From 601f9986f0a7454d6e94554c9ff2cdd8440241fe Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Thu, 12 Dec 2024 12:16:58 +0800
Subject: [PATCH] fix: add checks for cases where more than 1 identity is returned

---
 internal/api/verify.go | 6 ++++++
 internal/api/verify_test.go | 25 +++++++++++++------------
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/internal/api/verify.go b/internal/api/verify.go
index c9d7ebf6f..b48716a87 100644
--- a/internal/api/verify.go
+++ b/internal/api/verify.go
@@ -334,7 +334,13 @@ func (a *API) signupVerify(r *http.Request, ctx context.Context, conn *storage.C
 	//
 	// we still check for the length of the identities slice to be safe.
 	if len(user.Identities) != 0 {
+		if len(user.Identities) > 1 {
+			return internalServerError("User has more than one identity on signup")
+		}
 		emailIdentity := user.Identities[0]
+		if emailIdentity.Email != user.Email {
+			return internalServerError("User email identity does not match user email")
+		}
 		if terr = emailIdentity.UpdateIdentityData(tx, map[string]interface{}{
 			"email_verified": true,
 		}); terr != nil {
diff --git a/internal/api/verify_test.go b/internal/api/verify_test.go
index c5fe965eb..7c97d69ea 100644
--- a/internal/api/verify_test.go
+++ b/internal/api/verify_test.go
@@ -52,6 +52,7 @@ func (ts *VerifyTestSuite) SetupTest() {
 	// Create identity
 	i, err := models.NewIdentity(u, "email", map[string]interface{}{
 		"sub": u.ID.String(),
+		"email": "test@example.com",
 		"email_verified": false,
 	})
 	require.NoError(ts.T(), err, "Error creating test identity model")
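Review bot: The comment directly above the new guards ("we still check for the length of the identities slice to be safe") no longer describes the block, which now also rejects a user with more than one identity and an identity whose email differs from the user's, both with an internal server error. Extend it to state the reason, e.g. `// A user verifying a signup is expected to have exactly one identity (the email one); anything else means Identities[0] could be the wrong identity to mark verified, so bail out rather than trust it.` Separately, `emailIdentity.Email != user.Email` is an exact comparison; if the identity and user email columns are not normalized the same way at write time (case, surrounding whitespace), a legitimate user would be turned away with a 500 here, so this is worth confirming against how both values are stored, or comparing a normalized form of each. The enclosing signupVerify body and the handling of `terr` start and end outside the hunk.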
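Review bot: The fixture hard-codes `"email": "test@example.com"` in the identity data while the user `u` it belongs to is created earlier in SetupTest, outside the hunk; the server-side check added in the same commit compares the identity email with the user email exactly, so these two literals must stay identical or the signup-verification cases expecting 200 start failing with a 500. Deriving it from the user, `"email": u.GetEmail(),`, keeps them coupled, and `u.GetEmail()` is already what the suite's table cases use to build token hashes. If `u` happens to be created with a different literal, that is a fixture mismatch this would surface immediately.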
@@ -885,6 +886,18 @@ func (ts *VerifyTestSuite) TestVerifyValidOtp() {
 				tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"),
 			},
 		},
+ { desc: "Valid Signup Token Hash", sentTime: time.Now(), body: map[string]interface{}{ "type": mail.SignupVerification, "token_hash": crypto.GenerateTokenHash(u.GetEmail(), "123456"), }, expected: expected{ code: http.StatusOK, tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"), }, },
 		{
 			desc: "Valid Recovery OTP",
 			sentTime: time.Now(),
@@ -950,18 +963,6 @@ func (ts *VerifyTestSuite) TestVerifyValidOtp() {
 				tokenHash: crypto.GenerateTokenHash(u.PhoneChange, "123456"),
 			},
 		},
- { desc: "Valid Signup Token Hash", sentTime: time.Now(), body: map[string]interface{}{ "type": mail.SignupVerification, "token_hash": crypto.GenerateTokenHash(u.GetEmail(), "123456"), }, expected: expected{ code: http.StatusOK, tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"), }, },
 		{
 			desc: "Valid Email Change Token Hash",
 			sentTime: time.Now(),
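Review bot: The "Valid Signup Token Hash" case is moved from the end of the table to just before "Valid Recovery OTP" (this hunk and the matching deletion at @@ -950,18 +963,6) with no comment saying why its position matters. If the cases share one user and the signup verification changes its state (the production change in this commit marks the email identity verified), later cases may now depend on it having run first, and a one-line comment on the moved entry such as `// keep before the recovery/email-change cases: signup verification mutates the shared test user` would stop a future reorder from silently breaking the suite; if order is irrelevant, the commit message should say what the move is for. The table and TestVerifyValidOtp begin and end outside both hunks.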