Resend email verification code if the current code has expired

Ian Anderson requested to merge ia-resend-expired-email-token into master

What does this MR do and why?

Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/855

Resend an email verification code if the current code has expired. There have been several support cases where users have claimed not to have received an email verification code. From examining the logs, it seems that some users have expired tokens and have not requested that a new token be sent. This MR should help with these cases by automatically sending a new unlock token if the current unlock token has expired.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. In the Rails console, enable email verification:
     Feature.enable(:require_email_verification)
  2. Lock the account of a user:
     # `user` is the account under test, loaded beforehand in the console
     service = Users::EmailVerification::GenerateTokenService.new(attr: :unlock_token, user: user)
     raw_token, encrypted_token = service.execute
     user.unlock_token = encrypted_token
     user.lock_access!({ send_instructions: false })
     Notify.verification_instructions_email(user.email, token: raw_token).deliver_later
  3. Check the mailbox (http://gdk.test:3000/rails/letter_opener/). An unlock token should have been delivered.
  4. Log in with the user that you locked. You should be prompted for a verification token. Check the mailbox again and verify that only one email verification message has been received.
  5. Expire the token for the user:
     user.update!(locked_at: 3.hours.ago)
  6. Log in again with the user account. A new token should have been delivered and you should be able to successfully verify the new token.
Edited by Ian Anderson
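
The behaviour the validation steps check, as an added self-contained Ruby sketch (not code from this MR or from GitLab): a login against a locked account prompts for the existing code while it is valid and mails a fresh one only once it has expired. The names Account, VerificationFlow, TOKEN_TTL, the one-hour window, the 32-character hex code and the SHA-256 digest are all assumptions made for the example.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical stand-ins for this sketch; none of these names are GitLab's.
TOKEN_TTL = 60 * 60 # assumed validity window, in seconds
Account = Struct.new(:email, :token_digest, :locked_at)

class VerificationFlow
  attr_reader :outbox

  def initialize(clock: -> { Time.now })
    @clock = clock
    @outbox = [] # constructed mail sink of [email, raw_code] pairs
  end

  # Lock the account and mail a new code; only the digest is stored.
  def lock_and_send(account)
    raw = SecureRandom.hex(16)
    account.token_digest = Digest::SHA256.hexdigest(raw)
    account.locked_at = @clock.call # restarts the validity window
    @outbox << [account.email, raw]
    raw
  end

  # Runs on each login to a locked account: mail a fresh code only when the
  # stored one has expired, so a still-valid code never triggers a second email.
  def prompt_for_code(account)
    return :prompt unless expired?(account)
    lock_and_send(account)
    :resent
  end

  def verify(account, submitted)
    return :invalid if account.token_digest.nil?
    return :expired if expired?(account)
    digest = Digest::SHA256.hexdigest(submitted.to_s)
    # Both digests are 64 hex characters; every byte is compared, no early exit.
    diff = digest.bytes.zip(account.token_digest.bytes).sum { |x, y| x ^ y }
    return :invalid unless diff.zero?
    account.token_digest = account.locked_at = nil
    :ok
  end

  private

  def expired?(account)
    @clock.call - account.locked_at > TOKEN_TTL
  end
end
```

Because the resend replaces the stored digest, the expired code stops matching as soon as the new one is issued.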