Fix #609: make behavior more consistent on request verify token

Now, it always returns 202 even if the user is already verified
2025-08-14 18:58:10 +08:00 · 2021-04-20 13:54:50 +02:00
parent 461e84acae
commit d184d7e90c
3 changed files with 4 additions and 11 deletions
--- a/docs/usage/routes.md
+++ b/docs/usage/routes.md
@ -121,9 +121,9 @@ Reset a password. Requires the token generated by the `/forgot-password` route.

 ### `POST /request-verify-token`

-Request a user to verify their e-mail. Will generate a temporary token and call the `after_verification_request` [handler](../configuration/routers/verify.md#after-verification-request) if the user exists.
+Request a user to verify their e-mail. Will generate a temporary token and call the `after_verification_request` [handler](../configuration/routers/verify.md#after-verification-request) if the user **exists**, **active** and **not already verified**.

-To prevent malicious users from guessing existing users in your database, the route will always return a `202 Accepted` response, even if the user requested does not exist.
+To prevent malicious users from guessing existing users in your database, the route will always return a `202 Accepted` response, even if the user requested does not exist, not active or already verified.

 !!! abstract "Payload"
    ```json
--- a/fastapi_users/router/verify.py
+++ b/fastapi_users/router/verify.py
@ -36,12 +36,7 @@ def get_verify_router(
    ):
        try:
            user = await get_user(email)
-            if user.is_verified:
-                raise HTTPException(
-                    status_code=status.HTTP_400_BAD_REQUEST,
-                    detail=ErrorCode.VERIFY_USER_ALREADY_VERIFIED,
-                )
-            elif user.is_active:
+            if not user.is_verified and user.is_active:
                token_data = {
                    "user_id": str(user.id),
                    "email": email,
--- a/tests/test_router_verify.py
+++ b/tests/test_router_verify.py
@ -126,10 +126,8 @@ class TestVerifyTokenRequest:
        input_user = verified_user
        json = {"email": input_user.email}
        response = await test_app_client.post("/request-verify-token", json=json)
+        assert response.status_code == status.HTTP_202_ACCEPTED
        assert after_verification_request.called is False
-        assert response.status_code == status.HTTP_400_BAD_REQUEST
-        data = cast(Dict[str, Any], response.json())
-        assert data["detail"] == ErrorCode.VERIFY_USER_ALREADY_VERIFIED

    async def test_user_inactive_valid_request(
        self,