fix: Remove username from email verification and password reset emails

8.0.0.md

@@ -0,0 +1,30 @@
+# Parse Server 8 Migration Guide <!-- omit in toc -->
+
+This document highlights specific changes that require a longer explanation. For a full list of changes in Parse Server 8, please refer to the [changelog](https://github.com/parse-community/parse-server/blob/alpha/CHANGELOG.md).
+
+---
+
+- [Invalid Link Page Changes](#invalid-link-page-changes)
+
+---
+
+## Invalid Link Page Changes
+
+In Parse Server 8, the invalid link page will no longer provide the `username` URL parameter. Instead, the URL parameter will now be `expiredToken`. This change affects how expired verification emails are handled.
+
+### Regenerating a Verification Email Request
+
+To regenerate a verification email request, send a `POST` request to the following endpoint:
+
+```
+HTTP
+Method: POST
+URL: {{server url}}/resend_verification_email
+
+Headers:
+Content-Type: application/x-www-form-urlencoded
+
+Body:
+expiredToken={token}
+```
+

public/de-AT/email_verification_link_expired.html

@@ -15,7 +15,7 @@
   <h1>{{appName}}</h1>
   <h1>Expired verification link!</h1>
   <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="username" type="hidden" value="{{{username}}}">
+    <input name="expiredToken" type="hidden" value="{{{expiredToken}}}">
     <input name="locale" type="hidden" value="{{{locale}}}">
     <button type="submit">Resend Link</button>
   </form>

public/de/email_verification_link_expired.html

@@ -15,7 +15,7 @@
   <h1>{{appName}}</h1>
   <h1>Expired verification link!</h1>
   <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="username" type="hidden" value="{{{username}}}">
+    <input name="expiredToken" type="hidden" value="{{{expiredToken}}}">
     <input name="locale" type="hidden" value="{{{locale}}}">
     <button type="submit">Resend Link</button>
   </form>

public/email_verification_link_expired.html

@@ -15,7 +15,7 @@
   <h1>{{appName}}</h1>
   <h1>Expired verification link!</h1>
   <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="username" type="hidden" value="{{{username}}}">
+    <input name="expiredToken" type="hidden" value="{{{expiredToken}}}">
     <input name="locale" type="hidden" value="{{{locale}}}">
     <button type="submit">Resend Link</button>
   </form>

public_html/invalid_verification_link.html

@@ -47,8 +47,8 @@
     window.onload = addDataToForm;
 
     function addDataToForm() {
-      var username = getUrlParameter("username");
-      document.getElementById("usernameField").value = username;
+      const expiredToken = getUrlParameter("expiredToken");
+      document.getElementById("expiredToken").value = expiredToken;
 
       var appId = getUrlParameter("appId");
       document.getElementById("resendForm").action = '/apps/' + appId + '/resend_verification_email'
@@ -60,7 +60,7 @@
     <div class="container">
       <h1>Invalid Verification Link</h1>
         <form id="resendForm" method="POST" action="/resend_verification_email">
-          <input id="usernameField" class="form-control" name="username" type="hidden" value="">
+          <input id="expiredToken" class="form-control" name="expiredToken" type="hidden" value="">
           <button type="submit" class="btn btn-default">Resend Link</button>
         </form>
     </div> 

spec/AccountLockoutPolicy.spec.js

@@ -419,7 +419,7 @@ describe('lockout with password reset option', () => {
     await request({
       method: 'POST',
       url: `${config.publicServerURL}/apps/test/request_password_reset`,
-      body: `new_password=${newPassword}&token=${token}&username=${username}`,
+      body: `new_password=${newPassword}&token=${token}`,
       headers: {
         'Content-Type': 'application/x-www-form-urlencoded',
       },
@@ -454,7 +454,7 @@ describe('lockout with password reset option', () => {
     await request({
       method: 'POST',
       url: `${config.publicServerURL}/apps/test/request_password_reset`,
-      body: `new_password=${newPassword}&token=${token}&username=${username}`,
+      body: `new_password=${newPassword}&token=${token}`,
       headers: {
         'Content-Type': 'application/x-www-form-urlencoded',
       },

