Merge pull request #467 from alphagov/move-tokens-to-query-params

Move tokens from a path param to a query param
alphagov · May 19, 2016 · ccbb1a2 · ccbb1a2
2 parents eef9358 + f0f3070
commit ccbb1a2
Show file tree

Hide file tree

Showing 32 changed files with 180 additions and 76 deletions.
diff --git a/app/controllers/signatures_controller.rb b/app/controllers/signatures_controller.rb
@@ -3,7 +3,10 @@ class SignaturesController < ApplicationController
 
   before_action :retrieve_petition, only: [:new, :create, :thank_you]
   before_action :retrieve_signature, only: [:verify, :unsubscribe, :signed]
+  before_action :verify_token, only: [:verify, :signed]
+  before_action :verify_unsubscribe_token, only: [:unsubscribe]
   before_action :redirect_to_petition_page, if: :petition_closed?, only: [:new, :create, :verify]
+  before_action :redirect_to_verify_page, unless: :signature_validated?, only: [:signed]
   before_action :do_not_cache
 
   respond_to :html
@@ -16,6 +19,7 @@ def new
 
   def create
     matching_signatures = find_existing_pending_signatures
+
     if matching_signatures.any?
       handle_existing_signatures(matching_signatures, @petition)
     else
@@ -24,25 +28,15 @@ def create
   end
 
   def signed
-    verify_token
-
-    if @signature.validated?
-
-      if @signature.seen_signed_confirmation_page?
-        redirect_to petition_url @signature.petition
-      else
-        @signature.mark_seen_signed_confirmation_page!
-        @petition = @signature.petition
-      end
-
+    if @signature.seen_signed_confirmation_page?
+      redirect_to petition_url @signature.petition
     else
-      redirect_to(verify_signature_url(@signature, @signature.perishable_token))
+      @signature.mark_seen_signed_confirmation_page!
+      @petition = @signature.petition
     end
   end
 
   def verify
-    verify_token
-
     if @signature.sponsor?
       validate_sponsor
     else
@@ -51,13 +45,25 @@ def verify
   end
 
   def unsubscribe
-    @signature.unsubscribe!(params[:unsubscribe_token])
+    @signature.unsubscribe!(token_param)
   end
 
   private
 
+  def token_param
+    @token_param ||= (params[:token] || params[:legacy_token]).to_s
+  end
+
   def verify_token
-    raise ActiveRecord::RecordNotFound unless @signature.perishable_token == params[:token]
+    unless @signature.perishable_token == token_param
+      raise ActiveRecord::RecordNotFound, "Unable to find Signature with token: token_param.inspect}"
+    end
+  end
+
+  def verify_unsubscribe_token
+    unless @signature.unsubscribe_token == token_param
+      raise ActiveRecord::RecordNotFound, "Unable to find Signature with unsubscribe token: #{token_param.inspect}"
+    end
   end
 
   def retrieve_petition
@@ -73,10 +79,18 @@ def redirect_to_petition_page
     redirect_to petition_url(@petition)
   end
 
+  def redirect_to_verify_page
+    redirect_to verify_signature_url(@signature, token: @signature.perishable_token)
+  end
+
   def petition_closed?
     @petition && @petition.closed?
   end
 
+  def signature_validated?
+    @signature && @signature.validated?
+  end
+
   def send_email_to_petition_signer(signature)
     EmailConfirmationForSignerEmailJob.perform_later(signature)
   end

diff --git a/app/views/petition_mailer/email_confirmation_for_signer.html.erb b/app/views/petition_mailer/email_confirmation_for_signer.html.erb
@@ -1,6 +1,6 @@
 <p>Click this link to sign the petition "<%= @petition.action %>"</p>
 
-<p><%= link_to nil, verify_signature_url(@signature, @signature.perishable_token) %></p>
+<p><%= link_to nil, verify_signature_url(@signature, token: @signature.perishable_token) %></p>
 
 <p>Thanks,<br />
 <%= t("petitions.emails.signoff_prefix") %><br />

diff --git a/app/views/petition_mailer/email_confirmation_for_signer.text.erb b/app/views/petition_mailer/email_confirmation_for_signer.text.erb
@@ -1,6 +1,6 @@
 Click this link to sign the petition "<%= @petition.action %>"
 
