Merge pull request #4535 from tomhughes/rails-tokens

Use rails generated tokens for emails

.rubocop_todo.yml

@@ -66,7 +66,7 @@ Metrics/BlockNesting:
 # Offense count: 26
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 305
+  Max: 313
 
 # Offense count: 59
 # Configuration parameters: AllowedMethods, AllowedPatterns.

app/controllers/concerns/session_methods.rb

@@ -62,9 +62,10 @@ module SessionMethods
   ##
   #
   def unconfirmed_login(user)
-    session[:token] = user.tokens.create.token
+    session[:pending_user] = user.id
 
-    redirect_to :controller => "confirmations", :action => "confirm", :display_name => user.display_name
+    redirect_to :controller => "confirmations", :action => "confirm",
+                :display_name => user.display_name, :referer => session[:referer]
 
     session.delete(:remember_me)
     session.delete(:referer)

app/controllers/concerns/user_methods.rb

@@ -51,7 +51,7 @@ module UserMethods
           flash[:notice] = t "accounts.update.success_confirm_needed"
 
           begin
-            UserMailer.email_confirm(user, user.tokens.create).deliver_later
+            UserMailer.email_confirm(user, user.generate_token_for(:new_email)).deliver_later
           rescue StandardError
             # Ignore errors sending email
           end

app/controllers/confirmations_controller.rb

@@ -15,41 +15,37 @@ class ConfirmationsController < ApplicationController
 
   def confirm
     if request.post?
-      token = UserToken.find_by(:token => params[:confirm_string])
+      token = params[:confirm_string]
-      if token&.user&.active?
+
-        flash[:error] = t(".already active")
+      user = User.find_by_token_for(:new_user, token) ||
-        redirect_to login_path
+             UserToken.unexpired.find_by(:token => token)&.user
-      elsif !token || token.expired?
+
+      if !user
         flash[:error] = t(".unknown token")
         redirect_to :action => "confirm"
-      elsif !token.user.visible?
+      elsif user.active?
-        render_unknown_user token.user.display_name
+        flash[:error] = t(".already active")
+        redirect_to login_path
+      elsif !user.visible?
+        render_unknown_user user.display_name
       else
-        user = token.user
         user.activate
         user.email_valid = true
         flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
         user.save!
-        referer = safe_referer(token.referer) if token.referer
+        referer = safe_referer(params[:referer]) if params[:referer]
-        token.destroy
+        UserToken.delete_by(:token => token)
 
-        if session[:token]
+        pending_user = session.delete(:pending_user)
-          token = UserToken.find_by(:token => session[:token])
-          session.delete(:token)
-        else
-          token = nil
-        end
-
-        if token.nil? || token.user != user
-          flash[:notice] = t(".success")
-          redirect_to login_path(:referer => referer)
-        else
-          token.destroy
 
+        if user.id == pending_user
           session[:user] = user.id
           session[:fingerprint] = user.fingerprint
 
           redirect_to referer || welcome_path
+        else
+          flash[:notice] = t(".success")
+          redirect_to login_path(:referer => referer)
         end
       end
     else
@@ -61,12 +57,11 @@ class ConfirmationsController < ApplicationController
 
   def confirm_resend
     user = User.visible.find_by(:display_name => params[:display_name])
-    token = UserToken.find_by(:token => session[:token])
 
-    if user.nil? || token.nil? || token.user != user
+    if user.nil? || user.id != session[:pending_user]
       flash[:error] = t ".failure", :name => params[:display_name]
     else
-      UserMailer.signup_confirm(user, user.tokens.create).deliver_later
+      UserMailer.signup_confirm(user, user.generate_token_for(:new_user)).deliver_later
       flash[:notice] = { :partial => "confirmations/resend_success_flash", :locals => { :email => user.email, :sender => Settings.email_from } }
     end
 
