
Fix "reinvite" user action #968

Merged 1 commit into release/5.0 from feature/fix-user-reinvitation on Jul 20, 2022

Conversation

mcapeta
Contributor

@mcapeta mcapeta commented May 24, 2022

Fixes #964

The user token from the URL is generated with a secret composed of the server secret, the user's password hash, and the user's "createdAt" timestamp (source). When the token is issued, the secret does not contain all of the above elements, since the user instance was loaded without the password as per the default model scope. On the other hand, when the token is checked, a different secret is used, because the "unscoped" user is fetched, i.e. the user instance containing the password hash (source).

To ensure the same secret is used for both issuing and verifying the token, the "unscoped" user instance needs to be loaded when creating the invitation email.

@mcapeta mcapeta added 👈 needs code review Code review label 🔍 needs QA Quality assurance needed labels May 24, 2022
@mcapeta mcapeta requested a review from abasic May 24, 2022 00:08
@abasic
Member

abasic commented May 24, 2022

@mcapeta I believe this issue is also appearing on the release/5.0 branch. So please make that branch the base of this PR.

@mcapeta mcapeta force-pushed the feature/fix-user-reinvitation branch from 957193e to eb10b7a Compare May 24, 2022 15:27
@mcapeta mcapeta changed the base branch from develop to release/5.0 May 24, 2022 15:27
@underscope
Collaborator

Thanks ❤️

@underscope underscope merged commit da1e580 into release/5.0 Jul 20, 2022
@underscope underscope deleted the feature/fix-user-reinvitation branch July 20, 2022 06:26
Successfully merging this pull request may close these issues.

The reset password URL does not work correctly when the user is reinvited