feat: Add new Parse Server option preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address
#8451
Conversation
|
I will reformat the title to use the proper commit message syntax. |
parse-github-assistant
bot
changed the title
Thanks for opening this pull request! |
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## alpha #8451 +/- ##
==========================================
- Coverage 94.34% 94.19% -0.15%
==========================================
Files 183 183
Lines 14576 14579 +3
==========================================
- Hits 13751 13732 -19
- Misses 825 847 +22
☔ View full report in Codecov by Sentry. |
|
Currently the response is 201 success and with the PR the response will be a 400 error? Isn't that a breaking change? |
|
Is it considered a breaking change if it's a bug in the expected behaviour? |
|
There's no fixed rule. Generally, if it's incorrect behavior but the feature is usable, then we can assume developers found a workaround. Breaking that workaround would make it a breaking change, even if it's just correcting the incorrect behavior. If there is no practical workaround then it's not a breaking change. If the bug exists only in an alpha or beta pre-release then it's also not a breaking change, because we can fix that before official release. For security fixes there are other additional considerations. Here, if the http response code is 201 instead of 400, and developers work around this by checking for an existing session token, then I guess it would be breaking. Technically it should be 400, but with some imagination one could say it can be 201 because an object ID is assigned, there's just no session token. What do you think? I guess a simple test is always to imagine your own app is using the feature and depending on the status quo. Then you upgrade Parse Server and millions of clients expecting hard-codedly a 201 response will suddenly break. Would you have wanted this to be communicated as a breaking change? |
|
It is a breaking change, so should we wait for a major release? How do you think we should approach this? If we leave it as a status 200, but return a response with no session token, the client SDKs will think the login was successful, assign a const user = new Parse.User();
user.setPassword('asdf');
user.setUsername('zxcv');
user.set('email', 'testInvalidConfig@example.com');
await user.signUp(null);
console.log(Parse.User.current()) // is defined
user.set('foo', 'bar');
await user.save(); // cannot modify userThe current work around is: const user = new Parse.User();
user.setPassword('asdf');
user.setUsername('zxcv');
user.set('email', 'testInvalidConfig@example.com');
await user.signUp(null);
await Parse.User.logOut() |
|
If we say this is breaking then we can
The challenge with this correction is that it's not just server side code that needs to be updated, but possibly clients. That often mans a long-winding migration process over +1 year. So we could:
|
|
Refactored this to be a Parse Server option: |
dblythy
changed the title
mtrezza
changed the title
preventSignupWithUnverifiedEmail to reject sign-up with unverified email address
mtrezza
changed the title
preventSignupWithUnverifiedEmail to reject sign-up with unverified email addresspreventSignupWithUnverifiedEmail to prevent creating a user without session token on sign-up with unverified email address
mtrezza
changed the title
preventSignupWithUnverifiedEmail to prevent creating a user without session token on sign-up with unverified email addresspreventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address
|
The new PR title is somewhat long, but I thought "prevent sign-up with unverified email" sounds strange because an email address is always unverified on sign-up. |
Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com> Signed-off-by: Daniel <daniel-blyth@live.com.au>
|
Sounds good to me! |
|
Yep! |
# [6.1.0-alpha.17](6.1.0-alpha.16...6.1.0-alpha.17) (2023-06-07) ### Features * Add new Parse Server option `preventSignupWithUnverifiedEmail` to prevent returning a user without session token on sign-up with unverified email address ([#8451](#8451)) ([82da308](82da308))
|
🎉 This change has been released in version 6.1.0-alpha.17 |
