reordered change email validations to make enumerations slightly harder

CHANGELOG.md

@@ -6,7 +6,7 @@
 
 - Reload trusted proxy info UI after settings save.
 
-- Minor expand query optimization that skips the duplicated record ids from the `IN` list.
+- Other minor improvements (skips the duplicated record ids from the `IN` expand list, reordered confirm-email-change error checks to minimize enumeration attacks, etc.).
 
 
 ## v0.37.4

apis/record_auth_email_change_confirm.go

@@ -102,12 +102,6 @@ func (form *EmailChangeConfirmForm) parseToken() (*core.Record, string, error) {
 		return nil, "", validation.NewError("validation_invalid_token_payload", "Invalid token payload - newEmail must be set.")
 	}
 
-	// ensure that there aren't other users with the new email
-	_, err := form.app.FindAuthRecordByEmail(form.collection, newEmail)
-	if err == nil {
-		return nil, "", validation.NewError("validation_existing_token_email", "The new email address is already registered: "+newEmail)
-	}
-
 	// verify that the token is not expired and its signature is valid
 	authRecord, err := form.app.FindAuthRecordByToken(form.Token, core.TokenTypeEmailChange)
 	if err != nil {
@@ -118,5 +112,11 @@ func (form *EmailChangeConfirmForm) parseToken() (*core.Record, string, error) {
 		return nil, "", validation.NewError("validation_token_collection_mismatch", "The provided token is for different auth collection.")
 	}
 
+	// check if there are other users with the new email
+	_, err = form.app.FindAuthRecordByEmail(form.collection, newEmail)
+	if err == nil {
+		return nil, "", validation.NewError("validation_invalid_token_email", "The new email address is invalid.")
+	}
+
 	return authRecord, newEmail, nil
 }