fix(auth-emailpass): allow email update in updateProvider method #15050
ashif323 wants to merge 1 commit into medusajs:develop from
Conversation
@ashif323 is attempting to deploy a commit to the medusajs Team on Vercel. A member of the Team first needs to authorize it.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit d4565f9.
```ts
authIdentity = await authIdentityService.update(entity_id, {
  provider_metadata: providerMetadataUpdate,
  user_metadata: userMetadataUpdate,
})
```
Empty metadata objects always sent to update call
Medium Severity
The update method always passes both provider_metadata and user_metadata to authIdentityService.update(), even when they're empty objects. When only updating email, provider_metadata: {} is sent; when only updating password, user_metadata: {} is sent; when neither is provided, both are {}. This is safe only because MikroORM's assign uses mergeObjectProperties: true, which merges rather than replaces JSON columns. If that option ever changes or the update pipeline is refactored, empty objects would overwrite existing data (e.g., wiping the password hash). The update payload object could be built conditionally so only non-empty metadata fields are included.
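The conditional-payload shape the review asks for, as an added TypeScript example that is not Medusa's code: the password is hashed into `provider_metadata` and the email written to `user_metadata` only when each is supplied, and a stand-in persistence layer with replace (not merge) semantics shows why the always-both-columns form wipes the stored hash. The names `naivePayload`, `conditionalPayload`, `persistReplacing` and the scrypt hasher are assumptions.

```typescript
// Added example (not Medusa's code): build the emailpass identity update so that
// only supplied fields reach the identity service, and show why always sending
// both JSON columns is fragile when the store replaces rather than merges them.
import { randomBytes, scryptSync } from "crypto"

// Hypothetical input shape mirroring the PR's update(): entity_id plus
// optional email and/or password.
export type UpdateInput = { entity_id: string; email?: string; password?: string }

// Hypothetical shape of the identity's two JSON metadata columns.
export type IdentityMetadata = {
  provider_metadata: Record<string, unknown>
  user_metadata: Record<string, unknown>
}

// Assumption: Node's scrypt stands in for the project's password hasher.
export function hashPassword(password: string, salt = randomBytes(16)): string {
  return `${salt.toString("hex")}:${scryptSync(password, salt, 64).toString("hex")}`
}

// Naive payload: both columns are always present, as {} when nothing changed.
export function naivePayload(input: UpdateInput): Partial<IdentityMetadata> {
  return {
    provider_metadata: input.password ? { password: hashPassword(input.password) } : {},
    user_metadata: input.email ? { email: input.email } : {},
  }
}

// Conditional payload: a column is included only when it actually changes;
// null means nothing was supplied and the caller should skip the update.
export function conditionalPayload(input: UpdateInput): Partial<IdentityMetadata> | null {
  const payload: Partial<IdentityMetadata> = {}
  if (input.password) payload.provider_metadata = { password: hashPassword(input.password) }
  if (input.email) payload.user_metadata = { email: input.email }
  return Object.keys(payload).length > 0 ? payload : null
}

// Stand-in persistence layer that REPLACES each JSON column it receives instead
// of merging (the behaviour the review warns about if mergeObjectProperties
// ever stops being true). Returns the stored record after the update.
export function persistReplacing(
  existing: IdentityMetadata,
  payload: Partial<IdentityMetadata> | null
): IdentityMetadata {
  if (payload === null) return existing
  return { ...existing, ...payload }
}
```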
c457b06 to c3be8df
- Added email field to update method type signature
- Email is now saved to user_metadata when passed to updateProvider
- Password remains optional, both fields can be updated independently
- Added integration tests for email and password update scenarios

Fixes medusajs#14921
c3be8df to 5d4388a
@medusajs-bot review this
Thank you for your contribution! After reviewing this PR, we need a few things addressed before we can move forward:

Required changes:

Concerns: The PR description says "Email is now saved to

```ts
authIdentity = await authIdentityService.retrieve({
  entity_id: email,
})
```

The Could you clarify whether the intent is to update Thanks!


What
Fixes #14921

`authModuleService.updateProvider` was not allowing email updates for emailpass provider. Only password updates were supported despite the docs stating email can also be updated.

Why
In `EmailPassAuthService.update()`, the `email` field was completely absent from the type signature and never destructured or saved. Only `password` was handled.

How
- Added `email?` to the `update` method type signature
- Email is saved to `user_metadata` when passed
Medium Risk
Touches authentication provider update logic by allowing
user_metadata.emailupdates and always calling the identity service update, which could affect identity persistence if callers relied on previous no-op behavior. Also expands admin price list remote query fields to include nested price details, potentially increasing payload size and query cost.Overview
Auth email/password provider:
EmailPassAuthService.updatenow accepts optionalemailandpassword, hashes and updates the password inprovider_metadata, and persists email changes touser_metadata; new integration tests cover missingentity_id, password-only updates, and email-only updates.Admin price lists: Expands
adminPriceListRemoteQueryFieldsinprice-lists/query-config.tsto include additional nestedprices.*fields (ids, amounts/quantities, raw values, timestamps, rules, and variant id) in admin price list queries.Reviewed by Cursor Bugbot for commit d4565f9. Bugbot is set up for automated code reviews on this repo. Configure here.