Regenerate Email Verification Token on Email Request (#4439)

* regenerate email verification token & expiration in /verificationEmailRequest

* Remove password field when saving on postgres

spec/EmailVerificationToken.spec.js

@@ -487,6 +487,7 @@ describe("Email Verification Token Expiration: ", () => {
     var user = new Parse.User();
     var sendEmailOptions;
     var sendVerificationEmailCallCount = 0;
+    let userBeforeRequest;
     var emailAdapter = {
       sendVerificationEmail: options => {
         sendEmailOptions = options;
@@ -509,6 +510,15 @@ describe("Email Verification Token Expiration: ", () => {
         return user.signUp();
       })
       .then(() => {
+        const config = Config.get('test');
+        return config.database.find('_User', {username: 'resends_verification_token'}).then((results) => {
+          return results[0];
+        });
+      })
+      .then((newUser) => {
+        // store this user before we make our email request
+        userBeforeRequest = newUser;
+
         expect(sendVerificationEmailCallCount).toBe(1);
 
         return requestp.post({
@@ -523,13 +533,25 @@ describe("Email Verification Token Expiration: ", () => {
           json: true,
           resolveWithFullResponse: true,
           simple: false // this promise is only rejected if the call itself failed
-        })
+        });
-          .then((response) => {
+      })
-            expect(response.statusCode).toBe(200);
+      .then((response) => {
-            expect(sendVerificationEmailCallCount).toBe(2);
+        expect(response.statusCode).toBe(200);
-            expect(sendEmailOptions).toBeDefined();
+        expect(sendVerificationEmailCallCount).toBe(2);
-            done();
+        expect(sendEmailOptions).toBeDefined();
-          });
+
+        // query for this user again
+        const config = Config.get('test');
+        return config.database.find('_User', {username: 'resends_verification_token'}).then((results) => {
+          return results[0];
+        });
+      })
+      .then((userAfterRequest) => {
+        // verify that our token & expiration has been changed for this new request
+        expect(typeof userAfterRequest).toBe('object');
+        expect(userBeforeRequest._email_verify_token).not.toEqual(userAfterRequest._email_verify_token);
+        expect(userBeforeRequest._email_verify_token_expires_at).not.toEqual(userAfterRequest.__email_verify_token_expires_at);
+        done();
       })
       .catch(error => {
         jfail(error);

src/Controllers/UserController.js

@@ -135,13 +135,23 @@ export class UserController extends AdaptableController {
     });
   }
 
+  /**
+   * Regenerates the given user's email verification token
+   *
+   * @param user
+   * @returns {*}
+   */
+  regenerateEmailVerifyToken(user) {
+    this.setEmailVerifyToken(user);
+    return this.config.database.update('_User', { username: user.username }, user);
+  }
+
   resendVerificationEmail(username) {
     return this.getUserIfNeeded({username: username}).then((aUser) => {
       if (!aUser || aUser.emailVerified) {
         throw undefined;
       }
-      this.setEmailVerifyToken(aUser);
+      return this.regenerateEmailVerifyToken(aUser).then(() => {
-      return this.config.database.update('_User', {username}, aUser).then(() => {
         this.sendVerificationEmail(aUser);
       });
     });

src/Routers/UsersRouter.js

@@ -269,13 +269,18 @@ export class UsersRouter extends ClassesRouter {
       }
       const user = results[0];
       
+      // remove password field, messes with saving on postgres
+      delete user.password;
+
       if (user.emailVerified) {
         throw new Parse.Error(Parse.Error.OTHER_CAUSE, `Email ${email} is already verified.`);
       }
 
       const userController = req.config.userController;
-      userController.sendVerificationEmail(user);
+      return userController.regenerateEmailVerifyToken(user).then(() => {
-      return { response: {} };
+        userController.sendVerificationEmail(user);
+        return { response: {} };
+      });
     });
   }