issue #1592 - email_for_token returns need_password: true when no password has been chosen.

lib/db/json.js

@@ -236,7 +236,7 @@ exports.emailForVerificationSecret = function(secret, cb) {
   process.nextTick(function() {
     sync();
     if (!db.staged[secret]) return cb("no such secret");
-    cb(null, db.staged[secret].email, db.staged[secret].existing_user);
+    cb(null, db.staged[secret].email, db.staged[secret].existing_user, db.staged[secret].passwd);
   });
 };
 

lib/db/mysql.js

@@ -265,14 +265,14 @@ exports.haveVerificationSecret = function(secret, cb) {
 
 exports.emailForVerificationSecret = function(secret, cb) {
   client.query(
-    "SELECT email, existing_user FROM staged WHERE secret = ?", [ secret ],
+    "SELECT email, existing_user, passwd FROM staged WHERE secret = ?", [ secret ],
     function(err, rows) {
       if (err) return cb("database unavailable");
 
       // if the record was not found, fail out
       if (!rows || rows.length != 1) return cb("no such secret");
 
-      cb(null, rows[0].email, rows[0].existing_user);
+      cb(null, rows[0].email, rows[0].existing_user, rows[0].passwd);
     });
 };
 

lib/wsapi/email_for_token.js

@@ -19,7 +19,7 @@ exports.args = ['token'];
 exports.i18n = false;
 
 exports.process = function(req, res) {
-  db.emailForVerificationSecret(req.query.token, function(err, email, uid) {
+  db.emailForVerificationSecret(req.query.token, function(err, email, uid, hash) {
     if (err) {
       if (err === 'database unavailable') {
         httputils.serviceUnavailable(res, err);
@@ -30,24 +30,64 @@ exports.process = function(req, res) {
         });
       }
     } else {
-      // must the user authenticate?  This is true if they are not authenticated
-      // as the uid who initiated the verification, and they are not on the same
-      // browser as the initiator
-      var must_auth = true;
+      function checkMustAuth() {
+        // must the user authenticate?  This is true if they are not authenticated
+        // as the uid who initiated the verification, and they are not on the same
+        // browser as the initiator
+        var must_auth = true;
 
-      if (uid && req.session.userid === uid) {
-        must_auth = false;
+        if (uid && req.session.userid === uid) {
+          must_auth = false;
+        }
+        else if (!uid && typeof req.session.pendingCreation === 'string' &&
+                 req.query.token === req.session.pendingCreation) {
+          must_auth = false;
+        }
+
+        res.json({
+          success: true,
+          email: email,
+          must_auth: must_auth
+        });
+      }
+
+      // backwards compatibility - issue #1592
+      // if there is no password in the user record, and no password in the staged
+      // table, then we require a password be fetched from the user upon verification.
+      // these checks are temporary and should disappear in 1 trains time.
+      function needsPassword() {
+        // no password is set neither in the user table nor in the staged record.
+        // the user must pick a password
+        res.json({
+          success: true,
+          email: email,
+          needs_password: true
+        });
       }
-      else if (!uid && typeof req.session.pendingCreation === 'string' &&
-               req.query.token === req.session.pendingCreation) {
-        must_auth = false;
+
+      if (!hash) {
+        if (!uid) {
+          needsPassword();
+        } else {
+          db.checkAuth(uid, function(err, hash) {
+            if (err) {
+              return res.json({
+                success: false,
+                reason: err
+              });
+            }
+
+            if (!hash) {
+              needsPassword();
+            } else {
+              checkMustAuth();
+            }
+          });
+        }
+      } else {
+        checkMustAuth();
       }
 
-      res.json({
-        success: true,
-        email: email,
-        must_auth: must_auth
-      });
     }
   });
 };