♻️ Restrict change user email (#5472)

Author: pcrespov

api/specs/web-server/_auth.py

@@ -194,6 +194,8 @@ async def reset_password_allowed(code: str, _body: ResetPasswordConfirmation):
             "description": "unable to send confirmation email",
         },
     },
+    # Disabled in https://github.com/ITISFoundation/osparc-simcore/pull/5472
+    include_in_schema=False,
 )
 async def change_email(_body: ChangeEmailBody):
     """logged in user changes email"""

services/payments/src/simcore_service_payments/services/notifier_email.py

@@ -220,6 +220,7 @@ async def _create_successful_payments_message(
         self, user_id: UserID, payment: PaymentTransaction
     ) -> EmailMessage:
         data = await self._users_repo.get_notification_data(user_id, payment.payment_id)
+        data_vendor = data.vendor or {}
 
         # email for successful payment
         msg: EmailMessage = await _create_user_email(
@@ -237,7 +238,7 @@ async def _create_successful_payments_message(
             product=_ProductData(
                 product_name=data.product_name,
                 display_name=data.display_name,
-                vendor_display_inline=f"{data.vendor.get('name', '')}. {data.vendor.get('address', '')}",
+                vendor_display_inline=f"{data_vendor.get('name', '')}. {data_vendor.get('address', '')}",
                 support_email=data.support_email,
             ),
         )

services/web/server/VERSION

@@ -1 +1 @@
-0.38.0
+0.39.0

services/web/server/setup.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.38.0
+current_version = 0.39.0
 commit = True
 message = services/webserver api version: {current_version} → {new_version}
 tag = False

services/web/server/src/simcore_service_webserver/api/v0/openapi.yaml

@@ -2,7 +2,7 @@ openapi: 3.0.2
 info:
   title: simcore-service-webserver
   description: Main service with an interface (http-API & websockets) to the web front-end
-  version: 0.38.0
+  version: 0.39.0
 servers:
 - url: ''
   description: webserver
@@ -344,38 +344,6 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/Envelope_Error_'
-  /v0/auth/change-email:
-    post:
-      tags:
-      - auth
-      summary: Change Email
-      description: logged in user changes email
-      operationId: auth_change_email
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ChangeEmailBody'
-        required: true
-      responses:
-        '200':
-          description: Successful Response
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Envelope_Log_'
-        '401':
-          description: unauthorized user. Login required
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Envelope_Error_'
-        '503':
-          description: unable to send confirmation email
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Envelope_Error_'
   /v0/auth/change-password:
     post:
       tags:
@@ -2925,7 +2893,7 @@ paths:
         '403':
           description: ProjectInvalidRightsError
         '404':
-          description: ProjectNotFoundError, UserDefaultWalletNotFoundError
+          description: UserDefaultWalletNotFoundError, ProjectNotFoundError
         '409':
           description: ProjectTooManyProjectOpenedError
         '422':
@@ -4686,12 +4654,13 @@ components:
           email: [email protected]
           phone: +1 123456789
           company: EM Com
-          address: Infinite Loop. California
+          address: Infinite Loop
+          city: Washington
+          postalCode: '98001'
           country: USA
           application: Antenna_Design
-          description: Description of sometin
+          description: Description of something
           hear: Search_Engine
-          message: I would love to use your tool
     Activity:
       title: Activity
       required:
@@ -5004,17 +4973,6 @@ components:
           type: object
           additionalProperties:
             $ref: '#/components/schemas/BootChoice'
-    ChangeEmailBody:
-      title: ChangeEmailBody
-      required:
-      - email
-      type: object
-      properties:
-        email:
-          title: Email
-          type: string
-          format: email
-      additionalProperties: false
     ChangePasswordBody:
       title: ChangePasswordBody
       required:
@@ -9905,6 +9863,9 @@ components:
       title: TaskProgress
       type: object
       properties:
+        task_id:
+          title: Task Id
+          type: string
         message:
           title: Message
           type: string

services/web/server/src/simcore_service_webserver/login/handlers_change.py

@@ -136,9 +136,8 @@ class ChangeEmailBody(InputSchema):
     email: LowerCaseEmailStr
 