spec/EmailVerificationToken.spec.js

@@ -40,7 +40,7 @@ describe('Email Verification Token Expiration: ', () => {
           }).then(response => {
             expect(response.status).toEqual(302);
             expect(response.text).toEqual(
-              'Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?username=testEmailVerifyTokenValidity&appId=test'
+              `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&expiredToken=${sendEmailOptions.link.split('token=')[1]}`
             );
             done();
           });
@@ -135,7 +135,7 @@ describe('Email Verification Token Expiration: ', () => {
         }).then(response => {
           expect(response.status).toEqual(302);
           expect(response.text).toEqual(
-            'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=testEmailVerifyTokenValidity'
+            'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html'
           );
           done();
         });
@@ -292,6 +292,64 @@ describe('Email Verification Token Expiration: ', () => {
       });
   });
 
+  it('can resend email using an expired token', async () => {
+    const user = new Parse.User();
+    const emailAdapter = {
+      sendVerificationEmail: () => {},
+      sendPasswordResetEmail: () => Promise.resolve(),
+      sendMail: () => {},
+    };
+    await reconfigureServer({
+      appName: 'emailVerifyToken',
+      verifyUserEmails: true,
+      emailAdapter: emailAdapter,
+      emailVerifyTokenValidityDuration: 5, // 5 seconds
+      publicServerURL: 'http://localhost:8378/1',
+    });
+    user.setUsername('test');
+    user.setPassword('password');
+    user.set('email', '[email protected]');
+    await user.signUp();
+
+    await Parse.Server.database.update(
+      '_User',
+      { objectId: user.id },
+      {
+        _email_verify_token_expires_at: Parse._encode(new Date('2000')),
+      }
+    );
+
+    const obj = await Parse.Server.database.find(
+      '_User',
+      { objectId: user.id },
+      {},
+      Auth.maintenance(Parse.Server)
+    );
+    const token = obj[0]._email_verify_token;
+
+    const res = await request({
+      url: `http://localhost:8378/1/apps/test/verify_email?token=${token}`,
+      method: 'GET',
+    });
+    expect(res.text).toEqual(
+      `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&expiredToken=${token}`
+    );
+
+    const formUrl = `http://localhost:8378/1/apps/test/resend_verification_email`;
+    const formResponse = await request({
+      url: formUrl,
+      method: 'POST',
+      body: {
+        expiredToken: token,
+      },
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      followRedirects: false,
+    });
+    expect(formResponse.text).toEqual(
+      `Found. Redirecting to http://localhost:8378/1/apps/link_send_success.html`
+    );
+  });
+
   it_id('9365c53c-b8b4-41f7-a3c1-77882f76a89c')(it)('can conditionally send emails', async () => {
     let sendEmailOptions;
     const emailAdapter = {
@@ -615,7 +673,7 @@ describe('Email Verification Token Expiration: ', () => {
         }).then(response => {
           expect(response.status).toEqual(302);
           expect(response.text).toEqual(
-            'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=testEmailVerifyTokenValidity'
+            `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&expiredToken=${sendEmailOptions.link.split('token=')[1]}`
           );
           done();
         });
@@ -668,7 +726,7 @@ describe('Email Verification Token Expiration: ', () => {
         }).then(response => {
           expect(response.status).toEqual(302);
           expect(response.text).toEqual(
-            'Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?username=testEmailVerifyTokenValidity&appId=test'
+            `Found. Redirecting to http://localhost:8378/1/apps/invalid_verification_link.html?appId=test&expiredToken=${sendEmailOptions.link.split('token=')[1]}`
           );
           done();
         });

