Tested successful email update workflow

Author: chriscarrollsmith

main.py

@@ -169,10 +169,12 @@ async def read_home(
 
 @app.get("/login")
 async def read_login(
-    params: dict = Depends(common_unauthenticated_parameters)
+    params: dict = Depends(common_unauthenticated_parameters),
+    email_updated: Optional[str] = "false"
 ):
     if params["user"]:
         return RedirectResponse(url="/dashboard", status_code=302)
+    params["email_updated"] = email_updated
     return templates.TemplateResponse(params["request"], "authentication/login.html", params)
 
 
@@ -256,14 +258,16 @@ async def read_dashboard(
 
 @app.get("/profile")
 async def read_profile(
-    params: dict = Depends(common_authenticated_parameters)
+    params: dict = Depends(common_authenticated_parameters),
+    email_update_requested: Optional[str] = "false"
 ):
     # Add image constraints to the template context
     params.update({
         "max_file_size_mb": MAX_FILE_SIZE / (1024 * 1024),  # Convert bytes to MB
         "min_dimension": MIN_DIMENSION,
         "max_dimension": MAX_DIMENSION,
-        "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys())
+        "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys()),
+        "email_update_requested": email_update_requested
     })
     return templates.TemplateResponse(params["request"], "users/profile.html", params)
 

routers/authentication.py

@@ -338,7 +338,7 @@ async def request_email_update(
     )
 
     return RedirectResponse(
-        url="/settings?email_update_requested=true",
+        url="/profile?email_update_requested=true",
         status_code=303
     )
 
@@ -370,6 +370,6 @@ async def confirm_email_update(
     session.commit()
 
     return RedirectResponse(
-        url="/settings?email_updated=true",
+        url="/login?email_updated=true",
         status_code=303
     )

templates/authentication/login.html

@@ -6,6 +6,13 @@
 
 {% block auth_content %}
 <div class="login-form">
+
+    {% if email_updated == "true" %}
+    <div class="alert alert-success" role="alert">
+        Your email address has been successfully updated. Please login with your new email address.
+    </div>
+    {% endif %}
+
     <form method="POST" action="{{ url_for('login') }}" class="needs-validation" novalidate>
         <!-- Email Input -->
         <div class="mb-3">

templates/users/profile.html

@@ -8,6 +8,12 @@
 <div class="container mt-5">
     <h1 class="mb-4">User Profile</h1>
 
+    {% if email_update_requested == "true" %}
+    <div class="alert alert-info" role="alert">
+        Please check your current email address for a confirmation link to complete the email update.
+    </div>
+    {% endif %}
+
     <!-- Basic Information -->
     <div class="card mb-4" id="basic-info">
         <div class="card-header">
@@ -102,7 +108,7 @@ <h1 class="mb-4">User Profile</h1>
                 <p class="text-danger">This action cannot be undone. Please confirm your password to delete your account.</p>
                 <div class="mb-3">
                     <label for="confirm_delete_password" class="form-label">Password</label>
-                    <input type="password" class="form-control" id="confirm_delete_password" name="confirm_delete_password">
+                    <input type="password" class="form-control" id="confirm_delete_password" name="confirm_delete_password" autocomplete="off">
                 </div>
                 <button type="submit" class="btn btn-danger">Delete Account</button>
             </form>

tests/test_auth.py

@@ -1,7 +1,7 @@
 import re
 import string
 import random
-from datetime import timedelta
+from datetime import timedelta, UTC, datetime
 from urllib.parse import urlparse, parse_qs
 from starlette.datastructures import URLPath
 from main import app
@@ -13,8 +13,13 @@
     validate_token,
     generate_password_reset_url,
     COMPILED_PASSWORD_PATTERN,
-    convert_python_regex_to_html
+    convert_python_regex_to_html,
+    generate_email_update_url,
+    send_email_update_confirmation,
+    get_user_from_email_update_token
 )
+from unittest.mock import patch, MagicMock
+from utils.models import User, EmailUpdateToken
 
