fix(account): Login on verification broken

pennersr · Sep 4, 2024 · 6b731eb · 6b731eb
1 parent e224199
commit 6b731eb
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 3 deletions.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,7 +1,11 @@
 64.2.1 (unreleased)
 *******************
 
-- ...
+Fixes
+-----
+
+- Verifying the email address by clicking on the link would no longer log you in, even
+  in case of ``ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION = True``.
 
 
 64.2.0 (2024-08-30)

diff --git a/allauth/account/forms.py b/allauth/account/forms.py
@@ -383,6 +383,7 @@ def try_save(self, request):
             email = self.cleaned_data["email"]
             resp = flows.signup.prevent_enumeration(request, email)
             user = None
+            # Fake a login stage.
             request.session[flows.login.LOGIN_SESSION_KEY] = EmailVerificationStage.key
         else:
             user = self.save(request)

diff --git a/allauth/account/middleware.py b/allauth/account/middleware.py
@@ -8,6 +8,7 @@
 
 from asgiref.sync import iscoroutinefunction, sync_to_async
 
+from allauth.account import app_settings
 from allauth.account.adapter import get_adapter
 from allauth.account.internal import flows
 from allauth.core import context
@@ -81,8 +82,24 @@ def _should_check_dangling_login(request, response):
 
 
 def _check_dangling_login(request):
+    from allauth.account.stages import EmailVerificationStage
+
     if not getattr(request, "_account_login_accessed", False):
-        if flows.login.LOGIN_SESSION_KEY in request.session:
+        if login := request.session.get(flows.login.LOGIN_SESSION_KEY):
+            if isinstance(login, dict):  # Deal with fake stages
+                current_stage = login.get("state", {}).get("stages", {}).get("current")
+                if (
+                    current_stage == EmailVerificationStage.key
+                    and not app_settings.EMAIL_VERIFICATION_BY_CODE_ENABLED
+                ):
+                    # These days, "email verification by link" is just a regular
+                    # stage.  However, "email verification by link" was never
+                    # automatically cancelled. So we need to make an exception
+                    # here.
+                    #
+                    # TODO: Reconsider the overall approach to dangling logins:
+                    # https://github.com/pennersr/django-allauth/issues/4087
+                    return
             request.session.pop(flows.login.LOGIN_SESSION_KEY)
 
 

diff --git a/allauth/account/tests/test_email_verification.py b/allauth/account/tests/test_email_verification.py
@@ -49,6 +49,9 @@ def test_login_on_verification(
     assert resp.status_code == 302
     assert resp["location"] == reverse("account_email_verification_sent")
 
+    resp = client.get(resp["location"])
+    assert resp.status_code == 200
+
     email = EmailAddress.objects.get(email="[email protected]")
     key = EmailConfirmationHMAC(email).key
 

diff --git a/allauth/account/tests/test_middleware.py b/allauth/account/tests/test_middleware.py
@@ -6,6 +6,7 @@
 
 import pytest
 
+from allauth.account.internal import flows
 from allauth.account.middleware import AccountMiddleware
 from allauth.core.exceptions import ImmediateHttpResponse
 
@@ -38,7 +39,7 @@ def test_remove_dangling_login(
     response["Content-Type"] = content_type
     mw = AccountMiddleware(lambda request: response)
     mw(request)
-    assert ("account_login" in request.session) is (not login_removed)
+    assert (flows.login.LOGIN_SESSION_KEY in request.session) is (not login_removed)
 
 
 def raise_immediate_http_response(request):