fix: Remove username from email verification and password reset process

[dblythy]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Currently, Parse Server exposes username via verification email urls. All that should be needed to perform a reset request is a valid token

Closes: #7137

Approach

Tasks

• Add tests

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

Thanks for opening this pull request!

[dblythy]

How should this handle expired tokens? With the old implementation the invalid verification link page could re-generate an email link.

I'm also wondering if removing the username parameter opens up to brute forcing, as previously to change a token you would need a valid username and token combination, whereas now you could brute for the endpoint with different tokens until one matches.

[codecov]

Codecov Report

Attention: Patch coverage is 97.33333% with 2 lines in your changes missing coverage. Please review.

Project coverage is 93.55%. Comparing base (bbc6bd4) to head (e0e094c).
Report is 3 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Routers/PagesRouter.js	88.23%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #8488      +/-   ##
==========================================
+ Coverage   93.53%   93.55%   +0.02%     
==========================================
  Files         186      186              
  Lines       14831    14834       +3     
==========================================
+ Hits        13872    13878       +6     
+ Misses        959      956       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mtrezza]

How should this handle expired tokens? With the old implementation the invalid verification link page could re-generate an email link.

What is the purpose of token expiration for email verification? If an expired token leads to a website where one can request a new token (sent via verification email) without login, the expiration seems useless. Is there any scenario in which expiration makes sense? Maybe the existing tests related to token expiration give clues about the intentions of expiration?

I'm also wondering if removing the username parameter opens up to brute forcing, as previously to change a token you would need a valid username and token combination, whereas now you could brute for the endpoint with different tokens until one matches.

The difference of brute forcing two fields (email + token) vs one field (token) is just the amount of possible combinations. If we make the token a longer string, the difficulty should be the same.

What happens in the following scenario:

1. User signs-up with email1
2. Verification is sent to email1
3. User changes email from email1 to email2
4. Another verification email is set to email2
5. Account of email1 is compromised
6. Attacker open email1 verification link

• Will the token for email1 be invalid?
• Will that validate email2 with the token from email1?
• Will that have any effect (changes) on the user object?

[dblythy]

This PR:

• Removes email from verification links
• Makes it possible to regenerate links with a valid expired token (as previously this flow could be invoked with the username)

This all feels like pretty breaking changes to me, which I think we would have to phase in @mtrezza thoughts?

[mtrezza]

Did you find out any hinds regarding:

What is the purpose of token expiration for email verification? If an expired token leads to a website where one can request a new token (sent via verification email) without login, the expiration seems useless. Is there any scenario in which expiration makes sense? Maybe the existing tests related to token expiration give clues about the intentions of expiration?

Regarding breaking change:

• I assume it would be breaking if someone has a verification email with an "old style" link and tried to open it after the developer upgraded Parse Server using the "new style" link. How should that be handled?
• Are there any other breaking changes?

[mathieulb]

@mtrezza , if there isn't any code that specifically checks that the username is not in the link, and if tokens still work the same way, passing an old link to a new server will succeed. That is, if all cases of req.params.username have been removed and nothing does something like Object.keys(req.params).includes("username"). Right ?

[mtrezza]

@mathieulb That makes sense. Given that the existing tests have been changed, we'd need to maintain a test legacy test that uses the old link with username query parameter in the URL. Even though the param should be ignored, it would be good to test it.

[dblythy]

What is the purpose of token expiration for email verification?

When you attempt to reset with an expired token, the server will throw. It's up to the client to request a renewal - previously you could do it with the email that is in the query params, but now that will no longer work (there is a new mechanism where you can submit the expired token for renewal)

[mtrezza]

I'm wondering; how long until an expired token is deleted from the DB? Or isn't it deleted at all? If it is deleted, then this logic probably fails and the correct approach would be to present a form with an email field where the user has to enter the email address. Or, just show a website which instructs the user on how to request a new verification email from within the app, if login with unverified email is enabled.

[dblythy]

The expired token isn't deleted, it is just overriden by a new token. So it will only succeed the first time a resend is request, but will fail the next time (unless with the newer expired token)

[mtrezza]

We have talked about the impact on email verification, but this PR removes the username also from the password reset process, right? Changed the PR title. Are there any additions in the migration guide necessary? Any additional HTML page form changes?

Could you please take a look at the migration guide, I've made some changes, if that all makes sense?

[dblythy]

Looks good. Only thing I would add is it only stores the most recent expired token. Previously with the username, multiple "expired links" could be re-validated. Now, we can only trigger the resend if the token was the most recent (as it is stored as a string)

[mtrezza]

Good point, that means with this change it is also recommended to set emailVerifyTokenReuseIfValid: true to reduce the likelihood of having to deal with expired tokens.

[dblythy]

Updated docs

[mtrezza]

BREAKING CHANGE: This removes the username from the email verification and password reset process. If you are using customized HTML pages or emails related to email verification and password reset, they may need to be adapted accordingly. See the migration guide for more details.

Migration Guide

This is a major release with breaking changes. We prepared a migration guide to help you migrating from Parse Server 8. For the full list of breaking changes see the section below.

[parseplatformorg]

🎉 This change has been released in version 8.0.0-alpha.13