 
-@routes.post(f"/{API_VTAG}/auth/change-email", name="auth_change_email")
-@login_required
 async def submit_request_to_change_email(request: web.Request):
+    # NOTE: This code have been intentially disabled in https://github.com/ITISFoundation/osparc-simcore/pull/5472
     db: AsyncpgStorage = get_plugin_storage(request.app)
     product: Product = get_current_product(request)
 

services/web/server/tests/unit/with_dbs/03/login/test_login_change_email.py

@@ -22,6 +22,18 @@ def new_email(fake_user_email: str) -> str:
     return fake_user_email
 
 
+async def test_change_email_disabled(client: TestClient, new_email: str):
+    assert client.app
+    assert "auth_change_email" not in client.app.router
+
+    response = await client.post(
+        "/v0/auth/change-email",
+        json={"email": new_email},
+    )
+    await assert_status(response, status.HTTP_404_NOT_FOUND)
+
+
+@pytest.mark.xfail(reason="Change email has been disabled")
 async def test_unauthorized_to_change_email(client: TestClient, new_email: str):
     assert client.app
     url = client.app.router["auth_change_email"].url_for()
@@ -31,29 +43,29 @@ async def test_unauthorized_to_change_email(client: TestClient, new_email: str):
             "email": new_email,
         },
     )
-    assert response.status == 401
     await assert_status(response, status.HTTP_401_UNAUTHORIZED)
 
 
+@pytest.mark.xfail(reason="Change email has been disabled")
 async def test_change_to_existing_email(client: TestClient):
     assert client.app
     url = client.app.router["auth_change_email"].url_for()
 
-    async with LoggedUser(client) as user:
-        async with NewUser(app=client.app) as other:
-            response = await client.post(
-                f"{url}",
-                json={
-                    "email": other["email"],
-                },
-            )
-            await assert_status(
-                response,
-                status.HTTP_422_UNPROCESSABLE_ENTITY,
-                "This email cannot be used",
-            )
+    async with LoggedUser(client), NewUser(app=client.app) as other:
+        response = await client.post(
+            f"{url}",
+            json={
+                "email": other["email"],
+            },
+        )
+        await assert_status(
+            response,
+            status.HTTP_422_UNPROCESSABLE_ENTITY,
+            "This email cannot be used",
+        )
 
 
+@pytest.mark.xfail(reason="Change email has been disabled")
 async def test_change_and_confirm(
     client: TestClient,
     login_options: LoginOptions,
@@ -107,6 +119,5 @@ async def test_change_and_confirm(
                 "password": user["raw_password"],
             },
         )
-        payload = await response.json()
         assert response.url.path == login_url.path
         await assert_status(response, status.HTTP_200_OK, MSG_LOGGED_IN)

services/web/server/tests/unit/with_dbs/03/login/test_login_logout.py

@@ -13,12 +13,12 @@ async def test_logout(client: TestClient, db: AsyncpgStorage):
     assert client.app
 
     logout_url = client.app.router["auth_logout"].url_for()
-    protected_url = client.app.router["auth_change_email"].url_for()
+    protected_url = client.app.router["get_my_profile"].url_for()
 
     async with LoggedUser(client) as user:
 
         # try to access protected page
-        response = await client.post(f"{protected_url}", json={"email": user["email"]})
+        response = await client.get(f"{protected_url}")
         assert response.url.path == protected_url.path
         await assert_status(response, status.HTTP_200_OK)
 
@@ -28,7 +28,7 @@ async def test_logout(client: TestClient, db: AsyncpgStorage):
         await assert_status(response, status.HTTP_200_OK)
 
         # and try again
-        response = await client.post(f"{protected_url}")
+        response = await client.get(f"{protected_url}")
         assert response.url.path == protected_url.path
         await assert_status(response, status.HTTP_401_UNAUTHORIZED)