Require a POST for email-verification

2026-03-10 08:01:17 +00:00 · 2024-06-06 10:03:01 +02:00
parent ecc3b9a8d2
commit b1d1f6f2f7
2 changed files with 43 additions and 7 deletions
--- a/users/templates/users/confirm_email.html
+++ b/users/templates/users/confirm_email.html
@@ -0,0 +1,29 @@
+{% extends "barest_base.html" %}
+{% load static %}
+
+{% block title %}Confirm email · {{ site_title }}{% endblock %}
+
+{% block content %}
+
+<div class="bg-cyan-100 h-screen overflow-y-scroll flex items-center justify-center"> {# the cyan background #}
+    <div class="bg-white lg:w-5/12 md:6/12 w-10/12">  {# the centered box #}
+        <div class="bg-slate-200 absolute left-1/2 transform -translate-x-1/2 -translate-y-1/2 rounded-full p-4 md:p-8">  {# the logo #}
+                <a href="/"><img src="{% static 'images/bugsink-logo.png' %}" class="h-8 w-8 md:h-16 md:w-16" alt="Bugsink"></a>
+        </div>
+
+        <div class="p-12 md:pt-24 md:pl-24 md:pr-24 md:pb-16">
+            
+            <div class="mb-8">
+                Confirm your email address by clicking the button below.
+            </div>
+
+            <form method="post" action=".">
+                {% csrf_token %}
+                <button class="bg-slate-800 font-medium p-2 md:p-4 text-white uppercase w-full">Confirm</button>
+            </form>
+        </div>
+
+    </div>
+</div>
+
+{% endblock %}
--- a/users/views.py
+++ b/users/views.py
@@ -54,15 +54,22 @@ def confirm_email(request, token=None):
        # good enough (though a special page might be prettier)
        raise Http404("Invalid or expired token")

-    verification.user.is_active = True
-    verification.user.save()
-    verification.delete()
+    if request.method == 'POST':
+        # We insist on POST requests to do the actual confirmation (at the cost of an extra click). See:
+        # https://softwareengineering.stackexchange.com/a/422579/168778
+        # there's no form, the'res just a button to generate the post request

-    # this mirrors the approach of what we do in password-resetting; and rightfully so because the in both cases access
-    # to email is assumed to be sufficient proof of identity.
-    login(request, verification.user)
+        verification.user.is_active = True
+        verification.user.save()
+        verification.delete()

-    return redirect('home')
+        # this mirrors the approach of what we do in password-resetting; and rightfully so because the in both cases
+        # access to email is assumed to be sufficient proof of identity.
+        login(request, verification.user)
+
+        return redirect('home')
+
+    return render(request, "users/confirm_email.html")


 def resend_confirmation(request):