letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Don't error out if there is no email associated to the registration

Browse Source 
In case an email is required for password auth, we create a user
authentication which we force the user to complete. We used to
double-check that the email is required before completing the
registration, which was only really useful when the config flipped from
not being required to being required, in the 1h window in which running
registrations were still valid. We think this is a fine trade-off.
This commit is contained in:
Quentin Gliech
2025-11-21 19:36:04 +01:00
parent c9b89c2f8d
commit 5a9fbcb98e
1 changed files with 42 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
crates/handlers/src/views/register/steps/finish.rs
View File

@@ -154,59 +154,53 @@ pub(crate) async fn get(
// If there is an email authentication, we need to check that the email
// address was verified. If there is no email authentication attached, we
// need to make sure the server doesn't require it
let email_authentication = if let Some(email_authentication_id) =
registration.email_authentication_id
{
let email_authentication = repo
.user_email()
.lookup_authentication(email_authentication_id)
.await?
.context("Could not load the email authentication")
.map_err(InternalError::from_anyhow)?;
let email_authentication =
if let Some(email_authentication_id) = registration.email_authentication_id {
let email_authentication = repo
.user_email()
.lookup_authentication(email_authentication_id)
.await?
.context("Could not load the email authentication")
.map_err(InternalError::from_anyhow)?;
// Check that the email authentication has been completed
if email_authentication.completed_at.is_none() {
return Ok((
cookie_jar,
url_builder.redirect(&mas_router::RegisterVerifyEmail::new(id)),
)
.into_response());
}
// Check that the email authentication has been completed
if email_authentication.completed_at.is_none() {
return Ok((
cookie_jar,
url_builder.redirect(&mas_router::RegisterVerifyEmail::new(id)),
)
.into_response());
}
// Check that the email address isn't already used
// It is important to do that here, as we we're not checking during the
// registration, because we don't want to disclose whether an email is
// already being used or not before we verified it
if repo
.user_email()
.count(UserEmailFilter::new().for_email(&email_authentication.email))
.await?
> 0
{
let action = registration
.post_auth_action
.map(serde_json::from_value)
.transpose()?;
// Check that the email address isn't already used
// It is important to do that here, as we we're not checking during the
// registration, because we don't want to disclose whether an email is
// already being used or not before we verified it
if repo
.user_email()
.count(UserEmailFilter::new().for_email(&email_authentication.email))
.await?
> 0
{
let action = registration
.post_auth_action
.map(serde_json::from_value)
.transpose()?;
let ctx = RegisterStepsEmailInUseContext::new(email_authentication.email, action)
.with_language(lang);
let ctx = RegisterStepsEmailInUseContext::new(email_authentication.email, action)
.with_language(lang);
return Ok((
cookie_jar,
Html(templates.render_register_steps_email_in_use(&ctx)?),
)
.into_response());
}
return Ok((
cookie_jar,
Html(templates.render_register_steps_email_in_use(&ctx)?),
)
.into_response());
}
Some(email_authentication)
} else if site_config.password_registration_email_required {
// This could only happen in theory during a configuration change
return Err(InternalError::from_anyhow(anyhow::anyhow!(
"Server requires an email address to complete the registration, but no email authentication was attached to the user registration"
)));
} else {
None
};
Some(email_authentication)
} else {
None
};
// Check that the display name is set
if registration.display_name.is_none() {