spec/PagesRouter.spec.js

@@ -108,7 +108,7 @@ describe('Pages Router', () => {
       const res = await request({
         method: 'POST',
         url: 'http://localhost:8378/1/apps/test/request_password_reset',
-        body: `new_password=user1&token=43634643&username=username`,
+        body: `new_password=user1&token=43634643`,
         headers: {
           'Content-Type': 'application/x-www-form-urlencoded',
           'X-Requested-With': 'XMLHttpRequest',
@@ -124,7 +124,7 @@ describe('Pages Router', () => {
         await request({
           method: 'POST',
           url: 'http://localhost:8378/1/apps/test/request_password_reset',
-          body: `new_password=&token=132414&username=Johnny`,
+          body: `new_password=&token=132414`,
           headers: {
             'Content-Type': 'application/x-www-form-urlencoded',
             'X-Requested-With': 'XMLHttpRequest',
@@ -137,30 +137,12 @@ describe('Pages Router', () => {
       }
     });
 
-    it('request_password_reset: responds with AJAX error on missing username', async () => {
-      try {
-        await request({
-          method: 'POST',
-          url: 'http://localhost:8378/1/apps/test/request_password_reset',
-          body: `new_password=user1&token=43634643&username=`,
-          headers: {
-            'Content-Type': 'application/x-www-form-urlencoded',
-            'X-Requested-With': 'XMLHttpRequest',
-          },
-          followRedirects: false,
-        });
-      } catch (error) {
-        expect(error.status).not.toBe(302);
-        expect(error.text).toEqual('{"code":200,"error":"Missing username"}');
-      }
-    });
-
     it('request_password_reset: responds with AJAX error on missing token', async () => {
       try {
         await request({
           method: 'POST',
           url: 'http://localhost:8378/1/apps/test/request_password_reset',
-          body: `new_password=user1&token=&username=Johnny`,
+          body: `new_password=user1&token=`,
           headers: {
             'Content-Type': 'application/x-www-form-urlencoded',
             'X-Requested-With': 'XMLHttpRequest',
@@ -577,7 +559,7 @@ describe('Pages Router', () => {
         spyOnProperty(Page.prototype, 'defaultFile').and.returnValue(jsonPageFile);
 
         const response = await request({
-          url: `http://localhost:8378/1/apps/test/request_password_reset?token=exampleToken&username=exampleUsername&locale=${exampleLocale}`,
+          url: `http://localhost:8378/1/apps/test/request_password_reset?token=exampleToken&locale=${exampleLocale}`,
           followRedirects: false,
         }).catch(e => e);
         expect(response.status).toEqual(200);
@@ -626,7 +608,7 @@ describe('Pages Router', () => {
         await reconfigureServer(config);
         const response = await request({
           url:
-            'http://localhost:8378/1/apps/test/request_password_reset?token=exampleToken&username=exampleUsername&locale=de-AT',
+            'http://localhost:8378/1/apps/test/request_password_reset?token=exampleToken&locale=de-AT',
           followRedirects: false,
           method: 'POST',
         });
@@ -640,7 +622,7 @@ describe('Pages Router', () => {
         await reconfigureServer(config);
         const response = await request({
           url:
-            'http://localhost:8378/1/apps/test/request_password_reset?token=exampleToken&username=exampleUsername&locale=de-AT',
+            'http://localhost:8378/1/apps/test/request_password_reset?token=exampleToken&locale=de-AT',
           followRedirects: false,
           method: 'GET',
         });
@@ -676,13 +658,11 @@ describe('Pages Router', () => {
         const appId = linkResponse.headers['x-parse-page-param-appid'];
         const token = linkResponse.headers['x-parse-page-param-token'];
         const locale = linkResponse.headers['x-parse-page-param-locale'];
-        const username = linkResponse.headers['x-parse-page-param-username'];
         const publicServerUrl = linkResponse.headers['x-parse-page-param-publicserverurl'];
         const passwordResetPagePath = pageResponse.calls.all()[0].args[0];
         expect(appId).toBeDefined();
         expect(token).toBeDefined();
         expect(locale).toBeDefined();
-        expect(username).toBeDefined();
         expect(publicServerUrl).toBeDefined();
         expect(passwordResetPagePath).toMatch(
           new RegExp(`\/${exampleLocale}\/${pages.passwordReset.defaultFile}`)
@@ -696,7 +676,6 @@ describe('Pages Router', () => {
           body: {
             token,
             locale,
-            username,
             new_password: 'newPassword',
           },
           headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
@@ -793,15 +772,13 @@ describe('Pages Router', () => {
 
