🎉 Add 'email-verification' flag enabled by default

The main idea is deprecating the `insecure-register` flag with the more general `email-verification` flag.
2025-05-11 06:06:38 +02:00 · 2022-09-14 12:39:20 +02:00 · 2022-09-14 12:39:20 +02:00 · 2348146f00
commit 2348146f00
parent 41134f22e9
7 changed files with 88 additions and 19 deletions
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@ -317,7 +317,8 @@
 (def default-flags
  [:enable-backend-api-doc
   :enable-backend-worker
-   :enable-secure-session-cookies])
+   :enable-secure-session-cookies
+   :enable-email-verification])

 (defn- parse-flags
  [config]
--- a/backend/src/app/main.clj
+++ b/backend/src/app/main.clj
@ -417,6 +417,7 @@
                                 (ig/prep)
                                 (ig/init))))
  (l/info :msg "welcome to penpot"
+          :worker? (contains? cf/flags :backend-worker)
          :version (:full cf/version)))

 (defn stop
--- a/backend/src/app/rpc/commands/auth.clj
+++ b/backend/src/app/rpc/commands/auth.clj
@ -324,17 +324,25 @@
        params    (merge params claims)]
    (check-profile-existence! conn params)
    (let [is-active  (or (:is-active params)
+                         (not (contains? cf/flags :email-verification))
+
+                         ;; DEPRECATED: v1.15
                         (contains? cf/flags :insecure-register))
+
          profile    (->> (assoc params :is-active is-active)
                          (create-profile conn)
                          (create-profile-relations conn)
                          (profile/decode-profile-row))
+
          invitation (when-let [token (:invitation-token params)]
                       (tokens/verify sprops {:token token :iss :team-invitation}))]
      (cond
-        ;; If invitation token comes in params, this is because the user comes from team-invitation process;
-        ;; in this case, regenerate token and send back to the user a new invitation token (and mark current
-        ;; session as logged). This happens only if the invitation email matches with the register email.
+        ;; If invitation token comes in params, this is because the
+        ;; user comes from team-invitation process; in this case,
+        ;; regenerate token and send back to the user a new invitation
+        ;; token (and mark current session as logged). This happens
+        ;; only if the invitation email matches with the register
+        ;; email.
        (and (some? invitation) (= (:email profile) (:member-email invitation)))
        (let [claims (assoc invitation :member-id  (:id profile))
              token  (tokens/generate sprops claims)
--- a/backend/src/app/rpc/mutations/teams.clj
+++ b/backend/src/app/rpc/mutations/teams.clj
@ -419,26 +419,51 @@
      (ex/raise :type :validation
                :code :member-is-muted
                :email email
-                :hint "looks like the profile has reported repeatedly as spam or has permanent bounces"))
+                :hint "the profile has reported repeatedly as spam or has bounces"))

    ;; Secondly check if the invited member email is part of the global spam/bounce report.
    (when (eml/has-bounce-reports? conn email)
      (ex/raise :type :validation
                :code :email-has-permanent-bounces
                :email email
-                :hint "looks like the email you invite has been repeatedly reported as spam or permanent bounce"))
+                :hint "the email you invite has been repeatedly reported as spam or bounce"))

-    (db/exec-one! conn [sql:upsert-team-invitation
-                        (:id team) (str/lower email) (name role) token-exp (name role) token-exp])
+    ;; When we have email verification disabled and invitation user is
+    ;; already present in the database, we proceed to add it to the
+    ;; team as-is, without email roundtrip.

-    (eml/send! {::eml/conn conn
-                ::eml/factory eml/invite-to-team
-                :public-uri (:public-uri cfg)
-                :to email
-                :invited-by (:fullname profile)
-                :team (:name team)
-                :token itoken
-                :extra-data ptoken})))
+    ;; TODO: if member does not exists and email verification is
+    ;; disabled, we should proceed to create the profile (?)
+    (if (and (not (contains? cf/flags :email-verification))
+             (some? member))
+      (let [params (merge {:team-id (:id team)
+                           :profile-id (:id member)}
+                          (role->params role))]
+
+        ;; Insert the invited member to the team
+        (db/insert! conn :team-profile-rel params {:on-conflict-do-nothing true})
+
+        ;; If profile is not yet verified, mark it as verified because
+        ;; accepting an invitation link serves as verification.
+        (when-not (:is-active member)
+          (db/update! conn :profile
+                      {:is-active true}
+                      {:id (:id member)}))
+
+        (assoc member :is-active true))
+
+      (do
+        (db/exec-one! conn [sql:upsert-team-invitation
+                            (:id team) (str/lower email) (name role)
+                            token-exp (name role) token-exp])
+        (eml/send! {::eml/conn conn
+                    ::eml/factory eml/invite-to-team
+                    :public-uri (:public-uri cfg)
+                    :to email
+                    :invited-by (:fullname profile)
+                    :team (:name team)
+                    :token itoken
+                    :extra-data ptoken})))))

 ;; --- Mutation: Create Team & Invite Members