[BUG]: updateProfile Bypasses User Schema Validation and Permits Verification-State Updates

[VarshithReddy2006]

While reviewing the user profile update workflow, I identified a validation and authorization issue in updateProfile() that allows modification of verification-related fields and bypasses the user schema validation layer.

The controller copies the incoming request body, removes only password, email, and _id, sanitizes the remaining payload, and directly updates the user document using $set.

However, the endpoint does not validate updates against the configured user schema and does not restrict verification-state fields that are used elsewhere in the authentication flow.

Verification fields such as:

• emailVerified
• isVerified
• isverified

are actively used by the authentication and account-linking logic, but they are not removed or protected inside updateProfile().

As a result, authenticated users can submit updates containing verification-related fields, and those values are passed directly to the database update operation.

This creates an inconsistency where security-sensitive account state can be modified through a generic profile update endpoint instead of the dedicated verification workflow.

Additionally, because the endpoint does not use the same validation path as other data-update operations, user-configured schema constraints are not consistently enforced during profile updates.

[VarshithReddy2006]

Hi @yash-pouranik ,

While reviewing the authentication workflow, I identified the root cause and verified the affected code path in updateProfile().

The endpoint currently allows updates to verification-related fields and does not enforce the same validation flow used elsewhere for user data updates. This can lead to verification-state modification and inconsistent schema enforcement during profile updates.

I'd like to work on implementing a fix for this issue under GSSoC 2026.

Could you please assign this issue to me?

Thank you!

[Priyanka0205-CSE]

Hi @yash-pouranik

I have reviewed this issue and understood the root cause. The profile update endpoint currently allows verification-related fields to be updated and does not consistently enforce schema validation during profile updates.

I would like to work on fixing this issue by:

• Restricting verification-state fields from being modified through updateProfile().
• Ensuring user schema validations are properly enforced during profile updates.
• Preserving the existing profile update functionality while preventing unauthorized state changes.

Could you please assign this issue to me under GSSoC 2026?

Thank you!

[yash-pouranik]

As this was opened by @VarshithReddy2006

[yash-pouranik]

Can only assign this to him.

[yash-pouranik]

u can start
@VarshithReddy2006

[VarshithReddy2006]

Hi @yash-pouranik,

I have completed the fix and submitted a PR #271 for review.

The updateProfile endpoint now blocks verification-related fields (emailVerified, isVerified, and isverified) from being modified through profile updates, preventing unauthorized verification-state changes while preserving the existing profile update workflow.

Kindly review the PR when you get a chance. Thank you!

[yash-pouranik]

yh will Check.