Merge pull request #1968 from basecamp/flavorjones/only-email-confirmed-users

Mark users as "verified" and only send notifications to verified users

Author: flavorjones

app/controllers/join_codes_controller.rb

@@ -18,7 +18,7 @@ def create
     if identity == Current.identity && user.setup?
       redirect_to landing_url(script_name: @join_code.account.slug)
     elsif identity == Current.identity
-      redirect_to new_users_join_url(script_name: @join_code.account.slug)
+      redirect_to new_users_verification_url(script_name: @join_code.account.slug)
     else
       logout_and_send_new_magic_link(identity)
       redirect_to session_magic_link_url(script_name: nil)
@@ -44,6 +44,6 @@ def logout_and_send_new_magic_link(identity)
       magic_link = identity.send_magic_link
       serve_development_magic_link(magic_link)
 
-      session[:return_to_after_authenticating] = new_users_join_url(script_name: @join_code.account.slug)
+      session[:return_to_after_authenticating] = new_users_verification_url(script_name: @join_code.account.slug)
     end
 end

app/controllers/users/verifications_controller.rb

@@ -0,0 +1,11 @@
+class Users::VerificationsController < ApplicationController
+  layout "public"
+
+  def new
+  end
+
+  def create
+    Current.user.verify
+    redirect_to new_users_join_path
+  end
+end

app/javascript/controllers/magic_link_controller.js

@@ -4,12 +4,18 @@ import { onNextEventLoopTick } from "helpers/timing_helpers"
 export default class extends Controller {
   static targets = [ "input" ]
 
+  submitOnEnter(event) {
+    event.preventDefault()
+    this.submit()
+  }
+
+  submitOnPaste() {
+    onNextEventLoopTick(() => this.submit())
+  }
+
   submit() {
-    onNextEventLoopTick(() => {
-      if (!this.inputTarget.disabled) {
-        this.element.submit()
-        this.inputTarget.disabled = true
-      }
-    })
+    if (this.inputTarget.disabled) return
+    this.element.submit()
+    this.inputTarget.disabled = true
   }
 }

app/models/account.rb

@@ -21,7 +21,7 @@ class << self
     def create_with_owner(account:, owner:)
       create!(**account).tap do |account|
         account.users.create!(role: :system, name: "System")
-        account.users.create!(**owner.reverse_merge(role: "owner"))
+        account.users.create!(**owner.reverse_merge(role: "owner", verified_at: Time.current))
       end
     end
   end

app/models/user.rb

@@ -28,6 +28,14 @@ def setup?
     name != identity.email_address
   end
 
+  def verified?
+    verified_at.present?
+  end
+
+  def verify
+    update!(verified_at: Time.current) unless verified?
+  end
+
   private
     def close_remote_connections
       ActionCable.server.remote_connections.where(current_user: self).disconnect(reconnect: false)

app/models/user/settings.rb

@@ -21,7 +21,7 @@ def bundle_aggregation_period
   end
 
   def bundling_emails?
-    !bundle_email_never? && !user.system? && user.active?
+    !bundle_email_never? && !user.system? && user.active? && user.verified?
   end
 
   def timezone

app/views/sessions/magic_links/show.html.erb

@@ -10,7 +10,7 @@
     <%= form.text_field :code, required: true, class: "input center txt-align-enter txt-large",
         autofocus: true, autocorrect: "off", autocapitalize: "off", spellcheck: "false", "data-1p-ignore": true,
         autocomplete: "one-time-code", maxlength: "6", placeholder: "••••••", value: params[:code],
-        data: { magic_link_target: "input", action: "keydown.enter->magic-link#submit paste->magic-link#submit" } %>
+        data: { magic_link_target: "input", action: "keydown.enter->magic-link#submitOnEnter paste->magic-link#submitOnPaste" } %>
   <% end %>
 
   <p class="txt-small">The code you receive will work for <%= distance_of_time_in_words(MagicLink::EXPIRATION_TIME) %>.</p>

app/views/users/show.html.erb

@@ -18,20 +18,25 @@
       <div class="flex flex-column gap-half margin-block-end">
         <h1 class="txt-x-large margin-none"><%= @user.name %></h1>
         <div class="txt-medium">
-          <% if @user.active? %>
-            <%= mail_to @user.identity.email_address %>
-          <% else %>
+          <% if !@user.active? %>
             <%= @user.name %> is no longer on this account
+          <% elsif !@user.verified? %>
+            Unverified
+            <div class="txt-small txt-tinted">A sign-in code has been sent to this email address, but the user has not yet logged in to confirm their identity.</div>
+          <% else %>
+            <%= mail_to @user.identity.email_address %>
           <% end %>
         </div>
       </div>
 
-      <div class="flex-inline center justify-center flex-wrap gap">
-        <%= link_to "Which cards are assigned to #{me_or_you}?",
-              cards_path(assignee_ids: [ @user.id ], sorted_by: "newest"), class: "btn", data: { turbo_frame: "_top" } %>
-        <%= link_to "Which cards were added by #{me_or_you}?",
-              cards_path(creator_ids: [ @user.id ], sorted_by: "newest"), class: "btn", data: { turbo_frame: "_top" } %>
-      </div>
+      <% if @user.verified? %>
+        <div class="flex-inline center justify-center flex-wrap gap">
+          <%= link_to "Which cards are assigned to #{me_or_you}?",
+                cards_path(assignee_ids: [ @user.id ], sorted_by: "newest"), class: "btn", data: { turbo_frame: "_top" } %>
+          <%= link_to "Which cards were added by #{me_or_you}?",
+                cards_path(creator_ids: [ @user.id ], sorted_by: "newest"), class: "btn", data: { turbo_frame: "_top" } %>
+        </div>
+      <% end %>
     </div>
   </section>
 
@@ -48,4 +53,6 @@
   <% end %>
 </div>
 
-<%= turbo_frame_tag "user_events", src: user_events_path(@user) %>
+<% if @user.verified? %>
+  <%= turbo_frame_tag "user_events", src: user_events_path(@user) %>
+<% end %>

app/views/users/verifications/new.html.erb

@@ -0,0 +1 @@
+<%= auto_submit_form_with url: users_verifications_path, method: :post %>

config/routes.rb

@@ -138,6 +138,7 @@
 
   namespace :users do
     resources :joins
+    resources :verifications, only: %i[ new create ]
   end
 
   resource :session do