fix: apply mailer autoconfirm config to update user email

[kangmingtay]

What kind of change does this PR introduce?

• GOTRUE_MAILER_AUTOCONFIRM setting should be respected in the update email flow via PUT /user

What is the current behavior?

• When GOTRUE_MAILER_AUTOCONFIRM=true, updating a user's email still sends an email and requires user confirmation
• Difficult for anonymous users to upgrade to a permanent user seamlessly without requiring email confirmation
• Fixes With email verification disabled in my project, email verification is still required in order to promote an anonymous user #1619

What is the new behavior?

• When GOTRUE_MAILER_AUTOCONFIRM=true, updating a user's email will not require email confirmation.

Additional context

Add any other context or screenshots.

[coveralls]

Pull Request Test Coverage Report for Build 9783906918

Details

• 11 of 22 (50.0%) changed or added relevant lines in 2 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-0.01%) to 57.965%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
internal/api/user.go	7	18	38.89%

Totals
Change from base Build 9783578837:	-0.01%
Covered Lines:	8802
Relevant Lines:	15185

---

💛 - Coveralls

[J0]

Nice!

Looks like we added a new if branch / clause to handle the autoconfirm case and we only do verification checks on the /verify route for email change when there's mailer autoconfirm enabled.

LGTM

[kangmingtay]

@J0 thanks for reviewing, will add some tests before merging

[coveralls]

Pull Request Test Coverage Report for Build 9800151798

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 16 of 22 (72.73%) changed or added relevant lines in 2 files are covered.
• 4 unchanged lines in 1 file lost coverage.
• Overall coverage increased (+0.03%) to 58.004%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
internal/api/user.go	12	18	66.67%

Files with Coverage Reduction	New Missed Lines	%
internal/api/user.go	4	65.03%

Totals
Change from base Build 9783578837:	0.03%
Covered Lines:	8809
Relevant Lines:	15187

---

💛 - Coveralls

[bnjmnt4n]

Hey @kangmingtay! This change had some unexpected effects for us (we have enabled GOTRUE_MAILER_AUTOCONFIRM=true). We were expecting a confirmation email when switching to a new email, whereas following this update the email was immediately updated. This isn't ideal behavior because it's easy for a user to lose all access immediately just by entering the wrong email. IMO, autoconfirm on creating an account with a new email is fine because even if the user has entered the wrong email, they have a new account, so there is little chance of data loss, and they can always follow up by updating their email. However, autoconfirm on updating a user's email doesn't allow the user any way to correct their mistake if entering the wrong email.

Would it be possible to either tweak this behavior? A possible change is to autoconfirm on update of user email if there is no existing email address (which handles #1619), but require confirmation if there is an existing email address. Otherwise, can we add a new configuration option to restore the original behavior?

[kangmingtay]

@bnjmnt4n yeah we have a fix for this here - #1679

[bnjmnt4n]

Thanks for the fast response @kangmingtay! 🔥