-<%= verify_signature_url(@signature, @signature.perishable_token) %>
+<%= verify_signature_url(@signature, token: @signature.perishable_token) %>
 
 Thanks,
 <%= t("petitions.emails.signoff_prefix") %>

diff --git a/app/views/petition_mailer/email_creator.html.erb b/app/views/petition_mailer/email_creator.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>
@@ -15,4 +15,4 @@
 
 <hr>
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
diff --git a/app/views/petition_mailer/email_creator.text.erb b/app/views/petition_mailer/email_creator.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -15,4 +15,4 @@ Thanks,
 
 --
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/email_signer.html.erb b/app/views/petition_mailer/email_signer.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you signed this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>
@@ -15,4 +15,4 @@
 
 <hr>
 <p><small>You’re receiving this email because you signed this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
diff --git a/app/views/petition_mailer/email_signer.text.erb b/app/views/petition_mailer/email_signer.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -15,4 +15,4 @@ Thanks,
 
 --
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/notify_creator_of_debate_outcome.html.erb b/app/views/petition_mailer/notify_creator_of_debate_outcome.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>
@@ -38,4 +38,4 @@
 
 <hr>
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
diff --git a/app/views/petition_mailer/notify_creator_of_debate_outcome.text.erb b/app/views/petition_mailer/notify_creator_of_debate_outcome.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -39,4 +39,4 @@ Thanks,
 
 --
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/notify_creator_of_debate_scheduled.html.erb b/app/views/petition_mailer/notify_creator_of_debate_scheduled.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>
@@ -18,4 +18,4 @@
 
 <hr>
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
diff --git a/app/views/petition_mailer/notify_creator_of_debate_scheduled.text.erb b/app/views/petition_mailer/notify_creator_of_debate_scheduled.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -18,4 +18,4 @@ Thanks,
 
 --
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/notify_creator_of_threshold_response.html.erb b/app/views/petition_mailer/notify_creator_of_threshold_response.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>
@@ -30,4 +30,4 @@
 
 <hr>
 <p><small>You’re receiving this email because you created this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
diff --git a/app/views/petition_mailer/notify_creator_of_threshold_response.text.erb b/app/views/petition_mailer/notify_creator_of_threshold_response.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -30,4 +30,4 @@ Thanks,
 
 --
 You’re receiving this email because you created this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/notify_signer_of_debate_outcome.html.erb b/app/views/petition_mailer/notify_signer_of_debate_outcome.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you signed this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>

diff --git a/app/views/petition_mailer/notify_signer_of_debate_outcome.text.erb b/app/views/petition_mailer/notify_signer_of_debate_outcome.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -39,4 +39,4 @@ Thanks,
 
 --
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/notify_signer_of_debate_scheduled.html.erb b/app/views/petition_mailer/notify_signer_of_debate_scheduled.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you signed this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>
@@ -18,4 +18,4 @@
 
 <hr>
 <p><small>You’re receiving this email because you signed this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
diff --git a/app/views/petition_mailer/notify_signer_of_debate_scheduled.text.erb b/app/views/petition_mailer/notify_signer_of_debate_scheduled.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -18,4 +18,4 @@ Thanks,
 
 --
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/notify_signer_of_threshold_response.html.erb b/app/views/petition_mailer/notify_signer_of_threshold_response.html.erb
@@ -1,5 +1,5 @@
 <p><small>You’re receiving this email because you signed this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
 <hr>
 
 <p>Dear <%= @signature.name %>,</p>
@@ -30,4 +30,4 @@
 
 <hr>
 <p><small>You’re receiving this email because you signed this petition: “<%= @petition.action %>”.</small></p>
-<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %></small></p>
+<p><small>To unsubscribe from this petition: <%= link_to nil, unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %></small></p>
diff --git a/app/views/petition_mailer/notify_signer_of_threshold_response.text.erb b/app/views/petition_mailer/notify_signer_of_threshold_response.text.erb
@@ -1,5 +1,5 @@
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
 --
 
 Dear <%= @signature.name %>,
@@ -30,4 +30,4 @@ Thanks,
 
 --
 You’re receiving this email because you signed this petition: “<%= @petition.action %>”.
-To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, @signature.unsubscribe_token) %>
+To unsubscribe from this petition: <%= unsubscribe_signature_url(@signature, token: @signature.unsubscribe_token) %>
diff --git a/app/views/petition_mailer/special_resend_of_email_confirmation_for_signer.html.erb b/app/views/petition_mailer/special_resend_of_email_confirmation_for_signer.html.erb
@@ -4,7 +4,7 @@
 
