Auth/PM-6198 - Registration with Email Verification - Add email clicked endpoint (#4520)

* PM-6198 - RegistrationEmailVerificationTokenable - add new static validate token method * PM-6198 - Rename RegistrationStart to Registration as we now have to add another anonymous reference event. * PM-6198 - rest of work * PM-6198 - Unit test new account controller method. * PM-6198 - Integration test new account controller endpoint
2025-04-05 21:18:13 -05:00 · 2024-07-22 17:24:42 -04:00 · 2024-07-22 17:24:42 -04:00 · 1b5f9e3f3e
commit 1b5f9e3f3e
parent 45b99336da
9 changed files with 229 additions and 6 deletions
--- a/src/Core/Auth/Models/Api/Request/Accounts/RegisterVerificationEmailClickedRequestModel.cs
+++ b/src/Core/Auth/Models/Api/Request/Accounts/RegisterVerificationEmailClickedRequestModel.cs
@ -0,0 +1,17 @@
 #nullable enable
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Utilities;
 namespace Bit.Core.Auth.Models.Api.Request.Accounts;
 public class RegisterVerificationEmailClickedRequestModel
 {
    [Required]
    [StrictEmailAddress]
    [StringLength(256)]
    public string Email { get; set; }
    [Required]
    public string EmailVerificationToken { get; set; }
 }
--- a/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs
+++ b/src/Core/Auth/Models/Business/Tokenables/RegistrationEmailVerificationTokenable.cs
@ -55,4 +55,12 @@ public class RegistrationEmailVerificationTokenable : ExpiringTokenable
        && !string.IsNullOrWhiteSpace(Email);
    public static bool ValidateToken(IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> dataProtectorTokenFactory, string token, string userEmail)
    {
        return dataProtectorTokenFactory.TryUnprotect(token, out var tokenable)
               && tokenable.Valid
               && tokenable.TokenIsValid(userEmail);
    }
 }
--- a/src/Core/Tools/Enums/ReferenceEventSource.cs
+++ b/src/Core/Tools/Enums/ReferenceEventSource.cs
@ -10,6 +10,6 @@ public enum ReferenceEventSource
    User,
    [EnumMember(Value = "provider")]
    Provider,
-    [EnumMember(Value = "registrationStart")]
+    [EnumMember(Value = "registration")]
-    RegistrationStart,
+    Registration,
 }
--- a/src/Core/Tools/Enums/ReferenceEventType.cs
+++ b/src/Core/Tools/Enums/ReferenceEventType.cs
@ -6,6 +6,8 @@ public enum ReferenceEventType
 {
    [EnumMember(Value = "signup-email-submit")]
    SignupEmailSubmit,
    [EnumMember(Value = "signup-email-clicked")]
    SignupEmailClicked,
    [EnumMember(Value = "signup")]
    Signup,
    [EnumMember(Value = "upgrade-plan")]
--- a/src/Core/Tools/Models/Business/ReferenceEvent.cs
+++ b/src/Core/Tools/Models/Business/ReferenceEvent.cs
@ -256,7 +256,19 @@ public class ReferenceEvent
    public string? PlanUpgradePath { get; set; }
    /// <summary>
-    /// Used for the sign up event to determine if the user has opted in to marketing emails.
+    /// Used for the <see cref="ReferenceEventType.Signup"/> event to determine if the user has opted in to marketing emails.
    /// </summary>
    public bool? ReceiveMarketingEmails { get; set; }
    /// <summary>
    /// Used for the <see cref="ReferenceEventType.SignupEmailClicked"/> event to indicate if the user
    /// landed on the registration finish screen with a valid or invalid email verification token.
    /// </summary>
    public bool? EmailVerificationTokenValid { get; set; }
    /// <summary>
    /// Used for the <see cref="ReferenceEventType.SignupEmailClicked"/> event to indicate if the user
    /// landed on the registration finish screen after re-clicking an already used link.
