feat(users): Email JWT blacklist (#3659)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-11-02 21:07:58 +08:00 · 2024-02-15 21:35:47 +05:30
parent 2f473dd4e7
commit a9e3d74cc1
2 changed files with 72 additions and 12 deletions
--- a/crates/router/src/core/user.rs
+++ b/crates/router/src/core/user.rs
@ -311,6 +311,10 @@ pub async fn change_password(
        .await
        .change_context(UserErrors::InternalServerError)?;

+    let _ = auth::blacklist::insert_user_in_blacklist(&state, user.get_user_id())
+        .await
+        .map_err(|e| logger::error!(?e));
+
    #[cfg(not(feature = "email"))]
    {
        state
@ -372,10 +376,12 @@ pub async fn reset_password(
    state: AppState,
    request: user_api::ResetPasswordRequest,
 ) -> UserResponse<()> {
-    let token =
-        auth::decode_jwt::<email_types::EmailToken>(request.token.expose().as_str(), &state)
-            .await
-            .change_context(UserErrors::LinkInvalid)?;
+    let token = request.token.expose();
+    let email_token = auth::decode_jwt::<email_types::EmailToken>(&token, &state)
+        .await
+        .change_context(UserErrors::LinkInvalid)?;
+
+    auth::blacklist::check_email_token_in_blacklist(&state, &token).await?;

    let password = domain::UserPassword::new(request.password)?;

@ -384,7 +390,7 @@ pub async fn reset_password(
    let user = state
        .store
        .update_user_by_email(
-            token.get_email(),
+            email_token.get_email(),
            storage_user::UserUpdate::AccountUpdate {
                name: None,
                password: Some(hash_password),
@ -395,7 +401,7 @@ pub async fn reset_password(
        .await
        .change_context(UserErrors::InternalServerError)?;

-    if let Some(inviter_merchant_id) = token.get_merchant_id() {
+    if let Some(inviter_merchant_id) = email_token.get_merchant_id() {
        let update_status_result = state
            .store
            .update_user_role_by_user_id_merchant_id(
@ -403,13 +409,20 @@ pub async fn reset_password(
                inviter_merchant_id,
                UserRoleUpdate::UpdateStatus {
                    status: UserStatus::Active,
-                    modified_by: user.user_id,
+                    modified_by: user.user_id.clone(),
                },
            )
            .await;
        logger::info!(?update_status_result);
    }

+    let _ = auth::blacklist::insert_email_token_in_blacklist(&state, &token)
+        .await
+        .map_err(|e| logger::error!(?e));
+    let _ = auth::blacklist::insert_user_in_blacklist(&state, &user.user_id)
+        .await
+        .map_err(|e| logger::error!(?e));
+
    Ok(ApplicationResponse::StatusOk)
 }

@ -454,7 +467,13 @@ pub async fn invite_user(
                merchant_id: user_from_token.merchant_id,
                role_id: request.role_id,
                org_id: user_from_token.org_id,
-                status: UserStatus::Active,
+                status: {
+                    if cfg!(feature = "email") {
+                        UserStatus::InvitationSent
+                    } else {
+                        UserStatus::Active
+                    }
+                },
                created_by: user_from_token.user_id.clone(),
                last_modified_by: user_from_token.user_id,
                created_at: now,
@ -1050,12 +1069,14 @@ pub async fn verify_email_without_invite_checks(
    state: AppState,
    req: user_api::VerifyEmailRequest,
 ) -> UserResponse<user_api::DashboardEntryResponse> {
-    let token = auth::decode_jwt::<email_types::EmailToken>(&req.token.clone().expose(), &state)
+    let token = req.token.clone().expose();
+    let email_token = auth::decode_jwt::<email_types::EmailToken>(&token, &state)
        .await
        .change_context(UserErrors::LinkInvalid)?;
+    auth::blacklist::check_email_token_in_blacklist(&state, &token).await?;
    let user = state
        .store
-        .find_user_by_email(token.get_email())
+        .find_user_by_email(email_token.get_email())
        .await
        .change_context(UserErrors::InternalServerError)?;
    let user = state
@ -1065,6 +1086,9 @@ pub async fn verify_email_without_invite_checks(
        .change_context(UserErrors::InternalServerError)?;
    let user_from_db: domain::UserFromStorage = user.into();
    let user_role = user_from_db.get_role_from_db(state.clone()).await?;
+    let _ = auth::blacklist::insert_email_token_in_blacklist(&state, &token)
+        .await
+        .map_err(|e| logger::error!(?e));
    let token = utils::user::generate_jwt_auth_token(&state, &user_from_db, &user_role).await?;

    Ok(ApplicationResponse::Json(
@ -1077,13 +1101,16 @@ pub async fn verify_email(
    state: AppState,
    req: user_api::VerifyEmailRequest,
 ) -> UserResponse<user_api::SignInResponse> {
-    let token = auth::decode_jwt::<email_types::EmailToken>(&req.token.clone().expose(), &state)
+    let token = req.token.clone().expose();
+    let email_token = auth::decode_jwt::<email_types::EmailToken>(&token, &state)
        .await
        .change_context(UserErrors::LinkInvalid)?;

+    auth::blacklist::check_email_token_in_blacklist(&state, &token).await?;
+
    let user = state
        .store
-        .find_user_by_email(token.get_email())
+        .find_user_by_email(email_token.get_email())
        .await
        .change_context(UserErrors::InternalServerError)?;

@ -1115,6 +1142,10 @@ pub async fn verify_email(
            .await?
        };

+    let _ = auth::blacklist::insert_email_token_in_blacklist(&state, &token)
+        .await
+        .map_err(|e| logger::error!(?e));
+
    Ok(ApplicationResponse::Json(
        signin_strategy.get_signin_response(&state).await?,
    ))