Fix email ownership check

[st3fan]

This is a small fix for an incorrect object ownership check in the resend-email endpoint.

See https://hackerone.com/reports/3568986 for the full discussion. (May only be accessible to the Mozilla Security Team.)

The report was not accepted by the H1 team because I do not have the time to explore this further. The bug is real though and I hope this is a contribution for a fix you will take anyway.

👋🏻 ❤️ 🦊

[st3fan]

@kschelonka Should I contribute a test for the endpoint that i changed? I a not super familiar with these frameworks but I can try.

[kschelonka]

@kschelonka Should I contribute a test for the endpoint that i changed? I a not super familiar with these frameworks but I can try.

Yeah, it would be nice since ideally should have triggered a failure. It's somewhat burdensome to test this whole endpoint, although easier now with the new integration test pattern. You could consider a small refactor to test a smaller unit alone, e.g. lines 37-41 could be refactored into a function like export userHasEmail(emailId: number, subscriberId: number): Promise<boolean>. Or for a pure unit test you could essentially export the filter behavior as its own method taking the email list and subscriber as inputs.

For testing you can model after BreachNotificationSubscriber for integration tests that use the database directly rather than setting up a db mock. We introduced recently so it's not a widespread pattern yet.

[kschelonka]

This is an obvious bug though, so if it's burdensome for you to add test coverage we can proceed and make a ticket for the team to improve coverage of this endpoint.