Authenticate on confirmation
What does this MR do?
When a user clicks on the link in the confirmation email, we now authenticate them immediately. This improves the on-boarding flow for our users, as it removes another obstacle to start using GitLab.
This MR introduces some risk since it authenticates a user. I've added tests in the controller to test if we should authenticate the user (based on the discussion in https://gitlab.com/gitlab-org/gitlab-ce/issues/56517), as well as adding audit logging.
We only authenticate the user if:
- They have not confirmed their mail yet (have not clicked on the link)
- They clicked the link within 24 hours. The timeframe is up for discussion.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56517
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry for user-facing changes, or community contribution. Check the link for other scenarios.
- Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Performance and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
- Label as security and @ mention @gitlab-com/gl-security/appsec
- Security reports checked/validated by a reviewer from the AppSec team
PS: Sorry for the strange commit history in the audit log. There was an oversight and I pushed from the wrong folder.
Edited by Nicolas Dular
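The two guards the MR describes (account not yet confirmed, link clicked within 24 hours) plus the audit entry, written out as an added illustration; this is not GitLab's controller code, and the `User` struct, the `confirm_account!` helper and the audit-log shape are assumptions made for the example:

```ruby
require 'time'

# Constructed stand-in for the user record; the real model is Devise-backed.
User = Struct.new(:email, :confirmed_at, :confirmation_sent_at, keyword_init: true)

# 24 hours in seconds; the MR leaves the exact window open for discussion.
CONFIRMATION_SIGN_IN_WINDOW = 24 * 60 * 60

# A confirmation link may only establish a session when both guards hold:
#  1. the account is not already confirmed (a re-used link must not sign anyone in)
#  2. the confirmation mail was sent within the window (a stale link only confirms)
def sign_in_on_confirmation?(user, now: Time.now.utc)
  return false unless user.confirmed_at.nil?
  return false if user.confirmation_sent_at.nil?

  (now - user.confirmation_sent_at) <= CONFIRMATION_SIGN_IN_WINDOW
end

# Confirm the account, sign the user in only when permitted, and write an audit
# entry for every session created this way. Returns what happened so callers
# (and tests) can check the decision rather than a printed message.
def confirm_account!(user, audit_log, now: Time.now.utc)
  signed_in = sign_in_on_confirmation?(user, now: now) # decide before mutating
  user.confirmed_at ||= now                              # keep an existing timestamp
  if signed_in
    audit_log << { event: 'sign_in_via_confirmation', email: user.email, at: now.iso8601 }
  end
  { confirmed: true, signed_in: signed_in }
end

if $PROGRAM_NAME == __FILE__
  log = []
  sent = Time.utc(2019, 2, 1, 12, 0, 0) # constructed sample timestamp
  user = User.new(email: 'alice@example.test', confirmed_at: nil, confirmation_sent_at: sent)
  p confirm_account!(user, log, now: sent + 3600) # => {:confirmed=>true, :signed_in=>true}
  p log
end
```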