Skip to content

fix: create email identity when OAuth-only user sets a password via updateUser #2425

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
nancysangani wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: create email identity when OAuth-only user sets a password via updateUser #2425

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions internal/api/user.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,27 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
return terr
}

if user.GetEmail() != "" {
if _, terr = models.FindIdentityByIdAndProvider(tx, user.ID.String(), "email"); terr != nil {
if !models.IsNotFoundError(terr) {
return apierrors.NewInternalServerError("Error finding email identity").WithInternalError(terr)
}
emailIdentity, terr := models.NewIdentity(user, "email", map[string]interface{}{
Comment on lines +228 to +233
Copy link
Contributor

@depthfirst-app depthfirst-app bot Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Severity: MEDIUM

The code creates an email identity without verifying if the user's email is confirmed. This could allow users with unconfirmed emails from OAuth providers to gain email/password login capabilities without verification. A check for user.EmailConfirmedAt != nil should be added.
Helpful? Add 👍 / 👎

💡 Fix Suggestion

Suggestion: Add a check for user.EmailConfirmedAt != nil alongside the existing user.GetEmail() != "" guard before creating the email identity. This ensures that only users with a verified/confirmed email address can have an email identity created for them. Without this check, an OAuth user whose email was never confirmed could obtain an email+password login capability for an unverified email address.

⚠️ Experimental Feature: This code suggestion is automatically generated. Please review carefully.

Suggested change
if user.GetEmail() != "" {
if _, terr = models.FindIdentityByIdAndProvider(tx, user.ID.String(), "email"); terr != nil {
if !models.IsNotFoundError(terr) {
return apierrors.NewInternalServerError("Error finding email identity").WithInternalError(terr)
}
emailIdentity, terr := models.NewIdentity(user, "email", map[string]interface{}{
if user.GetEmail() != "" && user.EmailConfirmedAt != nil {

"sub": user.ID.String(),
"email": user.GetEmail(),
})
if terr != nil {
return apierrors.NewInternalServerError("Error creating email identity").WithInternalError(terr)
}
if terr := tx.Create(emailIdentity); terr != nil {
return apierrors.NewInternalServerError("Error saving email identity").WithInternalError(terr)
}
if terr := user.UpdateAppMetaDataProviders(tx); terr != nil {
return apierrors.NewInternalServerError("Error updating providers").WithInternalError(terr)
}
}
Comment on lines +228 to +246
}

// send a Password Changed email notification to the user to inform them that their password has been changed
if config.Mailer.Notifications.PasswordChangedEnabled && user.GetEmail() != "" {
if err := a.sendPasswordChangedNotification(r, tx, user); err != nil {
Expand Down