iachat/app
Shivam Mishra 284977687c
fix: patch Devise confirmable race condition vulnerability (#13843)

Devise 4.9.x has a race condition in the reconfirmable flow where
concurrent email change requests can desynchronize the confirmation
token from `unconfirmed_email`, letting an attacker confirm an email
they don't own. We use `:confirmable` with `reconfirmable = true`, so
we're directly exposed.

The upstream fix is in Devise 5.0.3, but we can't upgrade —
`devise-two-factor` only supports Devise 5 from v6.4.0, which also
raised its Rails minimum to 7.2+. No released version supports both
Devise 5 and Rails 7.1.

This PR ports the Devise 5.0.3 fix locally by overriding
`postpone_email_change_until_confirmation_and_regenerate_confirmation_token`
on the User model to persist the record before regenerating the token.
This is a stopgap — remove it once the dependency chain allows upgrading
to Devise 5.

### How to test

Sign in as a confirmed user and change your email. The app should send a
confirmation to the new address while keeping the current email
unchanged until confirmed.

2026-03-18 21:30:09 -07:00

| Name | Last commit | Date |
| --- | --- | --- |
| actions | fix: Skip redundant contact saves in ContactIdentifyAction (#13778) | 2026-03-11 21:40:38 -07:00 |
| assets | feat: Hide installation identifier (#11722) | 2025-06-17 15:45:40 -07:00 |
| builders | fix: Handle Facebook reel attachment type (#13691) | 2026-03-06 08:49:41 +04:00 |
| channels | fix: Move contact events to account stream rather than individual user stream (#11082) | 2025-03-13 17:46:48 -07:00 |
| controllers | feat(widget): Allow widget loading in mobile app WebViews when domain restrictions are set (#13763) | 2026-03-17 14:29:41 +04:00 |
| dashboards | fix(super-admin): prefill confirmed_at in new user form (#13662) | 2026-03-10 12:14:58 +05:30 |
| dispatchers | feat(ee): Add Captain features (#10665) | 2025-01-14 16:15:47 -08:00 |
| drops | feat: Add the support for custom attributes in message variables (#8511) | 2023-12-08 14:13:35 -08:00 |
| fields | fix(super-admin): prefill confirmed_at in new user form (#13662) | 2026-03-10 12:14:58 +05:30 |
| finders | feat: Add a priority + created at sort for conversations (#13658) | 2026-02-25 18:22:41 -08:00 |
| helpers | Merge branch 'hotfix/4.11.2' into develop | 2026-03-09 21:20:08 +05:30 |
| javascript | chore: Update translations (#13832) | 2026-03-17 16:02:40 -07:00 |
| jobs | feat: distributed scheduling for version check job (#13042) | 2026-03-17 02:27:49 -07:00 |
| listeners | feat: captain decides if conversation should be resolved or kept open (#13336) | 2026-03-13 10:03:58 +05:30 |
| mailboxes | refactor: strategy pattern for mailbox conversation finding (#12766) | 2025-11-10 20:47:18 +05:30 |
| mailers | fix(email): Allow inbox OAuth replies without global SMTP (#13820) | 2026-03-17 11:10:42 +04:00 |
| models | fix: patch Devise confirmable race condition vulnerability (#13843) | 2026-03-18 21:30:09 -07:00 |
| policies | feat(help-center): enable drag-and-drop category reordering (#13706) | 2026-03-05 12:53:38 +05:30 |
| presenters | fix: Force account_id to use index on messages query on conversation push_event_data (#13757) | 2026-03-11 01:03:18 +05:30 |
| services | feat(whatsapp): add webhook registration and status endpoints (#13551) | 2026-03-16 12:48:16 +05:30 |
| views | fix: return correct outgoing_url in Platform agent bot API responses (#13827) | 2026-03-17 13:40:45 -07:00 |