fix: email change on account with unverified email

Changing the email address on an account that did not already have a confirmed email would result in the email_confirmed column never being set. This commit fixes that. Additionally, an SQL statement using the unconfirmed email to identify a row was changed so it now uses the user ID instead, which is safer. Resolves: 759
HeyPuter · Sep 10, 2024 · 33de981 · 33de981
1 parent d38fb9f
commit 33de981
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/src/backend/src/helpers.js b/src/backend/src/helpers.js
@@ -1379,7 +1379,7 @@ function is_valid_url ( url ) {
 function hyphenize_confirm_code(email_confirm_code){
     email_confirm_code = email_confirm_code.toString();
     email_confirm_code =
-        email_confirm_code[0] +
+        [0] +
         email_confirm_code[1] +
         email_confirm_code[2] +
         '-' +

diff --git a/src/backend/src/routers/change_email.js b/src/backend/src/routers/change_email.js
@@ -64,8 +64,8 @@ const CHANGE_EMAIL_CONFIRM = eggspress('/change_email/confirm', {
 
     // If other users have the same unconfirmed email, revoke it
     await db.write(
-        'UPDATE `user` SET `unconfirmed_change_email` = NULL, `change_email_confirm_token` = NULL WHERE `unconfirmed_change_email` = ?',
-        [rows[0].unconfirmed_change_email]
+        'UPDATE `user` SET `unconfirmed_change_email` = NULL, `email_confirmed`=1, `change_email_confirm_token` = NULL WHERE `id` = ?',
+        [user_id]
     );
 
     const new_email = rows[0].unconfirmed_change_email;