[v12.0/forgejo] fix: delete old auth token upon replacing primary email (#9087)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9076

When the primary email is changed before it is validated, the URL sent for validation purposes must be invalidated. It was previously possible use to delay use of the URL to validate the primary email and modify the primary email in the meantime. It allowed to validate the newer primary email using the older primary email, effectively bypassing validation.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9076): <!--number 9076 --><!--line 0 --><!--description ZGVsZXRlIG9sZCBhdXRoIHRva2VuIHVwb24gcmVwbGFjaW5nIHByaW1hcnkgZW1haWw=-->delete old auth token upon replacing primary email<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9087
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>

services/user/TestReplaceInactivePrimaryEmail/forgejo_auth_token.yml

@@ -0,0 +1,5 @@
+-
+ id: 1001
+ uid: 10
+ lookup_key: unique
+ purpose: user_activation

services/user/email.go

@@ -9,6 +9,7 @@ import (
 	"errors"
 	"strings"
 
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/setting"
@@ -171,6 +172,11 @@ func ReplaceInactivePrimaryEmail(ctx context.Context, oldEmail string, email *us
 		return err
 	}
 
+	// Delete previous activation token.
+	if err := auth_model.DeleteAuthTokenByUser(ctx, user.ID); err != nil {
+		return err
+	}
+
 	return DeleteEmailAddresses(ctx, user, []string{oldEmail})
 }
 

services/user/email_test.go

@@ -6,6 +6,7 @@ package user
 import (
 	"testing"
 
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	organization_model "forgejo.org/models/organization"
 	"forgejo.org/models/unittest"
@@ -123,25 +124,34 @@ func TestAddEmailAddresses(t *testing.T) {
 }
 
 func TestReplaceInactivePrimaryEmail(t *testing.T) {
+	defer unittest.OverrideFixtures("services/user/TestReplaceInactivePrimaryEmail/")()
 	require.NoError(t, unittest.PrepareTestDatabase())
 
-	email := &user_model.EmailAddress{
-		Email: "user9999999@example.com",
-		UID:   9999999,
-	}
-	err := ReplaceInactivePrimaryEmail(db.DefaultContext, "user10@example.com", email)
-	require.Error(t, err)
-	assert.True(t, user_model.IsErrUserNotExist(err))
+	t.Run("User doesn't exist", func(t *testing.T) {
+		email := &user_model.EmailAddress{
+			Email: "user9999999@example.com",
+			UID:   9999999,
+		}
+		err := ReplaceInactivePrimaryEmail(db.DefaultContext, "user10@example.com", email)
+		require.Error(t, err)
+		assert.True(t, user_model.IsErrUserNotExist(err))
+	})
 
-	email = &user_model.EmailAddress{
-		Email: "user201@example.com",
-		UID:   10,
-	}
-	err = ReplaceInactivePrimaryEmail(db.DefaultContext, "user10@example.com", email)
-	require.NoError(t, err)
+	t.Run("Normal", func(t *testing.T) {
+		unittest.AssertExistsIf(t, true, &auth_model.AuthorizationToken{UID: 10})
 
-	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 10})
-	assert.Equal(t, "user201@example.com", user.Email)
+		email := &user_model.EmailAddress{
+			Email: "user201@example.com",
+			UID:   10,
+		}
+		err := ReplaceInactivePrimaryEmail(db.DefaultContext, "user10@example.com", email)
+		require.NoError(t, err)
+
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 10})
+		assert.Equal(t, "user201@example.com", user.Email)
+
+		unittest.AssertExistsIf(t, false, &auth_model.AuthorizationToken{UID: 10})
+	})
 }
 
 func TestDeleteEmailAddresses(t *testing.T) {