Better ask email verification flow

Allow user to resend the email verification link when changing the current email Fix success messages when validating a new email
2025-10-03 01:39:37 +02:00 · 2025-04-15 09:19:12 +02:00 · 2025-04-15 09:19:12 +02:00 · 986e71a1f7
commit 986e71a1f7
parent e19ee1ebc9
29 changed files with 426 additions and 271 deletions
--- a/server/core/controllers/api/users/email-verification.ts
+++ b/server/core/controllers/api/users/email-verification.ts
@ -1,11 +1,12 @@
-import express from 'express'
 import { HttpStatusCode } from '@peertube/peertube-models'
+import express from 'express'
 import { CONFIG } from '../../../initializers/config.js'
-import { sendVerifyRegistrationEmail, sendVerifyUserEmail } from '../../../lib/user.js'
+import { sendVerifyRegistrationEmail, sendVerifyRegistrationRequestEmail, sendVerifyUserChangeEmail } from '../../../lib/user.js'
 import { asyncMiddleware, buildRateLimiter } from '../../../middlewares/index.js'
 import {
  registrationVerifyEmailValidator,
-  usersAskSendVerifyEmailValidator,
+  usersAskSendRegistrationVerifyEmailValidator,
+  usersAskSendUserVerifyEmailValidator,
  usersVerifyEmailValidator
 } from '../../../middlewares/validators/index.js'

@ -16,18 +17,24 @@ const askSendEmailLimiter = buildRateLimiter({

 const emailVerificationRouter = express.Router()

-emailVerificationRouter.post([ '/ask-send-verify-email', '/registrations/ask-send-verify-email' ],
+emailVerificationRouter.post(
+  '/ask-send-verify-email',
  askSendEmailLimiter,
-  asyncMiddleware(usersAskSendVerifyEmailValidator),
-  asyncMiddleware(reSendVerifyUserEmail)
+  asyncMiddleware(usersAskSendUserVerifyEmailValidator),
+  asyncMiddleware(reSendUserVerifyUserEmail)
 )

-emailVerificationRouter.post('/:id/verify-email',
-  asyncMiddleware(usersVerifyEmailValidator),
-  asyncMiddleware(verifyUserEmail)
+emailVerificationRouter.post(
+  '/registrations/ask-send-verify-email',
+  askSendEmailLimiter,
+  asyncMiddleware(usersAskSendRegistrationVerifyEmailValidator),
+  asyncMiddleware(reSendRegistrationVerifyUserEmail)
 )

-emailVerificationRouter.post('/registrations/:registrationId/verify-email',
+emailVerificationRouter.post('/:id/verify-email', asyncMiddleware(usersVerifyEmailValidator), asyncMiddleware(verifyUserEmail))
+
+emailVerificationRouter.post(
+  '/registrations/:registrationId/verify-email',
  asyncMiddleware(registrationVerifyEmailValidator),
  asyncMiddleware(verifyRegistrationEmail)
 )
@ -38,14 +45,20 @@ export {
  emailVerificationRouter
 }

-async function reSendVerifyUserEmail (req: express.Request, res: express.Response) {
-  const user = res.locals.user
-  const registration = res.locals.userRegistration
+async function reSendUserVerifyUserEmail (req: express.Request, res: express.Response) {
+  if (res.locals.userPendingEmail) { // User wants to change its current email
+    await sendVerifyUserChangeEmail(res.locals.userPendingEmail)
+  } else { // After an account creation
+    await sendVerifyRegistrationEmail(res.locals.userEmail)
+  }

-  if (user) await sendVerifyUserEmail(user)
-  else if (registration) await sendVerifyRegistrationEmail(registration)
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}

-  return res.status(HttpStatusCode.NO_CONTENT_204).end()
+async function reSendRegistrationVerifyUserEmail (req: express.Request, res: express.Response) {
+  await sendVerifyRegistrationRequestEmail(res.locals.userRegistration)
+
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
 }

 async function verifyUserEmail (req: express.Request, res: express.Response) {
@ -59,7 +72,7 @@ async function verifyUserEmail (req: express.Request, res: express.Response) {

  await user.save()

-  return res.status(HttpStatusCode.NO_CONTENT_204).end()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
 }

 async function verifyRegistrationEmail (req: express.Request, res: express.Response) {
@ -68,5 +81,5 @@ async function verifyRegistrationEmail (req: express.Request, res: express.Respo

  await registration.save()

