GRN2-233: Made account activation & password reset links based on tokens only (#959)

* GRN2-233: Hiding email in verification link and password reset link * updating tests * removing uid from email verificaiton link * GRN2-233: modifying test cases * GRN2-233: Removing uid from password reset link * GRN2-233: Removed email_params and fixed "authenticated?" method * GRN2-233: Fixed error when trying to sign in unverified * GRN2-233: Changed how activation tokens are generated
2020-02-24 13:05:09 -05:00
parent b7aa5406ea
commit 03266730e8
10 changed files with 42 additions and 46 deletions
--- a/app/controllers/account_activations_controller.rb
+++ b/app/controllers/account_activations_controller.rb
@ -51,6 +51,7 @@ class AccountActivationsController < ApplicationController
      flash[:alert] = I18n.t("verify.already_verified")
    else
      # Resend
+      @user.create_activation_token
      send_activation_email(@user)
    end

@ -60,14 +61,10 @@ class AccountActivationsController < ApplicationController
  private

  def find_user
-    @user = User.find_by!(email: params[:email], provider: @user_domain)
+    @user = User.find_by!(activation_digest: User.digest(params[:token]), provider: @user_domain)
  end

  def ensure_unauthenticated
    redirect_to current_user.main_room if current_user
  end
-
-  def email_params
-    params.require(:email).permit(:email, :token)
-  end
 end
--- a/app/controllers/concerns/emailer.rb
+++ b/app/controllers/concerns/emailer.rb
@ -125,7 +125,7 @@ module Emailer

  # Returns the link the user needs to click to verify their account
  def user_verification_link(user)
-    edit_account_activation_url(token: user.activation_token, email: user.email)
+    edit_account_activation_url(token: user.activation_token)
  end

  def admin_emails
@ -140,7 +140,7 @@ module Emailer
  end

  def reset_link(user)
-    edit_password_reset_url(user.reset_token, email: user.email)
+    edit_password_reset_url(user.reset_token)
  end

  def invitation_link(token)
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@ -68,7 +68,7 @@ class PasswordResetsController < ApplicationController
  private

  def find_user
-    @user = User.find_by(email: params[:email], provider: @user_domain)
+    @user = User.find_by(reset_digest: User.digest(params[:id]), provider: @user_domain)
  end

  def user_params
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -88,7 +88,10 @@ class SessionsController < ApplicationController
      # Check that the user is a Greenlight account
      return redirect_to(root_path, alert: I18n.t("invalid_login_method")) unless user.greenlight_account?
      # Check that the user has verified their account
-      return redirect_to(account_activation_path(email: user.email)) unless user.activated?
+      unless user.activated?
+        user.create_activation_token
+        return redirect_to(account_activation_path(token: user.activation_token))
+      end
    end

    login(user)
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -58,6 +58,8 @@ class UsersController < ApplicationController
    # Sign in automatically if email verification is disabled or if user is already verified.
    login(@user) && return if !Rails.configuration.enable_email_verification || @user.email_verified

+    @user.create_activation_token
+
    send_activation_email(@user)

    redirect_to root_path