Files
Verso/services/web
3140e46e68 [web] Replace token-link email verification with 6-digit code on SSO registration (ORCID) (#33889)
* Replace token-link email with 6-digit code on SSO registration

Unverified SSO emails previously received a long-lived token link
(90-day TTL) via UserEmailsConfirmationHandler. This replaces that
flow with the same 6-digit code verification used for password
registration, redirecting through /registration/confirm-email.

- SSOManager.registerSSO now always confirms email (caller must
  verify first); removes sendConfirmationEmail / _finishRegistration
- SSOController._signUp sends confirmation code and stores
  pendingSSORegistration in session when IdP email_verified is false
- New SSOConfirmEmailHandler completes registration after code check
  via completeSSOEmailConfirmation module hook
- OnboardingController confirm-email handlers accept
  pendingSSORegistration alongside pendingUserRegistration

confirmEmailFromToken (POST /user/emails/confirm) removal is deferred
to a follow-up PR to avoid breaking in-flight 90-day tokens.

Closes #28607

* Fix unverified-email edge cases; Add ORCID e2e tests;

* Rename `confirmEmail` parameter to `emailVerifiedByIdP` in _signUp function

* Remove `sendConfirmationEmail`

* Mock getUserByAnyEmail in tests

* Extract _finishSSORegistration helper to deduplicate the register →
set session flags → allocate referral → finishSaasLogin → finishLogin
sequence shared by both the direct and deferred (code-confirmed) paths.

* Stop duplicating session data in pendingSSORegistration

analyticsId, splitTests, and referal_* are already in the session at
confirmation time — no need to copy them into pendingSSORegistration.
Re-fetch splitTests fresh on completion instead.

* Simplify the code

* Remove dead confirmEmail template

No callers remain after sendConfirmationEmail was deleted. The token-link
flow (confirmEmailFromToken) only validates tokens, never sends email.

* Remove dead reconfirmEmail template

* Address comments from Copilot

* Clear stale pending registration when starting a new flow

* Add unit tests for completeSSOEmailConfirmation

* Add `verificationMethod` param

* Fix camelcase issues

* Extract _createSSOUser and _registerAndFinish helpers to deduplicate registration logic

* Remove obscure "registration_error"

* Prevent FormTextIcon from shrinking

* Enable "email_already_registered_sso" error

* Misc. improvements to confirm-email-form.tsx

* Remove `UserEmailsConfirmationHandler` mock

Co-authored-by: Olzhas Askar <olzhas.askar@overleaf.com>

* Add info on sso_email.pug page

---------

Co-authored-by: Olzhas Askar <olzhas.askar@overleaf.com>
GitOrigin-RevId: d0196ebc6d81ff61bcd27726d0b899b743d08d64
2026-06-05 08:06:34 +00:00
..
2026-05-01 08:06:13 +00:00
2026-05-13 08:05:50 +00:00
2026-06-03 08:05:55 +00:00
2025-10-21 08:05:37 +00:00
2026-04-22 08:06:26 +00:00
2026-04-28 08:52:37 +00:00
2026-06-03 08:06:29 +00:00
2026-04-28 08:52:37 +00:00
2026-05-20 08:06:05 +00:00

overleaf/web

overleaf/web is the front-end web service of the open-source web-based collaborative LaTeX editor, Overleaf. It serves all the HTML pages, CSS and javascript to the client. overleaf/web also contains a lot of logic around creating and editing projects, and account management.

The rest of the Overleaf stack, along with information about contributing can be found in the overleaf/overleaf repository.

Running the app

The app runs natively using yarn and Node on the local system:

$ yarn install
$ yarn run start

Running Tests

To run all tests run:

make test

To run both unit and acceptance tests for a module run:

make test_module MODULE=saas-authentication

Unit Tests

The test suites run in Docker.

Unit tests can be run in the test_unit container defined in docker-compose.tests.yml.

The makefile contains a short cut to run these:

make test_unit

During development it is often useful to only run a subset of tests, which can be configured with arguments to the mocha CLI:

make test_unit MOCHA_GREP='AuthorizationManager'

To run only the unit tests for a single module do:

make test_unit_module MODULE=saas-authentication

Module tests can also use a MOCHA_GREP argument:

make test_unit_module MODULE=saas-authentication MOCHA_GREP=SSO

Acceptance Tests

Acceptance tests are run against a live service, which runs in the acceptance_test container defined in docker-compose.tests.yml.

To run the tests out-of-the-box, the makefile defines:

make test_acceptance

However, during development it is often useful to leave the service running for rapid iteration on the acceptance tests. This can be done with:

make test_acceptance_app_start_service
make test_acceptance_app_run # Run as many times as needed during development
make test_acceptance_app_stop_service

make test_acceptance just runs these three commands in sequence and then runs make test_acceptance_modules which performs the tests for each module in the modules directory. (Note that there is not currently an equivalent to the -start / -run x n / -stop series for modules.)

During development it is often useful to only run a subset of tests, which can be configured with arguments to the mocha CLI:

make test_acceptance_run MOCHA_GREP='AuthorizationManager'

To run only the acceptance tests for a single module do:

make test_acceptance_module MODULE=saas-authentication

Module tests can also use a MOCHA_GREP argument:

make test_acceptance_module MODULE=saas-authentication MOCHA_GREP=SSO

Routes

Run bin/routes to print out all routes in the project.

License and Credits

This project is licensed under the AGPLv3 license

Stylesheets

Overleaf is based on Bootstrap, which is licensed under the MIT license. All modifications (*.less files in public/stylesheets) are also licensed under the MIT license.

Artwork

Silk icon set 1.3

We gratefully acknowledge Mark James for releasing his Silk icon set under the Creative Commons Attribution 2.5 license. Some of these icons are used within Overleaf inside the public/img/silk and public/brand/icons directories.

IconShock icons

We gratefully acknowledge IconShock for use of the icons in the public/img/iconshock directory found via findicons.com