
Problem with email change workflow #5618

Open
rolurq opened this issue May 28, 2019 · 9 comments
Labels
type:bug Impaired feature or lacking behavior that is likely assumed

Comments

@rolurq

rolurq commented May 28, 2019

Issue Description

There's a problem in the current way parse handles email changes for users. The problem is that when a user changes his email, parse sends a verification email but also changes the user's email in the database; this can lead to a malicious access block from one user to another.

If a user changes his email to one not being used yet (which he can know by trying to change the email and not receiving the 'Email address already in use' error), then, without needing to verify the new one, the email address is changed, preventing the person that really owns that address from registering, because they would get the 'Email address already in use' error.

This error is easily prevented by making the email address change happen along with the verification accept. At the same time the emailVerified value is set to true, so it will be for the new email address. If the person that changed the email owns the new address, then the verification can be performed successfully; if not, then the email won't be changed and the user owning the email address can register without problem.

Steps to reproduce

With a registered account, perform a user email change to an email that's not registered yet. Then try to register with that email.

Expected Results

That the registration succeeds as the other email change is not verified.

Actual Outcome

The registration fails with 'Email address already in use'.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : 3.1.3
    • Operating System: Linux Ubuntu 18.10
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): both
  • Database

    • MongoDB version: 3.4.4
    • Storage engine: default
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): both
@acinader
Contributor

Hi @rolurq

Thanks for the issue. Something similar has been discussed, and it appears that a PR has been opened and worked on extensively.

#5147

The issue is valid and it would be nice to have a solid, covered solution out of the box.

Are you interested in reviewing the closed bug and the PR to get the ball rolling?

@rolurq
Author

rolurq commented May 28, 2019

@acinader
Yeah, sure
I tried finding a similar issue, but neither the issue nor the PR you mentioned showed up 😞

@TomWFox TomWFox added the type:bug Impaired feature or lacking behavior that is likely assumed label Jul 6, 2019
@TomWFox
Contributor

TomWFox commented Jul 6, 2019

@rolurq are you still working on this? - if not I’ll add the ‘up for grabs’ tag

@rolurq
Author

rolurq commented Jul 8, 2019

@rolurq are you still working on this? - if not I’ll add the ‘up for grabs’ tag

Not right now. I need it for my current project, but as there are other essential features I need to finish first, I'm not working on this at the moment. So please feel free to make it available for anyone to take the issue.

@acinader
Contributor

acinader commented Jul 8, 2019

@rolurq the PR I mentioned is here: #5147

@dblythy
Member

dblythy commented Sep 22, 2021

I'm not sure if this is still an issue. Users are free to sign up with any email, and existing users are free to change their email to whatever they like, providing it doesn't clash with existing users. We have test cases checking that emailVerified is set to false after changing from an already verified email, which I think is enough.

@mtrezza
Member

mtrezza commented Sep 22, 2021

It's an interesting scenario though. I guess the issue described here is that we remove the original (verified) email address before the user verified the new email address.

What happens if a user can only change their email address from within an app, and they do that but enter an incorrect email address, and then log out? They would not be able to verify the email address and would not be able to log in because it's not verified.

@dblythy
Member

dblythy commented Sep 22, 2021

Right, I understand. So the solution would be to not change the user's email until they have successfully verified it?

@mtrezza
Member

mtrezza commented Sep 22, 2021

I think that was the suggested solution.


5 participants