class EmailConfirmationController < ApplicationController before_filter :require_login before_filter :require_token respond_to :html def show if current_user.email_confirmed # Do not automatically log in the user flash[:notice] = "Thanks for confirming your email address" respond_to do |format| format.json { head :no_content } format.html { redirect_to root_path } end else respond_to do |format| format.json { render json: { status: 'error', errors: current_user.errors }.to_json, status: 422 } format.html { flash[:error] = "Could not confirm email address because it is already in use" redirect_to root_path } end end end protected # Confirmation tokens confirm an email address. It is conceivable # that an attacker might choose an address out of their control and attempt to # brute-force a confirmation. By default this gains the attacker nothing. # # It is possible to consider failed confirmation tokens failed attempts and # lock the account. def require_token verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_key_base) valid = params[:token].present? valid = valid && verifier.send(:secure_compare, params[:token], current_user.confirmation_token) valid = valid && !current_user.confirmation_token_expired? deny_user("Invalid token", root_path) unless valid end end