class EmailConfirmationController

Public Instance Methods

show() click to toggle source
# File lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb, line 5
def show
  if current_user.email_confirmed
    # Do not automatically log in the user
    flash[:notice] = "Thanks for confirming your email address"

    respond_to do |format|
      format.json { head :no_content }
      format.html { redirect_to root_path }
    end
  else
    respond_to do |format|
      format.json { render json: { status: 'error', errors: current_user.errors }.to_json, status: 422 }
      format.html {
        flash[:error] = "Could not confirm email address because it is already in use"
        redirect_to root_path
      }
    end
  end
end

Protected Instance Methods

require_token() click to toggle source

Confirmation tokens confirm an email address. It is conceivable that an attacker might choose an address out of their control and attempt to brute-force a confirmation. By default this gains the attacker nothing.

It is possible to consider failed confirmation tokens failed attempts and lock the account.

# File lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb, line 33
def require_token
  valid = params[:token].present? && current_user.confirmation_token.present?
  valid = valid && ActiveSupport::SecurityUtils.secure_compare(params[:token], current_user.confirmation_token)
  valid = valid && !current_user.confirmation_token_expired?
  deny_user("Invalid token", root_path) unless valid
end