createUser: mark emails as unverified on creation

[bobheadxi]

Today, users created with mutation { createUser } automatically have their emails marked as verified, even if the email is bogus. This could cause us to automatically send potentially large numbers of emails automatically to nonexistent email addresses (see https://github.com/sourcegraph/customer/issues/1790). To mitigate this, this change marks the emails of created users as unverified if SMTP is configured.

This has implications for Cloud instances, where mutation { createUser } is frequently used to create initial admin users. After this change, these users may receive a more limited set of emails (i.e. https://github.com/sourcegraph/sourcegraph/pull/46184) and have limited capabilities (i.e. unable to link account via external service) until they verify their email by:

1. using a "set password" or "reset password" link delivered by email (https://github.com/sourcegraph/sourcegraph/pull/46307)
2. using "verify email" in user settings to send an email verification
3. a site admin verifying the user email manually via setUserEmailVerified mutation or UI

Test plan

I've added new unit tests that cover the old and new set password behaviour on the mutation.

Manual test:

1. sg start, configured with SMTP in dev-private
2. Site admin -> users -> create testuser with email
3. Site admin -> users -> testuser -> emails -> primary email is unverified
4. Log out
5. CLick password reset link in email
6. Log in
7. User -> emails -> primary email is verified

[bobheadxi]

Current dependencies on/for this PR:

• main
  • PR client: remove deprecated authenticatedUser.email #46183
    • PR email: do not send certain emails to unverified emails #46184
      • PR createUser: mark emails as unverified on creation #46187 👈

This comment was auto-generated by Graphite.

[sg-e2e-regression-test-bob]

Bundle size report 📦

Initial size	Total size	Async size	Modules
0.00% (0.00 kb)	0.00% (+0.34 kb)	0.00% (+0.34 kb)	0.00% (0)

Look at the Statoscope report for a full comparison between the commits c94542c and 40ab277 or learn more.

Open explanation

• Initial size is the size of the initial bundle (the one that is loaded when you open the page)
• Total size is the size of the initial bundle + all the async loaded chunks
• Async size is the size of all the async loaded chunks
• Modules is the number of modules in the initial bundle

[unknwon]

• We could send a verification email on user creation, but these aren't needed if an admin expects a user to sign in via an external service, and would send an extra email on top of the password reset link if needed. This is also awkward because you must sign in before you click the verification.

IIRC, if an account is pre-created with an unverified and the user is expected to sign in via an external service, a brand new account is always created because we only consider account linking by verified emails. Not saying we can't change the current behavior, just want to call out the implication.

• We could bundle verification into the password reset, but it's unclear how worthwhile this investment is at the moment - I could implement this in a follow-up PR if required.

For a best possible UX, I believe we should. I can't recall another product that wants me to do both when I get an account... If we trust the password reset link being sent to an email, there seems no reason we can't in turn trust the email itself, right?

[unknwon]

Minor thinking: should we keep the current behavior if SMTP is not configured?

[bobheadxi]

Minor thinking: should we keep the current behavior if SMTP is not configured?

SMTP configuration is not static - you might not set up SMTP until some time after an instance is stood up, for example. Also, whether the email is verified or not doesn't impact instances that don't have SMTP set up, since we cannot send emails anyway

Update: actually, I think you may be right - a lot of other functionality (login, external accounts) key on validated emails, so retaining the old behaviour is probably best. Instances that care should set up SMTP before onboarding users

IIRC, if an account is pre-created with an unverified and the user is expected to sign in via an external service, a brand new account is always created because we only consider account linking by verified emails. Not saying we can't change the current behavior, just want to call out the implication.

Ah, you are right. I think I'll look harder look at having the password reset also handle email verification before making this change then

Update: see https://github.com/sourcegraph/sourcegraph/pull/46307

[bobheadxi]

@kopancek thanks for the first round of reviews - I've addressed your comments and updated the behaviour, would appreciate a review when you get the chance!

[mrnugget]

Do we also need to update docs?

[bobheadxi]

@mrnugget I've created some docs around email verification here: https://github.com/sourcegraph/sourcegraph/pull/46187/commits/00d5137881812fc280f7b7265df34aadcb2e28d3

[sourcegraph-bot]

Codenotify: Notifying subscribers in CODENOTIFY files for diff 40ab277...c94542c.

Notify	File(s)
@sourcegraph/delivery	doc/admin/auth/index.md doc/admin/config/email.md

[mrnugget]

Thanks!

[kopancek]

Looks good to me. Added small suggestions that should not block PR merge.

[kopancek]

I think it would be better to have a link that points to the site config schema definition here. Not sure how feasible that is though 🤔

[bobheadxi]

Added a link!

[bobheadxi]

Trick seems to be to view the site_config page in browser, and get the anchor link through there