diff --git a/changelogs/CHANGELOG_alpha.md b/changelogs/CHANGELOG_alpha.md
index 3002b21d26..b16a0daac2 100644
--- a/changelogs/CHANGELOG_alpha.md
+++ b/changelogs/CHANGELOG_alpha.md
@@ -1,3 +1,10 @@
+# [6.1.0-alpha.17](https://github.com/parse-community/parse-server/compare/6.1.0-alpha.16...6.1.0-alpha.17) (2023-06-07)
+
+
+### Features
+
+* Add new Parse Server option `preventSignupWithUnverifiedEmail` to prevent returning a user without session token on sign-up with unverified email address ([#8451](https://github.com/parse-community/parse-server/issues/8451)) ([82da308](https://github.com/parse-community/parse-server/commit/82da30842a55980aa90cb7680fbf6db37ee16dab))
+
# [6.1.0-alpha.16](https://github.com/parse-community/parse-server/compare/6.1.0-alpha.15...6.1.0-alpha.16) (2023-05-28)
diff --git a/package-lock.json b/package-lock.json
index 5ddc19b436..ae2c1bdf3c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
{
"name": "parse-server",
- "version": "6.1.0-alpha.16",
+ "version": "6.1.0-alpha.17",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "parse-server",
- "version": "6.1.0-alpha.16",
+ "version": "6.1.0-alpha.17",
"hasInstallScript": true,
"license": "Apache-2.0",
"dependencies": {
diff --git a/package.json b/package.json
index 5d30586d4a..785845e7f0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "parse-server",
- "version": "6.1.0-alpha.16",
+ "version": "6.1.0-alpha.17",
"description": "An express module providing a Parse-compatible API server",
"main": "lib/index.js",
"repository": {
diff --git a/spec/ValidationAndPasswordsReset.spec.js b/spec/ValidationAndPasswordsReset.spec.js
index 3272f07fc3..ab944e14c1 100644
--- a/spec/ValidationAndPasswordsReset.spec.js
+++ b/spec/ValidationAndPasswordsReset.spec.js
@@ -242,8 +242,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
});
});
- it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', done => {
- const user = new Parse.User();
+ it('allows user to login only after user clicks on the link to confirm email address if preventLoginWithUnverifiedEmail is set to true', async () => {
let sendEmailOptions;
const emailAdapter = {
sendVerificationEmail: options => {
@@ -252,59 +251,32 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
sendPasswordResetEmail: () => Promise.resolve(),
sendMail: () => {},
};
- reconfigureServer({
+ await reconfigureServer({
appName: 'emailing app',
verifyUserEmails: true,
preventLoginWithUnverifiedEmail: true,
emailAdapter: emailAdapter,
publicServerURL: 'http://localhost:8378/1',
- })
- .then(() => {
- user.setPassword('other-password');
- user.setUsername('user');
- user.set('email', 'user@parse.com');
- return user.signUp();
- })
- .then(() => {
- expect(sendEmailOptions).not.toBeUndefined();
- request({
- url: sendEmailOptions.link,
- followRedirects: false,
- }).then(response => {
- expect(response.status).toEqual(302);
- expect(response.text).toEqual(
- 'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
- );
- user
- .fetch({ useMasterKey: true })
- .then(
- () => {
- expect(user.get('emailVerified')).toEqual(true);
-
- Parse.User.logIn('user', 'other-password').then(
- user => {
- expect(typeof user).toBe('object');
- expect(user.get('emailVerified')).toBe(true);
- done();
- },
- () => {
- fail('login should have succeeded');
- done();
- }
- );
- },
- err => {
- jfail(err);
- fail('this should not fail');
- done();
- }
- )
- .catch(err => {
- jfail(err);
- done();
- });
- });
- });
+ });
+ let user = new Parse.User();
+ user.setPassword('other-password');
+ user.setUsername('user');
+ user.set('email', 'user@example.com');
+ await user.signUp();
+ expect(sendEmailOptions).not.toBeUndefined();
+ const response = await request({
+ url: sendEmailOptions.link,
+ followRedirects: false,
+ });
+ expect(response.status).toEqual(302);
+ expect(response.text).toEqual(
+ 'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
+ );
+ user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
+ expect(user.get('emailVerified')).toEqual(true);
+ user = await Parse.User.logIn('user', 'other-password');
+ expect(typeof user).toBe('object');
+ expect(user.get('emailVerified')).toBe(true);
});
it('allows user to login if email is not verified but preventLoginWithUnverifiedEmail is set to false', done => {
@@ -345,6 +317,35 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
});
});
+ it('does not allow signup with preventSignupWithUnverified', async () => {
+ let sendEmailOptions;
+ const emailAdapter = {
+ sendVerificationEmail: options => {
+ sendEmailOptions = options;
+ },
+ sendPasswordResetEmail: () => Promise.resolve(),
+ sendMail: () => {},
+ };
+ await reconfigureServer({
+ appName: 'test',
+ publicServerURL: 'http://localhost:1337/1',
+ verifyUserEmails: true,
+ preventLoginWithUnverifiedEmail: true,
+ preventSignupWithUnverifiedEmail: true,
+ emailAdapter,
+ });
+ const newUser = new Parse.User();
+ newUser.setPassword('asdf');
+ newUser.setUsername('zxcv');
+ newUser.set('email', 'test@example.com');
+ await expectAsync(newUser.signUp()).toBeRejectedWith(
+ new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.')
