lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb in authkit-0.4.0 vs lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb in authkit-0.5.0
@@ -32,10 +32,10 @@
#
# It is possible to consider failed confirmation tokens failed attempts and
# lock the account.
def require_token
verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_key_base)
- valid = params[:token].present?
+ valid = params[:token].present? && current_user.confirmation_token.present?
valid = valid && verifier.send(:secure_compare, params[:token], current_user.confirmation_token)
valid = valid && !current_user.confirmation_token_expired?
deny_user("Invalid token", root_path) unless valid
end
end
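Review bot: The comparison on the `verifier.send(:secure_compare, ...)` line still reaches a private method of MessageVerifier through `send`, and the verifier built from `secret_key_base` on the line above exists only for that purpose; `ActiveSupport::SecurityUtils.secure_compare` (public since Rails 4.2) does the same constant-time comparison without the `send` or the verifier. The added presence check also lets a non-String parameter through (a `token[]=` array or hash form is `present?`), which would make `secure_compare` raise on `bytesize` and surface as an error rather than the `deny_user` path. A type check on the incoming value covers both points: `token = params[:token]`, `valid = token.is_a?(String) && current_user.confirmation_token.present?`, `valid = valid && ActiveSupport::SecurityUtils.secure_compare(token, current_user.confirmation_token)`. If `current_user` can be nil at this point (no `before_action` is visible in the hunk), the new line raises before `deny_user` runs, so the guard that establishes a logged-in user should be confirmed outside this hunk.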