@@ -75,9 +70,12 @@ class ConfirmationsController < ApplicationController
 
   def confirm_email
     if request.post?
-      token = UserToken.find_by(:token => params[:confirm_string])
+      token = params[:confirm_string]
-      if token&.user&.new_email?
+
-        self.current_user = token.user
+      self.current_user = User.find_by_token_for(:new_email, token) ||
+                          UserToken.unexpired.find_by(:token => params[:confirm_string])&.user
+
+      if current_user&.new_email?
         current_user.email = current_user.new_email
         current_user.new_email = nil
         current_user.email_valid = true
@@ -94,7 +92,7 @@ class ConfirmationsController < ApplicationController
         current_user.tokens.delete_all
         session[:user] = current_user.id
         session[:fingerprint] = current_user.fingerprint
-      elsif token
+      elsif current_user
         flash[:error] = t ".failure"
       else
         flash[:error] = t ".unknown_token"

app/controllers/passwords_controller.rb

@@ -19,11 +19,10 @@ class PasswordsController < ApplicationController
     @title = t ".title"
 
     if params[:token]
-      token = UserToken.find_by(:token => params[:token])
+      self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
+                          UserToken.unexpired.find_by(:token => params[:token])&.user
 
-      if token
+      if current_user.nil?
-        self.current_user = token.user
-      else
         flash[:error] = t ".flash token bad"
         redirect_to :action => "new"
       end
@@ -42,7 +41,7 @@ class PasswordsController < ApplicationController
     end
 
     if user
-      token = user.tokens.create
+      token = user.generate_token_for(:password_reset)
       UserMailer.lost_password(user, token).deliver_later
       flash[:notice] = t ".notice email on way"
       redirect_to login_path
@@ -54,11 +53,10 @@ class PasswordsController < ApplicationController
 
   def update
     if params[:token]
-      token = UserToken.find_by(:token => params[:token])
+      self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
-
+                          UserToken.unexpired.find_by(:token => params[:token])&.user
-      if token
-        self.current_user = token.user
 
+      if current_user
         if params[:user]
           current_user.pass_crypt = params[:user][:pass_crypt]
           current_user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
@@ -66,7 +64,7 @@ class PasswordsController < ApplicationController
           current_user.email_valid = true
 
           if current_user.save
-            token.destroy
+            UserToken.delete_by(:token => params[:token])
             session[:fingerprint] = current_user.fingerprint
             flash[:notice] = t ".flash changed"
             successful_login(current_user)

app/controllers/sessions_controller.rb

@@ -27,12 +27,7 @@ class SessionsController < ApplicationController
     @title = t ".title"
 
     if request.post?
-      if session[:token]
+      session.delete(:pending_user)
-        token = UserToken.find_by(:token => session[:token])
-        token&.destroy
-        session.delete(:token)
-      end
-
       session.delete(:user)
       session_expires_automatically
 

app/controllers/users_controller.rb

@@ -203,8 +203,8 @@ class UsersController < ApplicationController
             session[:referer] = referer
             successful_login(current_user)
           else
-            session[:token] = current_user.tokens.create.token
+            session[:pending_user] = current_user.id
-            UserMailer.signup_confirm(current_user, current_user.tokens.create(:referer => referer)).deliver_later
+            UserMailer.signup_confirm(current_user, current_user.generate_token_for(:new_user), referer).deliver_later
             redirect_to :controller => :confirmations, :action => :confirm, :display_name => current_user.display_name
           end
         else

app/mailers/user_mailer.rb

@@ -10,11 +10,12 @@ class UserMailer < ApplicationMailer
   before_action :set_shared_template_vars
   before_action :attach_project_logo
 
-  def signup_confirm(user, token)
+  def signup_confirm(user, token, referer = nil)
     with_recipient_locale user do
       @url = url_for(:controller => "confirmations", :action => "confirm",
                      :display_name => user.display_name,
-                     :confirm_string => token.token)
+                     :confirm_string => token,
+                     :referer => referer)
 
       mail :to => user.email,
            :subject => t(".subject")
@@ -25,7 +26,7 @@ class UserMailer < ApplicationMailer
     with_recipient_locale user do
       @address = user.new_email
       @url = url_for(:controller => "confirmations", :action => "confirm_email",
-                     :confirm_string => token.token)
+                     :confirm_string => token)
 
       mail :to => user.new_email,
            :subject => t(".subject")
@@ -34,7 +35,7 @@ class UserMailer < ApplicationMailer
 
   def lost_password(user, token)
     with_recipient_locale user do
-      @url = user_reset_password_url(:token => token.token)
+      @url = user_reset_password_url(:token => token)
 
       mail :to => user.email,
            :subject => t(".subject")

app/models/user.rb

@@ -124,6 +124,18 @@ class User < ApplicationRecord
   before_save :update_tile
   after_save :spam_check
 
