Ability to expire email verify token

[cherukumilli]

Fixes #2198

Notes for this PR:

• Provides an additional setting / config variables
  • emailVerifyTokenValidityDuration (not set by default)

if emailVerifyTokenValidityDuration is set to a number greater than 0 and verifyUserEmails is set to true then

• Saves _email_verify_token_expires_at in the _User class along with the _email_verify_token at SignUp time
  • sets _email_verify_token_expires_at = currentTime + emailVerifyTokenValidityDuration
• If the user clicks on the email verification link BEFORE _email_verify_token_expires_at then
  • update emailVerified to true in the User class (this code is already in place)
  • delete the _email_verify_token and _email_verify_token_expires_at fields for this user (new code)
  • respond back with a success (this code is already in place)
• If the user completed email verification successfully but clicks on the link for second time then return an error message (i.e., fail gracefully)
• If the user clicks on the email verification link AFTER the _email_verify_token_expires_at then
  • respond back with an error: email verification token expired.
  • user can try again and create a new account
    • deletion of rows in the _User class with expired verify email tokens is out of scope for this PR. Clean up should be handled by a job outside the normal auth flow.

Documentation updates

Updated README.md with the following:

   // if `verifyUserEmails` is `true` and
   //     if `emailVerifyTokenValidityDuration` is `undefined` then
   //        email verify token never expires
   //     else
   //        email verify token expires after `emailVerifyTokenValidityDuration`
   //
   // `emailVerifyTokenValidityDuration` defaults to `undefined`
   //
   // email verify token below expires in 2 hours (= 2 * 60 * 60 == 7200 seconds)
   emailVerifyTokenValidityDuration = 2 * 60 * 60, // in seconds (2 hours = 7200 seconds)

Testing

Added 10 new test cases in a new spec file EmailVerificationToken.spec.js

[cherukumilli]

@flovilmart
Is there anyway you can run the tests once more?
The tests ran fine on my local pc one of them seems to be failing on travis

[flovilmart]

Just restarted it :)

[cherukumilli]

@flovilmart
Did you get a chance to review this pull request?

[flovilmart]

Not yet, I'll do it before the weekend

[drew-gross]

I think we should only add 1 new setting, the emailVerifyTokenValidityDuration. If the user leaves that as unset, then we can assume they don't want the token to expire.

[drew-gross]

Instead of this, I'd suggest adding a condition to the update that the current time must be before the expiry date, then if that fails you can do a query for the object to find the reason why it failed. That way the happy path requires one less query, and it will be less racy.

[cherukumilli]

Sounds good. I will incorporate your suggestion. I will add _email_verify_expires_at checking in the query for the update statement.

btw: You may know this already...if there is a failure then we redirect the user to the invalid_link. We currently don't send the error message/failure reason back with the invalid_link. If there is a request to send the failure reason then I will take a shot at it in another PR.

[cherukumilli]

@flovilmart
In our earlier discussions, you indicated that it will be good if we have an additional setting like allowEmailVerifyTokenToExpire.

Are you ok if I change the code to use only one setting emailVerifyTokenValidityDuration as per the feedback from @drew-gross ?

If you are ok then I will:

1. remove following line from ParseServer.js to unset the value by default
   emailVerifyTokenValidityDuration = 31536000, // 1 Year in seconds
2. remove all references to allowEmailVerifyTokenToExpire
3. Refactor all the code
4. update test cases and documentation and
5. submit another pull request

Please let me know either way :)

[flovilmart]

IM all good with that :)

[ghost]

@cherukumilli updated the pull request.

[ghost]

@cherukumilli updated the pull request.

[ghost]

@cherukumilli updated the pull request.

[ghost]

@cherukumilli updated the pull request.

[drew-gross]

Doc needs update

[cherukumilli]

Updated doc

[ghost]

@cherukumilli updated the pull request.

[drew-gross]

Cool. I think is solid, but because it involves a new public API I'd like to give it a few more days for comments. We maya want to eg. discuss what happens to existing tokens when people enable this for the first time. Another alternative would be to store the time the token was created rather than the time it expires, then if someone shortens the validity duration, existing tokens will be valid for the length of the new duration, not the old one. Session expiry doesn't work that way, though, so it might be confusing.

[cherukumilli]

@drew-gross
Your feedback got me thinking on other ways to expire email verify tokens without adding a new Public API.

I wonder if the following is a better solution than this PR:

1. Developer maintains an internal setting called: emailVerifyTokenExpireDuration (either using a Config variable using Parse Dashboard or a constant in cloud code or a DB table entry, etc...)
2. Developer creates a job / cloud code to run every 5 minutes
3. Cloud code queries the Parse.User class to get all the Users with expired tokens using a query like:
   • emailVerified set to false
   • createdAt is less than currentTime - emailVerifyTokenExpireDuration
4. Clean up all the Users returned in step 3

Please let me know if you see any gaps in the logic above.

[drew-gross]

Hmm, I missed the context about deleting users who have not verified their email. I don't think thats a great idea, I think a better plan would be to resend the verification email (which can be done today by setting the email on the user. It will resend the email even if it's the same address). Then people could recover their account if they delete the original verification email.

That plan for doing user cleanup without a new public API seems solid, but adding expiry as a new API seems like it would be useful as well.

[cherukumilli]

I didn't know that setting the email on the user will trigger another verification email.

Based on the feedback, I will add the following new test cases:

1. clicking on the email verify link by an email VERIFIED user that was setup before enabling the expire email verify token should show an invalid link
2. clicking on the email verify link by an email UNVERIFIED user that was setup before enabling the expire email verify token should show an invalid link
3. setting the email on the user should set a new email verification token and new expiration date for the token when expire email verify token flag is set

[ghost]

@cherukumilli updated the pull request.

[ghost]

@cherukumilli updated the pull request.

[drew-gross]

Code looks super solid and very well tested. One more api decision which we should consider is whether to let the client see this field, and/or edit it via regular Parse Queries, or strip it and not allow the client to see it.

If we decided we do want to allow the client to see/edit this field, we can merge as is.

[flovilmart]

IMHO we should not (same as emailVerified)

[cherukumilli]

@drew-gross
When you say whether to let the client see this field, is the field that you are talking about _email_verify_token_expires_at ?

If it is then it is hidden. I made it to mimic the _email_verify_token field to a large extent.

[drew-gross]

I noticed in the tests you are using user.get('_email_verify_token_expires_at') though?

[cherukumilli]

Let me fix that and push another update with a test case to ensure that the client cannot see the _email_verify_token_expires_at field.

[facebook-github-bot]

@cherukumilli updated the pull request.

[ghost]

@cherukumilli updated the pull request.

[cherukumilli]

@flovilmart
can you please restart the build?

[flovilmart]

there you have it :)

[flovilmart]

👍

[flovilmart]

@cherukumilli just 1 micro nit on the environment variable otherwise that looks more than awesome

[ghost]

@cherukumilli updated the pull request.

[flovilmart]

Awesome, just a note for the future, there is no need to squash your commits as we squash them upon merging :)

[cherukumilli]

Thanks. I will not squash them going forward.

can you please re-run the build again?

[flovilmart]

@drew-gross I'll let you merge as you reviewed the code more extensively

[drew-gross]

Looks awesome to me. So many tests ❤️