Now allows user to update primary_email_auth_enabled to false via API (#697)

<!--

Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md

-->

<!-- ELLIPSIS_HIDDEN -->


----

> [!IMPORTANT]
> Allows `primary_email_auth_enabled` to be set to `false` via API,
fixing previous issue, with tests verifying behavior.
> 
>   - **Behavior**:
> - Allows `primary_email_auth_enabled` to be set to `false` in
`crud.tsx` by using nullish coalescing operator.
> - Updates `usedForAuth` field in `contactChannel` when
`primary_email_auth_enabled` changes without email change.
>   - **Tests**:
> - Adds tests in `users.test.ts` to verify disabling and re-enabling
`primary_email_auth_enabled`.
> - Tests cover both specific user updates and current user updates via
`/me` endpoint.
> 
> <sup>This description was created by </sup>[<img alt="Ellipsis"
src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=stack-auth%2Fstack-auth&utm_source=github&utm_medium=referral)<sup>
for b4b5354. You can
[customize](https://app.ellipsis.dev/stack-auth/settings/summaries) this
summary. It will automatically update as commits are pushed.</sup>


<!-- ELLIPSIS_HIDDEN -->

---------

Co-authored-by: Konsti Wohlwend <n2d4xc@gmail.com>

Author: madster456

apps/backend/src/app/api/latest/users/crud.tsx

@@ -722,7 +722,7 @@ export const usersCrudHandlers = createLazyProxy(() => createCrudHandlers(usersC
       const passwordAuth = oldUser.authMethods.find((m) => m.passwordAuthMethod)?.passwordAuthMethod;
       const passkeyAuth = oldUser.authMethods.find((m) => m.passkeyAuthMethod)?.passkeyAuthMethod;
 
-      const primaryEmailAuthEnabled = data.primary_email_auth_enabled || !!primaryEmailContactChannel?.usedForAuth;
+      const primaryEmailAuthEnabled = data.primary_email_auth_enabled ?? !!primaryEmailContactChannel?.usedForAuth;
       const primaryEmailVerified = data.primary_email_verified || !!primaryEmailContactChannel?.isVerified;
       await checkAuthData(tx, {
         tenancyId: auth.tenancy.id,
@@ -755,7 +755,7 @@ export const usersCrudHandlers = createLazyProxy(() => createCrudHandlers(usersC
               tenancyId_projectUserId_type_isPrimary: {
                 tenancyId: auth.tenancy.id,
                 projectUserId: params.user_id,
-                type: 'EMAIL',
+                type: 'EMAIL' as const,
                 isPrimary: "TRUE",
               },
             },
@@ -794,6 +794,24 @@ export const usersCrudHandlers = createLazyProxy(() => createCrudHandlers(usersC
         });
       }
 
+      // if primary_email_auth_enabled is being updated without changing the email
+      // - update the primary email contact channel's usedForAuth field
+      if (data.primary_email_auth_enabled !== undefined && data.primary_email === undefined) {
+        await tx.contactChannel.update({
+          where: {
+            tenancyId_projectUserId_type_isPrimary: {
+              tenancyId: auth.tenancy.id,
+              projectUserId: params.user_id,
+              type: 'EMAIL',
+              isPrimary: "TRUE",
+            },
+          },
+          data: {
+            usedForAuth: primaryEmailAuthEnabled ? BooleanTrue.TRUE : null,
+          },
+        });
+      }
+
       // if otp_auth_enabled is true
       // - create a new otp auth method if it doesn't exist
       // if otp_auth_enabled is false

