fix: handle malformed token in verify_email_address (baserow#5375)

silvestrid · web-flow · commit 0bda673cac64 · 2026-05-15T15:13:38.000+02:00
* fix: convert BadSignature to InvalidVerificationToken in verify_email_address

* fix flaky test
diff --git a/backend/src/baserow/core/user/handler.py b/backend/src/baserow/core/user/handler.py
@@ -938,7 +938,10 @@ def verify_email_address(self, token: str) -> User:
         """
 
         signer = self._get_email_verification_signer()
-        token_data = signer.loads(token)
+        try:
+            token_data = signer.loads(token)
+        except BadSignature as ex:
+            raise InvalidVerificationToken() from ex
 
         if datetime.fromisoformat(token_data["expires_at"]) < datetime.now(
             tz=timezone.utc
diff --git a/backend/tests/baserow/contrib/database/field/test_field_tasks.py b/backend/tests/baserow/contrib/database/field/test_field_tasks.py
@@ -363,16 +363,18 @@ def test_all_formula_that_needs_updates_are_periodically_updated(data_fixture):
     table = data_fixture.create_database_table(database=database)
     with freeze_time("2023-02-27 10:15"):
         now_field = data_fixture.create_formula_field(
-            table=table, formula="now()", date_include_time=True
+            name="now", table=table, formula="now()", date_include_time=True
         )
         data_fixture.create_formula_field(
+            name="ref_now",
             table=table,
             formula=f"field('{now_field.name}')",
             date_include_time=True,
         )
 
         date_field = data_fixture.create_date_field(table=table, date_include_time=True)
         data_fixture.create_formula_field(
+            name="now_vs_date",
             table=table,
             formula=f"now() > field('{date_field.name}')",
             date_include_time=True,
diff --git a/backend/tests/baserow/core/user/test_user_handler.py b/backend/tests/baserow/core/user/test_user_handler.py
@@ -780,6 +780,12 @@ def test_verify_email_address_expired(data_fixture):
         UserHandler().verify_email_address(token)
 
 
+@pytest.mark.django_db
+def test_verify_email_address_malformed_token():
+    with pytest.raises(InvalidVerificationToken):
+        UserHandler().verify_email_address("not-a-real-token")
+
+
 @pytest.mark.django_db
 def test_verify_email_address_user_doesnt_exist(data_fixture):
     user = data_fixture.create_user()
diff --git a/changelog/entries/unreleased/bug/5374_fixes_a_server_error_when_submitting_an_invalid_email_verifi.json b/changelog/entries/unreleased/bug/5374_fixes_a_server_error_when_submitting_an_invalid_email_verifi.json
@@ -0,0 +1,9 @@
+{
+    "type": "bug",
+    "message": "Fixes a server error when submitting an invalid email verification token",
+    "issue_origin": "github",
+    "issue_number": 5374,
+    "domain": "core",
+    "bullet_points": [],
+    "created_at": "2026-05-15"
+}
