Streamline email confirmation for existing users

aaronskiba · aaronskiba · commit 6af91b61af75 · 2025-04-16T15:23:36.000-06:00
By default, Devise's `:confirmable` module generates a `confirmation_token` and sends confirmation instructions when a new user is created. This commit enhances that behaviour to streamline the email confirmation process for **existing** users.

A new rake task (`lib/tasks/email_confirmation.rake#clear_all`) resets the following confirmation-related fields—`confirmed_at`, `confirmation_token`, and `confirmation_sent_at`—to `nil` for all non-superusers. After this reset, these users will be unable to sign in until they confirm their email.

To avoid requiring manual re-sending of confirmation instructions, we introduce a new check: `User#confirmed_or_has_confirmation_token?`, which returns `false` if a user is unconfirmed *and* has no outstanding confirmation_token.

In the `SessionsController#create` method, if a signing-in user fails the `confirmed_or_has_confirmation_token?` check, we invoke `handle_missing_confirmation_instructions(user)`. This generates a new confirmation_token and sends email instructions. On subsequent sign-in attempts, the check will return `true`, preventing redundant emails.

This approach ensures that email confirmations are triggered automatically and only once per affected user, minimising friction while preserving security.
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -13,6 +13,11 @@ def create
     existing_user = User.find_by(email: params[:user][:email])
     unless existing_user.nil?
 
+      unless existing_user.confirmed_or_has_confirmation_token?
+        handle_missing_confirmation_instructions(existing_user)
+        return
+      end
+
       # Until ORCID login is supported
       unless session['devise.shibboleth_data'].nil?
         args = {
@@ -45,3 +50,13 @@ def destroy
     set_locale
   end
 end
+
+private
+
+def handle_missing_confirmation_instructions(user)
+  # Generate a confirmation_token and email confirmation instructions to the user
+  user.send_confirmation_instructions
+  # Notify the user they are unconfirmed but confirmation instructions have been sent
+  flash[:notice] = I18n.t('devise.registrations.signed_up_but_unconfirmed')
+  redirect_to root_path
+end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -382,6 +382,10 @@ def deliver_invitation(options = {})
     )
   end
 
+  def confirmed_or_has_confirmation_token?
+    confirmed? || confirmation_token.present?
+  end
+
   # Case insensitive search over User model
   #
   # field - The name of the field being queried
diff --git a/lib/tasks/email_confirmation.rake b/lib/tasks/email_confirmation.rake
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+namespace :email_confirmation do
+  desc 'Reset confirmation status for all users, excluding superusers'
+  task clear_all: :environment do
+    p '------------------------------------------------------------------------'
+    p 'Beginning task: Unconfirming all users except superusers'
+    p '------------------------------------------------------------------------'
+    unconfirm_all_users_except_superusers
+    p 'Task completed: Unconfirmed all users except superusers'
+  end
+
+  private
+
+  def unconfirm_all_users_except_superusers
+    p 'Updating :confirmable columns to nil for all users'
+    p '(i.e. Setting confirmed_at, confirmation_token, and confirmation_sent_at to nil for all users)'
+    p '------------------------------------------------------------------------'
+    set_confirmable_cols_to_nil_for_all_users
+    p '------------------------------------------------------------------------'
+    p 'Updating superusers so that they are not required to confirm their email addresses'
+    p '(i.e. Setting `confirmed_at = Time.current` for superusers)'
+    p '------------------------------------------------------------------------'
+    confirm_superusers
+  end
+
+  def set_confirmable_cols_to_nil_for_all_users
+    count = User.update_all(confirmed_at: nil, confirmation_token: nil, confirmation_sent_at: nil)
+    p ":confirmable columns updated to nil for #{count} users"
+  end
+
+  # Sets `confirmed_at` to `Time.current` for all superusers
+  def confirm_superusers
+    confirmed_at = Time.current
+    count = User.joins(:perms).where(perms: { id: super_admin_perm_ids })
+                .distinct
+                .update_all(confirmed_at: confirmed_at)
+    p "Updated confirmed_at = #{confirmed_at} for #{count} superuser(s)"
+  end
+
+  # Returns an array of all perm ids that are considered super admin perms
+  # (Based off of `def can_super_admin?` in `app/models/user.rb`
+  # i.e. `can_add_orgs? || can_grant_api_to_orgs? || can_change_org?` )
+  def super_admin_perm_ids
+    [Perm.add_orgs.id, Perm.grant_api.id, Perm.change_affiliation.id]
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -382,6 +382,10 @@ def deliver_invitation(options = {})`
`382`	`382`	`)`
`383`	`383`	`end`
`384`	`384`
	`385`	`+ def confirmed_or_has_confirmation_token?`
	`386`	`+ confirmed? \|\| confirmation_token.present?`
	`387`	`+ end`
	`388`	`+`
`385`	`389`	`# Case insensitive search over User model`
`386`	`390`	`#`
`387`	`391`	`# field - The name of the field being queried`