[To Main] DESENG-618: Removed token from the Email verification respo…

…nse object (#2523) * DESENG-618: Removed token from the Email verification response object * update changelog
bcgov · May 23, 2024 · 4993462 · 4993462
1 parent 3acdbcd
commit 4993462
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 10 deletions.
diff --git a/CHANGELOG.MD b/CHANGELOG.MD
@@ -1,4 +1,9 @@
 ## May 23, 2024
+
+- **Bugfix** Security issue with email verification [🎟️ DESENG-618](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-618)
+  - Removed verification token from the response object
+  - Updated the test to reflect the change
+
 - **Bugfix** Add try catch block around snowplow call [🎟️ DESENG-621](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-621)
   - Added a try catch block to all snowplow calls
 

diff --git a/met-api/src/met_api/services/email_verification_service.py b/met-api/src/met_api/services/email_verification_service.py
@@ -62,12 +62,13 @@ def create(cls, email_verification: EmailVerificationSchema,
 
         email_verification['created_by'] = email_verification.get(
             'participant_id')
-        email_verification['verification_token'] = uuid.uuid4()
-        EmailVerification.create(email_verification, session)
+        verification_token = uuid.uuid4()
+        EmailVerification.create({**email_verification, 'verification_token': verification_token}, session)
 
         # TODO: remove this once email logic is brought over from submission service to here
         if email_verification.get('type', None) != EmailVerificationType.RejectedComment:
-            cls._send_verification_email(email_verification, subscription_type)
+            cls._send_verification_email(
+                {**email_verification, 'verification_token': verification_token}, subscription_type)
 
         return email_verification
 

diff --git a/met-api/tests/unit/api/test_email_verification_service.py b/met-api/tests/unit/api/test_email_verification_service.py
@@ -140,13 +140,6 @@ def test_post_subscription_email_verification(client, jwt, session, notify_mock,
                      headers=headers, content_type=ContentType.JSON.value)
 
     assert rv.status_code == 200
-    verification_token = rv.json.get('verification_token')
-
-    rv = client.get(f'/api/email_verification/{verification_token}',
-                    headers=headers, content_type=ContentType.JSON.value)
-
-    assert rv.status_code == 200
-    assert rv.json.get('type') == EmailVerificationType.Subscribe
 
     with patch.object(EmailVerificationService, 'create', side_effect=side_effect):
         rv = client.post(f'/api/email_verification/{SubscriptionTypes.PROJECT.value}/subscribe',