From 1de0aa2f1025d4a860a11e658ce5fed26fe1c4ad Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov <ivantashkinov@gmail.com>
Date: Mon, 17 Dec 2018 17:28:58 +0300
Subject: [PATCH] [#114] Account confirmation email, registration as
 unconfirmed (config-based), auth prevention for unconfirmed.

---
 lib/pleroma/emails/user_email.ex              | 24 ++++++++++++++++++-
 lib/pleroma/user.ex                           |  2 ++
 lib/pleroma/user/info.ex                      | 14 +++++++++++
 lib/pleroma/web/oauth/oauth_controller.ex     |  2 ++
 lib/pleroma/web/router.ex                     |  3 ++-
 .../controllers/util_controller.ex            |  2 ++
 lib/pleroma/web/twitter_api/twitter_api.ex    | 22 +++++++++++++++--
 .../web/twitter_api/twitter_api_controller.ex |  4 ++--
 8 files changed, 67 insertions(+), 6 deletions(-)

diff --git a/lib/pleroma/emails/user_email.ex b/lib/pleroma/emails/user_email.ex
index 7e3e9b020..856816386 100644
--- a/lib/pleroma/emails/user_email.ex
+++ b/lib/pleroma/emails/user_email.ex
@@ -15,6 +15,7 @@ defp sender do
 
   defp recipient(email, nil), do: email
   defp recipient(email, name), do: {name, email}
+  defp recipient(%Pleroma.User{} = user), do: recipient(user.email, user.name)
 
   def password_reset_email(user, password_reset_token) when is_binary(password_reset_token) do
     password_reset_url =
@@ -32,7 +33,7 @@ def password_reset_email(user, password_reset_token) when is_binary(password_res
     """
 
     new()
-    |> to(recipient(user.email, user.name))
+    |> to(recipient(user))
     |> from(sender())
     |> subject("Password reset")
     |> html_body(html_body)
@@ -63,4 +64,25 @@ def user_invitation_email(
     |> subject("Invitation to #{instance_name()}")
     |> html_body(html_body)
   end
+
+  def account_confirmation_email(user) do
+    confirmation_url =
+      Router.Helpers.confirm_email_url(
+        Endpoint,
+        :confirm_email,
+        to_string(user.info.confirmation_token)
+      )
+
+    html_body = """
+    <h3>Welcome to #{instance_name()}!</h3>
+    <p>Email confirmation is required to activate the account.</p>
+    <p>Click the following link to proceed: <a href="#{confirmation_url}">activate your account</a>.</p>
+    """
+
+    new()
+    |> to(recipient(user))
+    |> from(sender())
+    |> subject("#{instance_name()} account confirmation")
+    |> html_body(html_body)
+  end
 end
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index ee0a0dfb9..a38ead81a 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -38,6 +38,8 @@ defmodule Pleroma.User do
     timestamps()
   end
 
+  def auth_active?(user), do: user.info && !user.info.confirmation_pending
+
   def avatar_url(user) do
     case user.avatar do
       %{"url" => [%{"href" => href} | _]} -> href
diff --git a/lib/pleroma/user/info.ex b/lib/pleroma/user/info.ex
index f75984038..9ce9129cd 100644
--- a/lib/pleroma/user/info.ex
+++ b/lib/pleroma/user/info.ex
@@ -143,6 +143,20 @@ def profile_update(info, params) do
     ])
   end
 
+  def confirmation_update(info, :confirmed) do
+    confirmation_update(info, %{
+      confirmation_pending: false,
+      confirmation_token: nil
+    })
+  end
+
+  def confirmation_update(info, :unconfirmed) do
+    confirmation_update(info, %{
+      confirmation_pending: true,
+      confirmation_token: :crypto.strong_rand_bytes(32) |> Base.url_encode64()
+    })
+  end
+
   def confirmation_update(info, params) do
     cast(info, params, [:confirmation_pending, :confirmation_token])
   end
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex
index 20c2e799b..10158f07e 100644
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@@ -31,6 +31,7 @@ def create_authorization(conn, %{
       }) do
     with %User{} = user <- User.get_by_nickname_or_email(name),
          true <- Pbkdf2.checkpw(password, user.password_hash),
+         true <- User.auth_active?(user),
          %App{} = app <- Repo.get_by(App, client_id: client_id),
          {:ok, auth} <- Authorization.create_authorization(app, user) do
       # Special case: Local MastodonFE.
@@ -101,6 +102,7 @@ def token_exchange(
     with %App{} = app <- get_app_from_request(conn, params),
          %User{} = user <- User.get_by_nickname_or_email(name),
          true <- Pbkdf2.checkpw(password, user.password_hash),
+         true <- User.auth_active?(user),
          {:ok, auth} <- Authorization.create_authorization(app, user),
          {:ok, token} <- Token.exchange_token(app, auth) do
       response = %{
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index b2fbc088d..0e4589116 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -281,7 +281,8 @@ defmodule Pleroma.Web.Router do
 
