DEV: Hash tokens stored from email_tokens (#14493)

This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2025-06-01 09:08:10 +08:00 · 2021-11-25 09:34:39 +02:00
parent 4c46c7e334
commit fa8cd629f1
34 changed files with 482 additions and 599 deletions
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@ -567,11 +567,13 @@ describe 'users' do
        expected_response_schema = nil

        let(:user) { Fabricate(:user) }
-        let(:token) { user.email_tokens.create(email: user.email).token }
-        let(:params) { {
-          'username' => user.username,
-          'password' => 'NH8QYbxYS5Zv5qEFzA4jULvM'
-        } }
+        let(:token) { Fabricate(:email_token, user: user, scope: EmailToken.scopes[:password_reset]).token }
+        let(:params) do
+          {
+            'username' => user.username,
+            'password' => 'NH8QYbxYS5Zv5qEFzA4jULvM'
+          }
+        end

        it_behaves_like "a JSON endpoint", 200 do
          let(:expected_response_schema) { expected_response_schema }