From d9b4ab1e341875f51fccb7bc9e916e09027e6803 Mon Sep 17 00:00:00 2001
From: Danielle Maywood <danielle@coder.com>
Date: Mon, 21 Oct 2024 14:09:30 +0000
Subject: [PATCH 1/2] fix: urlencode email in reset password link

---
 ...00267_fix_password_reset_notification_link.down.sql |  0
 .../000267_fix_password_reset_notification_link.up.sql | 10 ++++++++++
 coderd/notifications/notifications_test.go             |  2 +-
 .../TemplateUserRequestedOneTimePasscode.html.golden   | 10 +++++-----
 .../TemplateUserRequestedOneTimePasscode.json.golden   |  4 ++--
 5 files changed, 18 insertions(+), 8 deletions(-)
 create mode 100644 coderd/database/migrations/000267_fix_password_reset_notification_link.down.sql
 create mode 100644 coderd/database/migrations/000267_fix_password_reset_notification_link.up.sql

diff --git a/coderd/database/migrations/000267_fix_password_reset_notification_link.down.sql b/coderd/database/migrations/000267_fix_password_reset_notification_link.down.sql
new file mode 100644
index 0000000000000..e69de29bb2d1d
diff --git a/coderd/database/migrations/000267_fix_password_reset_notification_link.up.sql b/coderd/database/migrations/000267_fix_password_reset_notification_link.up.sql
new file mode 100644
index 0000000000000..bb5e1a123cb0f
--- /dev/null
+++ b/coderd/database/migrations/000267_fix_password_reset_notification_link.up.sql
@@ -0,0 +1,10 @@
+UPDATE notification_templates
+SET
+    title_template = E'Reset your password for Coder',
+    body_template = E'Hi {{.UserName}},\n\nUse the link below to reset your password.\n\nIf you did not make this request, you can ignore this message.',
+    actions = '[{
+		"label": "Reset password",
+		"url": "{{base_url}}/reset-password/change?otp={{.Labels.one_time_passcode}}&email={{.UserEmail | urlquery}}"
+	}]'::jsonb
+WHERE
+    id = '62f86a30-2330-4b61-a26d-311ff3b608cf'
diff --git a/coderd/notifications/notifications_test.go b/coderd/notifications/notifications_test.go
index 2280f4680ae89..e168135ca4b8e 100644
--- a/coderd/notifications/notifications_test.go
+++ b/coderd/notifications/notifications_test.go
@@ -994,7 +994,7 @@ func TestNotificationTemplates_Golden(t *testing.T) {
 			id:   notifications.TemplateUserRequestedOneTimePasscode,
 			payload: types.MessagePayload{
 				UserName:     "Bobby",
-				UserEmail:    "bobby@coder.com",
+				UserEmail:    "bobby+label@coder.com",
 				UserUsername: "bobby",
 				Labels: map[string]string{
 					"one_time_passcode": "fad9020b-6562-4cdb-87f1-0486f1bea415",
diff --git a/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden b/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden
index fc74699e70afd..bf2d9b63a7d04 100644
--- a/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden
+++ b/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden
@@ -1,5 +1,5 @@
 From: system@coder.com
-To: bobby@coder.com
+To: bobby+label@coder.com
 Subject: Reset your password for Coder
 Message-Id: 02ee4935-73be-4fa1-a290-ff9999026b13@blush-whale-48
 Date: Fri, 11 Oct 2024 09:03:06 +0000
@@ -18,7 +18,7 @@ If you did not make this request, you can ignore this message.
 
 
 Reset password: http://test.com/reset-password/change?otp=3Dfad9020b-6562-4=
-cdb-87f1-0486f1bea415&email=3Dbobby@coder.com
+cdb-87f1-0486f1bea415&email=3Dbobby%2Blabel%40coder.com
 
 --bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
 Content-Transfer-Encoding: quoted-printable
@@ -57,9 +57,9 @@ argin: 8px 0 32px; line-height: 1.5;">
       <div style=3D"text-align: center; margin-top: 32px;">
        =20
         <a href=3D"http://test.com/reset-password/change?otp=3Dfad9020b-656=
-2-4cdb-87f1-0486f1bea415&email=3Dbobby@coder.com" style=3D"display: inline-=
-block; padding: 13px 24px; background-color: #020617; color: #f8fafc; text-=
-decoration: none; border-radius: 8px; margin: 0 4px;">
+2-4cdb-87f1-0486f1bea415&email=3Dbobby%2Blabel%40coder.com" style=3D"displa=
+y: inline-block; padding: 13px 24px; background-color: #020617; color: #f8f=
+afc; text-decoration: none; border-radius: 8px; margin: 0 4px;">
           Reset password
         </a>
        =20
diff --git a/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden b/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden
index b3610b6661da6..a3c090ca1e780 100644
--- a/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden
+++ b/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden
@@ -6,13 +6,13 @@
     "notification_name": "One-Time Passcode",
     "notification_template_id": "00000000-0000-0000-0000-000000000000",
     "user_id": "00000000-0000-0000-0000-000000000000",
-    "user_email": "bobby@coder.com",
+    "user_email": "bobby+label@coder.com",
     "user_name": "Bobby",
     "user_username": "bobby",
     "actions": [
       {
         "label": "Reset password",
-        "url": "http://test.com/reset-password/change?otp=00000000-0000-0000-0000-000000000000\u0026email=bobby@coder.com"
+        "url": "http://test.com/reset-password/change?otp=00000000-0000-0000-0000-000000000000\u0026email=bobby%2Blabel%40coder.com"
       }
     ],
     "labels": {

