Require verification after email change

When the User model is configured to require email verification,
then any change of the email address should trigger re-verification.

Author: loay

common/models/user.js

@@ -667,6 +667,7 @@ module.exports = function(User) {
 
     // Delete old sessions once email is updated
     UserModel.observe('before save', function beforeEmailUpdate(ctx, next) {
+      var emailChanged;
       if (ctx.isNewInstance) return next();
       if (!ctx.where && !ctx.instance) return next();
       var where = ctx.where || { id: ctx.instance.id };
@@ -675,6 +676,19 @@ module.exports = function(User) {
         ctx.hookState.originalUserData = userInstances.map(function(u) {
           return { id: u.id, email: u.email };
         });
+        if (ctx.instance) {
+          emailChanged = ctx.instance.email !== ctx.hookState.originalUserData[0].email;
+          if (emailChanged && ctx.Model.settings.emailVerificationRequired) {
+            ctx.instance.emailVerified = false;
+          }
+        } else {
+          emailChanged = ctx.hookState.originalUserData.some(function(data) {
+            return data.email != ctx.data.email;
+          });
+          if (emailChanged && ctx.Model.settings.emailVerificationRequired) {
+            ctx.data.emailVerified = false;
+          }
+        }
         next();
       });
     });

test/user.test.js

@@ -2188,6 +2188,70 @@ describe('User', function() {
     });
   });
 
+  describe('Verification after updating email', function() {
+    var NEW_EMAIL = '[email protected]';
+    var userInstance;
+
+    beforeEach(createOriginalUser);
+
+    it('sets verification to false after email update if verification is required',
+    function(done) {
+      User.settings.emailVerificationRequired = true;
+      async.series([
+        function updateUser(next) {
+          userInstance.updateAttribute('email', NEW_EMAIL, function(err, info) {
+            if (err) return next(err);
+            assert.equal(info.email, NEW_EMAIL);
+            next();
+          });
+        },
+        function findUser(next) {
+          User.findById(userInstance.id, function(err, info) {
+            if (err) return next(err);
+            assert.equal(info.email, NEW_EMAIL);
+            assert.equal(info.emailVerified, false);
+            next();
+          });
+        },
+      ], done);
+    });
+
+    it('leaves verification as is after email update if verification is not required',
+    function(done) {
+      User.settings.emailVerificationRequired = false;
+      async.series([
+        function updateUser(next) {
+          userInstance.updateAttribute('email', NEW_EMAIL, function(err, info) {
+            if (err) return next(err);
+            assert.equal(info.email, NEW_EMAIL);
+            next();
+          });
+        },
+        function findUser(next) {
+          User.findById(userInstance.id, function(err, info) {
+            if (err) return next(err);
+            assert.equal(info.email, NEW_EMAIL);
+            assert.equal(info.emailVerified, true);
+            next();
+          });
+        },
+      ], done);
+    });
+
+    function createOriginalUser(done) {
+      var userData = {
+        email: '[email protected]',
+        password: 'bar',
+        emailVerified: true,
+      };
+      User.create(userData, function(err, instance) {
+        if (err) return done(err);
+        userInstance = instance;
+        done();
+      });
+    }
+  });
+
   describe('password reset with/without email verification', function() {
     it('allows resetPassword by email if email verification is required and done',
     function(done) {