🔐 refactor: Unverified User Verification Logic #4482

Merged
merged 1 commit into from
Oct 21, 2024

danny-avila
Owner

Summary

I implemented changes to refine the user verification logic, particularly focusing on the handling of unverified emails and user expiration. These modifications enhance the flexibility of our authentication system while maintaining security measures.

  • Updated AuthService.js to disable user TTL (Time To Live) when unverified emails are allowed, while still issuing verification emails if email services are enabled.
  • Modified the user creation process in the registerUser function to consider the ALLOW_UNVERIFIED_EMAIL_LOGIN environment variable when setting the TTL.
  • Refactored the localStrategy.js to remove the expiresAt field from existing users if unverified emails are now allowed, ensuring consistency with the new logic.
  • Adjusted the email verification check in localStrategy.js to align with the updated unverified email allowance setting.

Testing

To test these changes:

  1. Set up different configurations of the ALLOW_UNVERIFIED_EMAIL_LOGIN environment variable.
  2. Attempt to register new users and verify that the TTL is set correctly based on the configuration.
  3. Test logging in with both verified and unverified email addresses to ensure the system behaves as expected.
  4. For existing users, verify that the expiresAt field is removed when logging in if unverified emails are now allowed.

Test Configuration:

  • Toggle ALLOW_UNVERIFIED_EMAIL_LOGIN between true and false
  • Test with email services both enabled and disabled

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • My changes do not introduce new warnings
  • I have tested the changes with various configurations to ensure proper functionality
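
The behaviour described in the summary above, modelled as an added example that is not part of this pull request or of LibreChat's code. Only `expiresAt` and `ALLOW_UNVERIFIED_EMAIL_LOGIN` come from the page; the function names, the `emailVerified` and `emailEnabled` fields, and the TTL length are assumptions made for illustration.

```javascript
// Added illustration, not the project's implementation.
// Hypothetical names: buildNewUser, checkLogin, emailVerified, emailEnabled.
const VERIFY_TTL_MS = 7 * 24 * 60 * 60 * 1000; // constructed value, not from the page

// Treat only the literal string "true" (any case) as enabled.
const isEnabled = (v) => String(v).trim().toLowerCase() === 'true';

// Registration: attach an expiry only when unverified logins are NOT allowed.
function buildNewUser(email, env, now = Date.now()) {
  const user = { email, emailVerified: false };
  if (!isEnabled(env.ALLOW_UNVERIFIED_EMAIL_LOGIN)) {
    user.expiresAt = new Date(now + VERIFY_TTL_MS);
  }
  // A verification mail is still issued whenever mail is configured.
  const sendVerificationEmail = Boolean(env.emailEnabled);
  return { user, sendVerificationEmail };
}

// Login: gate on verification, and drop a leftover expiresAt from accounts
// that were created before unverified logins were allowed.
function checkLogin(user, env) {
  const allowUnverified = isEnabled(env.ALLOW_UNVERIFIED_EMAIL_LOGIN);
  if (!user.emailVerified && !allowUnverified) {
    return { ok: false, reason: 'email_not_verified', migrated: false, user };
  }
  if (!user.emailVerified && allowUnverified && user.expiresAt) {
    const { expiresAt, ...withoutTtl } = user; // remove the TTL field
    return { ok: true, migrated: true, user: withoutTtl };
  }
  return { ok: true, migrated: false, user };
}

// Constructed sample run: an account registered under the strict setting,
// then logging in after the operator flips the variable to "true".
const legacy = buildNewUser('old@example.test',
  { ALLOW_UNVERIFIED_EMAIL_LOGIN: 'false', emailEnabled: true }).user;
console.log(checkLogin(legacy, { ALLOW_UNVERIFIED_EMAIL_LOGIN: 'false' }).reason);
console.log(checkLogin(legacy, { ALLOW_UNVERIFIED_EMAIL_LOGIN: 'true' }).migrated);
```

With the variable set to true, unverified accounts carry no expiry at all, so any clean-up of abandoned sign-ups has to come from a separate process.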

…issuing emails for verification if email services are enabled

- if user was created before this change and unverified emails are allowed, the localStrategy will check if the user has the `expiresAt` field and remove it
@danny-avila danny-avila merged commit f121439 into main Oct 21, 2024
2 checks passed
@danny-avila danny-avila deleted the refactor/allow-unverified-behavior branch October 21, 2024 11:51
owengo pushed a commit to openwengo/LibreChat that referenced this pull request Oct 25, 2024
Development

Successfully merging this pull request may close these issues.

[Bug]: User accounts without finishing e-mail verification unintendedly removed