From c542d8e25053ffe23469789069104d38037642dd Mon Sep 17 00:00:00 2001
From: Danielle Maywood <danielle@coder.com>
Date: Mon, 21 Oct 2024 14:54:00 +0000
Subject: [PATCH 2/2] test: make bobby's email 'weirder'

---
 coderd/notifications/notifications_test.go            |  2 +-
 .../TemplateUserRequestedOneTimePasscode.html.golden  | 11 ++++++-----
 .../TemplateUserRequestedOneTimePasscode.json.golden  |  4 ++--
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/coderd/notifications/notifications_test.go b/coderd/notifications/notifications_test.go
index e168135ca4b8e..b69d8910a0ce8 100644
--- a/coderd/notifications/notifications_test.go
+++ b/coderd/notifications/notifications_test.go
@@ -994,7 +994,7 @@ func TestNotificationTemplates_Golden(t *testing.T) {
 			id:   notifications.TemplateUserRequestedOneTimePasscode,
 			payload: types.MessagePayload{
 				UserName:     "Bobby",
-				UserEmail:    "bobby+label@coder.com",
+				UserEmail:    "bobby/drop-table+user@coder.com",
 				UserUsername: "bobby",
 				Labels: map[string]string{
 					"one_time_passcode": "fad9020b-6562-4cdb-87f1-0486f1bea415",
diff --git a/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden b/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden
index bf2d9b63a7d04..04f69ed741da2 100644
--- a/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden
+++ b/coderd/notifications/testdata/rendered-templates/smtp/TemplateUserRequestedOneTimePasscode.html.golden
@@ -1,5 +1,5 @@
 From: system@coder.com
-To: bobby+label@coder.com
+To: bobby/drop-table+user@coder.com
 Subject: Reset your password for Coder
 Message-Id: 02ee4935-73be-4fa1-a290-ff9999026b13@blush-whale-48
 Date: Fri, 11 Oct 2024 09:03:06 +0000
@@ -18,7 +18,7 @@ If you did not make this request, you can ignore this message.
 
 
 Reset password: http://test.com/reset-password/change?otp=3Dfad9020b-6562-4=
-cdb-87f1-0486f1bea415&email=3Dbobby%2Blabel%40coder.com
+cdb-87f1-0486f1bea415&email=3Dbobby%2Fdrop-table%2Buser%40coder.com
 
 --bbe61b741255b6098bb6b3c1f41b885773df633cb18d2a3002b68e4bc9c4
 Content-Transfer-Encoding: quoted-printable
@@ -57,9 +57,10 @@ argin: 8px 0 32px; line-height: 1.5;">
       <div style=3D"text-align: center; margin-top: 32px;">
        =20
         <a href=3D"http://test.com/reset-password/change?otp=3Dfad9020b-656=
-2-4cdb-87f1-0486f1bea415&email=3Dbobby%2Blabel%40coder.com" style=3D"displa=
-y: inline-block; padding: 13px 24px; background-color: #020617; color: #f8f=
-afc; text-decoration: none; border-radius: 8px; margin: 0 4px;">
+2-4cdb-87f1-0486f1bea415&email=3Dbobby%2Fdrop-table%2Buser%40coder.com" sty=
+le=3D"display: inline-block; padding: 13px 24px; background-color: #020617;=
+ color: #f8fafc; text-decoration: none; border-radius: 8px; margin: 0 4px;"=
+>
           Reset password
         </a>
        =20
diff --git a/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden b/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden
index a3c090ca1e780..e5f2da431f112 100644
--- a/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden
+++ b/coderd/notifications/testdata/rendered-templates/webhook/TemplateUserRequestedOneTimePasscode.json.golden
@@ -6,13 +6,13 @@
     "notification_name": "One-Time Passcode",
     "notification_template_id": "00000000-0000-0000-0000-000000000000",
     "user_id": "00000000-0000-0000-0000-000000000000",
-    "user_email": "bobby+label@coder.com",
+    "user_email": "bobby/drop-table+user@coder.com",
     "user_name": "Bobby",
     "user_username": "bobby",
     "actions": [
       {
         "label": "Reset password",
-        "url": "http://test.com/reset-password/change?otp=00000000-0000-0000-0000-000000000000\u0026email=bobby%2Blabel%40coder.com"
+        "url": "http://test.com/reset-password/change?otp=00000000-0000-0000-0000-000000000000\u0026email=bobby%2Fdrop-table%2Buser%40coder.com"
       }
     ],
     "labels": {

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/15167.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/15167.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/15167.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/15167.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>