# [6.3.0-beta.1](6.2.0...6.3.0-beta.1) (2023-06-10) ### Bug Fixes * Cloud Code Trigger `afterSave` executes even if not set ([#8520](#8520)) ([afd0515](afd0515)) * GridFS file storage doesn't work with certain `enableSchemaHooks` settings ([#8467](#8467)) ([d4cda4b](d4cda4b)) * Inaccurate table total row count for PostgreSQL ([#8511](#8511)) ([0823a02](0823a02)) * LiveQuery server is not shut down properly when `handleShutdown` is called ([#8491](#8491)) ([967700b](967700b)) * Rate limit feature is incompatible with Node 14 ([#8578](#8578)) ([f911f2c](f911f2c)) * Unnecessary log entries by `extendSessionOnUse` ([#8562](#8562)) ([fd6a007](fd6a007)) ### Features * `extendSessionOnUse` to automatically renew Parse Sessions ([#8505](#8505)) ([6f885d3](6f885d3)) * Add new Parse Server option `preventSignupWithUnverifiedEmail` to prevent returning a user without session token on sign-up with unverified email address ([#8451](#8451)) ([82da308](82da308)) * Add option to change the log level of logs emitted by Cloud Functions ([#8530](#8530)) ([2caea31](2caea31)) * Add support for `$eq` query constraint in LiveQuery ([#8614](#8614)) ([656d673](656d673)) * Add zones for rate limiting by `ip`, `user`, `session`, `global` ([#8508](#8508)) ([03fba97](03fba97)) * Allow `Parse.Object` pointers in Cloud Code arguments ([#8490](#8490)) ([28aeda3](28aeda3)) ### Reverts * fix: Inaccurate table total row count for PostgreSQL ([6722110](6722110))
|
🎉 This change has been released in version 6.3.0-beta.1 |
# [6.3.0-alpha.1](6.2.0...6.3.0-alpha.1) (2023-06-18) ### Bug Fixes * Cloud Code Trigger `afterSave` executes even if not set ([#8520](#8520)) ([afd0515](afd0515)) * GridFS file storage doesn't work with certain `enableSchemaHooks` settings ([#8467](#8467)) ([d4cda4b](d4cda4b)) * Inaccurate table total row count for PostgreSQL ([#8511](#8511)) ([0823a02](0823a02)) * LiveQuery server is not shut down properly when `handleShutdown` is called ([#8491](#8491)) ([967700b](967700b)) * Rate limit feature is incompatible with Node 14 ([#8578](#8578)) ([f911f2c](f911f2c)) * Unnecessary log entries by `extendSessionOnUse` ([#8562](#8562)) ([fd6a007](fd6a007)) ### Features * `extendSessionOnUse` to automatically renew Parse Sessions ([#8505](#8505)) ([6f885d3](6f885d3)) * Add new Parse Server option `preventSignupWithUnverifiedEmail` to prevent returning a user without session token on sign-up with unverified email address ([#8451](#8451)) ([82da308](82da308)) * Add option to change the log level of logs emitted by Cloud Functions ([#8530](#8530)) ([2caea31](2caea31)) * Add support for `$eq` query constraint in LiveQuery ([#8614](#8614)) ([656d673](656d673)) * Add zones for rate limiting by `ip`, `user`, `session`, `global` ([#8508](#8508)) ([03fba97](03fba97)) * Allow `Parse.Object` pointers in Cloud Code arguments ([#8490](#8490)) ([28aeda3](28aeda3)) ### Reverts * fix: Inaccurate table total row count for PostgreSQL ([6722110](6722110))
|
🎉 This change has been released in version 6.3.0-alpha.1 |
# [6.3.0](6.2.2...6.3.0) (2023-09-16) ### Bug Fixes * Cloud Code Trigger `afterSave` executes even if not set ([#8520](#8520)) ([afd0515](afd0515)) * GridFS file storage doesn't work with certain `enableSchemaHooks` settings ([#8467](#8467)) ([d4cda4b](d4cda4b)) * Inaccurate table total row count for PostgreSQL ([#8511](#8511)) ([0823a02](0823a02)) * LiveQuery server is not shut down properly when `handleShutdown` is called ([#8491](#8491)) ([967700b](967700b)) * Rate limit feature is incompatible with Node 14 ([#8578](#8578)) ([f911f2c](f911f2c)) * Unnecessary log entries by `extendSessionOnUse` ([#8562](#8562)) ([fd6a007](fd6a007)) ### Features * `extendSessionOnUse` to automatically renew Parse Sessions ([#8505](#8505)) ([6f885d3](6f885d3)) * Add new Parse Server option `preventSignupWithUnverifiedEmail` to prevent returning a user without session token on sign-up with unverified email address ([#8451](#8451)) ([82da308](82da308)) * Add option to change the log level of logs emitted by Cloud Functions ([#8530](#8530)) ([2caea31](2caea31)) * Add support for `$eq` query constraint in LiveQuery ([#8614](#8614)) ([656d673](656d673)) * Add zones for rate limiting by `ip`, `user`, `session`, `global` ([#8508](#8508)) ([03fba97](03fba97)) * Allow `Parse.Object` pointers in Cloud Code arguments ([#8490](#8490)) ([28aeda3](28aeda3)) ### Reverts * fix: Inaccurate table total row count for PostgreSQL ([6722110](6722110))
|
🎉 This change has been released in version 6.3.0 |
Pull Request
Issue
Current, when using
preventLoginWithUnverifiedEmail, the save response is a 201, and the JS SDK assignsParse.User.current()with an objectId, but no session token. Instead, the same response should return as a login, which is:new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.')Closes: #2863
Approach
All other operations should occur, just the response should throw. There will need to be some refactoring, as currently the feature is implemented as:
New:
Perhaps we could add an option to the JS SDK signup method such as
{login: false}that can determine whether signup can throwUser email is not verifiedTasks