allow only one confirmation

[ghost]

When a user confirms and account (after a registration), if the registration is valid, the user is logged in automatically in the system.

After a successful confirmation the user can still use the confirmation email to login into the system (without a password) and this represents a security flaw.

If the token is valid and if the user is already confirmed, the devise_token_auth should return an expired token. This will raise an auth:email-confirmation-error in ng-token-auth.

This will require #410 because it looks for sign_in counter.

[zachfeldman]

@lynndylanhurley appears to be a decently sized security hole that's also easy to merge!

[zachfeldman]

I'm down to merge this right after #410 if it gets approval from one other person.

[lynndylanhurley]

Changes look good, I'll resolve the conflicts with the test file. We can merge once the conflicts are resolved.

[MaicolBen]

@rmvenancio can you rebase?

[ethagnawl]

It's very encouraging that each issue I've bumped while using this library has either been 1) recently fixed, 2) has a PR pending or 3) has a documented workaround.

👍

[ghost]

@MaicolBen Hi. I Don't have a Dev environment anymore. I can't help at this time.

[MaicolBen]

No problem, when I have a chance I'll do it myself

[ghost]

Thanks for the understanding. Continue with the good work. BR.

[MaicolBen]

I opened this PR with the conflicts solved (because I can't push to a fork)