     post("/account/register", TwitterAPI.Controller, :register)
     post("/account/password_reset", TwitterAPI.Controller, :password_reset)
-    get("/account/confirm_email/:token", TwitterAPI.Controller, :confirm_email)
+
+    get("/account/confirm_email/:token", TwitterAPI.Controller, :confirm_email, as: :confirm_email)
 
     get("/search", TwitterAPI.Controller, :search)
     get("/statusnet/tags/timeline/:tag", TwitterAPI.Controller, :public_and_external_timeline)
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index 38653f0b8..3baeba619 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -174,6 +174,8 @@ def config(conn, _params) do
           closed: if(Keyword.get(instance, :registrations_open), do: "0", else: "1"),
           private: if(Keyword.get(instance, :public, true), do: "0", else: "1"),
           vapidPublicKey: vapid_public_key,
+          accountActivationRequired:
+            if(Keyword.get(instance, :account_activation_required, false), do: "1", else: "0"),
           invitesEnabled: if(Keyword.get(instance, :invites_enabled, false), do: "1", else: "0")
         }
 
diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex
index 90b8345c5..b77761aa4 100644
--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@@ -1,8 +1,10 @@
 defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
   alias Pleroma.{UserInviteToken, User, Activity, Repo, Object}
+  alias Pleroma.{UserEmail, Mailer}
   alias Pleroma.Web.ActivityPub.ActivityPub
   alias Pleroma.Web.TwitterAPI.UserView
   alias Pleroma.Web.CommonAPI
+
   import Ecto.Query
 
   def create_status(%User{} = user, %{"status" => _} = data) do
@@ -165,6 +167,22 @@ def register_user(params) do
 
           with {:ok, user} <- Repo.insert(changeset) do
             !registrations_open && UserInviteToken.mark_as_used(token.token)
+
+            if Pleroma.Config.get([:instance, :account_activation_required]) do
+              info_change = User.Info.confirmation_update(user.info, :unconfirmed)
+
+              {:ok, unconfirmed_user} =
+                user
+                |> Ecto.Changeset.change()
+                |> Ecto.Changeset.put_embed(:info, info_change)
+                |> Repo.update()
+
+              {:ok, _} =
+                unconfirmed_user
+                |> UserEmail.account_confirmation_email()
+                |> Mailer.deliver()
+            end
+
             {:ok, user}
           else
             {:error, changeset} ->
@@ -189,8 +207,8 @@ def password_reset(nickname_or_email) do
          %User{local: true} = user <- User.get_by_nickname_or_email(nickname_or_email),
          {:ok, token_record} <- Pleroma.PasswordResetToken.create_token(user) do
       user
-      |> Pleroma.UserEmail.password_reset_email(token_record.token)
-      |> Pleroma.Mailer.deliver()
+      |> UserEmail.password_reset_email(token_record.token)
+      |> Mailer.deliver()
     else
       false ->
         {:error, "bad user identifier"}
diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
index 2680be25f..e8a3150e9 100644
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@@ -13,6 +13,7 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
   require Logger
 
   plug(:only_if_public_instance when action in [:public_timeline, :public_and_external_timeline])
+  plug(:fetch_flash when action in [:confirm_email])
   action_fallback(:errors)
 
   def verify_credentials(%{assigns: %{user: user}} = conn, _params) do
@@ -375,8 +376,7 @@ def password_reset(conn, params) do
   def confirm_email(conn, %{"token" => token}) do
     with %User{} = user <- User.get_by_confirmation_token(token),
          true <- user.local,
-         new_info_fields <- %{confirmation_pending: false, confirmation_token: nil},
-         info_change <- User.Info.confirmation_update(user.info, new_info_fields),
+         info_change <- User.Info.confirmation_update(user.info, :confirmed),
          changeset <- Changeset.change(user) |> Changeset.put_embed(:info, info_change),
          {:ok, _} <- User.update_and_set_cache(changeset) do
       conn