DEV: Hash tokens stored from email_tokens (#14493)

This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2025-05-28 13:51:18 +08:00 · 2021-11-25 09:34:39 +02:00
parent 4c46c7e334
commit fa8cd629f1
34 changed files with 482 additions and 599 deletions
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -155,9 +155,8 @@ class Users::OmniauthCallbacksController < ApplicationController
        user.update!(password: SecureRandom.hex)

        # Ensure there is an active email token
-        unless EmailToken.where(email: user.email, confirmed: true).exists? ||
-          user.email_tokens.active.where(email: user.email).exists?
-          user.email_tokens.create!(email: user.email)
+        if !EmailToken.where(email: user.email, confirmed: true).exists? && !user.email_tokens.active.where(email: user.email).exists?
+          user.email_tokens.create!(email: user.email, scope: EmailToken.scopes[:signup])
        end

        user.activate