fix: delete user.collective after OTP fails (#11237)

Author: kewitz

server/models/User.ts

@@ -484,6 +484,10 @@ class User extends Model<InferAttributes<User>, InferCreationAttributes<User>> {
 
     const destroyInTransaction = async transaction => {
       await this.update({ email: newEmail }, { transaction });
+      const collective = await Collective.findByPk(this.CollectiveId, { transaction });
+      if (collective) {
+        await collective.destroy({ transaction });
+      }
       return this.destroy({ transaction });
     };
 

test/server/controllers/users.test.ts

@@ -346,6 +346,7 @@ describe('server/controllers/users', () => {
       const otpSessionKey = `otp_signup_${email}`;
       let otpSession = await sessionCache.get(otpSessionKey);
       expect(otpSession).to.exist;
+      const userId = otpSession.userId;
 
       let verifyResponse = await makeVerifyOtpRequest(email, '023456', responseData.sessionId, randIPV4());
       expect(verifyResponse._getStatusCode()).to.eql(403);
@@ -362,8 +363,12 @@ describe('server/controllers/users', () => {
       expect(verifyResponse._getStatusCode()).to.eql(403);
       otpSession = await sessionCache.get(otpSessionKey);
       expect(otpSession).to.be.undefined;
-      const user = await models.User.findOne({ where: { email } });
-      expect(user).to.be.null;
+      const user = await models.User.findByPk(userId, {
+        include: [{ model: models.Collective, as: 'collective', paranoid: false }],
+        paranoid: false,
+      });
+      expect(user.deletedAt).not.to.be.null;
+      expect(user.collective.deletedAt).not.to.be.null;
     });
   });
 });