Downcase email before using it to generate confirmation token
What does this MR do and why?
Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/428
Problem:
1. Before the user record is persisted, unlock_token is generated using the email (mixed case) entered by the user in the registration form
2. Email is downcased when the user record is persisted
3. User tries to use the confirmation token generated in (1) that is sent to their email
4. The confirmation token sent to the user does not match the token generated from the persisted user's email (downcased)
5. Identity verification fails
To fix the problem we downcase the unpersisted user's email before generating the confirmation token.
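To make the mismatch concrete, here is an added, self-contained Ruby illustration (not GitLab's own code; the page does not show how the real token is derived, so an HMAC over the email stands in for it, and the `User` class, `buggy_flow` and `fixed_flow` helpers are constructed for this example). It reproduces the sequence above: a token derived from the email as typed, the email downcased on save, and a verification step that recomputes the token from the persisted email. The "fixed" path downcases the unpersisted email first, which is the change this MR makes.

```ruby
require 'openssl'

# Constructed secret for this example only; not a GitLab key.
TOKEN_SECRET = 'example-secret-do-not-reuse'.freeze

# Stand-in derivation: the token is a keyed hash of the email, so any
# difference in case between the two emails yields a different token.
def confirmation_token_for(email)
  OpenSSL::HMAC.hexdigest('SHA256', TOKEN_SECRET, email)
end

# Constant-time string comparison so verification does not leak
# how many leading bytes of a submitted token were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class User
  attr_reader :email, :confirmation_token

  def initialize(email)
    @email = email
    @persisted = false
  end

  # Buggy behaviour: token derived from the email exactly as entered.
  def generate_confirmation_token_buggy!
    @confirmation_token = confirmation_token_for(@email)
  end

  # Fixed behaviour: downcase the unpersisted email before deriving the token.
  def generate_confirmation_token_fixed!
    @email = @email.downcase
    @confirmation_token = confirmation_token_for(@email)
  end

  # Persisting downcases the email, as the MR description states.
  def save!
    @email = @email.downcase
    @persisted = true
    self
  end

  # Verification recomputes the token from the persisted (downcased) email
  # and compares it with the token the user pasted from their inbox.
  def verify(submitted_token)
    secure_equal?(submitted_token, confirmation_token_for(@email))
  end
end

# Returns true when the emailed token is accepted after the record is saved.
def buggy_flow(entered_email)
  user = User.new(entered_email)
  user.generate_confirmation_token_buggy!
  emailed_token = user.confirmation_token # what the user receives by email
  user.save!
  user.verify(emailed_token)
end

def fixed_flow(entered_email)
  user = User.new(entered_email)
  user.generate_confirmation_token_fixed!
  emailed_token = user.confirmation_token
  user.save!
  user.verify(emailed_token)
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy, mixed case: #{buggy_flow('myFancyEmail@example.com')}"
  puts "buggy, lower case: #{buggy_flow('plain@example.com')}"
  puts "fixed, mixed case: #{fixed_flow('myFancyEmail@example.com')}"
end
```

The lower-case signup passes even on the buggy path, which is why the defect only surfaces for users who type capital letters into the registration form.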
Screenshots or screen recordings
| Before | After |
|---|---|
| Screen_Recording_2023-08-04_at_4.11.56_PM | Screen_Recording_2023-08-04_at_4.03.12_PM |
How to set up and validate locally
Replicate
- Enable the `identity_verification` FF: `$ rails console` > `FeatureFlag.enable(:identity_verification)`
- Sign up using a mixed case email (e.g. `myFancyEmail@example.com`)
- Get the confirmation token from http://localhost:3000/rails/letter_opener/
- Validate that the identity verification (email) step succeeds
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Eugie Limpin