Oops, forgot to have verification tokens expire

Daniel Krol 2022-08-25 13:32:14 -04:00
parent b86687a0c5
commit f244dab036
3 changed files with 27 additions and 5 deletions


@ -440,9 +440,9 @@ func TestUpdateVerifyAccountSuccess(t *testing.T) {
defer StoreTestCleanup(sqliteTmpFile) defer StoreTestCleanup(sqliteTmpFile)
verifyTokenString := auth.VerifyTokenString("abcd1234abcd1234abcd1234abcd1234") verifyTokenString := auth.VerifyTokenString("abcd1234abcd1234abcd1234abcd1234")
time1 := time.Time{} verifyExpiration := time.Now().Add(time.Second * 10).UTC() // expires in one second
_, email, password, createdSeed := makeTestUser(t, &s, &verifyTokenString, &time1) _, email, password, createdSeed := makeTestUser(t, &s, &verifyTokenString, &verifyExpiration)
// we're not testing normalization features so we'll just use this here // we're not testing normalization features so we'll just use this here
normEmail := email.Normalize() normEmail := email.Normalize()
@ -462,3 +462,23 @@ func TestStoreVerifyAccountTokenNotExists(t *testing.T) {
t.Fatalf(`VerifyAccount error for nonexistant token: wanted "%+v", got "%+v."`, ErrNoTokenForUser, err) t.Fatalf(`VerifyAccount error for nonexistant token: wanted "%+v", got "%+v."`, ErrNoTokenForUser, err)
} }
} }
// Test VerifyAccount for expired token
func TestUpdateVerifyAccountTokenExpired(t *testing.T) {
s, sqliteTmpFile := StoreTestInit(t)
defer StoreTestCleanup(sqliteTmpFile)
verifyTokenString := auth.VerifyTokenString("abcd1234abcd1234abcd1234abcd1234")
verifyExpiration := time.Now().Add(time.Second * (-1)).UTC() // expired one second ago
_, email, password, createdSeed := makeTestUser(t, &s, &verifyTokenString, &verifyExpiration)
// we're not testing normalization features so we'll just use this here
normEmail := email.Normalize()
if err := s.VerifyAccount(verifyTokenString); err != ErrNoTokenForUser {
t.Fatalf(`VerifyAccount error for expired token: wanted "%+v", got "%+v."`, ErrNoTokenForUser, err)
}
expectAccountMatch(t, &s, normEmail, email, password, createdSeed, &verifyTokenString, &verifyExpiration, time.Now().UTC(), time.Now().UTC())
}
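Review bot: The comment on the new `verifyExpiration` line in TestUpdateVerifyAccountSuccess says "expires in one second", but the code adds `time.Second * 10`. It should read `// expires in ten seconds` so the margin the success path relies on is stated correctly. In TestUpdateVerifyAccountTokenExpired, the final expectAccountMatch call passes the original token and expiration, which appears to assert that a rejected expired token stays on the account row. A comment before that call, such as `// an expired token is rejected but left in place, not cleared`, would make the intent explicit. TestUpdateVerifyAccountSuccess continues outside its hunk.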


@ -310,7 +310,7 @@ func TestStoreGetToken(t *testing.T) {
} }
// Update the token to be expired // Update the token to be expired
expirationOld := time.Now().Add(time.Second * (-1)) expirationOld := time.Now().Add(time.Second * (-1)).UTC()
if err := s.updateToken(&authToken, expirationOld); err != nil { if err := s.updateToken(&authToken, expirationOld); err != nil {
t.Fatalf("Unexpected error in updateToken: %+v", err) t.Fatalf("Unexpected error in updateToken: %+v", err)
} }


@ -464,9 +464,11 @@ func (s *Store) UpdateVerifyTokenString(email auth.Email, verifyTokenString auth
} }
func (s *Store) VerifyAccount(verifyTokenString auth.VerifyTokenString) (err error) { func (s *Store) VerifyAccount(verifyTokenString auth.VerifyTokenString) (err error) {
expirationCutoff := time.Now().UTC()
res, err := s.db.Exec( res, err := s.db.Exec(
"UPDATE accounts SET verify_token=null, verify_expiration=null, updated=datetime('now') WHERE verify_token=?", "UPDATE accounts SET verify_token=null, verify_expiration=null, updated=datetime('now') WHERE verify_token=? AND verify_expiration>?",
verifyTokenString, verifyTokenString, expirationCutoff,
) )
if err != nil { if err != nil {
return return
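Review bot: The new `verify_expiration>?` predicate compares the stored column with a bound `time.Time`, and nothing in the hunk documents what that comparison relies on. If the SQLite driver stores timestamps as text (not visible here), this is a string comparison, correct only while every writer stores `verify_expiration` in UTC in the same format. That is presumably why the test changes in this commit add `.UTC()`. I would add a comment above `expirationCutoff`, e.g. `// verify_expiration is compared as stored; every writer must store it in UTC`. The comment could also note that a row with a NULL expiration never matches, so such a token is rejected rather than accepted. VerifyAccount's body continues past the end of the hunk.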