upgrade user confirmation to v2

Author: Johnetordoff

api/users/serializers.py

@@ -442,7 +442,7 @@ class Meta:
         type_ = 'user_reset_password'
 
 
-class ExternalLoginConfirmEmailSerializer(BaseAPISerializer):
+class ConfirmEmailSerializer(BaseAPISerializer):
     uid = ser.CharField(write_only=True, required=True)
     destination = ser.CharField(write_only=True, required=True)
     token = ser.CharField(write_only=True, required=True)

api/users/urls.py

@@ -14,6 +14,7 @@
     re_path(r'^(?P<user_id>\w+)/addons/(?P<provider>\w+)/accounts/$', views.UserAddonAccountList.as_view(), name=views.UserAddonAccountList.view_name),
     re_path(r'^(?P<user_id>\w+)/addons/(?P<provider>\w+)/accounts/(?P<account_id>\w+)/$', views.UserAddonAccountDetail.as_view(), name=views.UserAddonAccountDetail.view_name),
     re_path(r'^(?P<user_id>\w+)/claim/$', views.ClaimUser.as_view(), name=views.ClaimUser.view_name),
+    re_path(r'^(?P<user_id>\w+)/confirm/$', views.ConfirmEmailView.as_view(), name=views.ConfirmEmailView.view_name),
     re_path(r'^(?P<user_id>\w+)/draft_registrations/$', views.UserDraftRegistrations.as_view(), name=views.UserDraftRegistrations.view_name),
     re_path(r'^(?P<user_id>\w+)/institutions/$', views.UserInstitutions.as_view(), name=views.UserInstitutions.view_name),
     re_path(r'^(?P<user_id>\w+)/nodes/$', views.UserNodes.as_view(), name=views.UserNodes.view_name),

api/users/views.py

@@ -68,7 +68,7 @@
     UserChangePasswordSerializer,
     UserMessageSerializer,
     ExternalLoginSerialiser,
-    ExternalLoginConfirmEmailSerializer,
+    ConfirmEmailSerializer,
 )
 from django.contrib.auth.models import AnonymousUser
 from django.http import JsonResponse
@@ -80,6 +80,7 @@
 from framework.auth.oauth_scopes import CoreScopes, normalize_scopes
 from framework.auth.exceptions import ChangePasswordError
 from framework.celery_tasks.handlers import enqueue_task
+from framework.flask import redirect
 from framework.utils import throttle_period_expired
 from framework.sessions.utils import remove_sessions_for_user
 from framework.exceptions import PermissionsError, HTTPError
@@ -105,7 +106,7 @@
 from website import mails, settings, language
 from website.project.views.contributor import send_claim_email, send_claim_registered_email
 from website.util.metrics import CampaignClaimedTags, CampaignSourceTags
-from framework.auth import exceptions
+from framework.auth import exceptions, cas
 
 
 class UserMixin:
@@ -1060,6 +1061,90 @@ def post(self, request, *args, **kwargs):
         return Response(status=status.HTTP_204_NO_CONTENT)
 
 
+class ConfirmEmailView(JSONAPIBaseView, generics.CreateAPIView):
+    """
+    Confirm an e-mail address created during *first-time* OAuth login.
+
+    **URL:**  POST /v2/users/external_login/confirm_email/
+
+    **Body (JSON):**
+    {
+        "uid": "<osf_user_id>",
+        "token": "<email_verification_token>",
+        "destination": "<campaign-code or relative URL>"
+    }
+
+    On success the endpoint redirects (HTTP 302) to CAS with a
+    one-time verification key, exactly like the original Flask view.
+    """
+    permission_classes = (
+        drf_permissions.IsAuthenticatedOrReadOnly,
+        base_permissions.TokenHasScope,
+    )
+    serializer_class = ConfirmEmailSerializer
+    throttle_classes = (NonCookieAuthThrottle, BurstRateThrottle, RootAnonThrottle)
+    view_category = 'users'
+    view_name = 'confirm-user'
+
+    def post(self, request, *args, **kwargs):
+        data = self.get_serializer(data=request.data)
+        data.is_valid(raise_exception=True)
+
+        uid = data.validated_data['uid']
+        token = data.validated_data['token']
+
+        user = OSFUser.load(uid)
+        if not user:
+            raise ValidationError('User not found.')
+
+        verification = user.email_verifications.get(token)
+        if not verification:
+            raise ValidationError('Invalid or expired token.')
+
+        provider = next(iter(verification['external_identity']))
+        provider_id = next(iter(verification['external_identity'][provider]))
+
+        if provider not in user.external_identity:
+            raise ValidationError('External-ID provider mismatch.')
+
+        external_status = user.external_identity[provider][provider_id]
+        ensure_external_identity_uniqueness(provider, provider_id, user)
+
+        email = verification['email']
+        if not user.is_registered:
+            user.register(email)
+
+        user.emails.get_or_create(address=email.lower())
+        user.external_identity[provider][provider_id] = 'VERIFIED'
+        user.date_last_logged_in = timezone.now()
+
+        del user.email_verifications[token]
+        user.verification_key = generate_verification_key()
+        user.save()
+
+        service_url = request.build_absolute_uri()
+        if external_status == 'CREATE':
+            service_url += '&' + urlencode({'new': 'true'})
+        elif external_status == 'LINK':
+            mails.send_mail(
+                user=user,
+                to_addr=user.username,
+                mail=mails.EXTERNAL_LOGIN_LINK_SUCCESS,
+                external_id_provider=provider,
+                can_change_preferences=False,
+            )
+
+        enqueue_task(update_affiliation_for_orcid_sso_users.s(user._id, provider_id))
+
+        return redirect(
+            cas.get_login_url(
+                service_url,
+                username=user.username,
+                verification_key=user.verification_key,
+            ),
+        )
+
+
 class UserEmailsList(JSONAPIBaseView, generics.ListAPIView, generics.CreateAPIView, UserMixin, ListFilterMixin):
     permission_classes = (
         drf_permissions.IsAuthenticatedOrReadOnly,
@@ -1212,7 +1297,7 @@ class ExternalLoginConfirmEmailView(generics.CreateAPIView):
     permission_classes = (
         drf_permissions.AllowAny,
     )
-    serializer_class = ExternalLoginConfirmEmailSerializer
+    serializer_class = ConfirmEmailSerializer
     view_category = 'users'
     view_name = 'external-login-confirm-email'
     throttle_classes = (NonCookieAuthThrottle, BurstRateThrottle, RootAnonThrottle)