+ );
+ const user = await new Parse.Query(Parse.User).first({ useMasterKey: true });
+ expect(user).toBeDefined();
+ expect(sendEmailOptions).toBeDefined();
+ });
+
it('fails if you include an emailAdapter, set a publicServerURL, but have no appName and send a password reset email', done => {
reconfigureServer({
appName: undefined,
diff --git a/spec/VerifyUserPassword.spec.js b/spec/VerifyUserPassword.spec.js
index 6734dcdb71..eef2485815 100644
--- a/spec/VerifyUserPassword.spec.js
+++ b/spec/VerifyUserPassword.spec.js
@@ -353,8 +353,9 @@ describe('Verify User Password', () => {
done();
});
});
- it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', done => {
- reconfigureServer({
+
+ it('fails to verify password when preventLoginWithUnverifiedEmail is set to true REST API', async () => {
+ await reconfigureServer({
publicServerURL: 'http://localhost:8378/',
appName: 'emailVerify',
verifyUserEmails: true,
@@ -364,28 +365,21 @@ describe('Verify User Password', () => {
apiKey: 'k',
domain: 'd',
}),
- })
- .then(() => {
- const user = new Parse.User();
- return user.save({
- username: 'unverified-user',
- password: 'mypass',
- email: 'unverified-email@user.com',
- });
- })
- .then(() => {
- return verifyPassword('unverified-email@user.com', 'mypass', true);
- })
- .then(res => {
- expect(res.status).toBe(400);
- expect(res.text).toMatch('{"code":205,"error":"User email is not verified."}');
- done();
- })
- .catch(err => {
- fail(err);
- done();
- });
+ });
+ const user = new Parse.User();
+ await user.save({
+ username: 'unverified-user',
+ password: 'mypass',
+ email: 'unverified-email@example.com',
+ });
+ const res = await verifyPassword('unverified-email@example.com', 'mypass', true);
+ expect(res.status).toBe(400);
+ expect(res.data).toEqual({
+ code: Parse.Error.EMAIL_NOT_FOUND,
+ error: 'User email is not verified.',
+ });
});
+
it('verify password lock account if failed verify password attempts are above threshold', done => {
reconfigureServer({
appName: 'lockout threshold',
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
index b0cf602bab..31700b4cc2 100644
--- a/src/Options/Definitions.js
+++ b/src/Options/Definitions.js
@@ -412,6 +412,13 @@ module.exports.ParseServerOptions = {
action: parsers.booleanParser,
default: false,
},
+ preventSignupWithUnverifiedEmail: {
+ env: 'PARSE_SERVER_PREVENT_SIGNUP_WITH_UNVERIFIED_EMAIL',
+ help:
+ "If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.
Default is `false`.
Requires option `verifyUserEmails: true`.",
+ action: parsers.booleanParser,
+ default: false,
+ },
protectedFields: {
env: 'PARSE_SERVER_PROTECTED_FIELDS',
help: 'Protected fields that should be treated with extra security when fetching details.',
diff --git a/src/Options/docs.js b/src/Options/docs.js
index 6e4d7671eb..b1bf31a5e7 100644
--- a/src/Options/docs.js
+++ b/src/Options/docs.js
@@ -77,6 +77,7 @@
* @property {Number} port The port to run the ParseServer, defaults to 1337.
* @property {Boolean} preserveFileName Enable (or disable) the addition of a unique hash to the file names
* @property {Boolean} preventLoginWithUnverifiedEmail Set to `true` to prevent a user from logging in if the email has not yet been verified and email verification is required.
Default is `false`.
Requires option `verifyUserEmails: true`.
+ * @property {Boolean} preventSignupWithUnverifiedEmail If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.
Default is `false`.
Requires option `verifyUserEmails: true`.
* @property {ProtectedFields} protectedFields Protected fields that should be treated with extra security when fetching details.
* @property {String} publicServerURL Public URL to your parse server with http:// or https://.
* @property {Any} push Configuration for push, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#push-notifications
diff --git a/src/Options/index.js b/src/Options/index.js
index 8588a1f7fe..492f4323e9 100644
--- a/src/Options/index.js
+++ b/src/Options/index.js
@@ -165,6 +165,13 @@ export interface ParseServerOptions {
Requires option `verifyUserEmails: true`.
:DEFAULT: false */
preventLoginWithUnverifiedEmail: ?boolean;
+ /* If set to `true` it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 `EMAIL_NOT_FOUND`. If set to `false` the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.
+
+ Default is `false`.
+
+ Requires option `verifyUserEmails: true`.
+ :DEFAULT: false */
+ preventSignupWithUnverifiedEmail: ?boolean;
/* Set the validity duration of the email verification token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to `undefined`, then the token never expires.
For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).
diff --git a/src/RestWrite.js b/src/RestWrite.js
index c703ee50bb..f7c6a53592 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -160,6 +160,9 @@ RestWrite.prototype.execute = function () {
this.response.response.authDataResponse = this.authDataResponse;
}
}
+ if (this.storage.rejectSignup && this.config.preventSignupWithUnverifiedEmail) {
+ throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.');
+ }
return this.response;
});
};
@@ -879,7 +882,8 @@ RestWrite.prototype.createSessionTokenIfNeeded = function () {
this.config.verifyUserEmails
) {
// verification is on
- return; // do not create the session token in that case!
+ this.storage.rejectSignup = true;
+ return;
}
return this.createSessionToken();
};