 <p>Click this link to sign the petition:</p>
 
-<p><%= link_to nil, verify_signature_url(@signature, @signature.perishable_token) %></p>
+<p><%= link_to nil, verify_signature_url(@signature, token: @signature.perishable_token) %></p>
 
 <p>Thanks,<br />
 <%= t("petitions.emails.signoff_prefix") %><br />

diff --git a/app/views/petition_mailer/special_resend_of_email_confirmation_for_signer.text.erb b/app/views/petition_mailer/special_resend_of_email_confirmation_for_signer.text.erb
@@ -4,7 +4,7 @@ We noticed that you tried to sign the petition "<%= @petition.action %>" but hav
 
 Click this link to sign the petition:
 
-<%= verify_signature_url(@signature, @signature.perishable_token) %>
+<%= verify_signature_url(@signature, token: @signature.perishable_token) %>
 
 Thanks,
 <%= t("petitions.emails.signoff_prefix") %>

diff --git a/app/views/sponsor_mailer/petition_and_email_confirmation_for_sponsor.html.erb b/app/views/sponsor_mailer/petition_and_email_confirmation_for_sponsor.html.erb
@@ -1,6 +1,6 @@
 <p>Click this link to sign the petition “<%= @petition.action %>”</p>
 
-<p><%= link_to nil, verify_signature_url(@signature, @signature.perishable_token) %></p>
+<p><%= link_to nil, verify_signature_url(@signature, token: @signature.perishable_token) %></p>
 
 <hr />
 
@@ -17,4 +17,4 @@
 <hr />
 
 <p>Click this link to sign the petition:<br />
-<%= link_to nil, verify_signature_url(@signature, @signature.perishable_token) %></p>
+<%= link_to nil, verify_signature_url(@signature, token: @signature.perishable_token) %></p>
diff --git a/app/views/sponsor_mailer/petition_and_email_confirmation_for_sponsor.text.erb b/app/views/sponsor_mailer/petition_and_email_confirmation_for_sponsor.text.erb
@@ -1,6 +1,6 @@
 Click this link to sign the petition "<%= @petition.action %>"
 
-<%= verify_signature_url(@signature, @signature.perishable_token) %>
+<%= verify_signature_url(@signature, token: @signature.perishable_token) %>
 
 --
 
@@ -17,4 +17,4 @@ Click this link to sign the petition "<%= @petition.action %>"
 --
 
 Click this link to sign the petition:
-<%= verify_signature_url(@signature, @signature.perishable_token) %>
+<%= verify_signature_url(@signature, token: @signature.perishable_token) %>
diff --git a/config/routes.rb b/config/routes.rb
@@ -39,9 +39,9 @@
     post 'petitions/new' => 'petitions#create', :as => :create_petition
 
     scope 'signatures/:id' do
-      get 'verify/:token' => 'signatures#verify', :as => :verify_signature
-      get 'unsubscribe/:unsubscribe_token' => 'signatures#unsubscribe', :as => :unsubscribe_signature
-      get 'signed/:token' => 'signatures#signed', :as => :signed_signature
+      get 'verify(/:legacy_token)' => 'signatures#verify', :as => :verify_signature
+      get 'unsubscribe(/:legacy_token)' => 'signatures#unsubscribe', :as => :unsubscribe_signature
+      get 'signed(/:legacy_token)' => 'signatures#signed', :as => :signed_signature
     end
 
     namespace :archived do

diff --git a/features/step_definitions/unsubscription_steps.rb b/features/step_definitions/unsubscription_steps.rb
@@ -1,7 +1,7 @@
 Then /^Suzie should have received a petition response email with an unsubscription link$/ do
   expect(unread_emails_for(@suzies_signature.email).size).to eq 1
   open_email(@suzies_signature.email)
-  unsubscription_url = unsubscribe_signature_url(@suzies_signature, @suzies_signature.unsubscribe_token)
+  unsubscription_url = unsubscribe_signature_url(@suzies_signature, token: @suzies_signature.unsubscribe_token)
   expect(current_email.default_part_body.to_s).to include(unsubscription_url)
 end