Remove profile completion from the signup flow

And restore the previous quick login after verifying the user's email address. The profile completion form - which has a 'first name' and a 'last name' field along with a login button - can easily be mistaken for a login form. In fact, I fell for this myself, entering my email in the first name field and my password in the last name field! This presents a security risk: we end up inadvertently storing plain-text passwords of any users who happen to mistake the profile form for a login form.
SAEONData · Mar 12, 2021 · b6d4923 · b6d4923
1 parent 13c9428
commit b6d4923
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/odp/identity/templates/verify_email_complete.html b/odp/identity/templates/verify_email_complete.html
@@ -0,0 +1,13 @@
+{% extends 'base.html' %}
+{% from 'bootstrap/form.html' import render_field %}
+
+{% block heading %}
+    Account verified
+{% endblock %}
+
+{% block content %}
+    <form action="{{ url_for('account.verify_email_complete', token=token) }}" method="POST">
+        {{ form.csrf_token }}
+        {{ render_field(form.submit) }}
+    </form>
+{% endblock %}
diff --git a/odp/identity/views/account.py b/odp/identity/views/account.py
@@ -34,8 +34,8 @@ def verify_email():
             update_user_verified(user_id, True)
             flash("Your email address has been verified.")
 
-            complete_token = encode_token(challenge, 'account.profile', user_id=user_id)
-            redirect_to = url_for('.profile', token=complete_token)
+            complete_token = encode_token(challenge, 'account.verify_email_complete', user_id=user_id)
+            redirect_to = url_for('.verify_email_complete', token=complete_token)
 
         except x.ODPIdentityError as e:
             # any validation error => reject login
@@ -47,6 +47,36 @@ def verify_email():
         return hydra_error_page(e)
 
 
+@bp.route('/verify-email-complete', methods=('GET', 'POST'))
+def verify_email_complete():
+    """View for concluding the login with Hydra after verifying an email address.
+
+    The token ensures that we can only get here from the verify email view.
+    """
+    token = request.args.get('token')
+    try:
+        login_request, challenge, params = decode_token(token, 'account.verify_email_complete')
+
+        form = AutoLoginForm()
+        user_id = params.get('user_id')
+
+        if request.method == 'POST':
+            try:
+                validate_auto_login(user_id)
+                redirect_to = hydra_admin.accept_login_request(challenge, user_id)
+
+            except x.ODPIdentityError as e:
+                # any validation error => reject login
+                redirect_to = hydra_admin.reject_login_request(challenge, e.error_code, e.error_description)
+
+            return redirect(redirect_to)
+
+        return render_template('verify_email_complete.html', form=form, token=token)
+
+    except x.HydraAdminError as e:
+        return hydra_error_page(e)
+
+
 @bp.route('/profile', methods=('GET', 'POST'))
 def profile():
     """View for updating user profile info."""