feat: allow the master key to bypass email verification (#8230)

mstniy · mstniy · commit 588b0f3ffe5c · 2022-10-14T14:31:51.000+03:00
diff --git a/spec/EmailVerificationToken.spec.js b/spec/EmailVerificationToken.spec.js
@@ -521,6 +521,82 @@ describe('Email Verification Token Expiration: ', () => {
       });
   });
 
+  it('master key can create users and change the email of a user without triggering a re-verification', done => {
+    const user = new Parse.User();
+
+    let sendEmailCount = 0;
+    const emailAdapter = {
+      sendVerificationEmail: () => {
+        sendEmailCount += 1;
+      },
+      sendPasswordResetEmail: () => {
+        sendEmailCount += 1;
+        return Promise.resolve();
+      },
+      sendMail: () => {
+        sendEmailCount += 1;
+      },
+    };
+    const serverConfig = {
+      appName: 'emailVerifyToken',
+      verifyUserEmails: true,
+      preventLoginWithUnverifiedEmail: true,
+      emailAdapter: emailAdapter,
+      emailVerifyTokenValidityDuration: 5, // 5 seconds
+      publicServerURL: 'http://localhost:8378/1',
+    };
+
+    reconfigureServer(serverConfig)
+      .then(() => {
+        user.setUsername('masterKeyBypassEmailVerification');
+        user.setPassword('expiringToken');
+        user.set('email', 'user@parse.com');
+        user.set('emailVerified', true);
+        return user.save(null, { useMasterKey: true });
+      })
+      .then(() => {
+        const config = Config.get('test');
+        return config.database
+          .find('_User', { username: 'masterKeyBypassEmailVerification' })
+          .then(results => {
+            return results[0];
+          });
+      })
+      .then(userFromDb => {
+        expect(typeof userFromDb).toBe('object');
+        expect(sendEmailCount).toBe(0);
+        expect(userFromDb['emailVerified']).toBe(true);
+        expect(userFromDb['email']).toBe('user@parse.com');
+        expect(user.getSessionToken()).toBeDefined();
+
+        // change the email
+        user.set('email', 'user2@parse.com');
+        user.set('emailVerified', true);
+        return new Promise(resolve => {
+          setTimeout(() => resolve(user.save(null, { useMasterKey: true })), 500);
+        });
+      })
+      .then(() => {
+        const config = Config.get('test');
+        return config.database
+          .find('_User', { username: 'masterKeyBypassEmailVerification' })
+          .then(results => {
+            return results[0];
+          });
+      })
+      .then(userAfterEmailReset => {
+        expect(typeof userAfterEmailReset).toBe('object');
+        expect(sendEmailCount).toBe(0);
+        expect(userAfterEmailReset['emailVerified']).toBe(true);
+        expect(userAfterEmailReset['email']).toBe('user2@parse.com');
+        done();
+      })
+      .catch(error => {
+        jfail(error);
+        done();
+      });
+  });
+
   it('should send a new verification email when a resend is requested and the user is UNVERIFIED', done => {
     const user = new Parse.User();
     let sendEmailOptions;
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -732,9 +732,11 @@ RestWrite.prototype._validateEmail = function () {
         (Object.keys(this.data.authData).length === 1 &&
           Object.keys(this.data.authData)[0] === 'anonymous')
       ) {
-        // We updated the email, send a new validation
-        this.storage['sendVerificationEmail'] = true;
-        this.config.userController.setEmailVerifyToken(this.data);
+        // We updated the email, send a new verification unless the master key explicitly suppresses it
+        if (!this.auth.isMaster || !this.data['emailVerified']) {
+          this.storage['sendVerificationEmail'] = true;
+          this.config.userController.setEmailVerifyToken(this.data);
+        }
       }
     });
 };
@@ -862,8 +864,10 @@ RestWrite.prototype.createSessionTokenIfNeeded = function () {
     this.config.preventLoginWithUnverifiedEmail && // no login without verification
     this.config.verifyUserEmails
   ) {
-    // verification is on
-    return; // do not create the session token in that case!
+    // verification is on and the master key has not explicitly suppressed verification
+    if (!this.auth.isMaster || !this.data['emailVerified']) {
+      return; // do not create the session token in that case!
+    }
   }
   return this.createSessionToken();
 };
