Parse Server option `emailVerifyTokenReuseIfValid: true` generates new token on every email verification request

[mtrezza]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

The Parse Server option emailVerifyTokenReuseIfValid: true generates a new token on every email verification request. This bug was likely introduced with #8212 where using the masterKey does not provide read access to fields of internal scope, in this case _email_verify_token, _email_verify_token_expires_at.

The bug has not been noticed due to a weak test case which compares the previous to the new token, but does not check whether a token and expiry date is defined at all; since these fields are not returned anymore by the masterKey, the test is comparing undefined values and passes, even if these values have changed in the DB.

parse-server/spec/EmailVerificationToken.spec.js

Lines 928 to 933 in 4aba66c

	// verify that our token & expiration has been changed for this new request
	expect(typeof userAfterRequest).toBe('object');
	expect(userBeforeRequest._email_verify_token).toEqual(userAfterRequest._email_verify_token);
	expect(userBeforeRequest._email_verify_token_expires_at).toEqual(
	userAfterRequest._email_verify_token_expires_at
	);

Steps to reproduce

See failing test in #8885.

Actual Outcome

Token and expiry date are modified.

Expected Outcome

Token and expiry date are not modified.

Environment

Server

• Parse Server version: 7.0.0-alpha.5

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[parseplatformorg]

🎉 This change has been released in version 7.0.0-alpha.6

[parseplatformorg]

🎉 This change has been released in version 7.0.0-beta.1

[parseplatformorg]

🎉 This change has been released in version 7.0.0