fix: email_verified field not being updated on signup confirmation

internal/api/verify.go

@@ -328,6 +328,25 @@ func (a *API) signupVerify(r *http.Request, ctx context.Context, conn *storage.C
 		if terr = user.Confirm(tx); terr != nil {
 			return internalServerError("Error confirming user").WithInternalError(terr)
 		}
+
+		// on signupVerify, the user will always only have an email identity
+		// so we can safely assume that the first identity is the email identity
+		//
+		// we still check for the length of the identities slice to be safe.
+		if len(user.Identities) != 0 {
+			if len(user.Identities) > 1 {
+				return internalServerError("User has more than one identity on signup")
+			}
+			emailIdentity := user.Identities[0]
+			if emailIdentity.Email != user.Email {
+				return internalServerError("User email identity does not match user email")
+			}
+			if terr = emailIdentity.UpdateIdentityData(tx, map[string]interface{}{
+				"email_verified": true,
+			}); terr != nil {
+				return internalServerError("Error updating email identity").WithInternalError(terr)
+			}
+		}
 		return nil
 	})
 	if err != nil {

internal/api/verify_test.go

@@ -48,6 +48,15 @@ func (ts *VerifyTestSuite) SetupTest() {
 	u, err := models.NewUser("12345678", "[email protected]", "password", ts.Config.JWT.Aud, nil)
 	require.NoError(ts.T(), err, "Error creating test user model")
 	require.NoError(ts.T(), ts.API.db.Create(u), "Error saving new test user")
+
+	// Create identity
+	i, err := models.NewIdentity(u, "email", map[string]interface{}{
+		"sub":            u.ID.String(),
+		"email":          "[email protected]",
+		"email_verified": false,
+	})
+	require.NoError(ts.T(), err, "Error creating test identity model")
+	require.NoError(ts.T(), ts.API.db.Create(i), "Error saving new test identity")
 }
 
 func (ts *VerifyTestSuite) TestVerifyPasswordRecovery() {
@@ -673,6 +682,8 @@ func (ts *VerifyTestSuite) TestVerifySignupWithRedirectURLContainedPath() {
 			u, err = models.FindUserByEmailAndAudience(ts.API.db, "[email protected]", ts.Config.JWT.Aud)
 			require.NoError(ts.T(), err)
 			assert.True(ts.T(), u.IsConfirmed())
+			assert.True(ts.T(), u.UserMetaData["email_verified"].(bool))
+			assert.True(ts.T(), u.Identities[0].IdentityData["email_verified"].(bool))
 		})
 	}
 }
@@ -875,6 +886,18 @@ func (ts *VerifyTestSuite) TestVerifyValidOtp() {
 				tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"),
 			},
 		},
+		{
+			desc:     "Valid Signup Token Hash",
+			sentTime: time.Now(),
+			body: map[string]interface{}{
+				"type":       mail.SignupVerification,
+				"token_hash": crypto.GenerateTokenHash(u.GetEmail(), "123456"),
+			},
+			expected: expected{
+				code:      http.StatusOK,
+				tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"),
+			},
+		},
 		{
 			desc:     "Valid Recovery OTP",
 			sentTime: time.Now(),
@@ -940,18 +963,6 @@ func (ts *VerifyTestSuite) TestVerifyValidOtp() {
 				tokenHash: crypto.GenerateTokenHash(u.PhoneChange, "123456"),
 			},
 		},
-		{
-			desc:     "Valid Signup Token Hash",
-			sentTime: time.Now(),
-			body: map[string]interface{}{
-				"type":       mail.SignupVerification,
-				"token_hash": crypto.GenerateTokenHash(u.GetEmail(), "123456"),
-			},
-			expected: expected{
-				code:      http.StatusOK,
-				tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"),
-			},
-		},
 		{
 			desc:     "Valid Email Change Token Hash",
 			sentTime: time.Now(),

internal/models/user.go

@@ -449,6 +449,12 @@ func (u *User) Confirm(tx *storage.Connection) error {
 		return err
 	}
 
+	if err := u.UpdateUserMetaData(tx, map[string]interface{}{
+		"email_verified": true,
+	}); err != nil {
+		return err
+	}
+
 	if err := ClearAllOneTimeTokensForUser(tx, u.ID); err != nil {
 		return err
 	}