Auth/PM-6198 - Registration with Email Verification - Add email clicked endpoint (#4520)

* PM-6198 - RegistrationEmailVerificationTokenable - add new static validate token method * PM-6198 - Rename RegistrationStart to Registration as we now have to add another anonymous reference event. * PM-6198 - rest of work * PM-6198 - Unit test new account controller method. * PM-6198 - Integration test new account controller endpoint
2025-07-01 08:02:49 -05:00 · 2024-07-22 17:24:42 -04:00
parent 45b99336da
commit 1b5f9e3f3e
9 changed files with 229 additions and 6 deletions
--- a/src/Core/Auth/Models/Api/Request/Accounts/RegisterVerificationEmailClickedRequestModel.cs
+++ b/src/Core/Auth/Models/Api/Request/Accounts/RegisterVerificationEmailClickedRequestModel.cs
@ -0,0 +1,17 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Auth.Models.Api.Request.Accounts;
+
+public class RegisterVerificationEmailClickedRequestModel
+{
+    [Required]
+    [StrictEmailAddress]
+    [StringLength(256)]
+    public string Email { get; set; }
+
+    [Required]
+    public string EmailVerificationToken { get; set; }
+
+}
--- a/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs
+++ b/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs
@ -55,4 +55,12 @@ public class RegistrationEmailVerificationTokenable : ExpiringTokenable
        && !string.IsNullOrWhiteSpace(Email);


+    public static bool ValidateToken(IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> dataProtectorTokenFactory, string token, string userEmail)
+    {
+        return dataProtectorTokenFactory.TryUnprotect(token, out var tokenable)
+               && tokenable.Valid
+               && tokenable.TokenIsValid(userEmail);
+    }
+
+
 }
--- a/src/Core/Tools/Enums/ReferenceEventSource.cs
+++ b/src/Core/Tools/Enums/ReferenceEventSource.cs
@ -10,6 +10,6 @@ public enum ReferenceEventSource
    User,
    [EnumMember(Value = "provider")]
    Provider,
-    [EnumMember(Value = "registrationStart")]
-    RegistrationStart,
+    [EnumMember(Value = "registration")]
+    Registration,
 }
--- a/src/Core/Tools/Enums/ReferenceEventType.cs
+++ b/src/Core/Tools/Enums/ReferenceEventType.cs
@ -6,6 +6,8 @@ public enum ReferenceEventType
 {
    [EnumMember(Value = "signup-email-submit")]
    SignupEmailSubmit,
+    [EnumMember(Value = "signup-email-clicked")]
+    SignupEmailClicked,
    [EnumMember(Value = "signup")]
    Signup,
    [EnumMember(Value = "upgrade-plan")]
--- a/src/Core/Tools/Models/Business/ReferenceEvent.cs
+++ b/src/Core/Tools/Models/Business/ReferenceEvent.cs
@ -256,7 +256,19 @@ public class ReferenceEvent
    public string? PlanUpgradePath { get; set; }

    /// <summary>
-    /// Used for the sign up event to determine if the user has opted in to marketing emails.
+    /// Used for the <see cref="ReferenceEventType.Signup"/> event to determine if the user has opted in to marketing emails.
    /// </summary>
    public bool? ReceiveMarketingEmails { get; set; }
+
+    /// <summary>
+    /// Used for the <see cref="ReferenceEventType.SignupEmailClicked"/> event to indicate if the user
+    /// landed on the registration finish screen with a valid or invalid email verification token.
+    /// </summary>
+    public bool? EmailVerificationTokenValid { get; set; }
+
+    /// <summary>
+    /// Used for the <see cref="ReferenceEventType.SignupEmailClicked"/> event to indicate if the user
+    /// landed on the registration finish screen after re-clicking an already used link.
+    /// </summary>
+    public bool? UserAlreadyExists { get; set; }
 }
--- a/src/Identity/Controllers/AccountsController.cs
+++ b/src/Identity/Controllers/AccountsController.cs
@ -41,6 +41,7 @@ public class AccountsController : Controller
    private readonly ISendVerificationEmailForRegistrationCommand _sendVerificationEmailForRegistrationCommand;
    private readonly IReferenceEventService _referenceEventService;
    private readonly IFeatureService _featureService;
+    private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;

    public AccountsController(
        ICurrentContext currentContext,
@ -52,7 +53,8 @@ public class AccountsController : Controller
        IGetWebAuthnLoginCredentialAssertionOptionsCommand getWebAuthnLoginCredentialAssertionOptionsCommand,
        ISendVerificationEmailForRegistrationCommand sendVerificationEmailForRegistrationCommand,
        IReferenceEventService referenceEventService,
-        IFeatureService featureService
+        IFeatureService featureService,
+        IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> registrationEmailVerificationTokenDataFactory
        )
    {
        _currentContext = currentContext;
@ -65,6 +67,7 @@ public class AccountsController : Controller
        _sendVerificationEmailForRegistrationCommand = sendVerificationEmailForRegistrationCommand;
        _referenceEventService = referenceEventService;
        _featureService = featureService;
+        _registrationEmailVerificationTokenDataFactory = registrationEmailVerificationTokenDataFactory;
    }

    [HttpPost("register")]
@ -90,7 +93,7 @@ public class AccountsController : Controller
            Type = ReferenceEventType.SignupEmailSubmit,
            ClientId = _currentContext.ClientId,
            ClientVersion = _currentContext.ClientVersion,
-            Source = ReferenceEventSource.RegistrationStart
+            Source = ReferenceEventSource.Registration
        };
        await _referenceEventService.RaiseEventAsync(refEvent);

@ -102,6 +105,39 @@ public class AccountsController : Controller
        return NoContent();
    }

+    [RequireFeature(FeatureFlagKeys.EmailVerification)]
+    [HttpPost("register/verification-email-clicked")]
+    public async Task<IActionResult> PostRegisterVerificationEmailClicked([FromBody] RegisterVerificationEmailClickedRequestModel model)
+    {
+        var tokenValid = RegistrationEmailVerificationTokenable.ValidateToken(_registrationEmailVerificationTokenDataFactory, model.EmailVerificationToken, model.Email);
+
+        // Check to see if the user already exists - this is just to catch the unlikely but possible case
+        // where a user finishes registration and then clicks the email verification link again.
+        var user = await _userRepository.GetByEmailAsync(model.Email);
+        var userExists = user != null;
+
+        var refEvent = new ReferenceEvent
+        {
+            Type = ReferenceEventType.SignupEmailClicked,
+            ClientId = _currentContext.ClientId,
+            ClientVersion = _currentContext.ClientVersion,
+            Source = ReferenceEventSource.Registration,
+            EmailVerificationTokenValid = tokenValid,
+            UserAlreadyExists = userExists
+        };
+
+        await _referenceEventService.RaiseEventAsync(refEvent);
+
+        if (!tokenValid || userExists)
+        {
+            throw new BadRequestException("Expired link. Please restart registration or try logging in. You may already have an account");
+        }
+
+        return Ok();
+
+
+    }
+
    [RequireFeature(FeatureFlagKeys.EmailVerification)]
    [HttpPost("register/finish")]
    public async Task<RegisterResponseModel> PostRegisterFinish([FromBody] RegisterFinishRequestModel model)