SMQ-3093 - User email verification

[arvindh123]

What type of PR is this?

What does this do?

Which issue(s) does this PR fix/relate to?

• Resolves NOISSUE - Handle callout error #3039

Have you included tests for your changes?

Did you document any new/modified feature?

Notes

[dborovcanin]

CI is failing.

[codecov]

Codecov Report

❌ Patch coverage is 60.31519% with 277 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.81%. Comparing base (2261691) to head (30bf733).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/sdk/mocks/sdk.go	0.00%	72 Missing ⚠️
users/verification.go	45.90%	22 Missing and 11 partials ⚠️
cli/users.go	0.00%	26 Missing ⚠️
users/events/streams.go	0.00%	26 Missing ⚠️
users/emailer/emailer.go	0.00%	18 Missing ⚠️
users/postgres/users.go	68.51%	12 Missing and 5 partials ⚠️
users/service.go	81.17%	11 Missing and 5 partials ⚠️
users/events/events.go	0.00%	15 Missing ⚠️
pkg/sdk/users.go	0.00%	14 Missing ⚠️
users/postgres/verfications.go	86.51%	8 Missing and 4 partials ⚠️
... and 5 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3101      +/-   ##
==========================================
+ Coverage   35.15%   43.81%   +8.65%     
==========================================
  Files         323      212     -111     
  Lines       47509    35520   -11989     
==========================================
- Hits        16704    15562    -1142     
+ Misses      29977    19206   -10771     
+ Partials      828      752      -76     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[dborovcanin]

Remove if unused.

[dborovcanin]

Once you remove unused const, make this inline and rename const verificationTokenDuration.

[dborovcanin]

No need for nested if:

if err == repoerr.ErrNotFound {
    return nil
}
if err != nil {
    return err
}

Why do we return nil in case of notFound?

[dborovcanin]

Not related to this PR, but Role+1 is too cryptic.

[dborovcanin]

Let's move this to a separate file.

[dborovcanin]

Should we check if verificationToken is empty first?

[arvindh123]

I will think about this, What we should return if token is empty ?

[dborovcanin]

Update instead of UpdateTo.

[dborovcanin]

Add godoc comments.

[dborovcanin]

Same, add godoc.

[dborovcanin]

We are missing tests for the added methods. Either do it now or open a ticket for the follow-up PR, since this one is already large.

[dborovcanin]

Do we need this redundancy? Why don't we just use verified_at as nullable?

[arvindh123]

Yes. We use a verified (boolean) field in JWTs and for other condition checks. Relying only on verified_at would make the logic less clear.

For example, if we only had verified_at, we’d need to write something like:

verified: !verified_at.IsZero()

By keeping a verified field, the code is cleaner and easier to understand.

[dborovcanin]

Why is this allowed for unverified user?

[arvindh123]

1. Change Email Endpoint:
   If a user enters the wrong email address during signup, they must have the ability to correct it. Allowing unverified users to change their email ensures they can complete the verification process successfully.

2. Refresh Token Endpoint:
   The refresh token enables users to request new access tokens regardless of their verification status. Both access and refresh tokens include a verified field. Before verification, this field is false. Once the user completes verification and refreshes their token, the newly issued tokens will correctly reflect verified = true

[dborovcanin]

1. Change Email Endpoint:
   If a user enters the wrong email address during signup, they must have the ability to correct it. Allowing unverified users to change their email ensures they can complete the verification process successfully.

No need -> they can restart the procedure process with the correct email.

2. Refresh Token Endpoint:
   The refresh token enables users to request new access tokens regardless of their verification status. Both access and refresh tokens include a verified field. Before verification, this field is false. Once the user completes verification and refreshes their token, the newly issued tokens will correctly reflect verified = true

Why? Isn't it simpler to disable issuing tokens to who don't have VerifiedAt field?

[arvindh123]

No need -> they can restart the procedure process with the correct email.

• A username cannot be reused until the associated account is deleted.
• This ensures usernames can be properly recycled.
• It helps prevent the buildup of unwanted or unverified user accounts.

[arvindh123]

We can provide some basic operation without verification of email
This provides flexibility.

During this basic operation time, If user want to reset password, then they need to verify the email.

[felixgateru]

[dborovcanin]

CI is failing.

[dborovcanin]

Is the token needed at all? Can we put user ID in JWT we send for verification?

[dborovcanin]

Is this needed if we are going to use JWT that already contains the expiration?

[dborovcanin]

Let's use expires_at since we used created_at.

[dborovcanin]

Oguv?

[arvindh123]

oguv - Original (OG) User Verification

[dborovcanin]

Both ruvs and oguv are not descriptive names. Please update. Rename ruvs to user; and user to updatedUser or just updated. Rename ruvs to token, and ruv := UserVerification to uv := userVerification. Especially since this does not have to be registration (r) related.

[dborovcanin]

Let's rename to verifications, no need for users prefix.

[dborovcanin]

CI is failing.

[smithjilks]

@arvindh123
I get no token/invalid token when I call sdk verify email method with the token gotten from link query params.

[smithjilks]

You can update the template so that it says welcome to 'host' instead of 'host/endpoint'

[dborovcanin]

Both ruvs and oguv are not descriptive names. Please update. Rename ruvs to user; and user to updatedUser or just updated. Rename ruvs to token, and ruv := UserVerification to uv := userVerification. Especially since this does not have to be registration (r) related.

[dborovcanin]

Let's just use authn for this variable.

[dborovcanin]

Let's use received and stored instead, so we have stored.Match(received).