python/fastapi-users
1
0
Fork 0
mirror of https://github.com/fastapi-users/fastapi-users.git synced 2025-08-14 18:58:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix #609: make behavior more consistent on request verify token

Browse Source 
Now, it always returns 202 even if the user is already verified
This commit is contained in:
François Voron
2021-04-20 13:54:50 +02:00
parent 461e84acae
commit d184d7e90c
3 changed files with 4 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/usage/routes.md
View File

@ -121,9 +121,9 @@ Reset a password. Requires the token generated by the `/forgot-password` route.
### `POST /request-verify-token` ### `POST /request-verify-token`
Request a user to verify their e-mail. Will generate a temporary token and call the `after_verification_request` [handler](../configuration/routers/verify.md#after-verification-request) if the user exists. Request a user to verify their e-mail. Will generate a temporary token and call the `after_verification_request` [handler](../configuration/routers/verify.md#after-verification-request) if the user **exists**, **active** and **not already verified**.
To prevent malicious users from guessing existing users in your database, the route will always return a `202 Accepted` response, even if the user requested does not exist. To prevent malicious users from guessing existing users in your database, the route will always return a `202 Accepted` response, even if the user requested does not exist, not active or already verified.
!!! abstract "Payload" !!! abstract "Payload"
```json ```json

7
fastapi_users/router/verify.py
View File

@ -36,12 +36,7 @@ def get_verify_router(
): ):
try: try:
user = await get_user(email) user = await get_user(email)
if user.is_verified: if not user.is_verified and user.is_active:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ErrorCode.VERIFY_USER_ALREADY_VERIFIED,
)
elif user.is_active:
token_data = { token_data = {
"user_id": str(user.id), "user_id": str(user.id),
"email": email, "email": email,

4
tests/test_router_verify.py
View File

@ -126,10 +126,8 @@ class TestVerifyTokenRequest:
input_user = verified_user input_user = verified_user
json = {"email": input_user.email} json = {"email": input_user.email}
response = await test_app_client.post("/request-verify-token", json=json) response = await test_app_client.post("/request-verify-token", json=json)
assert response.status_code == status.HTTP_202_ACCEPTED
assert after_verification_request.called is False assert after_verification_request.called is False
assert response.status_code == status.HTTP_400_BAD_REQUEST
data = cast(Dict[str, Any], response.json())
assert data["detail"] == ErrorCode.VERIFY_USER_ALREADY_VERIFIED
async def test_user_inactive_valid_request( async def test_user_inactive_valid_request(
self, self,