    /// </summary>
    public bool? UserAlreadyExists { get; set; }
 }
--- a/src/Identity/Controllers/AccountsController.cs
+++ b/src/Identity/Controllers/AccountsController.cs
@ -41,6 +41,7 @@ public class AccountsController : Controller
    private readonly ISendVerificationEmailForRegistrationCommand _sendVerificationEmailForRegistrationCommand;
    private readonly IReferenceEventService _referenceEventService;
    private readonly IFeatureService _featureService;
    private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;
    public AccountsController(
        ICurrentContext currentContext,
@ -52,7 +53,8 @@ public class AccountsController : Controller
        IGetWebAuthnLoginCredentialAssertionOptionsCommand getWebAuthnLoginCredentialAssertionOptionsCommand,
        ISendVerificationEmailForRegistrationCommand sendVerificationEmailForRegistrationCommand,
        IReferenceEventService referenceEventService,
-        IFeatureService featureService
+        IFeatureService featureService,
        IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> registrationEmailVerificationTokenDataFactory
        )
    {
        _currentContext = currentContext;
@ -65,6 +67,7 @@ public class AccountsController : Controller
        _sendVerificationEmailForRegistrationCommand = sendVerificationEmailForRegistrationCommand;
        _referenceEventService = referenceEventService;
        _featureService = featureService;
        _registrationEmailVerificationTokenDataFactory = registrationEmailVerificationTokenDataFactory;
    }
    [HttpPost("register")]
@ -90,7 +93,7 @@ public class AccountsController : Controller
            Type = ReferenceEventType.SignupEmailSubmit,
            ClientId = _currentContext.ClientId,
            ClientVersion = _currentContext.ClientVersion,
-            Source = ReferenceEventSource.RegistrationStart
+            Source = ReferenceEventSource.Registration
        };
        await _referenceEventService.RaiseEventAsync(refEvent);
@ -102,6 +105,39 @@ public class AccountsController : Controller
        return NoContent();
    }
    [RequireFeature(FeatureFlagKeys.EmailVerification)]
    [HttpPost("register/verification-email-clicked")]
    public async Task<IActionResult> PostRegisterVerificationEmailClicked([FromBody] RegisterVerificationEmailClickedRequestModel model)
    {
        var tokenValid = RegistrationEmailVerificationTokenable.ValidateToken(_registrationEmailVerificationTokenDataFactory, model.EmailVerificationToken, model.Email);
        // Check to see if the user already exists - this is just to catch the unlikely but possible case
        // where a user finishes registration and then clicks the email verification link again.
        var user = await _userRepository.GetByEmailAsync(model.Email);
        var userExists = user != null;
        var refEvent = new ReferenceEvent
        {
            Type = ReferenceEventType.SignupEmailClicked,
            ClientId = _currentContext.ClientId,
            ClientVersion = _currentContext.ClientVersion,
            Source = ReferenceEventSource.Registration,
            EmailVerificationTokenValid = tokenValid,
            UserAlreadyExists = userExists
        };
        await _referenceEventService.RaiseEventAsync(refEvent);
        if (!tokenValid || userExists)
        {
            throw new BadRequestException("Expired link. Please restart registration or try logging in. You may already have an account");
        }
        return Ok();
    }
    [RequireFeature(FeatureFlagKeys.EmailVerification)]
    [HttpPost("register/finish")]
    public async Task<RegisterResponseModel> PostRegisterFinish([FromBody] RegisterFinishRequestModel model)
--- a/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs
+++ b/test/Identity.IntegrationTest/Controllers/AccountsControllerTests.cs
@ -268,6 +268,43 @@ public class AccountsControllerTests : IClassFixture<IdentityApplicationFactory>
        Assert.Equal(kdfParallelism, user.KdfParallelism);
    }
    [Theory, BitAutoData]
    public async Task PostRegisterVerificationEmailClicked_Success(
        [Required, StringLength(20)] string name,
        string emailVerificationToken)
    {
        // Arrange
        // Localize substitutions to this test.
        var localFactory = new IdentityApplicationFactory();
        var email = $"test+register+{name}@email.com";
        var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable(email);
        localFactory.SubstituteService<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>(emailVerificationTokenDataProtectorFactory =>
        {
            emailVerificationTokenDataProtectorFactory.TryUnprotect(Arg.Is(emailVerificationToken), out Arg.Any<RegistrationEmailVerificationTokenable>())
                .Returns(callInfo =>
                {
                    callInfo[1] = registrationEmailVerificationTokenable;
                    return true;
                });
        });
        var requestModel = new RegisterVerificationEmailClickedRequestModel
        {
            Email = email,
            EmailVerificationToken = emailVerificationToken
        };
        // Act
        var httpContext = await localFactory.PostRegisterVerificationEmailClicked(requestModel);
        var body = await httpContext.ReadBodyAsStringAsync();
        // Assert
        Assert.Equal(StatusCodes.Status200OK, httpContext.Response.StatusCode);
    }
    private async Task<User> CreateUserAsync(string email, string name, IdentityApplicationFactory factory = null)
    {
        var factoryToUse = factory ?? _factory;
--- a/test/Identity.Test/Controllers/AccountsControllerTests.cs
+++ b/test/Identity.Test/Controllers/AccountsControllerTests.cs
@ -41,6 +41,8 @@ public class AccountsControllerTests : IDisposable
    private readonly ISendVerificationEmailForRegistrationCommand _sendVerificationEmailForRegistrationCommand;
    private readonly IReferenceEventService _referenceEventService;
