Merge pull request #4815 from iraline/fix_confirmation_token_2746

Fix Confirmation Token to only work once
2022-06-02 15:23:47 +02:00
parent af2a940132 0195eac3fa
commit 954bc61014
3 changed files with 47 additions and 3 deletions
--- a/app/controllers/users/confirmations_controller.rb
+++ b/app/controllers/users/confirmations_controller.rb
@@ -48,9 +48,13 @@ class Users::ConfirmationsController < Devise::ConfirmationsController
      respond_with_navigational(resource) { render :show }
    elsif resource.errors.empty?
      set_official_position if resource.has_official_email?
-      resource.confirm # Last change: confirm happens here for people with passwords instead of af the top of the show action
-      set_flash_message(:notice, :confirmed) if is_flashing_format?
-      respond_with_navigational(resource) { redirect_to after_confirmation_path_for(resource_name, resource) }
+
+      if resource.confirm
+        set_flash_message(:notice, :confirmed) if is_flashing_format?
+        respond_with_navigational(resource) { redirect_to after_confirmation_path_for(resource_name, resource) }
+      else
+        respond_with_navigational(resource.errors, status: :unprocessable_entity) { render :new, status: :unprocessable_entity }
+      end
    else
      respond_with_navigational(resource.errors, status: :unprocessable_entity) { render :new }
    end
--- a/spec/controllers/users/confirmations_controller_spec.rb
+++ b/spec/controllers/users/confirmations_controller_spec.rb
@@ -9,5 +9,21 @@ describe Users::ConfirmationsController do
    it "returns a 404 code with a wrong token" do
      expect { get :show, params: { token: "non_existent" } }.to raise_error ActiveRecord::RecordNotFound
    end
+
+    it "returns a 422 code with a existent and used token " do
+      user = create(:user, confirmation_token: "token1")
+
+      get :show, params: { user: user, confirmation_token: "token1" }
+
+      expect(response).to have_http_status(:unprocessable_entity)
+    end
+
+    it "redirect to sign_in page with a existent and not used token " do
+      user = create(:user, confirmation_token: "token1", confirmed_at: "")
+
+      get :show, params: { user: user, confirmation_token: "token1" }
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
  end
 end
--- a/spec/system/users_auth_spec.rb
+++ b/spec/system/users_auth_spec.rb
@@ -30,6 +30,30 @@ describe "Users" do

        expect(page).to have_content error_message
      end
+
+      scenario "User already confirmed email with the token" do
+        message = "You have been sent a message containing a verification link. Please click on this link to activate your account."
+        visit "/"
+        click_link "Register"
+
+        fill_in "Username", with: "Manuela Carmena"
+        fill_in "Email", with: "manuela@consul.dev"
+        fill_in "Password", with: "judgementday"
+        fill_in "Confirm password", with: "judgementday"
+        check "user_terms_of_service"
+
+        click_button "Register"
+
+        expect(page).to have_content message
+
+        confirm_email
+        expect(page).to have_content "Your account has been confirmed."
+
+        sent_token = /.*confirmation_token=(.*)".*/.match(ActionMailer::Base.deliveries.last.body.to_s)[1]
+        visit user_confirmation_path(confirmation_token: sent_token)
+
+        expect(page).to have_content "You have already been verified; please attempt to sign in."
+      end
    end

    context "Sign in" do