Require user to sign in after accepting invitation

To mitigate the security risk posed by leaked invitation tokens, we're
no longer automatically signing a user in when they accept an
invitation.

This is a feature of Devise's Invitable module, so not a lot of work on
our part.

config/initializers/devise.rb

@@ -116,6 +116,11 @@
   # Default: false
   config.validate_on_invite = true
 
+  # Auto-login after the user accepts the invite. If this is false,
+  # the user will need to manually log in after accepting the invite.
+  # Default: true
+  config.allow_insecure_sign_in_after_accept = false
+
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be

test/integration/inviting_users_test.rb

@@ -11,7 +11,24 @@ class InvitingUsersTest < ActionDispatch::IntegrationTest
     fill_in "Confirm new password", with: "this 1s 4 v3333ry s3cur3 p4ssw0rd.!Z"
     click_button "Save password"
 
-    assert_response_contains("You are now signed in")
+    assert_response_contains("Your password was set successfully.")
+  end
+
+  should "require the invited user to sign in after setting their password" do
+    user = User.invite!(name: "Neptuno Keighley", email: "neptuno.keighley@office.gov.uk")
+
+    accept_invitation(
+      invitation_token: user.raw_invitation_token,
+      password: "pretext annoying headpiece waviness header slinky",
+    )
+
+    assert_response_contains("Sign in to GOV.UK")
+
+    fill_in "Email", with: "neptuno.keighley@office.gov.uk"
+    fill_in "Password", with: "pretext annoying headpiece waviness header slinky"
+    click_button "Sign in"
+
+    assert_response_contains("Make your account more secure by setting up 2‑step verification.")
   end
 
   should "not send invitation token to Google Analytics" do