api_tests/users/views/test_user_confirm.py

@@ -0,0 +1,135 @@
+import pytest
+from unittest import mock
+
+from api.base.settings.defaults import API_BASE
+from osf_tests.factories import UserFactory
+
+
+@pytest.mark.django_db
+class TestConfirmEmail:
+
+    @pytest.fixture()
+    def user_with_email_verification(self):
+        user = UserFactory()
+        email = '[email protected]'
+        external_identity = {
+            'ORCID': {
+                '0000-0000-0000-0000': 'CREATE',
+            }
+        }
+        token = user.add_unconfirmed_email(email, external_identity=external_identity)
+        user.external_identity.update(external_identity)
+        user.save()
+        return user, token, email
+
+    @pytest.fixture()
+    def confirm_url(self, user_with_email_verification):
+        user, _, _ = user_with_email_verification
+        return f'/{API_BASE}users/{user._id}/confirm/'
+
+    def test_get_not_allowed(self, app, confirm_url):
+        res = app.get(confirm_url, expect_errors=True)
+        assert res.status_code == 405
+
+    def test_post_missing_fields(self, app, confirm_url):
+        res = app.post_json_api(confirm_url, {'data': {'attributes': {}}}, expect_errors=True)
+        assert res.status_code == 400
+        assert any('uid' in err['detail'].lower() for err in res.json['errors'])
+
+    def test_post_user_not_found(self, app):
+        fake_user_id = 'abcd1'
+        url = f'/{API_BASE}users/{fake_user_id}/confirm/'
+        payload = {
+            'data': {
+                'attributes': {
+                    'uid': fake_user_id,
+                    'token': 'doesnotmatter',
+                }
+            }
+        }
+        res = app.post_json_api(url, payload, expect_errors=True)
+        assert res.status_code == 400
+        assert 'user not found' in res.json['errors'][0]['detail'].lower()
+
+    def test_post_invalid_token(self, app, confirm_url, user_with_email_verification):
+        user, _, _ = user_with_email_verification
+        payload = {
+            'data': {
+                'attributes': {
+                    'uid': user._id,
+                    'token': 'badtoken'
+                }
+            }
+        }
+        res = app.post_json_api(confirm_url, payload, expect_errors=True)
+        assert res.status_code == 400
+        assert 'expired' in res.json['errors'][0]['detail'].lower()
+
+    def test_post_provider_mismatch(self, app, confirm_url, user_with_email_verification):
+        user, token, _ = user_with_email_verification
+        user.external_identity = {}  # clear the valid provider
+        user.save()
+
+        payload = {
+            'data': {
+                'attributes': {
+                    'uid': user._id,
+                    'token': token
+                }
+            }
+        }
+        res = app.post_json_api(confirm_url, payload, expect_errors=True)
+        assert res.status_code == 400
+        assert 'provider mismatch' in res.json['errors'][0]['detail'].lower()
+
+    @mock.patch('website.mails.send_mail')
+    def test_post_success_create(self, mock_send_mail, app, confirm_url, user_with_email_verification):
+        user, token, email = user_with_email_verification
+        assert not user.is_registered
+
+        res = app.post_json_api(
+            confirm_url,
+            {
+                'data': {
+                    'attributes': {
+                        'uid': user._id,
+                        'token': token
+                    }
+                }
+            },
+            expect_errors=True
+        )
+        assert res.status_code == 302
+        assert '&new=true' in res.headers['Location']
+        assert not mock_send_mail.called
+
+        user.reload()
+        assert user.is_registered
+        assert token not in user.email_verifications
+        assert user.external_identity['ORCID']['0000-0000-0000-0000'] == 'VERIFIED'
+        assert user.emails.filter(address=email.lower()).exists()
+
+    @mock.patch('framework.auth.tasks.update_affiliation_for_orcid_sso_users.delay')
+    @mock.patch('website.mails.send_mail')
+    def test_post_success_link(self, mock_send_mail, mock_affil, app, confirm_url, user_with_email_verification):
+        user, token, email = user_with_email_verification
+        user.external_identity['ORCID']['0000-0000-0000-0000'] = 'LINK'
+        user.save()
+
+        payload = {
+            'data': {
+                'attributes': {
+                    'uid': user._id,
+                    'token': token
+                }
+            }
+        }
+
+        res = app.post_json_api(confirm_url, payload, expect_errors=True)
+        assert res.status_code == 302
+        assert '&new=true' not in res.headers['Location']
+        assert mock_send_mail.called
+        assert mock_affil.called
+
+        user.reload()
+        assert user.external_identity['ORCID']['0000-0000-0000-0000'] == 'VERIFIED'