redirect user who is already registered

CenterForOpenScience · Jul 30, 2020 · 5c15c6e · 5c15c6e
1 parent de1a488
commit 5c15c6e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 5 deletions.
diff --git a/framework/auth/views.py b/framework/auth/views.py
@@ -505,6 +505,8 @@ def external_login_confirm_email_get(auth, uid, token):
     """
 
     user = OSFUser.load(uid)
+    service_url = request.url
+
     if not user:
         sentry.log_message('external_login_confirm_email_get::400 - Cannot find user')
         raise HTTPError(http_status.HTTP_400_BAD_REQUEST)
@@ -531,10 +533,13 @@ def external_login_confirm_email_get(auth, uid, token):
             status.push_status_message(language.WELCOME_MESSAGE, kind='default', jumbotron=True, trust=True, id='welcome_message')
         return redirect(web_url_for('dashboard'))
 
-    # token is invalid
     if token not in user.email_verifications:
-        sentry.log_message('external_login_confirm_email_get::400 - bad token')
-        raise HTTPError(http_status.HTTP_400_BAD_REQUEST)
+        if user.is_registered:
+            # User is registered with account already linked, probably button mashing.
+            return redirect(web_url_for('dashboard'))
+        else:
+            sentry.log_message('external_login_confirm_email_get::400 - bad token')
+            raise HTTPError(http_status.HTTP_400_BAD_REQUEST)
     verification = user.email_verifications[token]
     email = verification['email']
     provider = list(verification['external_identity'].keys())[0]
@@ -564,8 +569,6 @@ def external_login_confirm_email_get(auth, uid, token):
     user.verification_key = generate_verification_key()
     user.save()
 
-    service_url = request.url
-
     if external_status == 'CREATE':
         mails.send_mail(
             to_addr=user.username,

diff --git a/tests/test_views.py b/tests/test_views.py
@@ -4026,6 +4026,20 @@ def test_external_login_confirm_email_get_with_another_user_logged_in(self):
         assert_in('/logout?service=', res.location)
         assert_in(url, res.location)
 
+    def test_external_login_confirm_email_twice(self):
+        url = self.user.get_confirmation_url(self.user.username, external_id_provider='orcid', destination='dashboard')
+        print(self.user.email_verifications)
+        res = self.app.get(url, auth=self.auth)
+        assert_equal(res.status_code, 302, 'redirects to cas logout')
+        assert_in('/login?service=', res.location)
+
+        self.user.refresh_from_db()
+        assert_equal(self.user.email_verifications, {})
+
+        res = self.app.get(url, auth=self.auth)
+        assert_equal(res.status_code, 302, 'redirects to cas logout')
+        assert_in('/dashboard/', res.location)
+
     def test_external_login_confirm_email_get_without_destination(self):
         url = self.user.get_confirmation_url(self.user.username, external_id_provider='orcid')
         res = self.app.get(url, auth=self.auth, expect_errors=True)