diff --git a/ChangeLog.rst b/ChangeLog.rst index 574f2452ae..ca73a21a2d 100644 --- a/ChangeLog.rst +++ b/ChangeLog.rst @@ -1,7 +1,11 @@ 64.2.1 (unreleased) ******************* -- ... +Fixes +----- + +- Verifying the email address by clicking on the link would no longer log you in, even + in case of ``ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION = True``. 64.2.0 (2024-08-30) diff --git a/allauth/account/forms.py b/allauth/account/forms.py index 3a1c43eabf..16bca348cc 100644 --- a/allauth/account/forms.py +++ b/allauth/account/forms.py @@ -383,6 +383,7 @@ def try_save(self, request): email = self.cleaned_data["email"] resp = flows.signup.prevent_enumeration(request, email) user = None + # Fake a login stage. request.session[flows.login.LOGIN_SESSION_KEY] = EmailVerificationStage.key else: user = self.save(request) diff --git a/allauth/account/middleware.py b/allauth/account/middleware.py index bb6e485914..cdd29da95f 100644 --- a/allauth/account/middleware.py +++ b/allauth/account/middleware.py @@ -8,6 +8,7 @@ from asgiref.sync import iscoroutinefunction, sync_to_async +from allauth.account import app_settings from allauth.account.adapter import get_adapter from allauth.account.internal import flows from allauth.core import context @@ -81,8 +82,24 @@ def _should_check_dangling_login(request, response): def _check_dangling_login(request): + from allauth.account.stages import EmailVerificationStage + if not getattr(request, "_account_login_accessed", False): - if flows.login.LOGIN_SESSION_KEY in request.session: + if login := request.session.get(flows.login.LOGIN_SESSION_KEY): + if isinstance(login, dict): # Deal with fake stages + current_stage = login.get("state", {}).get("stages", {}).get("current") + if ( + current_stage == EmailVerificationStage.key + and not app_settings.EMAIL_VERIFICATION_BY_CODE_ENABLED + ): + # These days, "email verification by link" is just a regular + # stage. However, "email verification by link" was never + # automatically cancelled. So we need to make an exception + # here. + # + # TODO: Reconsider the overall approach to dangling logins: + # https://github.com/pennersr/django-allauth/issues/4087 + return request.session.pop(flows.login.LOGIN_SESSION_KEY) diff --git a/allauth/account/tests/test_email_verification.py b/allauth/account/tests/test_email_verification.py index 172b1f4074..3d716cb1e9 100644 --- a/allauth/account/tests/test_email_verification.py +++ b/allauth/account/tests/test_email_verification.py @@ -49,6 +49,9 @@ def test_login_on_verification( assert resp.status_code == 302 assert resp["location"] == reverse("account_email_verification_sent") + resp = client.get(resp["location"]) + assert resp.status_code == 200 + email = EmailAddress.objects.get(email="a@a.com") key = EmailConfirmationHMAC(email).key diff --git a/allauth/account/tests/test_middleware.py b/allauth/account/tests/test_middleware.py index 72b6025eb4..8d0aaf6846 100644 --- a/allauth/account/tests/test_middleware.py +++ b/allauth/account/tests/test_middleware.py @@ -6,6 +6,7 @@ import pytest +from allauth.account.internal import flows from allauth.account.middleware import AccountMiddleware from allauth.core.exceptions import ImmediateHttpResponse @@ -38,7 +39,7 @@ def test_remove_dangling_login( response["Content-Type"] = content_type mw = AccountMiddleware(lambda request: response) mw(request) - assert ("account_login" in request.session) is (not login_removed) + assert (flows.login.LOGIN_SESSION_KEY in request.session) is (not login_removed) def raise_immediate_http_response(request):