Merge pull request #1775 from overleaf/ta-fetch-user-before-confirm

Check User Exists Before Confirming Email

GitOrigin-RevId: 3622044f31f78e8499ccd084ca99297ca297ca97

services/web/app/coffee/Features/User/UserEmailsConfirmationHandler.coffee

@@ -5,6 +5,7 @@ settings = require 'settings-sharelatex'
 Errors = require "../Errors/Errors"
 logger = require "logger-sharelatex"
 UserUpdater = require "./UserUpdater"
+UserGetter = require "./UserGetter"
 
 ONE_YEAR_IN_S = 365 * 24 * 60 * 60
 
@@ -34,4 +35,8 @@ module.exports = UserEmailsConfirmationHandler =
 			logger.log {data, user_id, email, token_start: token.slice(0,8)}, 'found data for email confirmation'
 			if !user_id? or email != EmailHelper.parseEmail(email)
 				return callback(new Errors.NotFoundError('invalid data'))
+			UserGetter.getUser user_id, {}, (error, user) ->
+				return callback(error) if error?
+				unless user?._id
+					return callback(new Errors.NotFoundError('user not found'))
 				UserUpdater.confirmEmail user_id, email, callback

services/web/test/unit/coffee/User/UserEmailsConfirmationHandlerTests.coffee

@@ -17,9 +17,12 @@ describe "UserEmailsConfirmationHandler", ->
 			"../Security/OneTimeTokenHandler": @OneTimeTokenHandler = {}
 			"../Errors/Errors": Errors
 			"./UserUpdater": @UserUpdater = {}
+			"./UserGetter": @UserGetter =
+				getUser: sinon.stub().yields(null, @mockUser)
 			"../Email/EmailHandler": @EmailHandler = {}
 			"../Helpers/EmailHelper": EmailHelper
-		@user_id = "mock-user-id"
+		@mockUser = _id:  "mock-user-id"
+		@user_id = @mockUser._id
 		@email = "mock@example.com"
 		@callback = sinon.stub()
 
@@ -124,3 +127,12 @@ describe "UserEmailsConfirmationHandler", ->
 			it "should call the callback with a NotFoundError", ->
 				@callback.calledWith(sinon.match.instanceOf(Errors.NotFoundError)).should.equal true
 
+
+		describe 'with no user found', ->
+			beforeEach ->
+				@UserGetter.getUser.yields(null, null)
+				@UserEmailsConfirmationHandler.confirmEmailFromToken @token = 'mock-token', @callback
+
+			it "should call the callback with a NotFoundError", ->
+				@callback.calledWith(sinon.match.instanceOf(Errors.NotFoundError)).should.equal true
+