Validate users before confirming new accounts #4456

Merged: stuartc merged 9 commits into OpenFn:main from sakibsadmanshajib:validate-user-confirmation, Feb 27, 2026

Conversation

@sakibsadmanshajib (Contributor) commented Feb 25, 2026

Description

This PR fixes #2916 by adding user validation before confirming new accounts. Previously, a user clicking a confirmation link could confirm an account without being logged in or proving their identity, leading to potential security risks (e.g., confirming someone else's account if they had the link).

The changes include:

  • Moving the GET /users/confirm/:token and POST /users/confirm/:token routes behind the :require_authenticated_user plug in lib/lightning_web/router.ex. This ensures that users must be logged in to access the confirmation page.
  • Updating UserConfirmationController.edit/2 and UserConfirmationController.update/2 to verify that the logged-in user matches the user associated with the confirmation token. If they do not match, an error is displayed and the user is redirected.
  • Updating UserConfirmationControllerTest.exs to reflect these changes, testing both the redirection for unauthenticated users and the identity check for logged-in users.

Validation steps

  1. As a new user, register for an account.
  2. Receive the confirmation email with the link (or copy it from logs/console).
  3. Open the link in an incognito window (where you are not logged in).
  4. Verify that you are redirected to the login page.
  5. Log in with the correct credentials.
  6. Verify that you are redirected back to the confirmation page and see the "Confirm my account" button.
  7. Click the button and verify the account is confirmed.
  8. (Negative Test) Try to open the confirmation link while logged in as a different user. Verify that you see an error message: "You are logged in as a different user."

Additional notes for the reviewer

The UserConfirmationController logic now explicitly checks conn.assigns.current_user.id against the token's user ID. This check is redundant with the router's require_authenticated_user for the presence of a user, but critical for ensuring the correct user is confirming the account.

AI Usage

Please disclose whether you've used AI anywhere in this PR (it's cool, we just want to know!):

  • I have used Claude Code
  • I have used another model
  • I have not used AI

Pre-submission checklist

  • I have performed an AI review of my code (we recommend using /review with Claude Code)
  • I have implemented and tested all related authorization policies. (e.g., :owner, :admin, :editor, :viewer)
  • I have updated the changelog.
  • I have ticked a box in "AI usage" in this PR

Copilot AI review requested due to automatic review settings February 25, 2026 01:59

Copilot AI left a comment


Pull request overview

This PR addresses issue #2916 by requiring authentication and validating the logged-in user before allowing account confirmation via /users/confirm/:token, preventing confirmation with only possession of the link.

Changes:

  • Moved GET/POST /users/confirm/:token behind :require_authenticated_user in the router.
  • Added controller checks to ensure the confirmation token’s user matches current_user, with error handling for mismatches/invalid tokens.
  • Updated controller tests to cover unauthenticated redirects and wrong-user token usage.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Summary per file:

  • lib/lightning_web/router.ex: Moves confirm-by-token routes into the authenticated browser scope.
  • lib/lightning_web/controllers/user_confirmation_controller.ex: Validates token ownership against current_user for edit/update flows.
  • lib/lightning/accounts.ex: Adds get_user_by_confirmation_token/1 helper to resolve token → user.
  • test/lightning_web/controllers/user_confirmation_controller_test.exs: Updates tests for authentication requirement and identity enforcement.
  • CHANGELOG.md: Documents the security fix under “Fixed”.

@sakibsadmanshajib (Contributor, Author) commented:

I have addressed the Copilot AI comments:

  1. Updated the assertion in UserConfirmationControllerTest.exs to specifically check for the confirmation token's removal, allowing valid session tokens to persist.
  2. Updated UserConfirmationController.edit/2 to mirror update/2's behavior: already-confirmed users are now redirected without an error message when clicking an invalid or expired confirmation link.
  3. Applied formatting to all modified files.

All tests are now passing locally.

@midigofrank (Collaborator) left a comment:


Hey @sakibsadmanshajib, great job here. I have 2 change requests:

  1. For security reasons, we should not disclose that the token belongs to another user; let's just tell them that it's an invalid token.
  2. Can we extract the logic that verifies the token into a function plug? That way it can be reused by the update action. Something like:
    plug :verify_confirmation_token when action in [:edit, :update]

    defp verify_confirmation_token(conn, _opts) do
      # resolve the token's user, compare with conn.assigns.current_user,
      # and halt with the generic "invalid token" error on mismatch
      conn
    end
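The function plug requested above, as an added example that is not code from this PR or from the Lightning project, combining the PR's ownership check with the reviewer's generic error message and the silent redirect for already-confirmed users. It assumes Lightning.Accounts.get_user_by_confirmation_token/1 as described in the review summary, a phx.gen.auth-style Accounts.confirm_user/1 returning {:ok, user} or :error, a confirmed_at field on the user, and that the router's :require_authenticated_user has already populated conn.assigns.current_user.

```elixir
defmodule LightningWeb.UserConfirmationController do
  use LightningWeb, :controller

  alias Lightning.Accounts

  # One function plug guards both actions, so edit/2 and update/2 share
  # the same ownership check (hypothetical sketch, not the merged code).
  plug :verify_confirmation_token when action in [:edit, :update]

  defp verify_confirmation_token(conn, _opts) do
    %{"token" => token} = conn.params
    # Present because the router's :require_authenticated_user ran first.
    %{id: user_id, confirmed_at: confirmed_at} = conn.assigns.current_user
    already_confirmed? = not is_nil(confirmed_at)

    case Accounts.get_user_by_confirmation_token(token) do
      # Token resolves to the logged-in user: let the action run.
      %{id: id} = user when id == user_id ->
        assign(conn, :token_user, user)

      # Anything else while the user is already confirmed: silent redirect,
      # there is nothing left to confirm (no error flashed).
      _ when already_confirmed? ->
        conn |> redirect(to: "/") |> halt()

      # Unknown, expired, or another user's token: one generic message, so
      # the response never reveals that a token belongs to another account.
      _ ->
        conn
        |> put_flash(:error, "User confirmation link is invalid or it has expired.")
        |> redirect(to: "/")
        |> halt()
    end
  end

  def edit(conn, _params) do
    render(conn, :edit, user: conn.assigns.token_user)
  end

  # Assumes a phx.gen.auth-style Accounts.confirm_user/1 (not on the page).
  def update(conn, %{"token" => token}) do
    case Accounts.confirm_user(token) do
      {:ok, _user} ->
        conn |> put_flash(:info, "User confirmed successfully.") |> redirect(to: "/")

      :error ->
        conn |> put_flash(:error, "User confirmation link is invalid or it has expired.") |> redirect(to: "/")
    end
  end
end
```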

@midigofrank (Collaborator) left a comment:


Nicely done @sakibsadmanshajib

@midigofrank midigofrank requested a review from stuartc February 27, 2026 04:16
@stuartc (Member) left a comment:


Looks good, thanks! I'm adding one test for the silent redirect if the user is already confirmed.

stuartc merged commit 14c67e9 into OpenFn:main, Feb 27, 2026 (5 checks passed)
sakibsadmanshajib deleted the validate-user-confirmation branch February 27, 2026 19:50