         const appId = linkResponse.headers['x-parse-page-param-appid'];
         const locale = linkResponse.headers['x-parse-page-param-locale'];
-        const username = linkResponse.headers['x-parse-page-param-username'];
         const publicServerUrl = linkResponse.headers['x-parse-page-param-publicserverurl'];
         const invalidVerificationPagePath = pageResponse.calls.all()[0].args[0];
         expect(appId).toBeDefined();
         expect(locale).toBe(exampleLocale);
-        expect(username).toBeDefined();
         expect(publicServerUrl).toBeDefined();
         expect(invalidVerificationPagePath).toMatch(
-          new RegExp(`\/${exampleLocale}\/${pages.emailVerificationLinkExpired.defaultFile}`)
+          new RegExp(`\/${exampleLocale}\/${pages.emailVerificationLinkInvalid.defaultFile}`)
         );
 
         const formUrl = `${publicServerUrl}/apps/${appId}/resend_verification_email`;
@@ -810,7 +787,7 @@ describe('Pages Router', () => {
           method: 'POST',
           body: {
             locale,
-            username,
+            username: 'exampleUsername',
           },
           headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
           followRedirects: false,
@@ -847,17 +824,15 @@ describe('Pages Router', () => {
 
         const appId = linkResponse.headers['x-parse-page-param-appid'];
         const locale = linkResponse.headers['x-parse-page-param-locale'];
-        const username = linkResponse.headers['x-parse-page-param-username'];
         const publicServerUrl = linkResponse.headers['x-parse-page-param-publicserverurl'];
         await jasmine.timeout();
 
         const invalidVerificationPagePath = pageResponse.calls.all()[0].args[0];
         expect(appId).toBeDefined();
         expect(locale).toBe(exampleLocale);
-        expect(username).toBeDefined();
         expect(publicServerUrl).toBeDefined();
         expect(invalidVerificationPagePath).toMatch(
-          new RegExp(`\/${exampleLocale}\/${pages.emailVerificationLinkExpired.defaultFile}`)
+          new RegExp(`\/${exampleLocale}\/${pages.emailVerificationLinkInvalid.defaultFile}`)
         );
 
         spyOn(UserController.prototype, 'resendVerificationEmail').and.callFake(() =>
@@ -870,7 +845,7 @@ describe('Pages Router', () => {
           method: 'POST',
           body: {
             locale,
-            username,
+            username: 'exampleUsername',
           },
           headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
           followRedirects: false,
@@ -1155,12 +1130,10 @@ describe('Pages Router', () => {
 
         const appId = linkResponse.headers['x-parse-page-param-appid'];
         const token = linkResponse.headers['x-parse-page-param-token'];
-        const username = linkResponse.headers['x-parse-page-param-username'];
         const publicServerUrl = linkResponse.headers['x-parse-page-param-publicserverurl'];
         const passwordResetPagePath = pageResponse.calls.all()[0].args[0];
         expect(appId).toBeDefined();
         expect(token).toBeDefined();
-        expect(username).toBeDefined();
         expect(publicServerUrl).toBeDefined();
         expect(passwordResetPagePath).toMatch(new RegExp(`\/${pages.passwordReset.defaultFile}`));
         pageResponse.calls.reset();
@@ -1171,7 +1144,6 @@ describe('Pages Router', () => {
           method: 'POST',
           body: {
             token,
-            username,
             new_password: 'newPassword',
           },
           headers: { 'Content-Type': 'application/x-www-form-urlencoded' },

spec/ParseLiveQuery.spec.js

@@ -969,7 +969,7 @@ describe('ParseLiveQuery', function () {
           const userController = new UserController(emailAdapter, 'test', {
             verifyUserEmails: true,
           });
-          userController.verifyEmail(foundUser.username, foundUser._email_verify_token);
+          userController.verifyEmail(foundUser._email_verify_token);
         });
     });
   });