Bug Report / Security Concern — auth.api.changeEmail applies the change before confirming the link
Problem Description: When updating the email address and the email is sent, it updates correctly. However, upon clicking the new link, the email address can be updated again without double confirmation. This is because the implementation itself updates the database values before sending and confirming the new email. Consequently, if someone gains access to the link (or if the email address is incorrect), they can reuse it and continue modifying the email address without a second, valid verification. This compromises the integrity of the email change flow, especially in applications where the email address is a critical identifier.
Expected Behavior: The email address should not be changed until the user:
1. Clicks the link sent to the new email address, and
2. The token is successfully validated and is not expired or revoked.
In other words, the system should follow a stateful model similar to secure email change:
1. Register the request
2. Send an email with the link
3. Upon opening the email and validating the token, the user.email address is updated and the token is invalidated.
4. Invalidate the token (prevent reuse) if the user requests it (e.g., incorrectly entered the email address).
Security Risks:
1. Email change without real confirmation: Possible account hijacking.
2. Links sent in error cannot be revoked: Risk in corporate/ERP environments.
3. Reusable token: Weakens identity validation.
4. Not properly auditable: Affects regulatory compliance (GDPR, ISO, SOC2, etc.).
Final Comment: A stateful flow should be implemented, or at least the user should be given the option to choose this method. This would be a significant improvement for environments where the email address is a critical credential, as well as for other fields or when generating tokens or other values. I am available to collaborate on PR proposals if you deem it appropriate.
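An added illustration of the stateful flow proposed above (example code, not the project's own implementation): the new address is stored only as a pending request, user.email changes only when a single-use, expiring token validates, and the user can revoke links sent by mistake. The class name, in-memory stores and 15-minute TTL are assumptions.

```typescript
import { randomBytes, createHash } from "crypto";

// Hypothetical in-memory stores standing in for the auth database.
type User = { email: string };
type PendingChange = {
  userId: string; newEmail: string; expiresAt: number; used: boolean; revoked: boolean;
};

// Only a hash of the token is stored, so a leaked table does not yield usable links.
const hashToken = (token: string) => createHash("sha256").update(token).digest("hex");

class EmailChangeService {
  users = new Map<string, User>();
  pending = new Map<string, PendingChange>(); // keyed by token hash

  constructor(private now: () => number = Date.now, private ttlMs = 15 * 60 * 1000) {}

  // Steps 1 and 2: record the request and hand back the single-use token for the link.
  // user.email is deliberately NOT touched here.
  requestChange(userId: string, newEmail: string): string {
    if (!this.users.has(userId)) throw new Error("unknown user");
    const token = randomBytes(32).toString("base64url");
    this.pending.set(hashToken(token), {
      userId, newEmail, expiresAt: this.now() + this.ttlMs, used: false, revoked: false,
    });
    return token;
  }

  // Step 3: the email is updated only when the token validates, and the token is then spent.
  confirmChange(token: string): "ok" | "invalid" | "revoked" | "already_used" | "expired" {
    const req = this.pending.get(hashToken(token));
    if (!req) return "invalid";
    if (req.revoked) return "revoked";
    if (req.used) return "already_used";
    if (this.now() > req.expiresAt) return "expired";
    req.used = true;
    this.users.get(req.userId)!.email = req.newEmail;
    return "ok";
  }

  // Step 4: let the user cancel every still-live link (e.g. a mistyped address);
  // returns how many requests were revoked.
  revokePending(userId: string): number {
    let count = 0;
    for (const req of this.pending.values()) {
      const live = !req.used && !req.revoked && this.now() <= req.expiresAt;
      if (req.userId === userId && live) { req.revoked = true; count++; }
    }
    return count;
  }
}
```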
1 Reply
the flow currently is
- request change email with an email address
- we send confirmation to the old email address
- when you access that link we update your email address to the new email
- we send email verification to the new email address
not sure how this is a security concern