    private readonly IFeatureService _featureService;
    private readonly IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable> _registrationEmailVerificationTokenDataFactory;
    public AccountsControllerTests()
    {
@ -54,6 +56,8 @@ public class AccountsControllerTests : IDisposable
        _sendVerificationEmailForRegistrationCommand = Substitute.For<ISendVerificationEmailForRegistrationCommand>();
        _referenceEventService = Substitute.For<IReferenceEventService>();
        _featureService = Substitute.For<IFeatureService>();
        _registrationEmailVerificationTokenDataFactory = Substitute.For<IDataProtectorTokenFactory<RegistrationEmailVerificationTokenable>>();
        _sut = new AccountsController(
            _currentContext,
            _logger,
@ -64,7 +68,8 @@ public class AccountsControllerTests : IDisposable
            _getWebAuthnLoginCredentialAssertionOptionsCommand,
            _sendVerificationEmailForRegistrationCommand,
            _referenceEventService,
-            _featureService
+            _featureService,
            _registrationEmailVerificationTokenDataFactory
        );
    }
@ -380,4 +385,105 @@ public class AccountsControllerTests : IDisposable
        Assert.Equal(duplicateUserEmailErrorDesc, modelError.ErrorMessage);
    }
    [Theory, BitAutoData]
    public async Task PostRegisterVerificationEmailClicked_WhenTokenIsValid_ShouldReturnOk(string email, string emailVerificationToken)
    {
        // Arrange
        var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable(email);
        _registrationEmailVerificationTokenDataFactory
            .TryUnprotect(emailVerificationToken, out Arg.Any<RegistrationEmailVerificationTokenable>())
            .Returns(callInfo =>
            {
                callInfo[1] = registrationEmailVerificationTokenable;
                return true;
            });
        _userRepository.GetByEmailAsync(email).ReturnsNull(); // no existing user
        var requestModel = new RegisterVerificationEmailClickedRequestModel
        {
            Email = email,
            EmailVerificationToken = emailVerificationToken
        };
        // Act
        var result = await _sut.PostRegisterVerificationEmailClicked(requestModel);
        // Assert
        var okResult = Assert.IsType<OkResult>(result);
        Assert.Equal(200, okResult.StatusCode);
        await _referenceEventService.Received(1).RaiseEventAsync(Arg.Is<ReferenceEvent>(e =>
            e.Type == ReferenceEventType.SignupEmailClicked
            && e.EmailVerificationTokenValid == true
            && e.UserAlreadyExists == false
            ));
    }
    [Theory, BitAutoData]
    public async Task PostRegisterVerificationEmailClicked_WhenTokenIsInvalid_ShouldReturnBadRequest(string email, string emailVerificationToken)
    {
        // Arrange
        var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable("wrongEmail");
        _registrationEmailVerificationTokenDataFactory
            .TryUnprotect(emailVerificationToken, out Arg.Any<RegistrationEmailVerificationTokenable>())
            .Returns(callInfo =>
            {
                callInfo[1] = registrationEmailVerificationTokenable;
                return true;
            });
        _userRepository.GetByEmailAsync(email).ReturnsNull(); // no existing user
        var requestModel = new RegisterVerificationEmailClickedRequestModel
        {
            Email = email,
            EmailVerificationToken = emailVerificationToken
        };
        // Act & assert
        await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostRegisterVerificationEmailClicked(requestModel));
        await _referenceEventService.Received(1).RaiseEventAsync(Arg.Is<ReferenceEvent>(e =>
            e.Type == ReferenceEventType.SignupEmailClicked
            && e.EmailVerificationTokenValid == false
            && e.UserAlreadyExists == false
        ));
    }
    [Theory, BitAutoData]
    public async Task PostRegisterVerificationEmailClicked_WhenTokenIsValidButExistingUser_ShouldReturnBadRequest(string email, string emailVerificationToken, User existingUser)
    {
        // Arrange
        var registrationEmailVerificationTokenable = new RegistrationEmailVerificationTokenable(email);
        _registrationEmailVerificationTokenDataFactory
            .TryUnprotect(emailVerificationToken, out Arg.Any<RegistrationEmailVerificationTokenable>())
            .Returns(callInfo =>
            {
                callInfo[1] = registrationEmailVerificationTokenable;
                return true;
            });
        _userRepository.GetByEmailAsync(email).Returns(existingUser);
        var requestModel = new RegisterVerificationEmailClickedRequestModel
        {
            Email = email,
            EmailVerificationToken = emailVerificationToken
        };
        // Act & assert
        await Assert.ThrowsAsync<BadRequestException>(() => _sut.PostRegisterVerificationEmailClicked(requestModel));
        await _referenceEventService.Received(1).RaiseEventAsync(Arg.Is<ReferenceEvent>(e =>
            e.Type == ReferenceEventType.SignupEmailClicked
            && e.EmailVerificationTokenValid == true
            && e.UserAlreadyExists == true
        ));
    }
 }
--- a/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs
+++ b/test/IntegrationTestCommon/Factories/IdentityApplicationFactory.cs
@ -29,6 +29,11 @@ public class IdentityApplicationFactory : WebApplicationFactoryBase<Startup>
        return await Server.PostAsync("/accounts/register/finish", JsonContent.Create(model));
    }
    public async Task<HttpContext> PostRegisterVerificationEmailClicked(RegisterVerificationEmailClickedRequestModel model)
    {
        return await Server.PostAsync("/accounts/register/verification-email-clicked", JsonContent.Create(model));
    }
    public async Task<(string Token, string RefreshToken)> TokenFromPasswordAsync(string username,
        string password,
        string deviceIdentifier = DefaultDeviceIdentifier,