 
 def test_convert_python_regex_to_html() -> None:
@@ -146,3 +151,100 @@ def test_password_pattern() -> None:
     # No special character
     password = "aA1" * 3
     assert re.match(COMPILED_PASSWORD_PATTERN, password) is None
+
+def test_email_update_url_generation() -> None:
+    """
+    Tests that the email update confirmation URL is correctly formatted and contains
+    the required query parameters.
+    """
+    test_user_id = 123
+    test_token = "abc123"
+    test_new_email = "[email protected]"
+
+    url = generate_email_update_url(test_user_id, test_token, test_new_email)
+
+    # Parse the URL
+    parsed = urlparse(url)
+    query_params = parse_qs(parsed.query)
+
+    # Get the actual path from the FastAPI app
+    confirm_email_path: URLPath = app.url_path_for("confirm_email_update")
+
+    # Verify URL path
+    assert parsed.path == str(confirm_email_path)
+
+    # Verify query parameters
+    assert "user_id" in query_params
+    assert "token" in query_params
+    assert "new_email" in query_params
+    assert query_params["user_id"][0] == str(test_user_id)
+    assert query_params["token"][0] == test_token
+    assert query_params["new_email"][0] == test_new_email
+
+@patch('resend.Emails.send')
+def test_send_email_update_confirmation(mock_send: MagicMock) -> None:
+    """
+    Tests the email update confirmation sending functionality.
+    """
+    # Mock session and dependencies
+    session = MagicMock()
+    session.exec.return_value.first.return_value = None  # No existing token
+    
+    current_email = "[email protected]"
+    new_email = "[email protected]"
+    user_id = 123
+
+    # Mock successful email send
+    mock_send.return_value = {"id": "test_email_id"}
+
+    # Test successful email sending
+    send_email_update_confirmation(current_email, new_email, user_id, session)
+
+    # Verify session interactions
+    assert session.add.called
+    assert session.commit.called
+    
+    # Verify email was sent with correct parameters
+    mock_send.assert_called_once()
+    call_args = mock_send.call_args[0][0]
+    assert call_args["to"] == [current_email]
+    assert call_args["subject"] == "Confirm Email Update"
+    assert "from" in call_args
+    assert "html" in call_args
+
+    # Test existing token case
+    session.reset_mock()
+    session.exec.return_value.first.return_value = EmailUpdateToken()  # Existing token
+    
+    send_email_update_confirmation(current_email, new_email, user_id, session)
+    
+    # Verify no new token was created or email sent
+    assert not session.add.called
+    assert not session.commit.called
+    assert mock_send.call_count == 1  # Still just one call from before
+
+def test_get_user_from_email_update_token() -> None:
+    """
+    Tests retrieving a user using an email update token.
+    """
+    session = MagicMock()
+    
+    # Test valid token
+    mock_user = User(id=1, email="[email protected]")
+    mock_token = EmailUpdateToken(
+        user_id=1,
+        token="valid_token",
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        used=False
+    )
+    session.exec.return_value.first.return_value = (mock_user, mock_token)
+
+    user, token = get_user_from_email_update_token(1, "valid_token", session)
+    assert user == mock_user
+    assert token == mock_token
+
+    # Test invalid token
+    session.exec.return_value.first.return_value = None
+    user, token = get_user_from_email_update_token(1, "invalid_token", session)
+    assert user is None
+    assert token is None

tests/test_user.py

@@ -17,8 +17,7 @@ def test_update_profile_unauthorized(unauth_client: TestClient):
     response: Response = unauth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "New Name",
-            "email": "[email protected]",
+            "name": "New Name"
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"fake image data", "image/jpeg")
@@ -40,8 +39,7 @@ def test_update_profile_authorized(mock_validate, auth_client: TestClient, test_
     response: Response = auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "Updated Name",
-            "email": "[email protected]",
+            "name": "Updated Name"
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"fake image data", "image/jpeg")
@@ -54,7 +52,6 @@ def test_update_profile_authorized(mock_validate, auth_client: TestClient, test_
     # Verify changes in database
     session.refresh(test_user)
     assert test_user.name == "Updated Name"
-    assert test_user.email == "[email protected]"
     assert test_user.avatar_data == MOCK_IMAGE_DATA
     assert test_user.avatar_content_type == MOCK_CONTENT_TYPE
 
@@ -67,8 +64,7 @@ def test_update_profile_without_avatar(auth_client: TestClient, test_user: User,
     response: Response = auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "Updated Name",
-            "email": "[email protected]",
+            "name": "Updated Name"
         },
         follow_redirects=False
     )
@@ -78,7 +74,6 @@ def test_update_profile_without_avatar(auth_client: TestClient, test_user: User,
     # Verify changes in database
     session.refresh(test_user)
     assert test_user.name == "Updated Name"
-    assert test_user.email == "[email protected]"
 
 
 def test_delete_account_unauthorized(unauth_client: TestClient):
@@ -130,8 +125,7 @@ def test_get_avatar_authorized(mock_validate, auth_client: TestClient, test_user
     auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": test_user.name,
-            "email": test_user.email,
+            "name": test_user.name
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"fake image data", "image/jpeg")
@@ -167,8 +161,7 @@ def test_update_profile_invalid_image(mock_validate, auth_client: TestClient):
     response: Response = auth_client.post(
         app.url_path_for("update_profile"),
         data={
-            "name": "Updated Name",
-            "email": "[email protected]",
+            "name": "Updated Name"
         },
         files={
             "avatar_file": ("test_avatar.jpg", b"invalid image data", "image/jpeg")

utils/auth.py

@@ -473,7 +473,7 @@ def send_email_update_confirmation(
             user_id, token.token, new_email)
 
         # Render the email template
-        template = templates.get_template("emails/update_email.html")
+        template = templates.get_template("emails/update_email_email.html")
         html_content = template.render({
             "confirmation_url": confirmation_url,
             "current_email": current_email,

utils/models.py

@@ -215,6 +215,12 @@ class User(SQLModel, table=True):
             "cascade": "all, delete-orphan"
         }
     )
+    email_update_tokens: Mapped[List["EmailUpdateToken"]] = Relationship(
+        back_populates="user",
+        sa_relationship_kwargs={
+            "cascade": "all, delete-orphan"
+        }
+    )
     password: Mapped[Optional[UserPassword]] = Relationship(
         back_populates="user"
     )