Skip to content

fix(security): prevent untrusted ATProto email from overwriting user data#551

Merged
tompscanlan merged 5 commits intomainfrom
fix/atproto-email-trust
Mar 5, 2026
Merged

fix(security): prevent untrusted ATProto email from overwriting user data#551
tompscanlan merged 5 commits intomainfrom
fix/atproto-email-trust

Conversation

@tompscanlan
Copy link
Copy Markdown
Contributor

@tompscanlan tompscanlan commented Mar 5, 2026

Summary

  • Skip email-overwrite branch in findOrCreateUser() for Bluesky/ATProto providers — a malicious PDS can self-report emailConfirmed=true for any email
  • Force profile.emailConfirmed = false early in findOrCreateUser() for ATProto providers so email is stored but never treated as verified
  • Defense-in-depth: both the early mutation and an explicit !isUntrustedEmailProvider guard protect the email-overwrite path

Test Plan

  • New test: Bluesky OAuth with different verified email does NOT overwrite existing user email
  • New test: INACTIVE Bluesky user is NOT activated when PDS reports emailConfirmed=true
  • New test: Google OAuth (trusted provider) can still update user email
  • Updated existing tests to use Google provider for trusted-email scenarios
  • Full test suite passes (138 suites, 1888 tests)
  • Type check clean (no new errors)
  • Lint clean on changed files

@tompscanlan
fix(security): skip email overwrite for untrusted ATProto providers
9a25c35 
Bluesky/ATProto PDS can self-report emailConfirmed=true for any email.
Never overwrite an existing user's email based on ATProto OAuth data.

Issue: om-ibft
@tompscanlan
fix(security): force emailConfirmed=false for ATProto providers
e654272 
PDS-reported emailConfirmed is untrusted. Force it to false early in
findOrCreateUser() so email is stored but never treated as verified.
Users still get ACTIVE status via DID identity proof.

Issue: om-ibft
@tompscanlan
test: update email trust tests for ATProto provider changes
705e70a 
Switch tests that verified email-update and activation behavior to use
Google provider (trusted). Bluesky email trust is now covered by new
security tests. Update Email Handling tests to expect INACTIVE status
when Bluesky provides email without trusted verification.

Issue: om-ibft
@tompscanlan
test: add regression test for trusted provider email updates
a5caca1 
Verify Google OAuth can still update user email (trusted provider).

Issue: om-ibft
@tompscanlan
style: fix lint issues in ATProto email trust tests
0560316 
Fix prettier formatting and unused variable in test added by e654272.

Issue: om-ibft
@tompscanlan tompscanlan merged commit 01c5f71 into main Mar 5, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tompscanlan