rule /account/activate must be uncoupled & unexpired does not seem to be enforced
henriterhofte opened this issue · 1 comment
henriterhofte commented
Slide 9 of the design states:
“5. API verifies account token: must belong to uncoupled account, and must be unexpired”
This rule does not seem to be enforced currently; symptoms:
- I could use the same Firebase Dynamic Link over and over
- I tried it also on the API, by doing https://api.tst.energietransitiewindesheim.nl/docs#/default/account_activate_account_activate_post multiple times, with a successful https://api.tst.energietransitiewindesheim.nl/docs#/default/account_device_activate_account_device_activate_post in between, using a session token (which should satisfy the rule "Save long-lived session token; account activation token will expire the first time the session token is used by app" in slide 9 of the design).
Please coordinate with app devs when you (plan to) start enforcing this rule. They know it's likely coming and that they may need to create multiple uncoupled and unexpired accounts per test user.
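Added example (not code from the project's API, whose framework and schema are not shown here): a Python model of the two checks from slide 9, with an in-memory store in place of the database and an injectable clock so the expiry paths can be replayed. The names `AccountStore`, `activate_account`, `activate_device`, `session_account` and `ACTIVATION_TTL_SECONDS` are assumptions; `replay_reported_sequence` walks through the reporter's sequence (activate, device-activate with the session token, activate again) and records why each later activation is refused.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ACTIVATION_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime of an unused activation token


class ActivationError(Exception):
    """Raised when an activation or session token must be rejected."""


@dataclass
class Account:
    account_id: int
    activation_token: str
    activation_expires_at: float  # unix time; pulled forward to "now" on first session use
    session_token: Optional[str] = None
    device_id: Optional[int] = None  # None means the account is still uncoupled


class AccountStore:
    """In-memory stand-in for the API's database (assumed; not the project's schema)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._accounts: Dict[int, Account] = {}
        self._by_activation: Dict[str, int] = {}
        self._by_session: Dict[str, int] = {}

    def create_account(self) -> Account:
        token = secrets.token_urlsafe(32)
        acct = Account(len(self._accounts) + 1, token, self._now() + ACTIVATION_TTL_SECONDS)
        self._accounts[acct.account_id] = acct
        self._by_activation[token] = acct.account_id
        return acct

    def activate_account(self, activation_token: str) -> str:
        """/account/activate: exchange an activation token for a session token."""
        acct_id = self._by_activation.get(activation_token)
        if acct_id is None:
            raise ActivationError("unknown activation token")
        acct = self._accounts[acct_id]
        # Rule 1: the token must belong to an account not yet coupled to a device.
        if acct.device_id is not None:
            raise ActivationError("account already coupled to a device")
        # Rule 2: the token must be unexpired (TTL elapsed, or consumed by session use).
        if self._now() >= acct.activation_expires_at:
            raise ActivationError("activation token expired")
        # Example choice: re-activation before any session use hands back the same token.
        if acct.session_token is None:
            acct.session_token = secrets.token_urlsafe(32)
            self._by_session[acct.session_token] = acct_id
        return acct.session_token

    def session_account(self, session_token: str) -> Account:
        """Any session-authenticated call; the first one expires the activation token."""
        acct_id = self._by_session.get(session_token)
        if acct_id is None:
            raise ActivationError("unknown session token")
        acct = self._accounts[acct_id]
        acct.activation_expires_at = min(acct.activation_expires_at, self._now())
        return acct

    def activate_device(self, session_token: str, device_id: int) -> Account:
        """/account/device/activate: couple a device to the authenticated account."""
        acct = self.session_account(session_token)
        if acct.device_id is not None:
            raise ActivationError("account already coupled to a device")
        acct.device_id = device_id
        return acct


def _outcome(call: Callable[[], object]) -> str:
    try:
        call()
        return "accepted"
    except ActivationError as exc:
        return str(exc)


def replay_reported_sequence() -> Dict[str, str]:
    """Replay the reporter's steps against a fake clock and record each verdict."""
    clock = [1_700_000_000.0]  # constructed: controllable "now"
    store = AccountStore(now=lambda: clock[0])
    verdicts: Dict[str, str] = {}

    acct = store.create_account()
    session = store.activate_account(acct.activation_token)
    # Until the session token is used, the rule still permits re-activation.
    verdicts["reactivate_before_use"] = _outcome(lambda: store.activate_account(acct.activation_token))
    store.activate_device(session, device_id=42)  # first session use and coupling
    verdicts["activate_after_device"] = _outcome(lambda: store.activate_account(acct.activation_token))

    used = store.create_account()  # session used, but no device coupled yet
    store.session_account(store.activate_account(used.activation_token))
    verdicts["activate_after_session_use"] = _outcome(lambda: store.activate_account(used.activation_token))

    stale = store.create_account()  # link never used, TTL runs out
    clock[0] += ACTIVATION_TTL_SECONDS + 1
    verdicts["activate_after_ttl"] = _outcome(lambda: store.activate_account(stale.activation_token))
    return verdicts


if __name__ == "__main__":
    for step, verdict in replay_reported_sequence().items():
        print(f"{step}: {verdict}")
```

The coupling check runs before the expiry check, so the reporter's exact sequence is refused as "account already coupled to a device"; an account whose session token was used but never coupled is refused as expired, as is a link that simply sat unused past the TTL. Note that, read literally, slide 9 does allow the same link to be used more than once as long as the session token has not been used yet, which is what `reactivate_before_use` shows.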
arpe commented
I confirm this is not enforced, and needs to be fixed.