-  return res.status(HttpStatusCode.NO_CONTENT_204).end()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
 }
--- a/server/core/controllers/api/users/me.ts
+++ b/server/core/controllers/api/users/me.ts
@ -22,7 +22,7 @@ import { MIMETYPES } from '../../../initializers/constants.js'
 import { sequelizeTypescript } from '../../../initializers/database.js'
 import { sendUpdateActor } from '../../../lib/activitypub/send/index.js'
 import { deleteLocalActorImageFile, updateLocalActorImageFiles } from '../../../lib/local-actor.js'
-import { getOriginalVideoFileTotalDailyFromUser, getOriginalVideoFileTotalFromUser, sendVerifyUserEmail } from '../../../lib/user.js'
+import { getOriginalVideoFileTotalDailyFromUser, getOriginalVideoFileTotalFromUser, sendVerifyUserChangeEmail } from '../../../lib/user.js'
 import {
  asyncMiddleware,
  asyncRetryTransactionMiddleware,
@ -290,7 +290,7 @@ async function updateMe (req: express.Request, res: express.Response) {
  })

  if (sendVerificationEmail === true) {
-    await sendVerifyUserEmail(user, true)
+    await sendVerifyUserChangeEmail(user)
  }

  return res.status(HttpStatusCode.NO_CONTENT_204).end()
--- a/server/core/controllers/api/users/registrations.ts
+++ b/server/core/controllers/api/users/registrations.ts
@ -1,7 +1,3 @@
-import express from 'express'
-import { Emailer } from '@server/lib/emailer.js'
-import { Hooks } from '@server/lib/plugins/hooks.js'
-import { UserRegistrationModel } from '@server/models/user/user-registration.js'
 import { pick } from '@peertube/peertube-core-utils'
 import {
  HttpStatusCode,
@ -11,11 +7,20 @@ import {
  UserRegistrationUpdateState,
  UserRight
 } from '@peertube/peertube-models'
+import { Emailer } from '@server/lib/emailer.js'
+import { Hooks } from '@server/lib/plugins/hooks.js'
+import { UserRegistrationModel } from '@server/models/user/user-registration.js'
+import express from 'express'
 import { auditLoggerFactory, UserAuditView } from '../../../helpers/audit-logger.js'
 import { logger } from '../../../helpers/logger.js'
 import { CONFIG } from '../../../initializers/config.js'
 import { Notifier } from '../../../lib/notifier/index.js'
-import { buildUser, createUserAccountAndChannelAndPlaylist, sendVerifyRegistrationEmail, sendVerifyUserEmail } from '../../../lib/user.js'
+import {
+  buildUser,
+  createUserAccountAndChannelAndPlaylist,
+  sendVerifyRegistrationEmail,
+  sendVerifyRegistrationRequestEmail
+} from '../../../lib/user.js'
 import {
  acceptOrRejectRegistrationValidator,
  asyncMiddleware,
@ -45,7 +50,8 @@ const registrationRateLimiter = buildRateLimiter({

 const registrationsRouter = express.Router()

-registrationsRouter.post('/registrations/request',
+registrationsRouter.post(
+  '/registrations/request',
  registrationRateLimiter,
  asyncMiddleware(ensureUserRegistrationAllowedFactory('request-registration')),
  ensureUserRegistrationAllowedForIP,
@ -53,27 +59,31 @@ registrationsRouter.post('/registrations/request',
  asyncRetryTransactionMiddleware(requestRegistration)
 )

-registrationsRouter.post('/registrations/:registrationId/accept',
+registrationsRouter.post(
+  '/registrations/:registrationId/accept',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_REGISTRATIONS),
  asyncMiddleware(acceptOrRejectRegistrationValidator),
  asyncRetryTransactionMiddleware(acceptRegistration)
 )
-registrationsRouter.post('/registrations/:registrationId/reject',
+registrationsRouter.post(
+  '/registrations/:registrationId/reject',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_REGISTRATIONS),
  asyncMiddleware(acceptOrRejectRegistrationValidator),
  asyncRetryTransactionMiddleware(rejectRegistration)
 )

-registrationsRouter.delete('/registrations/:registrationId',
+registrationsRouter.delete(
+  '/registrations/:registrationId',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_REGISTRATIONS),
  asyncMiddleware(getRegistrationValidator),
  asyncRetryTransactionMiddleware(deleteRegistration)
 )

-registrationsRouter.get('/registrations',
+registrationsRouter.get(
+  '/registrations',
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_REGISTRATIONS),
  paginationValidator,
@ -84,7 +94,8 @@ registrationsRouter.get('/registrations',
  asyncMiddleware(listRegistrations)
 )

-registrationsRouter.post('/register',
+registrationsRouter.post(
+  '/register',
  registrationRateLimiter,
  asyncMiddleware(ensureUserRegistrationAllowedFactory('direct-registration')),
  ensureUserRegistrationAllowedForIP,
@ -118,7 +129,7 @@ async function requestRegistration (req: express.Request, res: express.Response)
  await registration.save()

  if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
-    await sendVerifyRegistrationEmail(registration)
+    await sendVerifyRegistrationRequestEmail(registration)
  }

  Notifier.Instance.notifyOnNewRegistrationRequest(registration)
@ -242,7 +253,7 @@ async function registerUser (req: express.Request, res: express.Response) {
  logger.info('User %s with its channel and account registered.', body.username)

  if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
-    await sendVerifyUserEmail(user)
+    await sendVerifyRegistrationEmail(user)
  }

  Notifier.Instance.notifyOnNewDirectRegistration(user)