apps/e2e/tests/backend/endpoints/api/v1/users.test.ts

@@ -2264,6 +2264,131 @@ describe("with server access", () => {
       }
     `);
   });
+
+  it("should be able to properly disable primary_email_auth_enabled", async ({ expect }) => {
+    // Test for the fix where primary_email_auth_enabled couldn't be disabled properly
+    // due to an OR operator issue that always kept it true
+
+    // Create a user with email auth enabled
+    const response1 = await niceBackendFetch("/api/v1/users", {
+      accessType: "server",
+      method: "POST",
+      body: {
+        primary_email: backendContext.value.mailbox.emailAddress,
+        primary_email_auth_enabled: true,
+        display_name: "Test User",
+      },
+    });
+    expect(response1.status).toEqual(201);
+    expect(response1.body.primary_email_auth_enabled).toEqual(true);
+    const userId = response1.body.id;
+
+    // Update the user to disable email auth
+    const response2 = await niceBackendFetch("/api/v1/users/" + userId, {
+      accessType: "server",
+      method: "PATCH",
+      body: {
+        primary_email_auth_enabled: false,
+      },
+    });
+    expect(response2).toMatchInlineSnapshot(`
+      NiceResponse {
+        "status": 200,
+        "body": {
+          "auth_with_email": false,
+          "client_metadata": null,
+          "client_read_only_metadata": null,
+          "display_name": "Test User",
+          "has_password": false,
+          "id": "<stripped UUID>",
+          "is_anonymous": false,
+          "last_active_at_millis": <stripped field 'last_active_at_millis'>,
+          "oauth_providers": [],
+          "otp_auth_enabled": false,
+          "passkey_auth_enabled": false,
+          "primary_email": "default-mailbox--<stripped UUID>@stack-generated.example.com",
+          "primary_email_auth_enabled": false,
+          "primary_email_verified": false,
+          "profile_image_url": null,
+          "requires_totp_mfa": false,
+          "selected_team": null,
+          "selected_team_id": null,
+          "server_metadata": null,
+          "signed_up_at_millis": <stripped field 'signed_up_at_millis'>,
+        },
+        "headers": Headers { <some fields may have been hidden> },
+      }
+    `);
+
+    // Verify the change persisted by reading the user again
+    const response3 = await niceBackendFetch("/api/v1/users/" + userId, {
+      accessType: "server",
+    });
+    expect(response3.status).toEqual(200);
+    expect(response3.body.primary_email_auth_enabled).toEqual(false);
+    expect(response3.body.auth_with_email).toEqual(false);
+
+    // Test that we can re-enable it
+    const response4 = await niceBackendFetch("/api/v1/users/" + userId, {
+      accessType: "server",
+      method: "PATCH",
+      body: {
+        primary_email_auth_enabled: true,
+      },
+    });
+    expect(response4.status).toEqual(200);
+    expect(response4.body.primary_email_auth_enabled).toEqual(true);
+    expect(response4.body.auth_with_email).toEqual(false); // Still false because no password/otp is set
+
+    // Verify re-enabling persisted
+    const response5 = await niceBackendFetch("/api/v1/users/" + userId, {
+      accessType: "server",
+    });
+    expect(response5.status).toEqual(200);
+    expect(response5.body.primary_email_auth_enabled).toEqual(true);
+  });
+
+  it("should be able to disable primary_email_auth_enabled on current user", async ({ expect }) => {
+    // Test the same functionality when updating the current user via /me endpoint
+    await Auth.Otp.signIn();
+
+    // First verify the user has email auth enabled (from OTP sign in)
+    const initialResponse = await niceBackendFetch("/api/v1/users/me", {
+      accessType: "server",
+    });
+    expect(initialResponse.status).toEqual(200);
+    expect(initialResponse.body.primary_email_auth_enabled).toEqual(true);
+
+    // Disable email auth on current user
+    const response1 = await niceBackendFetch("/api/v1/users/me", {
+      accessType: "server",
+      method: "PATCH",
+      body: {
+        primary_email_auth_enabled: false,
+      },
+    });
+    expect(response1.status).toEqual(200);
+    expect(response1.body.primary_email_auth_enabled).toEqual(false);
+    expect(response1.body.auth_with_email).toEqual(true); // May still be true due to existing auth methods
+
+    // Verify the change persisted by reading the user again
+    const response2 = await niceBackendFetch("/api/v1/users/me", {
+      accessType: "server",
+    });
+    expect(response2.status).toEqual(200);
+    expect(response2.body.primary_email_auth_enabled).toEqual(false);
+
+    // Re-enable email auth
+    const response3 = await niceBackendFetch("/api/v1/users/me", {
+      accessType: "server",
+      method: "PATCH",
+      body: {
+        primary_email_auth_enabled: true,
+      },
+    });
+    expect(response3.status).toEqual(200);
+    expect(response3.body.primary_email_auth_enabled).toEqual(true);
+  });
 });
 
 it.todo("creating a new user with an OAuth provider ID that does not exist should fail");