fix: user sanitization should clean up email change info too (#1759)

The `sanitizeUser` function did not cleanup the **EmailChange** and **EmailChangeSentAt** properties on a User. If a User had a pending email address change, the new address could be leaked via a crafted `signUp` request.
supabase · Sep 3, 2024 · 9d419b4 · 9d419b4
1 parent 7009202
commit 9d419b4
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/internal/api/signup.go b/internal/api/signup.go
@@ -336,9 +336,9 @@ func sanitizeUser(u *models.User, params *SignupParams) (*models.User, error) {
 
 	u.ID = uuid.Must(uuid.NewV4())
 
-	u.Role = ""
+	u.Role, u.EmailChange = "", ""
 	u.CreatedAt, u.UpdatedAt, u.ConfirmationSentAt = now, now, &now
-	u.LastSignInAt, u.ConfirmedAt, u.EmailConfirmedAt, u.PhoneConfirmedAt = nil, nil, nil, nil
+	u.LastSignInAt, u.ConfirmedAt, u.EmailChangeSentAt, u.EmailConfirmedAt, u.PhoneConfirmedAt = nil, nil, nil, nil, nil
 	u.Identities = make([]models.Identity, 0)
 	u.UserMetaData = params.Data
 	u.Aud = params.Aud