+6 -2

lib/ATProto/PDS/API/Repo.pm

reviewed

··· 162 162 make_path($blob_dir); 163 163 my $path = File::Spec->catfile($blob_dir, $cid); 164 164 open(my $fh, '>:raw', $path) or xrpc_error(500, 'StorageFailure', "Unable to write blob $cid"); 165 165 - print {$fh} $bytes; 166 166 - close($fh); 165 165 + my $write_ok = print {$fh} $bytes; 166 166 + my $close_ok = close($fh); 167 167 + unless ($write_ok && $close_ok) { 168 168 + unlink $path if -e $path; 169 169 + xrpc_error(500, 'StorageFailure', "Unable to write blob $cid"); 170 170 + } 167 171 168 172 my $mime_type = $c->req->headers->content_type || 'application/octet-stream'; 169 173 $c->observe_blob_ingress($mime_type, length($bytes));

+10 -5

lib/ATProto/PDS/API/Server.pm

reviewed

··· 375 375 376 376 $registry->register('com.atproto.server.confirmEmail', sub ($c, $endpoint) { 377 377 my $body = $c->req->json || {}; 378 378 - my $account = $c->store->get_account_by_email($body->{email} // q()); 379 379 - xrpc_error(404, 'AccountNotFound', 'Account was not found') unless $account; 380 378 my $token = _require_action_token($c, 381 379 token => $body->{token}, 382 380 purpose => 'email_confirm', 383 381 ); 382 382 + my $account = $c->store->get_account_by_did($token->{did}); 383 383 + xrpc_error(404, 'AccountNotFound', 'Account was not found') unless $account; 384 384 + my $email = $body->{email} // q(); 384 385 xrpc_error(400, 'InvalidEmail', 'Token was not issued for that email') 385 385 - unless ($token->{email} // q()) eq ($body->{email} // q()); 386 386 - $c->store->update_account($account->{did}, email_confirmed_at => time); 387 387 - $c->store->consume_action_token($token->{token}); 386 386 + unless length($email) 387 387 + && ($token->{email} // q()) eq $email 388 388 + && ($account->{email} // q()) eq $email; 389 389 + $c->store->txn(sub ($dbh) { 390 390 + $c->store->update_account($account->{did}, email_confirmed_at => time); 391 391 + $c->store->consume_action_token($token->{token}); 392 392 + }); 388 393 return {}; 389 394 }); 390 395

+76

t/email-confirmation.t

reviewed

··· 1 1 + use v5.34; 2 2 + use warnings; 3 3 + 4 4 + use Config (); 5 5 + use File::Spec; 6 6 + use File::Temp qw(tempdir); 7 7 + use FindBin qw($Bin); 8 8 + use Test::More; 9 9 + 10 10 + BEGIN { 11 11 + require lib; 12 12 + my $root = File::Spec->rel2abs(File::Spec->catdir($Bin, '..')); 13 13 + lib->import( 14 14 + File::Spec->catdir($root, 'lib'), 15 15 + File::Spec->catdir($root, 'local', 'lib', 'perl5'), 16 16 + File::Spec->catdir($root, 'local', 'lib', 'perl5', $Config::Config{archname}), 17 17 + ); 18 18 + } 19 19 + 20 20 + use Test::Mojo; 21 21 + use ATProto::PDS; 22 22 + 23 23 + my $root = File::Spec->rel2abs(File::Spec->catdir($Bin, '..')); 24 24 + my $tmp = tempdir(CLEANUP => 1); 25 25 + 26 26 + my $app = ATProto::PDS->new( 27 27 + project_root => $root, 28 28 + settings => { 29 29 + base_url => 'http://127.0.0.1:7755', 30 30 + service_handle_domain => 'example.test', 31 31 + service_did_method => 'did:web', 32 32 + jwt_secret => 'email-confirm-secret', 33 33 + data_dir => $tmp, 34 34 + db_path => File::Spec->catfile($tmp, 'perlsky.sqlite'), 35 35 + }, 36 36 + ); 37 37 + 38 38 + my $t = Test::Mojo->new($app); 39 39 + 40 40 + $t->post_ok('/xrpc/com.atproto.server.createAccount' => json => { 41 41 + handle => 'alice.example.test', 42 42 + email => 'alice@example.test', 43 43 + password => 'hunter22', 44 44 + })->status_is(200); 45 45 + my $alice = $t->tx->res->json; 46 46 + 47 47 + $app->store->update_account($alice->{did}, email_confirmed_at => undef); 48 48 + 49 49 + $t->post_ok('/xrpc/com.atproto.server.requestEmailConfirmation' => { 50 50 + Authorization => "Bearer $alice->{accessJwt}", 51 51 + } => json => {})->status_is(200); 52 52 + 53 53 + my $token = $app->store->latest_action_token( 54 54 + did => $alice->{did}, 55 55 + purpose => 'email_confirm', 56 56 + ); 57 57 + ok($token, 'email confirmation token was created'); 58 58 + 59 59 + $app->store->update_account( 60 60 + $alice->{did}, 61 61 + email => 'alice+new@example.test', 62 62 + email_confirmed_at => undef, 63 63 + ); 64 64 + 65 65 + $t->post_ok('/xrpc/com.atproto.server.confirmEmail' => json => { 66 66 + email => 'alice@example.test', 67 67 + token => $token->{token}, 68 68 + })->status_is(400) 69 69 + ->json_is('/error' => 'InvalidEmail'); 70 70 + 71 71 + ok( 72 72 + !defined $app->store->get_account_by_did($alice->{did})->{email_confirmed_at}, 73 73 + 'stale confirmation tokens cannot confirm a changed email address', 74 74 + ); 75 75 + 76 76 + done_testing;