🐛 Updated support email verification flow

[SimonBackx]

refs https://github.com/TryGhost/Team/issues/584

The current support email verification flow uses an API endpoint as verification URL inside the emails. This is a bad pattern, and also has the side effect that it shows a JSON error if something goes wrong.

To fix this, this commit updates the whole flow to use the same pattern as newsletters:

• You can update the members_support_address setting directly via the edit endpoint of settings.
• Changes to that (and future 'guarded' email properties) are blocked and generate verification emails automatically.
• When an email verification has been sent, the meta property sent_email_verification is set.

Other changes:

• Underlying, the implementation of email verificaton has moved from the (old) members service to the settings BREAD service. This makes it easier to add extra email addresses in settings later on that are not related to 'members'.
• Now you can update the members_support_address by updating the settings directly, so the updateMembersEmail endpoint has been deprecated and is mapped to the new behaviour.
• The SingleUseTokenProvider threw a UnauthorizedError error if a token was expired or invalid. Those errors are caught by the admin app, and causes it to do a page reload (making the error message and modals invisible). To fix that, I've swapped it with a validation error.

Future changes:

• Existing emails that have been sent 24h before this change is applied, still use the validateMembersEmailUpdate API endpoint. This endpoint has not been removed for now, to not break those emails. In a future release, we should remove this.

Changes to admin: TryGhost/Admin#2426

[codecov]

Codecov Report

Merging #15029 (31fe7d1) into main (d65aa08) will increase coverage by 0.40%.
The diff coverage is 88.32%.

@@            Coverage Diff             @@
##             main   #15029      +/-   ##
==========================================
+ Coverage   61.07%   61.47%   +0.40%     
==========================================
  Files         593      597       +4     
  Lines       47557    47925     +368     
  Branches     4271     4322      +51     
==========================================
+ Hits        29045    29462     +417     
+ Misses      18463    18413      -50     
- Partials       49       50       +1     

Impacted Files	Coverage Δ
.../api/endpoints/utils/serializers/input/settings.js	0.00% <0.00%> (ø)
...api/endpoints/utils/serializers/output/settings.js	0.00% <0.00%> (ø)
...r/api/endpoints/utils/validators/input/settings.js	0.00% <0.00%> (ø)
core/server/services/members/settings.js	26.66% <25.00%> (+12.87%)	⬆️
.../server/services/members/SingleUseTokenProvider.js	55.22% <33.33%> (ø)
...server/services/settings/settings-bread-service.js	73.93% <91.76%> (+30.12%)	⬆️
...re/server/services/settings/emails/verify-email.js	100.00% <100.00%> (ø)
core/server/services/settings/settings-service.js	58.85% <100.00%> (+1.78%)	⬆️
core/server/services/members/emails/updateEmail.js	0.00% <0.00%> (-1.21%)	⬇️
...er/api/endpoints/utils/serializers/output/index.js	58.77% <0.00%> (-0.49%)	⬇️
... and 7 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d65aa08...31fe7d1. Read the comment docs.

[matthanley]

the updateMembersEmail endpoint is no longer needed and has been removed.

This is technically a breaking change. Can we reinstate it, but map it internally using the deprecation header to a settings update to trigger the new flow?

[SimonBackx]

You are right. I readded the old endpoints ✅