
fix(security): prevent untrusted ATProto email from overwriting user data#551

Merged: tompscanlan merged 5 commits into main from fix/atproto-email-trust on Mar 5, 2026


Conversation

@tompscanlan (Contributor)

Summary

  • Skip email-overwrite branch in findOrCreateUser() for Bluesky/ATProto providers — a malicious PDS can self-report emailConfirmed=true for any email
  • Force profile.emailConfirmed = false early in findOrCreateUser() for ATProto providers so email is stored but never treated as verified
  • Defense-in-depth: both the early mutation and an explicit !isUntrustedEmailProvider guard protect the email-overwrite path

Test Plan

  • New test: Bluesky OAuth with different verified email does NOT overwrite existing user email
  • New test: INACTIVE Bluesky user is NOT activated when PDS reports emailConfirmed=true
  • New test: Google OAuth (trusted provider) can still update user email
  • Updated existing tests to use Google provider for trusted-email scenarios
  • Full test suite passes (138 suites, 1888 tests)
  • Type check clean (no new errors)
  • Lint clean on changed files
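The trust rule described in the summary above, as an added example that is not the project's own code: a minimal findOrCreateUser() in TypeScript that carries both guards, the early emailConfirmed=false mutation for ATProto providers and the explicit !isUntrustedEmailProvider check on the email-overwrite path. The User and OAuthProfile shapes, the ACTIVE/INACTIVE transitions, the provider names and the field names are assumptions for illustration; activation through DID identity proof, which the commits mention, is deliberately left out so the example only shows what a self-reported email claim may and may not do.

```typescript
// Added example (not the project's own code): a minimal findOrCreateUser()
// applying the rule from this PR. Type names, field names and the
// ACTIVE/INACTIVE status model are assumptions for illustration.

type UserStatus = "ACTIVE" | "INACTIVE";

interface Identity {
  provider: string;   // e.g. "google", "bluesky"
  providerId: string; // OIDC "sub" for Google, the DID for ATProto
}

interface User {
  id: string;
  email: string | null;
  emailVerified: boolean; // true only when a trusted provider confirmed it
  status: UserStatus;
  identities: Identity[];
}

interface OAuthProfile {
  provider: string;
  providerId: string;
  email?: string;
  emailConfirmed: boolean; // as claimed by the provider; not yet trusted
}

// Providers whose emailConfirmed claim comes from a server the account holder
// may control (a self-hosted ATProto PDS), so the claim proves nothing.
const UNTRUSTED_EMAIL_PROVIDERS = new Set(["bluesky", "atproto"]);

function isUntrustedEmailProvider(provider: string): boolean {
  return UNTRUSTED_EMAIL_PROVIDERS.has(provider.toLowerCase());
}

let nextId = 1;

function findOrCreateUser(users: User[], incoming: OAuthProfile): User {
  // Guard 1: neutralise the claim early, on a copy, so every later branch
  // (creation, overwrite, activation) sees emailConfirmed=false for ATProto.
  const profile: OAuthProfile = { ...incoming };
  if (isUntrustedEmailProvider(profile.provider)) {
    profile.emailConfirmed = false;
  }

  const existing = users.find((u) =>
    u.identities.some(
      (i) => i.provider === profile.provider && i.providerId === profile.providerId,
    ),
  );

  if (!existing) {
    // New account: the email is stored so the user can verify it later, but it
    // is only marked verified (and the account only ACTIVE) when the claim
    // came from a trusted provider.
    const user: User = {
      id: `u${nextId++}`,
      email: profile.email ?? null,
      emailVerified: profile.emailConfirmed,
      status: profile.emailConfirmed ? "ACTIVE" : "INACTIVE",
      identities: [{ provider: profile.provider, providerId: profile.providerId }],
    };
    users.push(user);
    return user;
  }

  // Guard 2 (defense in depth): even if a later change stops forcing
  // emailConfirmed=false above, the explicit provider check still keeps a
  // self-reported email from overwriting or activating an existing account.
  const trustedVerifiedEmail =
    profile.email !== undefined &&
    profile.emailConfirmed &&
    !isUntrustedEmailProvider(profile.provider);

  if (trustedVerifiedEmail && profile.email !== existing.email) {
    existing.email = profile.email ?? null;
    existing.emailVerified = true;
  }
  if (trustedVerifiedEmail && existing.status === "INACTIVE") {
    existing.status = "ACTIVE";
  }
  return existing;
}
```

The two guards are intentionally redundant: the early mutation protects any branch someone adds later without thinking about provider trust, while the explicit check documents the invariant at the one place where a verified email changes account state. Working on a copy of the profile also keeps the mutation from leaking into audit logging or other callers that still want to see what the PDS actually claimed.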

Bluesky/ATProto PDS can self-report emailConfirmed=true for any email.
Never overwrite an existing user's email based on ATProto OAuth data.

Issue: om-ibft
PDS-reported emailConfirmed is untrusted. Force it to false early in
findOrCreateUser() so email is stored but never treated as verified.
Users still get ACTIVE status via DID identity proof.

Issue: om-ibft
Switch tests that verified email-update and activation behavior to use
Google provider (trusted). Bluesky email trust is now covered by new
security tests. Update Email Handling tests to expect INACTIVE status
when Bluesky provides email without trusted verification.

Issue: om-ibft
Verify Google OAuth can still update user email (trusted provider).

Issue: om-ibft
Fix prettier formatting and unused variable in test added by e654272.

Issue: om-ibft
tompscanlan merged commit 01c5f71 into main on Mar 5, 2026. 4 checks passed.