safe-global / safe-client-gateway / 26581380639
90%

DEFAULT BRANCH: main
Ran
Jobs 2
Files 1191
Run time 4min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 89.722% (+0.03%) from 89.695%
26581380639

push

github

web-flow 
feat(auth): require verified email for OIDC sign-in (#3101)

* feat(auth): require verified email for OIDC sign-in

Reject the OIDC sign-in early when the ID token carries an email
claim without `email_verified: true`. Closes the "double user
entry" path where an OIDC user could be created alongside an
unclaimed email-invite placeholder, and the user could never be
linked.

- New UserEmailNotVerifiedError (UnauthorizedException, 401,
  code `email_not_verified_error`).
- Guard in OidcAuthService.authenticateWithOidc fires before the
  repository call.
- No-email sign-ins are unaffected (the guard only triggers when
  the token carries an email).
- Spec updated: the previous "pass an unverified email through"
  test is replaced with two rejection cases (explicit `false` and
  missing `email_verified`); the propagation test now uses a
  verified email so the repo call still runs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(users): require verified email, persist at INSERT, reject mismatch

Follow-up cleanup enabled by the verified-email guard added in the
preceding commit. With the auth-service now rejecting any sign-in
that lacks a verified email, the repository can simplify and
tighten its contract.

- findOrCreateByExtUserIdWithEmail takes a non-optional `email`
  argument (`{ address: string }`) — every OIDC sign-in that
  reaches the repo has one.
- The user row is INSERTed with the email atomically; the
  follow-up UPDATE step is gone. Race recovery now distinguishes
  between an extUserId collision (recover via lookup) and an email
  collision (surface as UserEmailAlreadyInUseError).
- The unverified-email branches in `handleUserEmail` /
  `assertEmailNotTaken` are no longer reachable and have been
  removed; persistVerifiedEmail becomes persistEmail, used only
  for the "existing user, no email yet" top-up case.
- New UserEmailMismatchError (401, code `email_mismatch_error`):
  thrown when an existing extUse... (continued)

4297 of 5158 branches covered (83.31%)

Branch coverage included in aggregate %.

22 of 24 new or added lines in 2 files covered. (91.67%)

2 existing lines in 1 file now uncovered.

16208 of 17696 relevant lines covered (91.59%)

587.82 hits per line

Uncovered Changes

Lines Coverage File
2
84.85
 0.0% src/modules/users/domain/users.repository.ts

Coverage Regressions

Lines Coverage File
2
84.85
 0.0% src/modules/users/domain/users.repository.ts
Jobs
ID Job ID Ran Files Coverage
1 run-integration-tests - 26581380639.1 2285
78.06
 GitHub Action Run
2 run-unit-tests - 26581380639.2 2088
57.71
 GitHub Action Run
Source Files on build 26581380639