Send verification code email to verified email addresses
What does this MR do and why?
This MR seeks to help users self-serve account recovery without having to engage with Administrators (Or the Support Team on GitLab.com)
Main changes:
- Send the verification code email to all verified email addresses, in addition to an unconfirmed primary email address if the user has one.
- No longer confirm an unconfirmed primary email address on login with a verification code (the code could have been retrieved from a secondary email address, so it does not prove control of the primary address).
- No longer redirect users to the account page on successful login. Instead, show some text guiding users to check that their Linked Emails are up to date.
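To make the security point of the second change concrete, here is an added example in plain Ruby. It is not GitLab's code: `Account`, `Email`, `login_before!` and `login_after!` are hypothetical names, and the code, its digest-at-rest storage and its 10-minute expiry are assumptions. It models who receives the code (every confirmed address plus the primary, even while unconfirmed) and contrasts the old behaviour, where a correct code also confirmed the primary address, with the new behaviour, where it only completes the login.

```ruby
require 'securerandom'
require 'digest'

# Added example (not GitLab's code): a minimal model of the login verification
# flow described in this MR. All names are hypothetical.
Email = Struct.new(:address, :confirmed, keyword_init: true)

class Account
  attr_reader :primary_email, :secondary_emails

  def initialize(primary_email:, secondary_emails: [])
    @primary_email = primary_email
    @secondary_emails = secondary_emails
    @code_digest = nil
    @code_expires_at = nil
  end

  # Who receives the code: every confirmed secondary address, plus the primary
  # address even while it is unconfirmed, so recovery works without an admin.
  def verification_recipients
    addresses = secondary_emails.select(&:confirmed).map(&:address)
    ([primary_email.address] + addresses).uniq
  end

  # Issue a 6-digit code. Only a digest is stored; the plaintext goes in the email.
  def issue_verification_code(now: Time.now, ttl: 600)
    code = format('%06d', SecureRandom.random_number(1_000_000))
    @code_digest = Digest::SHA256.hexdigest(code)
    @code_expires_at = now + ttl
    code
  end

  # Constant-time comparison so a wrong guess leaks nothing about the stored digest.
  def code_valid?(candidate, now: Time.now)
    return false if @code_digest.nil? || now > @code_expires_at
    secure_equal?(Digest::SHA256.hexdigest(candidate.to_s), @code_digest)
  end

  # A code is single use: it is consumed on success.
  def consume_code(candidate, now: Time.now)
    ok = code_valid?(candidate, now: now)
    @code_digest = nil if ok
    ok
  end

  # Behaviour before this MR: a correct code also confirmed the primary address.
  # Unsafe, because the same code was delivered to every confirmed secondary
  # address, so possession of the code does not prove control of the primary.
  def login_before!(candidate, now: Time.now)
    return false unless consume_code(candidate, now: now)
    primary_email.confirmed = true
    true
  end

  # Behaviour after this MR: a correct code completes the login and nothing else;
  # the primary address stays unconfirmed until its own confirmation link is used.
  def login_after!(candidate, now: Time.now)
    consume_code(candidate, now: now)
  end

  private

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The recipient list is what the GDK steps below check in letter_opener; the `login_after!` path is what the second GDK scenario checks when the primary address remains unconfirmed after a successful code login.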
Closes #416451: Allow verification code to be sent to any of a ...
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Testing
In GDK:
- Create a new user and add two confirmed secondary emails to the user via the rails console:

```ruby
# Enable the feature flag
Feature.enable(:require_email_verification)

# Due to https://gitlab.com/gitlab-org/gitlab/-/issues/439166, we create a
# namespace first
n = Namespace.new(name: 'test_user', description: 'test_user namespace')

# Create the new user with a confirmed primary email
u = User.new(username: 'test_user', email: 'test@example.com', name: 'Test User', password: 'password@123', password_confirmation: 'password@123', namespace: n)
u.skip_confirmation!
u.save!

# Add two secondary emails to the user, already confirmed
# (user 1 is the root admin in a default GDK and acts as current_user)
Emails::CreateService.new(User.find(1), email: 'test2@example.com', user: u).execute(confirmed_at: DateTime.now)
Emails::CreateService.new(User.find(1), email: 'test3@example.com', user: u).execute(confirmed_at: DateTime.now)
```
- Sign out of GDK.
- Open http://localhost:3000/rails/letter_opener/ in a new tab.
- Attempt to sign in as `test_user` with an incorrect password 3 times to trigger account verification on the next login.
- Sign in as `test_user` with the correct password `password@123`.
- Observe in letter_opener that a verification email is sent to all 3 email addresses.
Testing a user with an unconfirmed primary email address + no longer confirming the email on sign in

```ruby
# Create a user with an unconfirmed primary email address
# (no skip_confirmation! this time, so the primary email stays unconfirmed)
n = Namespace.new(name: 'unconfirmed_user', description: 'unconfirmed_user namespace')
u = User.new(username: 'unconfirmed_user', email: 'unconfirmed@example.com', name: 'Unconfirmed User', password: 'password@123', password_confirmation: 'password@123', namespace: n)
u.save!
```
- Attempt to sign in as `unconfirmed_user` with an incorrect password 3 times to trigger account verification on the next login.
- Open http://localhost:3000/rails/letter_opener/ in a new tab.
- Sign in as `unconfirmed_user` with the correct password `password@123`.
- Observe in letter_opener that a verification email is sent to `unconfirmed@example.com`.
- Log in with the verification code.
- Check under https://localhost:3000/-/profile/emails that the primary email address is still not confirmed.