
"Start Account Recovery" Process Doesn't Update to Alternate Email Address

Open Thespi-Brain opened this issue 1 year ago • 2 comments

What's the problem this feature will solve?

Currently, when a user with existing projects requests an email update/change, as part of the account verification process, the "start account recovery" function doesn't automatically update to the user's new/preferred email address after branch verification has been completed. This feature will remove the need for PyPI Support and/or Admin to manually update a user's email address.

Describe the solution you'd like

An ideal solution would be: when the account verification process is initiated, if an input for an alternate email exists, the "Complete Recovery" function should also update a user's primary email address to the alternate email address, in addition to its current functionality of resetting the 2FA and recovery codes.

Additional context

Thespi-Brain avatar Aug 06 '24 01:08 Thespi-Brain

View configuration source here: https://github.com/pypi/warehouse/blob/96741388d3807bc41b279e18de72c0aa59b39d73/warehouse/admin/views/users.py#L543-L578

Noticing that the variable override_to_email is persisted on account_recovery.payload["override_to_email"] - so that's somewhere we could leverage to find the alternate email and set it to primary on completion.

@Thespi-Brain Considering that post-account-recovery completion, the user would have a new primary, but unverified, email address, the user would also have to complete the email verification step.

Unless you think that the account recovery process, by which we sent an email to the alternate (new) email, is sufficient to confirm validity of the email address, and we can skip that step?

miketheman avatar Aug 08 '24 18:08 miketheman

@miketheman There have been lots of cases/issues where the alternate email of the user was already part of their account and it was verified, it just wasn't the primary email address and users for various reasons couldn't change it to make it their primary. So, I think in those instances where the alternate email is already verified, the functionality just needs to update it to primary on completion.

In the instances where the alternate email is a brand new email to the user account, verifying it would be a good idea!

Thespi-Brain avatar Aug 09 '24 17:08 Thespi-Brain
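
The completion behaviour discussed in this thread, as an added example that is not Warehouse code and not written by either participant: an already-verified alternate is promoted directly, while a brand-new one becomes primary but still needs verification. The `Email` and `User` classes, `complete_recovery`, and the `recovery_confirms_address` switch (modelling the open question of whether the recovery email itself confirms the address) are hypothetical; only the `override_to_email` payload key comes from the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Email:  # hypothetical stand-in, not Warehouse's model
    address: str
    verified: bool = False
    primary: bool = False


@dataclass
class User:  # hypothetical stand-in, not Warehouse's model
    emails: list = field(default_factory=list)


def complete_recovery(user, payload, recovery_confirms_address=False):
    """Apply the alternate email recorded when recovery was started.

    Returns "unchanged", "promoted" (verified primary in place) or
    "needs_verification" (caller must still run email verification).
    """
    override = (payload.get("override_to_email") or "").strip()
    if not override:
        return "unchanged"  # recovery was started without an alternate email

    # Case-insensitive match so "ALT@example.com" finds a stored "alt@example.com".
    match = next(
        (e for e in user.emails if e.address.lower() == override.lower()), None
    )
    if match is None:
        # Brand-new address for this account: attach it unverified.
        match = Email(address=override)
        user.emails.append(match)

    if recovery_confirms_address:
        # Assumption: policy decides the recovery email proves control.
        match.verified = True

    # Exactly one primary address after completion.
    for e in user.emails:
        e.primary = e is match
    return "promoted" if match.verified else "needs_verification"


if __name__ == "__main__":
    # Constructed sample account and payload.
    u = User([Email("old@example.com", True, True), Email("alt@example.com", True)])
    print(complete_recovery(u, {"override_to_email": "alt@example.com"}))
```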