AuthN: reset email verified on email change (#85643)

* AuthN: reset email verified on email change

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

pkg/services/authn/authnimpl/sync/user_sync.go

@@ -234,6 +234,12 @@ func (s *UserSync) updateUserAttributes(ctx context.Context, usr *user.User, id
 	if id.Email != "" && id.Email != usr.Email {
 		updateCmd.Email = id.Email
 		usr.Email = id.Email
+
+		// If we get a new email for a user we need to mark it as non-verified.
+		verified := false
+		updateCmd.EmailVerified = &verified
+		usr.EmailVerified = verified
+
 		needsUpdate = true
 	}
 
@@ -391,6 +397,7 @@ func syncUserToIdentity(usr *user.User, id *authn.Identity) {
 	id.Login = usr.Login
 	id.Email = usr.Email
 	id.Name = usr.Name
+	id.EmailVerified = usr.EmailVerified
 	id.IsGrafanaAdmin = &usr.IsAdmin
 }
 

pkg/services/authn/authnimpl/sync/user_sync_test.go

@@ -65,6 +65,16 @@ func TestUserSync_SyncUserHook(t *testing.T) {
 		IsAdmin:    false,
 	}}
 
+	userServiceEmailMod := &usertest.FakeUserService{ExpectedUser: &user.User{
+		ID:            3,
+		Login:         "test",
+		Name:          "test",
+		Email:         "test@test.com",
+		EmailVerified: true,
+		IsDisabled:    true,
+		IsAdmin:       false,
+	}}
+
 	userServiceNil := &usertest.FakeUserService{
 		ExpectedError: user.ErrUserNotFound,
 		CreateFn: func(ctx context.Context, cmd *user.CreateUserCommand) (*user.User, error) {
@@ -424,6 +434,54 @@ func TestUserSync_SyncUserHook(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "sync - reset email verified on email change",
+			fields: fields{
+				userService:     userServiceEmailMod,
+				authInfoService: authFakeNil,
+				quotaService:    &quotatest.FakeQuotaService{},
+			},
+			args: args{
+				ctx: context.Background(),
+				id: &authn.Identity{
+					ID:             "",
+					Login:          "test",
+					Name:           "test",
+					Email:          "test_mod@test.com",
+					EmailVerified:  true,
+					IsDisabled:     false,
+					IsGrafanaAdmin: ptrBool(true),
+					ClientParams: authn.ClientParams{
+						SyncUser:   true,
+						EnableUser: true,
+						LookUpParams: login.UserLookupParams{
+							UserID: ptrInt64(3),
+							Email:  nil,
+							Login:  nil,
+						},
+					},
+				},
+			},
+			wantErr: false,
+			wantID: &authn.Identity{
+				ID:             "user:3",
+				Login:          "test",
+				Name:           "test",
+				Email:          "test_mod@test.com",
+				IsDisabled:     false,
+				EmailVerified:  false,
+				IsGrafanaAdmin: ptrBool(true),
+				ClientParams: authn.ClientParams{
+					SyncUser:   true,
+					EnableUser: true,
+					LookUpParams: login.UserLookupParams{
+						UserID: ptrInt64(3),
+						Email:  nil,
+						Login:  nil,
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {