feat: email change confirmation flow (#5992)

* fix: update stripe email when changing email in account settings

* fix: review feedback

* fix: circular dependency, destroy all sessions on email change

* add: email change confirmation flow + smtp available check + enable email flows for oss and enterprise

* add: confirm email change page. update: change email behavior in account settings

---------

Co-authored-by: yau-wd <yau.ong@workday.com>

Author: 0xi4o

packages/server/src/IdentityManager.ts

@@ -312,6 +312,11 @@ export class IdentityManager {
         return await this.stripeManager.getCustomerWithDefaultSource(customerId)
     }
 
+    public async updateStripeCustomerEmail(customerId: string, email: string) {
+        if (!this.stripeManager) throw new Error('Stripe manager is not initialized')
+        await this.stripeManager.updateCustomerEmail(customerId, email)
+    }
+
     public async getAdditionalSeatsProration(subscriptionId: string, newQuantity: number) {
         if (!subscriptionId) return {}
         if (!this.stripeManager) {

packages/server/src/StripeManager.ts

@@ -270,6 +270,11 @@ export class StripeManager {
         }
     }
 
+    public async updateCustomerEmail(customerId: string, email: string) {
+        if (!this.stripe) throw new Error('Stripe is not initialized')
+        await this.stripe.customers.update(customerId, { email })
+    }
+
     public async getAdditionalSeatsProration(subscriptionId: string, quantity: number) {
         if (!this.stripe) {
             throw new Error('Stripe is not initialized')

packages/server/src/enterprise/controllers/account.controller.ts

@@ -57,6 +57,16 @@ export class AccountController {
         }
     }
 
+    public async confirmEmailChange(req: Request, res: Response, next: NextFunction) {
+        try {
+            const accountService = new AccountService()
+            const data = await accountService.confirmEmailChange(req.body)
+            return res.status(StatusCodes.OK).json(data)
+        } catch (error) {
+            next(error)
+        }
+    }
+
     public async forgotPassword(req: Request, res: Response, next: NextFunction) {
         try {
             const accountService = new AccountService()

packages/server/src/enterprise/controllers/user.controller.ts

@@ -4,6 +4,7 @@ import { InternalFlowiseError } from '../../errors/internalFlowiseError'
 import { GeneralErrorMessage } from '../../utils/constants'
 import { getRunningExpressApp } from '../../utils/getRunningExpressApp'
 import { User } from '../database/entities/user.entity'
+import { AccountService } from '../services/account.service'
 import { UserErrorMessage, UserService } from '../services/user.service'
 
 export class UserController {
@@ -51,7 +52,6 @@ export class UserController {
 
     public async update(req: Request, res: Response, next: NextFunction) {
         try {
-            const userService = new UserService()
             const currentUser = req.user
             if (!currentUser) {
                 throw new InternalFlowiseError(StatusCodes.UNAUTHORIZED, UserErrorMessage.USER_NOT_FOUND)
@@ -60,8 +60,11 @@ export class UserController {
             if (currentUser.id !== id) {
                 throw new InternalFlowiseError(StatusCodes.FORBIDDEN, UserErrorMessage.USER_NOT_FOUND)
             }
-            const user = await userService.updateUser({ id, name, updatedBy: currentUser.id, oldPassword, newPassword, confirmPassword })
-            return res.status(StatusCodes.OK).json(user)
+            const accountService = new AccountService()
+            const result = await accountService.updateAuthenticatedUserProfile(currentUser.id, req.body, (userId, newEmail) =>
+                accountService.syncStripeCustomerEmailAfterUserEmailChange(userId, newEmail)
+            )
+            return res.status(StatusCodes.OK).json(result)
         } catch (error) {
             next(error)
         }

packages/server/src/enterprise/emails/confirm_email_change.hbs

@@ -22,6 +22,8 @@ router.post('/logout', accountController.logout)
 
 router.post('/verify', accountController.verify)
 
+router.post('/confirm-email-change', accountController.confirmEmailChange)
+
 router.post('/resend-verification', accountController.resendVerificationEmail)
 
 router.post('/forgot-password', accountController.forgotPassword)