

fix(account): Login on verification broken
pennersr committed Sep 4, 2024
1 parent e224199 commit 6b731eb
Showing 5 changed files with 29 additions and 3 deletions.
6 changes: 5 additions & 1 deletion ChangeLog.rst
@@ -1,7 +1,11 @@
64.2.1 (unreleased)
*******************

- ...
Fixes
-----

- Verifying the email address by clicking on the link would no longer log you in, even
in case of ``ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION = True``.


64.2.0 (2024-08-30)
1 change: 1 addition & 0 deletions allauth/account/forms.py
@@ -383,6 +383,7 @@ def try_save(self, request):
email = self.cleaned_data["email"]
resp = flows.signup.prevent_enumeration(request, email)
user = None
# Fake a login stage.
request.session[flows.login.LOGIN_SESSION_KEY] = EmailVerificationStage.key
else:
user = self.save(request)
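Review bot: The `# Fake a login stage.` comment above `request.session[flows.login.LOGIN_SESSION_KEY] = EmailVerificationStage.key` does not say why the stage is faked, nor that the stored value is a bare stage key rather than the dict that a real login apparently leaves in the session. The middleware section of this commit branches on exactly that difference (`isinstance(login, dict)  # Deal with fake stages`), so the contract is worth stating where the value is written, for example `# Fake a login stage so an existing-account signup follows the same path as a new one; this stores the bare stage key, not a login dict.` The purpose is inferred from the `prevent_enumeration` call two lines earlier, so confirm the wording. `try_save` starts and ends outside this section.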
19 changes: 18 additions & 1 deletion allauth/account/middleware.py
@@ -8,6 +8,7 @@

from asgiref.sync import iscoroutinefunction, sync_to_async

from allauth.account import app_settings
from allauth.account.adapter import get_adapter
from allauth.account.internal import flows
from allauth.core import context
@@ -81,8 +82,24 @@ def _should_check_dangling_login(request, response):


def _check_dangling_login(request):
from allauth.account.stages import EmailVerificationStage

if not getattr(request, "_account_login_accessed", False):
if flows.login.LOGIN_SESSION_KEY in request.session:
if login := request.session.get(flows.login.LOGIN_SESSION_KEY):
if isinstance(login, dict): # Deal with fake stages
current_stage = login.get("state", {}).get("stages", {}).get("current")
if (
current_stage == EmailVerificationStage.key
and not app_settings.EMAIL_VERIFICATION_BY_CODE_ENABLED
):
# These days, "email verification by link" is just a regular
# stage. However, "email verification by link" was never
# automatically cancelled. So we need to make an exception
# here.
#
# TODO: Reconsider the overall approach to dangling logins:
# https://github.com/pennersr/django-allauth/issues/4087
return
request.session.pop(flows.login.LOGIN_SESSION_KEY)
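Review bot: In `_check_dangling_login` the new exemption is reached only when the session value is a dict, so the string placeholder that `forms.py` stores for an already-registered email (`EmailVerificationStage.key`) appears to fall through to `request.session.pop(...)`, while a real by-link signup now keeps its entry. If any later view responds differently depending on whether `LOGIN_SESSION_KEY` is still present, the two signup outcomes become distinguishable, which the `prevent_enumeration` call in `forms.py` suggests is to be avoided; that is worth confirming with a test or recording in the comment block. If the placeholder should be treated alike, the guard could accept it as well, e.g. `if login == EmailVerificationStage.key and not app_settings.EMAIL_VERIFICATION_BY_CODE_ENABLED: return`. Indentation is lost on this page, so the nesting of the final `pop` is inferred.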


3 changes: 3 additions & 0 deletions allauth/account/tests/test_email_verification.py
@@ -49,6 +49,9 @@ def test_login_on_verification(
assert resp.status_code == 302
assert resp["location"] == reverse("account_email_verification_sent")

resp = client.get(resp["location"])
assert resp.status_code == 200

email = EmailAddress.objects.get(email="[email protected]")
key = EmailConfirmationHMAC(email).key
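Review bot: The `resp = client.get(resp["location"])` step has no comment explaining why the test loads the "verification sent" page, and without one it reads as an unrelated status check. Presumably this request is what lets the dangling-login middleware run between signup and following the confirmation link, i.e. the step that reproduces the regression. If so, say it: `# Render the intermediate page so the dangling-login middleware runs before the link is followed.` The test body starts and ends outside this section.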

3 changes: 2 additions & 1 deletion allauth/account/tests/test_middleware.py
@@ -6,6 +6,7 @@

import pytest

from allauth.account.internal import flows
from allauth.account.middleware import AccountMiddleware
from allauth.core.exceptions import ImmediateHttpResponse

@@ -38,7 +39,7 @@ def test_remove_dangling_login(
response["Content-Type"] = content_type
mw = AccountMiddleware(lambda request: response)
mw(request)
assert ("account_login" in request.session) is (not login_removed)
assert (flows.login.LOGIN_SESSION_KEY in request.session) is (not login_removed)


def raise_immediate_http_response(request):
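Review bot: No case visible in `test_remove_dangling_login` exercises the exemption this commit adds to `_check_dangling_login`; the lines shown only reference `flows.login.LOGIN_SESSION_KEY` in the final assertion. The parametrization lies outside this section, so coverage may already exist. If not, add cases for a dict-valued login whose current stage is `EmailVerificationStage.key` with `EMAIL_VERIFICATION_BY_CODE_ENABLED` off (entry kept) and on (entry removed). A case for the string placeholder written by `forms.py` would also pin down which session states survive a request.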
