Merge pull request #194 from SkynetLabs/ivo/recover_unconfirmed

Allow account recovery from unconfirmed emails.

Author: Christopher Schinnerl

api/handlers.go

@@ -1013,11 +1013,6 @@ func (api *API) userRecoverRequestPOST(_ *database.User, w http.ResponseWriter,
 		api.WriteError(w, errors.AddContext(err, "failed to fetch the user with this email"), http.StatusInternalServerError)
 		return
 	}
-	// Verify that the user's email is confirmed.
-	if u.EmailConfirmationToken != "" {
-		api.WriteError(w, errors.New("user's email is not confirmed. it cannot be used for account recovery"), http.StatusBadRequest)
-		return
-	}
 	// Generate a new recovery token and add it to the user's account.
 	u.RecoveryToken, err = lib.GenerateUUID()
 	if err != nil {

test/api/handlers_test.go

@@ -733,18 +733,8 @@ func testUserAccountRecovery(t *testing.T, at *test.AccountsTester) {
 	if len(msgs) != 1 || msgs[0].Subject != "Account access attempted" {
 		t.Fatalf("Expected to find a single email with subject '%s', got %v", "Account access attempted", msgs)
 	}
-	// Request recovery with a valid but unconfirmed email.
-	_, err = at.UserRecoverRequestPOST(u.Email)
-	if err == nil || !strings.Contains(err.Error(), badRequest) {
-		t.Fatalf("Expected '%s', got '%s'", badRequest, err)
-	}
-	// Confirm the email.
-	_, err = at.UserConfirmGET(u.EmailConfirmationToken)
-	if err != nil {
-		t.Fatal(err)
-	}
 	// Request recovery with a valid email. We expect there to be a single email
-	// with the recovery token.
+	// with the recovery token. The email is unconfirmed but we don't mind that.
 	bodyParams := url.Values{}
 	bodyParams.Set("email", u.Email)
 	_, err = at.UserRecoverRequestPOST(u.Email)