mastodon/app/controllers/auth/confirmations_controller.rb

# frozen_string_literal: true

class Auth::ConfirmationsController < Devise::ConfirmationsController
  include CaptchaConcern

  layout 'auth'

  before_action :set_body_classes
  before_action :set_pack
  before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
  before_action :require_unconfirmed!

  before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
  before_action :require_captcha_if_needed!, only: [:show]

  skip_before_action :require_functional!

  def new
    super

    resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
  end

  def show
    old_session_values = session.to_hash
    reset_session
    session.update old_session_values.except('session_id')

    super
  end

  def confirm_captcha
    check_captcha! do |message|
      flash.now[:alert] = message
      render :captcha
      return
    end

    show
  end

  private

  def require_captcha_if_needed!
    render :captcha if captcha_required?
  end

  def set_confirmation_user!
    # We need to reimplement looking up the user because
    # Devise::ConfirmationsController#show looks up and confirms in one
    # step.
    confirmation_token = params[:confirmation_token]
    return if confirmation_token.nil?
    @confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)
  end

  def captcha_user_bypass?
    return true if @confirmation_user.nil? || @confirmation_user.confirmed?

    invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?
    invite.present? && !invite.max_uses.nil?
  end

  def set_pack
    use_pack 'auth'
  end

  def require_unconfirmed!
    if user_signed_in? && current_user.confirmed? && current_user.unconfirmed_email.blank?
      redirect_to(current_user.approved? ? root_path : edit_user_registration_path)
    end
  end

  def set_body_classes
    @body_classes = 'lighter'
  end

  def after_resending_confirmation_instructions_path_for(_resource_name)
    if user_signed_in?
      if current_user.confirmed? && current_user.approved?
        edit_user_registration_path
      else
        auth_setup_path
      end
    else
      new_user_session_path
    end
  end

  def after_confirmation_path_for(_resource_name, user)
    if user.created_by_application && truthy_param?(:redirect_to_app)
      user.created_by_application.confirmation_redirect_uri
    else
      super
    end
  end
end
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 15:56:29 +00:00			`# frozen_string_literal: true`

Adding e-mail confirmations 2016-10-03 14:38:22 +00:00			`class Auth::ConfirmationsController < Devise::ConfirmationsController`
Add ability to set hCaptcha either on registration form or on e-mail validation Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API. 2022-01-25 21:37:12 +00:00			`include CaptchaConcern`

Adding e-mail confirmations 2016-10-03 14:38:22 +00:00			`layout 'auth'`
Merge remote-tracking branch 'origin/master' into merge-upstream Conflicts: app/controllers/auth/confirmations_controller.rb 2017-12-30 23:20:07 +00:00
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo 2018-07-30 23:14:33 +00:00			`before_action :set_body_classes`
Finalized theme loading and stuff 2017-11-21 06:13:37 +00:00			`before_action :set_pack`
Add ability to set hCaptcha either on registration form or on e-mail validation Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API. 2022-01-25 21:37:12 +00:00			`before_action :set_confirmation_user!, only: [:show, :confirm_captcha]`
Change account deletion page to have better explanations (#11753) Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form 2019-09-04 02:13:54 +00:00			`before_action :require_unconfirmed!`
Default follows for new users (#4871) When a new user confirms their e-mail, bootstrap their home timeline by automatically following a set of accounts. By default, all local admin accounts (that are unlocked). Can be customized by new admin setting (comma-separated usernames, local and unlocked only) 2017-09-10 07:58:38 +00:00
Add ability to set hCaptcha either on registration form or on e-mail validation Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API. 2022-01-25 21:37:12 +00:00			`before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]`
			`before_action :require_captcha_if_needed!, only: [:show]`

Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication. 2019-07-22 08:48:50 +00:00			`skip_before_action :require_functional!`
CAS + SAML authentication feature (#6425) * Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add locales 2018-02-04 04:42:13 +00:00
Change account deletion page to have better explanations (#11753) Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form 2019-09-04 02:13:54 +00:00			`def new`
			`super`

			`resource.email = current_user.unconfirmed_email \|\| current_user.email if user_signed_in?`
			`end`

Add ability to set hCaptcha either on registration form or on e-mail validation Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API. 2022-01-25 21:37:12 +00:00			`def show`
			`old_session_values = session.to_hash`
			`reset_session`
			`session.update old_session_values.except('session_id')`

			`super`
			`end`

			`def confirm_captcha`
			`check_captcha! do \|message\|`
			`flash.now[:alert] = message`
			`render :captcha`
			`return`
			`end`

			`show`
			`end`

CAS + SAML authentication feature (#6425) * Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add locales 2018-02-04 04:42:13 +00:00			`private`

Add ability to set hCaptcha either on registration form or on e-mail validation Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API. 2022-01-25 21:37:12 +00:00			`def require_captcha_if_needed!`
			`render :captcha if captcha_required?`
			`end`

			`def set_confirmation_user!`
			`# We need to reimplement looking up the user because`
			`# Devise::ConfirmationsController#show looks up and confirms in one`
			`# step.`
			`confirmation_token = params[:confirmation_token]`
			`return if confirmation_token.nil?`
			`@confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)`
			`end`

			`def captcha_user_bypass?`
			`return true if @confirmation_user.nil? \|\| @confirmation_user.confirmed?`

			`invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?`
			`invite.present? && !invite.max_uses.nil?`
			`end`

Fix confirmations_controller 2018-06-21 21:48:54 +00:00			`def set_pack`
			`use_pack 'auth'`
			`end`

Change account deletion page to have better explanations (#11753) Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form 2019-09-04 02:13:54 +00:00			`def require_unconfirmed!`
Change confirmations controller to redirect to / for approved users (#16151) Clicking the confirmation link multiple times currently leads to entering account settings, which can be confusing. This commit changes that so that it redirects to the root path, so it behaves the same way as clicking only once in most cases. 2021-05-03 13:45:19 +00:00			`if user_signed_in? && current_user.confirmed? && current_user.unconfirmed_email.blank?`
			`redirect_to(current_user.approved? ? root_path : edit_user_registration_path)`
			`end`
Change account deletion page to have better explanations (#11753) Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form 2019-09-04 02:13:54 +00:00			`end`

Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo 2018-07-30 23:14:33 +00:00			`def set_body_classes`
			`@body_classes = 'lighter'`
			`end`

Change account deletion page to have better explanations (#11753) Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form 2019-09-04 02:13:54 +00:00			`def after_resending_confirmation_instructions_path_for(_resource_name)`
			`if user_signed_in?`
Fix wrong variable regression from #11753 (#11763) 2019-09-05 04:13:50 +00:00			`if current_user.confirmed? && current_user.approved?`
Change account deletion page to have better explanations (#11753) Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form 2019-09-04 02:13:54 +00:00			`edit_user_registration_path`
			`else`
			`auth_setup_path`
			`end`
			`else`
			`new_user_session_path`
			`end`
			`end`

Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account 2018-12-24 18:12:38 +00:00			`def after_confirmation_path_for(_resource_name, user)`
			`if user.created_by_application && truthy_param?(:redirect_to_app)`
Fix confirmation redirect to app without `Location` header (#18523) 2022-05-26 20:03:54 +00:00			`user.created_by_application.confirmation_redirect_uri`
Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account 2018-12-24 18:12:38 +00:00			`else`
			`super`
			`end`
			`end`
Adding e-mail confirmations 2016-10-03 14:38:22 +00:00			`end`