From 55624bc49930ea48f6292cd33cb40c9416f082db Mon Sep 17 00:00:00 2001 From: Trisha Anand Date: Thu, 20 Mar 2025 22:39:51 +0530 Subject: [PATCH] chore: Fixing email verification on signup (#39838) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description If email verification is turned on, on sign up the user is not getting logged out in case they need to verify their email. This fixes that issue. Fixes #`Issue Number` _or_ Fixes `Issue URL` > [!WARNING] > _If no issue exists, please create an issue first, and check with the maintainers if the issue is valid._ ## Automation /test sanity ### :mag: Cypress test results > [!TIP] > 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉 > Workflow run: > Commit: 81eac95f38bf52516423a120018b525261b1eb3e > Cypress dashboard. > Tags: `@tag.Sanity` > Spec: >
Thu, 20 Mar 2025 16:37:15 UTC ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [ ] No ## Summary by CodeRabbit - **Bug Fixes** - Enhanced the authentication flow by fully terminating obsolete sessions after verification, ensuring that any residual session data is completely cleared for improved security.
---
 .../ce/AuthenticationSuccessHandlerCE.java | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationSuccessHandlerCE.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationSuccessHandlerCE.java
index c3c23d76f1..75534eec8c 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationSuccessHandlerCE.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationSuccessHandlerCE.java
@@ -171,16 +171,20 @@ public class AuthenticationSuccessHandlerCE implements ServerAuthenticationSucce
     private Mono postVerificationRequiredHandler(
             WebFilterExchange webFilterExchange, User user, Application defaultApplication) {
         return webFilterExchange.getExchange().getSession().flatMap(webSession -> {
+            // First remove the security context from the session attributes
             webSession.getAttributes().remove(DEFAULT_SPRING_SECURITY_CONTEXT_ATTR_NAME);
-            return redirectHelper
-                    .getAuthSuccessRedirectUrl(webFilterExchange, defaultApplication, true)
-                    .flatMap(redirectUrl -> extractRedirectUrlAndSendVerificationMail(
-                                    webFilterExchange, user, redirectUrl)
-                            .map(url -> String.format(
-                                    "/user/verificationPending?email=%s",
-                                    URLEncoder.encode(user.getEmail(), StandardCharsets.UTF_8)))
-                            .flatMap(redirectUri -> redirectStrategy.sendRedirect(
-                                    webFilterExchange.getExchange(), URI.create(redirectUri))));
+            // Then invalidate the entire session to remove it from Redis
+            return webSession
+                    .invalidate()
+                    .then(redirectHelper
+                            .getAuthSuccessRedirectUrl(webFilterExchange, defaultApplication, true)
+                            .flatMap(redirectUrl -> extractRedirectUrlAndSendVerificationMail(
+                                            webFilterExchange, user, redirectUrl)
+                                    .map(url -> String.format(
+                                            "/user/verificationPending?email=%s",
+                                            URLEncoder.encode(user.getEmail(), StandardCharsets.UTF_8)))
+                                    .flatMap(redirectUri -> redirectStrategy.sendRedirect(
+                                            webFilterExchange.getExchange(), URI.create(redirectUri)))));
         });
     }
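Review bot: Once `webSession.invalidate()` is in place, the preceding `webSession.getAttributes().remove(DEFAULT_SPRING_SECURITY_CONTEXT_ATTR_NAME)` is redundant, because invalidating a WebSession discards all of its attributes together with the session, and the new comment `// First remove the security context from the session attributes` reads as if that step still carries the logout on its own. If the removal is being kept deliberately as a belt-and-braces measure, say so, e.g. `// Defensive: clear the security context even if invalidate() below turns out to be a no-op for a never-started session`; otherwise drop both lines so the invalidation is the single, obvious logout point. Note also that `getAuthSuccessRedirectUrl` and `extractRedirectUrlAndSendVerificationMail` now execute against an exchange whose session has already been invalidated — presumably neither reads session attributes, but that is worth confirming, since anything they need from the session has to be read before the `.invalidate()` call. The comment `// Then invalidate the entire session to remove it from Redis` assumes a Redis-backed store; `// Then invalidate the entire session so it is removed from the session store` stays accurate for the in-memory store used in tests and local runs as well.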