From a14b7f8b51d86f48ec286f7906b2a6f4d86b0f9a Mon Sep 17 00:00:00 2001
From: Peter Dulacka
Date: Sun, 6 Feb 2022 13:43:13 +0100
Subject: [PATCH] Fix leak of unclaimed user ID in UsersEmailApiHandler remp/hiking#10
---
 src/Api/UsersEmailHandler.php | 1 +
 src/Tests/UsersEmailHandlerTest.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Api/UsersEmailHandler.php b/src/Api/UsersEmailHandler.php
index 38bcee0..a35fa40 100644
--- a/src/Api/UsersEmailHandler.php
+++ b/src/Api/UsersEmailHandler.php
@@ -79,6 +79,7 @@ public function handle(ApiAuthorizationInterface $authorization)
 $status = 'taken';
 $passwordStatus = ($params['password']) ? false : null;
 } elseif ($authException->getCode() === UserAuthenticator::NOT_APPROVED) {
+ $user = null;
 $status = 'available';
 } else {
 $status = 'taken';
diff --git a/src/Tests/UsersEmailHandlerTest.php b/src/Tests/UsersEmailHandlerTest.php
index 1be9761..62f022c 100644
--- a/src/Tests/UsersEmailHandlerTest.php
+++ b/src/Tests/UsersEmailHandlerTest.php
@@ -208,8 +208,8 @@ public function testUnclaimedUser()
 $this->assertEquals('available', $payload['status']);
 $this->assertEquals($email, $payload['email']);

- $this->assertEquals($user->id, $payload['id']);
- $this->assertEquals(null, $payload['password']);
+ $this->assertNull($payload['id']);
+ $this->assertNull($payload['password']);

 $this->assertEquals(LoginAttemptsRepository::STATUS_UNCLAIMED_USER, $lastAttempt->status);
 }
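Review bot: The added `$user = null;` in the NOT_APPROVED branch carries no comment explaining why the user object is being discarded, so a later refactor that reads `$user` to fill the response can quietly reintroduce the ID leak this commit closes. I would put `// unclaimed account: report the email as available and drop $user so its id is never written to the response` directly above the assignment. The fix also relies on every later use of `$user` in handle() tolerating null, and the part of the method where the payload is presumably built lies outside this hunk, so that should be confirmed on the full file. handle() begins and ends outside the hunk.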
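Review bot: `$this->assertNull($payload['id']);` on the new side also passes when the `id` key is absent from the payload altogether (an undefined-index notice evaluates to null unless PHPUnit is configured to turn notices into failures), so the test does not pin the response shape the API is expected to keep. Add `$this->assertArrayHasKey('id', $payload);` before the null check, and since `$user` is still in scope here, a stronger regression guard against the leak would be `$this->assertNotContains($user->id, $payload);` — hedged, because only part of the payload's shape is visible in this hunk. testUnclaimedUser() begins outside the hunk.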