diff --git a/CHANGELOG.MD b/CHANGELOG.MD
index ee6e23d4c..70f5a67c1 100644
--- a/CHANGELOG.MD
+++ b/CHANGELOG.MD
@@ -1,4 +1,9 @@ ## May 23, 2024
+
+- **Bugfix** Security issue with email verification [🎟️ DESENG-618](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-618)
+ - Removed verification token from the response object
+ - Updated the test to reflect the change
+
 - **Bugfix** Add try catch block around snowplow call [🎟️ DESENG-621](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-621)
 - Added a try catch block to all snowplow calls
diff --git a/met-api/src/met_api/services/email_verification_service.py b/met-api/src/met_api/services/email_verification_service.py
index 3b40d33e0..9f3cb7956 100644
--- a/met-api/src/met_api/services/email_verification_service.py
+++ b/met-api/src/met_api/services/email_verification_service.py
@@ -62,12 +62,13 @@ def create(cls, email_verification: EmailVerificationSchema,
 email_verification['created_by'] = email_verification.get(
 'participant_id')
- email_verification['verification_token'] = uuid.uuid4()
- EmailVerification.create(email_verification, session)
+ verification_token = uuid.uuid4()
+ EmailVerification.create({**email_verification, 'verification_token': verification_token}, session)
 # TODO: remove this once email logic is brought over from submission service to here
 if email_verification.get('type', None) != EmailVerificationType.RejectedComment:
- cls._send_verification_email(email_verification, subscription_type)
+ cls._send_verification_email(
+ {**email_verification, 'verification_token': verification_token}, subscription_type)
 return email_verification
diff --git a/met-api/tests/unit/api/test_email_verification_service.py b/met-api/tests/unit/api/test_email_verification_service.py
index 55a3061aa..8f3c4418d 100644
--- a/met-api/tests/unit/api/test_email_verification_service.py
+++ b/met-api/tests/unit/api/test_email_verification_service.py
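Review bot: The dict carrying the token is spelled out twice on the new side, once for `EmailVerification.create` and again for `_send_verification_email`, so the two call sites can drift apart; build it once, `record = {**email_verification, 'verification_token': verification_token}`, and pass `record` to both calls. The reason the token is kept out of the returned `email_verification` is not stated anywhere and deserves a comment on the `return` line, e.g. `# Never return the token: it would end up in the HTTP response, and only the email recipient may learn it`, since a refactor that folds the spread back into the input dict would silently reintroduce DESENG-618. The `create` method starts outside the hunk, and the context line `email_verification['created_by'] = ...` still mutates the caller's dict in place, so the copy only isolates the token, not the rest of the record. The GET-by-token round-trip deleted from test_email_verification_service.py appears to have been that test's only exercise of the verification lookup; reading the token from the persisted record instead of the response would keep that coverage without re-exposing the token.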
@@ -140,13 +140,6 @@ def test_post_subscription_email_verification(client, jwt, session, notify_mock,
 headers=headers, content_type=ContentType.JSON.value)
 assert rv.status_code == 200
- verification_token = rv.json.get('verification_token')
-
- rv = client.get(f'/api/email_verification/{verification_token}',
- headers=headers, content_type=ContentType.JSON.value)
-
- assert rv.status_code == 200
- assert rv.json.get('type') == EmailVerificationType.Subscribe
 with patch.object(EmailVerificationService, 'create', side_effect=side_effect):
 rv = client.post(f'/api/email_verification/{SubscriptionTypes.PROJECT.value}/subscribe',