verification should work even without login

It should depend on the user id in the token, not in the signed in user
id. Additionally it shouldn't even require a signed in user, but if
there's one, it should be the same as in the token.

Author: dutow

app/controllers/verifications_controller.rb

@@ -67,17 +67,23 @@ def handle_register(token)
   end
 
   def handle_add_alias(token)
-    require_authentication
+    user = token.user
+    return redirect_to root_path, alert: 'Invalid token user' unless user
+
+    if user_signed_in? && current_user.id != user.id
+      return redirect_to settings_path, alert: 'This verification link belongs to a different user.'
+    end
+
     email = token.email
-    if Alias.by_email(email).where.not(user_id: [nil, current_user.id]).exists?
+    if Alias.by_email(email).where.not(user_id: [nil, user.id]).exists?
       return redirect_to settings_path, alert: 'Email is linked to another account. Delete that account first to release it.'
     end
 
     aliases = Alias.by_email(email)
     if aliases.exists?
-      aliases.update_all(user_id: current_user.id, verified_at: Time.current)
+      aliases.update_all(user_id: user.id, verified_at: Time.current)
     else
-      Alias.create!(user: current_user, name: email, email: email, verified_at: Time.current)
+      Alias.create!(user: user, name: email, email: email, verified_at: Time.current)
     end
 
     redirect_to settings_path, notice: 'Email added and verified.'

spec/requests/emails_management_spec.rb

@@ -23,6 +23,10 @@ def sign_in(email:, password: 'secret')
     end
 
     raw = extract_raw_token_from_mailer
+
+    # Simulate user clicking verification link while logged out (no session).
+    delete session_path
+
     get verification_path(token: raw)
     expect(response).to redirect_to(settings_path)
 
@@ -45,6 +49,55 @@ def sign_in(email:, password: 'secret')
     expect(response).to redirect_to(settings_path)
   end
 
+  it 'attaches all matching aliases when the email exists multiple times' do
+    user = create(:user, password: 'secret', password_confirmation: 'secret')
+    create(:alias, user: user, email: 'me-multi@example.com', primary_alias: true)
+    Alias.by_email('me-multi@example.com').update_all(verified_at: Time.current)
+
+    # Legacy duplicates for the same email (different names)
+    create(:alias, email: 'multi@example.com', name: 'Old One')
+    create(:alias, email: 'multi@example.com', name: 'Older One')
+
+    sign_in(email: 'me-multi@example.com')
+
+    perform_enqueued_jobs do
+      post emails_path, params: { email: 'multi@example.com' }
+      expect(response).to redirect_to(settings_path)
+    end
+
+    raw = extract_raw_token_from_mailer
+    get verification_path(token: raw)
+    expect(response).to redirect_to(settings_path)
+
+    aliases = Alias.by_email('multi@example.com')
+    expect(aliases.count).to eq(2)
+    expect(aliases.pluck(:user_id).uniq).to eq([user.id])
+    expect(aliases.where(verified_at: nil)).to be_empty
+  end
+
+  it 'rejects verification when logged in as a different user than the token user' do
+    token_user = create(:user, password: 'secret', password_confirmation: 'secret')
+    create(:alias, user: token_user, email: 'token-user@example.com', primary_alias: true)
+    Alias.by_email('token-user@example.com').update_all(verified_at: Time.current)
+
+    other_user = create(:user, password: 'secret', password_confirmation: 'secret')
+    create(:alias, user: other_user, email: 'other@example.com', primary_alias: true)
+    Alias.by_email('other@example.com').update_all(verified_at: Time.current)
+
+    # Simulate an existing verification token for token_user.
+    token, raw = UserToken.issue!(purpose: 'add_alias', user: token_user, email: 'token-user@example.com', ttl: 1.hour)
+
+    sign_in(email: 'other@example.com')
+
+    get verification_path(token: raw)
+
+    expect(response).to redirect_to(settings_path)
+    expect(flash[:alert]).to match(/different user/)
+    expect(Alias.by_email('token-user@example.com').pluck(:user_id).uniq).to eq([token_user.id])
+  ensure
+    token&.destroy
+  end
+
   def extract_raw_token_from_mailer
     mail = ActionMailer::Base.deliveries.last
     expect(mail).to be_present