From 9ac2ea0180826cd2f65e679524aabfb10666e973 Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Thu, 3 Oct 2024 01:57:11 -0700
Subject: [PATCH] fix: bypass check for token & verify endpoints (#1785)

## What kind of change does this PR introduce?
* Allow requests to skip check for authorized email addresses for /token and /verify endpoints
## What is the current behavior?
Please link any relevant issues here.
## What is the new behavior?
Feel free to include screenshots if it includes visual changes.
## Additional context
Add any other context or screenshots.
---
 internal/api/middleware.go | 5 ++++-
 internal/api/middleware_test.go | 14 ++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/internal/api/middleware.go b/internal/api/middleware.go
index 3b56f59d1..e2598b180 100644
--- a/internal/api/middleware.go
+++ b/internal/api/middleware.go
@@ -173,11 +173,14 @@ func isIgnoreCaptchaRoute(req *http.Request) bool {
 
 var emailLabelPattern = regexp.MustCompile("[+][^@]+@")
 
+// we don't need to enforce the check on these endpoints since they don't send emails
+var containsNonEmailSendingPath = regexp.MustCompile(`^/(admin|token|verify)`)
+
 func (a *API) isValidAuthorizedEmail(w http.ResponseWriter, req *http.Request) (context.Context, error) {
 	ctx := req.Context()
 
 	// skip checking for authorized email addresses if it's an admin request
-	if strings.HasPrefix(req.URL.Path, "/admin") || req.Method == http.MethodGet || req.Method == http.MethodDelete {
+	if containsNonEmailSendingPath.MatchString(req.URL.Path) || req.Method == http.MethodGet || req.Method == http.MethodDelete {
 		return ctx, nil
 	}
 
diff --git a/internal/api/middleware_test.go b/internal/api/middleware_test.go
index 7056d91dd..77065e5b3 100644
--- a/internal/api/middleware_test.go
+++ b/internal/api/middleware_test.go
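Review bot: The new `containsNonEmailSendingPath` pattern is anchored only at the start of the path, so the authorized-email check is skipped for every path that merely begins with one of those segments (`/tokens`, `/verify-anything`, or any route added later under those prefixes), not just `/token` and `/verify`; the old `strings.HasPrefix(req.URL.Path, "/admin")` had the same prefix semantics, but widening the exemption to two more prefixes makes it worth closing. Anchoring the segment end keeps the bypass to the intended routes: `var containsNonEmailSendingPath = regexp.MustCompile(`^/(admin|token|verify)(/|$)`)`. The comment above the `if` still says "if it's an admin request" and no longer describes the condition; suggest `// skip the authorized-email check for admin requests and for endpoints that never send email`. The body of isValidAuthorizedEmail continues past the end of the hunk, so whatever it does after this guard is not visible here.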
@@ -531,6 +531,20 @@ func (ts *MiddlewareTestSuite) TestIsValidAuthorizedEmail() {
 				"email": "test@example.com",
 			},
 		},
+		{
+			desc: "bypass check for token endpoint",
+			reqPath: "/token",
+			body: map[string]interface{}{
+				"email": "valid@example.com",
+			},
+		},
+		{
+			desc: "bypass check for verify endpoint",
+			reqPath: "/token",
+			body: map[string]interface{}{
+				"email": "valid@example.com",
+			},
+		},
 		{
 			desc: "bypass check if no email in request body",
 			reqPath: "/signup",
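Review bot: The second added case is described as "bypass check for verify endpoint" but sets `reqPath: "/token"`, so it is a duplicate of the token case and the `/verify` exemption introduced in middleware.go is never exercised by this test; it should read `reqPath: "/verify",`. Since the new pattern in middleware.go matches by prefix, a negative case with an unlisted path (for example the existing `/signup` case with an unauthorized email, if the table already has one) is what guards against the exemption silently widening. TestIsValidAuthorizedEmail starts before and continues after this hunk, so the assertions that consume these table entries are not visible here.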