,8 +674,10 @@ describe('Email Verification Token Expiration: ', () => {
          followRedirects: false,
        }).then(response => {
          expect(response.status).toEqual(302);
+          const url = new URL(sendEmailOptions.link);
+          const token = url.searchParams.get('token');
          expect(response.text).toEqual(
-            'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=testEmailVerifyTokenValidity'
+            `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&token=${token}`
          );
          done();
        });
@@ -667,8 +729,10 @@ describe('Email Verification Token Expiration: ', () => {
          followRedirects: false,
        }).then(response => {
          expect(response.status).toEqual(302);
+          const url = new URL(sendEmailOptions.link);
+          const token = url.searchParams.get('token');
          expect(response.text).toEqual(
-            'Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?username=testEmailVerifyTokenValidity&appId=test'
+            `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&token=${token}`
          );
          done();
        });