Verify email

packages/common/src/config.js

@@ -3,6 +3,8 @@ import { EMAIL_ONLY } from './passwordSignupFields';
 
 export default {
   sendVerificationEmail: false,
+  sendEnrollmentEmail: false,
+  sendWelcomeEmail: false,
   forbidClientAccountCreation: false,
   restrictCreationByEmailDomain: null,
   loginExpirationInDays: 90,

packages/common/src/types.js

@@ -4,7 +4,8 @@ export type UserObjectType = {
   username: ?string,
   email: ?string,
   id: ?string,
-  profile: ?Object
+  profile: ?Object,
+  services: ?Object
 };
 
 export type CreateUserType = {

packages/server/package.json

@@ -41,6 +41,7 @@
     "@accounts/common": "^0.0.2",
     "apollo-errors": "^1.2.1",
     "bcryptjs": "^2.4.0",
+    "crypto": "^0.0.3",
     "jsonwebtoken": "^7.2.1",
     "jwt-decode": "^2.1.0",
     "lodash": "^4.16.4"

packages/server/src/AccountsServer.js

@@ -1,6 +1,6 @@
 // @flow
 
-import { isString, isPlainObject } from 'lodash';
+import { isString, isPlainObject, find } from 'lodash';
 import jwt from 'jsonwebtoken';
 import {
   AccountsError,
@@ -242,8 +242,27 @@ export class AccountsServer {
   removeEmail(userId: string, email: string): Promise<void> {
     return this.db.removeEmail(userId, email);
   }
-  verifyEmail(userId: string, email: string): Promise<void> {
-    return this.db.verifyEmail(userId, email);
+  async verifyEmail(token: string): Promise<void> {
+    const user = await this.db.findUserByEmailVerificationToken();
+    if (!user) {
+      throw new AccountsError({
+        message: 'Verify email link expired',
+      });
+    }
+    const tokenRecord = find(user.services.email.verificationTokens,
+                             (t: Object) => t.token === token);
+    if (!tokenRecord) {
+      throw new AccountsError({
+        message: 'Verify email link expired',
+      });
+    }
+    const emailRecord = find(user.emails, (e: Object) => e.address === tokenRecord.address);
+    if (!emailRecord) {
+      throw new AccountsError({
+        message: 'Verify email link is for unknown address',
+      });
+    }
+    await this.db.verifyEmail(user.id, emailRecord);
   }
   setPassword(userId: string, newPassword: string): Promise<void> {
     return this.db.setPasssword(userId, newPassword);
@@ -303,8 +322,8 @@ const Accounts = {
   removeEmail(userId: string, newEmail: string): Promise<void> {
     return this.instance.removeEmail(userId, newEmail);
   },
-  verifyEmail(userId: string, email: string): Promise<void> {
-    return this.instance.verifyEmail(userId, email);
+  verifyEmail(token: string): Promise<void> {
+    return this.instance.verifyEmail(token);
   },
   setPassword(userId: string, newPassword: string): Promise<void> {
     return this.instance.setPassword(userId, newPassword);

packages/server/src/DBInterface.js

@@ -12,6 +12,7 @@ export interface DBInterface {
   findUserByEmail(email: string) : Promise<?UserObjectType>,
   findUserByUsername(username: string) : Promise<?UserObjectType>,
   findUserById(userId: string) : Promise<?UserObjectType>,
+  findUserByEmailVerificationToken(token: string) : Promise<?UserObjectType>,
   setUsername(userId: string, newUsername: string) : Promise<void>,
   addEmail(userId: string, newEmail: string, verified: boolean) : Promise<void>,
   removeEmail(userId: string, email: string) : Promise<void>,

packages/server/src/tokens.js

@@ -1,5 +1,8 @@
 // @flow
 import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
+
+export const generateEmailToken = (length: Int = 43) => crypto.randomBytes(length).toString('hex');
 
 export const generateAccessToken = ({
   secret,