From 6289d4209fc5000d45e546cc93299dffcb96cfd4 Mon Sep 17 00:00:00 2001
From: Alisha Zaman
Date: Thu, 29 Jan 2026 00:01:25 -0500
Subject: [PATCH 1/3] 686: Display correct email verfication success

686: Addressed Co-Pilot comments
686: Return error redirect when domain change
---
 .../patinanetwork/codebloom/api/auth/AuthController.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
index 6b3a0a68e..68d3c3d2a 100644
--- a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
+++ b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
@@ -290,7 +290,7 @@ public RedirectView verifySchoolEmail(final HttpServletRequest request) {
 boolean isSuccessful = userRepository.updateUser(user);
 if (!isSuccessful) {
- throw new RuntimeException("User repository failed to update user and add school email.");
+ return new RedirectView("/settings?success=false&message=Failed to update email");
 }
 String emailDomain = magicLink
@@ -323,7 +323,11 @@ public RedirectView verifySchoolEmail(final HttpServletRequest request) {
 schoolEnum.getInternalTag().name()))
 .build());
 } else {
- userTagRepository.createTag(schoolTag);
+ try {
+ userTagRepository.createTag(schoolTag);
+ } catch (Exception e) {
+ return new RedirectView("/settings?success=false&message=Failed to create school tag");
+ }
 }
 return new RedirectView("/settings?success=true&message=The email has been verified!");

From c7d601f8a338be861b8ad86d6609afdef9aab563 Mon Sep 17 00:00:00 2001
From: Alisha Zaman
Date: Thu, 29 Jan 2026 12:08:55 -0500
Subject: [PATCH 2/3] 686: Validate magiclink
---
 .../codebloom/api/auth/AuthController.java | 14 +++++++-------
 .../codebloom/common/schools/magic/MagicLink.java | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 7 deletions(-)
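Review bot: `catch (Exception e)` in the new `else` branch drops the exception without logging it, so a failing `createTag` leaves no server-side trace even though the user's school email has already been persisted by `updateUser` a few lines above this hunk. At minimum log the exception with its stack trace before returning the redirect, and catch the repository's specific exception type rather than `Exception` so programming errors still surface. The redirect text also implies the whole verification failed, when the email has in fact been saved and only the tag is missing; consider wording it accordingly. verifySchoolEmail starts outside this hunk.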
diff --git a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
index 68d3c3d2a..d60eb43da 100644
--- a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
+++ b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
@@ -231,7 +231,7 @@ public ResponseEntity> enrollSchool(
 simpleRedis.put(userId, System.currentTimeMillis());
- MagicLink magicLink = new MagicLink(email, userId);
+ MagicLink magicLink = new MagicLink(email, userId, serverUrlUtils.getUrl());
 try {
 String token = jwtClient.encode(magicLink, Duration.ofHours(1));
 String verificationLink = serverUrlUtils.getUrl() + "/api/auth/school/verify?state=" + token;
@@ -276,6 +276,10 @@ public RedirectView verifySchoolEmail(final HttpServletRequest request) {
 MagicLink magicLink;
 try {
 magicLink = jwtClient.decode(token, MagicLink.class);
+ String expectedIssuer = serverUrlUtils.getUrl();
+ if (!expectedIssuer.equals(magicLink.getIssuer())) {
+ return new RedirectView("/settings?success=false&message=You issued for different environment");
+ }
 } catch (Exception e) {
 return new RedirectView("/settings?success=false&message=Invalid or expired token");
 }
@@ -290,7 +294,7 @@ public RedirectView verifySchoolEmail(final HttpServletRequest request) {
 boolean isSuccessful = userRepository.updateUser(user);
 if (!isSuccessful) {
- return new RedirectView("/settings?success=false&message=Failed to update email");
+ throw new RuntimeException("User repository failed to update user and add school email.");
 }
 String emailDomain = magicLink
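Review bot: The issuer check is an exact `String.equals` on whatever `serverUrlUtils.getUrl()` returns at minting time versus verification time, so any difference in trailing slash, scheme, case or port between the two calls (for example across instances behind a proxy) rejects a legitimate link; confirm that value is canonical and stable. The redirect text is awkward as well: `"/settings?success=false&message=Token was issued for a different environment"` reads better. If jwtClient can validate a registered `iss` claim, that is preferable to a hand-rolled payload field, since the comparison then happens as part of signature verification rather than after a successful decode. The binding itself is the right control here, because the signature covers it and the client cannot alter it.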
@@ -323,11 +327,7 @@ public RedirectView verifySchoolEmail(final HttpServletRequest request) {
 schoolEnum.getInternalTag().name()))
 .build());
 } else {
- try {
- userTagRepository.createTag(schoolTag);
- } catch (Exception e) {
- return new RedirectView("/settings?success=false&message=Failed to create school tag");
- }
+ userTagRepository.createTag(schoolTag);
 }
 return new RedirectView("/settings?success=true&message=The email has been verified!");
diff --git a/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java b/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java
index f8b742d20..79a206670 100644
--- a/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java
+++ b/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java
@@ -4,6 +4,7 @@ public class MagicLink {
 private String email;
 private String userId;
+ private String issuer;
 public MagicLink() {}
@@ -12,6 +13,12 @@ public MagicLink(final String email, final String userId) {
 this.userId = userId;
 }
+ public MagicLink(final String email, final String userId, final String issuer) {
+ this.email = email;
+ this.userId = userId;
+ this.issuer = issuer;
+ }
+
 public String getEmail() {
 return email;
 }
@@ -27,4 +34,12 @@ public String getUserId() {
 public void setUserId(final String userId) {
 this.userId = userId;
 }
+
+ public String getIssuer() {
+ return issuer;
+ }
+
+ public void setIssuer(final String issuer) {
+ this.issuer = issuer;
+ }
 }

From e975404652fb2c686894d42ea64dcc8f319ed2a4 Mon Sep 17 00:00:00 2001
From: Alisha Zaman
Date: Sun, 1 Feb 2026 00:39:46 -0500
Subject: [PATCH 3/3] 686: Confirm domain type
---
 .../codebloom/api/auth/AuthController.java | 13 ++++++++-----
 .../codebloom/common/schools/magic/MagicLink.java | 15 ---------------
 2 files changed, 8 insertions(+), 20 deletions(-)
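Review bot: With the guard removed, an exception from `userTagRepository.createTag(schoolTag)` now propagates as a server error after `updateUser` (above this hunk) has already stored the verified school email, so the user ends up with the email saved but no school tag and no success redirect. If the two writes cannot share one transaction, either restore a guard that logs the exception before redirecting, or document on the method that re-running verification is the expected way to create a missing tag. The enclosing verifySchoolEmail starts outside this hunk.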
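Review bot: The new three-argument constructor repeats the assignments of the two-argument one; delegating with `this(email, userId); this.issuer = issuer;` keeps a single place that sets `email` and `userId`. Since this class is serialized into the signed verification token, a one-line class comment stating that `issuer` holds the server URL that minted the link and is compared on verification would tell the next reader why the field exists and why it must stay inside the signed payload.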
diff --git a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
index d60eb43da..d418e177e 100644
--- a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
+++ b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
@@ -231,7 +231,7 @@ public ResponseEntity> enrollSchool(
 simpleRedis.put(userId, System.currentTimeMillis());
- MagicLink magicLink = new MagicLink(email, userId, serverUrlUtils.getUrl());
+ MagicLink magicLink = new MagicLink(email, userId);
 try {
 String token = jwtClient.encode(magicLink, Duration.ofHours(1));
 String verificationLink = serverUrlUtils.getUrl() + "/api/auth/school/verify?state=" + token;
@@ -258,6 +258,13 @@ public ResponseEntity> enrollSchool(
 })
 @GetMapping("/school/verify")
 public RedirectView verifySchoolEmail(final HttpServletRequest request) {
+ String referer = request.getHeader("Referer");
+ String allowedOrigin = serverUrlUtils.getUrl();
+
+ if (referer == null || !referer.startsWith(allowedOrigin)) {
+ return new RedirectView("/settings?success=false&message=Invalid request origin");
+ }
+
 AuthenticationObject authenticationObject;
 Session session;
 User user;
@@ -276,10 +283,6 @@ public RedirectView verifySchoolEmail(final HttpServletRequest request) {
 MagicLink magicLink;
 try {
 magicLink = jwtClient.decode(token, MagicLink.class);
- String expectedIssuer = serverUrlUtils.getUrl();
- if (!expectedIssuer.equals(magicLink.getIssuer())) {
- return new RedirectView("/settings?success=false&message=You issued for different environment");
- }
 } catch (Exception e) {
 return new RedirectView("/settings?success=false&message=Invalid or expired token");
 }
diff --git a/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java b/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java
index 79a206670..f8b742d20 100644
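Review bot: `referer.startsWith(allowedOrigin)` is a string-prefix test, so a Referer such as `https://<allowed-host>.attacker.example/` passes, and the header is entirely client-chosen, so any non-browser client can send a value that passes; this check cannot stand in for the signed issuer binding that this commit removes in the next hunk. Browsers also send no Referer when a link is opened from a mail client or under a restrictive Referrer-Policy, and the verification link minted in the first hunk points straight at `/api/auth/school/verify`, so unless a same-origin front-end page relays the click (not shown in these hunks) genuine users will be redirected to "Invalid request origin". If the check is kept as a guard against accidental cross-environment use, compare the parsed scheme, host and port with `java.net.URI` (needs an import) rather than a prefix, and treat a malformed header as missing rather than letting `URI` throw into a 500. The method continues past the end of this hunk.
```java
    public RedirectView verifySchoolEmail(final HttpServletRequest request) {
        // Referer is client-supplied and often absent (mail clients, Referrer-Policy),
        // so this only catches accidental cross-environment use; the signed token
        // must carry the real environment binding.
        URI allowedOrigin = URI.create(serverUrlUtils.getUrl());
        URI refererOrigin = null;
        String referer = request.getHeader("Referer");
        if (referer != null) {
            try {
                refererOrigin = new URI(referer);
            } catch (URISyntaxException e) {
                refererOrigin = null; // malformed header is treated as missing, not as a 500
            }
        }
        // Compare parsed scheme/host/port rather than a string prefix:
        // "https://host.example" is also a prefix of "https://host.example.attacker.tld".
        if (refererOrigin == null
                || refererOrigin.getHost() == null
                || !allowedOrigin.getScheme().equalsIgnoreCase(refererOrigin.getScheme())
                || !allowedOrigin.getHost().equalsIgnoreCase(refererOrigin.getHost())
                || allowedOrigin.getPort() != refererOrigin.getPort()) {
            return new RedirectView("/settings?success=false&message=Invalid request origin");
        }
        // … unchanged: session lookup, token decode, user update …
```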
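Review bot: Removing the issuer comparison leaves `jwtClient.decode` as the only check on the token, so a verification link minted by one deployment is accepted by any other deployment that validates with the same signing key; the Referer test added earlier in this commit does not replace it, because that header is supplied by the client. Keep a server-verified binding inside the signed payload — the `issuer` field this commit deletes, or a registered `iss`/`aud` claim if jwtClient can validate one — and reject the token here before its `email` is written to the user. Whether the decoded `userId` is compared with the session's user happens outside this hunk and is worth confirming while this path is being reworked.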
--- a/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java
+++ b/src/main/java/org/patinanetwork/codebloom/common/schools/magic/MagicLink.java
@@ -4,7 +4,6 @@ public class MagicLink {
 private String email;
 private String userId;
- private String issuer;
 public MagicLink() {}
@@ -13,12 +12,6 @@ public MagicLink(final String email, final String userId) {
 this.userId = userId;
 }
- public MagicLink(final String email, final String userId, final String issuer) {
- this.email = email;
- this.userId = userId;
- this.issuer = issuer;
- }
-
 public String getEmail() {
 return email;
 }
@@ -34,12 +27,4 @@ public String getUserId() {
 public void setUserId(final String userId) {
 this.userId = userId;
 }
-
- public String getIssuer() {
- return issuer;
- }
-
- public void setIssuer(final String issuer) {
- this.issuer = issuer;
- }
 }