feat: Add new Parse Server option preventSignupWithUnverifiedEmail …

…to prevent returning a user without session token on sign-up with unverified email address (#8451)

spec/ValidationAndPasswordsReset.spec.js

@@ -242,8 +242,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
       });
   });
 
-  it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', done => {
-    const user = new Parse.User();
+  it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', async () => {
     let sendEmailOptions;
     const emailAdapter = {
       sendVerificationEmail: options => {
@@ -252,59 +251,32 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
       sendPasswordResetEmail: () => Promise.resolve(),
       sendMail: () => {},
     };
-    reconfigureServer({
+    await reconfigureServer({
       appName: 'emailing app',
       verifyUserEmails: true,
       preventLoginWithUnverifiedEmail: true,
       emailAdapter: emailAdapter,
       publicServerURL: 'http://localhost:8378/1',
-    })
-      .then(() => {
-        user.setPassword('other-password');
-        user.setUsername('user');
-        user.set('email', 'user@parse.com');
-        return user.signUp();
-      })
-      .then(() => {
-        expect(sendEmailOptions).not.toBeUndefined();
-        request({
-          url: sendEmailOptions.link,
-          followRedirects: false,
-        }).then(response => {
-          expect(response.status).toEqual(302);
-          expect(response.text).toEqual(
-            'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
-          );
-          user
-            .fetch({ useMasterKey: true })
-            .then(
-              () => {
-                expect(user.get('emailVerified')).toEqual(true);
-
-                Parse.User.logIn('user', 'other-password').then(
-                  user => {
-                    expect(typeof user).toBe('object');
-                    expect(user.get('emailVerified')).toBe(true);
-                    done();
-                  },
-                  () => {
-                    fail('login should have succeeded');
-                    done();
-                  }
-                );
-              },
-              err => {
-                jfail(err);
-                fail('this should not fail');
-                done();
-              }
-            )
-            .catch(err => {
-              jfail(err);
-              done();
-            });
-        });
-      });
+    });
+    let user = new Parse.User();
+    user.setPassword('other-password');
+    user.setUsername('user');
+    user.set('email', 'user@example.com');
+    await user.signUp();
+    expect(sendEmailOptions).not.toBeUndefined();
+    const response = await request({
+      url: sendEmailOptions.link,
+      followRedirects: false,
+    });
+    expect(response.status).toEqual(302);
+    expect(response.text).toEqual(
+      'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
+    );
+    user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
+    expect(user.get('emailVerified')).toEqual(true);
+    user = await Parse.User.logIn('user', 'other-password');
+    expect(typeof user).toBe('object');
+    expect(user.get('emailVerified')).toBe(true);
   });
 
   it('allows user to login if email is not verified but preventLoginWithUnverifiedEmail is set to false', done => {
@@ -345,6 +317,35 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
       });
   });
 
+  it('does not allow signup with preventSignupWithUnverified', async () => {
+    let sendEmailOptions;
+    const emailAdapter = {
+      sendVerificationEmail: options => {
+        sendEmailOptions = options;
+      },
+      sendPasswordResetEmail: () => Promise.resolve(),
+      sendMail: () => {},
+    };
+    await reconfigureServer({
+      appName: 'test',
+      publicServerURL: 'http://localhost:1337/1',
+      verifyUserEmails: true,
+      preventLoginWithUnverifiedEmail: true,
+      preventSignupWithUnverifiedEmail: true,
+      emailAdapter,
+    });
+    const newUser = new Parse.User();
+    newUser.setPassword('asdf');
+    newUser.setUsername('zxcv');
+    newUser.set('email', 'test@example.com');
+    await expectAsync(newUser.signUp()).toBeRejectedWith(
+      new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.')
+    );
+    const user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
+    expect(user).toBeDefined();
+    expect(sendEmailOptions).toBeDefined();
+  });
+
   it('fails if you include an emailAdapter, set a publicServerURL, but have no appName and send a password reset email', done => {
     reconfigureServer({
       appName: undefined,

spec/VerifyUserPassword.spec.js

@@ -353,8 +353,9 @@ describe('Verify User Password', () => {
         done();
       });
   });
-  it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', done => {
-    reconfigureServer({
+
+  it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', async () => {
+    await reconfigureServer({
       publicServerURL: 'http://localhost:8378/',
       appName: 'emailVerify',
       verifyUserEmails: true,
@@ -364,28 +365,21 @@ describe('Verify User Password', () => {
         apiKey: 'k',
         domain: 'd',
       }),
-    })
-      .then(() => {
-        const user = new Parse.User();
-        return user.save({
-          username: 'unverified-user',
-          password: 'mypass',
-          email: 'unverified-email@user.com',
-        });
-      })
-      .then(() => {
-        return verifyPassword('unverified-email@user.com', 'mypass', true);
-      })
-      .then(res => {
-        expect(res.status).toBe(400);
-        expect(res.text).toMatch('{"code":205,"error":"User email is not verified."}');
-        done();
-      })
-      .catch(err => {
-        fail(err);
-        done();
-      });
+    });
+    const user = new Parse.User();
+    await user.save({
+      username: 'unverified-user',
+      password: 'mypass',
+      email: 'unverified-email@example.com',
+    });
+    const res = await verifyPassword('unverified-email@example.com', 'mypass', true);
+    expect(res.status).toBe(400);
+    expect(res.data).toEqual({
+      code: Parse.Error.EMAIL_NOT_FOUND,
+      error: 'User email is not verified.',
+    });
   });
+
   it('verify password lock account if failed verify password attempts are above threshold', done => {
     reconfigureServer({
       appName: 'lockout threshold',

src/Options/Definitions.js

@@ -412,6 +412,13 @@ module.exports.ParseServerOptions = {
     action: parsers.booleanParser,
     default: false,
   },
+  preventSignupWithUnverifiedEmail: {
+    env: 'PARSE_SERVER_PREVENT_SIGNUP_WITH_UNVERIFIED_EMAIL',
+    help:
+      "If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.<br><br>Default is `false`.<br>Requires option `verifyUserEmails: true`.",
+    action: parsers.booleanParser,
+    default: false,
+  },
   protectedFields: {
     env: 'PARSE_SERVER_PROTECTED_FIELDS',
     help: 'Protected fields that should be treated with extra security when fetching details.',

src/Options/index.js

@@ -165,6 +165,13 @@ export interface ParseServerOptions {
   Requires option `verifyUserEmails: true`.
   :DEFAULT: false */
   preventLoginWithUnverifiedEmail: ?boolean;
+  /* If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.
+  <br><br>
+  Default is `false`.
+  <br>
+  Requires option `verifyUserEmails: true`.
+  :DEFAULT: false */
+  preventSignupWithUnverifiedEmail: ?boolean;
   /* Set the validity duration of the email verification token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to `undefined`, then the token never expires.
   <br><br>
   For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).

src/RestWrite.js

@@ -160,6 +160,9 @@ RestWrite.prototype.execute = function () {
           this.response.response.authDataResponse = this.authDataResponse;
         }
       }
+      if (this.storage.rejectSignup && this.config.preventSignupWithUnverifiedEmail) {
+        throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
+      }
       return this.response;
     });
 };
@@ -879,7 +882,8 @@ RestWrite.prototype.createSessionTokenIfNeeded = function () {
     this.config.verifyUserEmails
   ) {
     // verification is on
-    return; // do not create the session token in that case!
+    this.storage.rejectSignup = true;
+    return;
   }
   return this.createSessionToken();
 };