+  generates_token_for :new_user, :expires_in => 1.week do
+    fingerprint
+  end
+
+  generates_token_for :new_email, :expires_in => 1.week do
+    fingerprint
+  end
+
+  generates_token_for :password_reset, :expires_in => 1.week do
+    fingerprint
+  end
+
   def display_name_cannot_be_user_id_with_other_id
     display_name&.match(/^user_(\d+)$/i) do |m|
       errors.add :display_name, I18n.t("activerecord.errors.messages.display_name_is_user_n") unless m[1].to_i == id

app/models/user_token.rb

@@ -21,6 +21,8 @@
 class UserToken < ApplicationRecord
   belongs_to :user
 
+  scope :unexpired, -> { where("expiry >= now()") }
+
   after_initialize :set_defaults
 
   def expired?

test/controllers/confirmations_controller_test.rb

@@ -39,7 +39,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create.token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     get user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
     assert_response :success
@@ -51,7 +51,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create.token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     # Get the confirmation page
     get user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
@@ -73,7 +73,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create.token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
 
@@ -87,7 +87,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create.token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
     assert_redirected_to welcome_path
@@ -98,7 +98,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create.token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
     session_for(create(:user))
@@ -113,11 +113,11 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create(:referer => new_diary_entry_path).token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
 
-    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string, :referer => new_diary_entry_path }
     assert_redirected_to login_path(:referer => new_diary_entry_path)
     assert_match(/Confirmed your account/, flash[:notice])
   end
@@ -127,9 +127,9 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create(:referer => new_diary_entry_path).token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
-    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string, :referer => new_diary_entry_path }
     assert_redirected_to new_diary_entry_path
   end
 
@@ -138,12 +138,12 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create(:referer => new_diary_entry_path).token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
     session_for(create(:user))
 
-    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string, :referer => new_diary_entry_path }
     assert_redirected_to login_path(:referer => new_diary_entry_path)
     assert_match(/Confirmed your account/, flash[:notice])
   end
@@ -153,9 +153,11 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create(:expiry => 1.day.ago).token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
-    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    travel 2.weeks do
+      post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    end
     assert_redirected_to :action => "confirm"
     assert_match(/confirmation code has expired/, flash[:error])
   end
@@ -165,15 +167,15 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create(:referer => new_diary_entry_path).token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
-    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string, :referer => new_diary_entry_path }
     assert_redirected_to new_diary_entry_path
 
     post logout_path
 
-    confirm_string = User.find_by(:email => user.email).tokens.create(:referer => new_diary_entry_path).token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
-    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string, :referer => new_diary_entry_path }
     assert_redirected_to login_path
     assert_match(/already been confirmed/, flash[:error])
   end
@@ -183,7 +185,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-    confirm_string = User.find_by(:email => user.email).tokens.create.token
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     User.find_by(:display_name => user.display_name).hide!
 
@@ -269,7 +271,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 
   def test_confirm_email_get
     user = create(:user)
-    confirm_string = user.tokens.create.token
+    confirm_string = user.generate_token_for(:new_email)
 
     get user_confirm_email_path, :params => { :confirm_string => confirm_string }
     assert_response :success
@@ -279,7 +281,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
   def test_confirm_email_success
     user = create(:user, :new_email => "test-new@example.com")
     stub_gravatar_request(user.new_email)
-    confirm_string = user.tokens.create.token
+    confirm_string = user.generate_token_for(:new_email)
 
     post user_confirm_email_path, :params => { :confirm_string => confirm_string }
     assert_response :redirect
@@ -289,7 +291,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 
   def test_confirm_email_already_confirmed
     user = create(:user)
-    confirm_string = user.tokens.create.token
+    confirm_string = user.generate_token_for(:new_email)
 
     post user_confirm_email_path, :params => { :confirm_string => confirm_string }
     assert_response :redirect
@@ -312,7 +314,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     # switch to email that has a gravatar
     user = create(:user, :new_email => "test-new@example.com")
     stub_gravatar_request(user.new_email, 200)
-    confirm_string = user.tokens.create.token
+    confirm_string = user.generate_token_for(:new_email)
     # precondition gravatar should be turned off
     assert_not user.image_use_gravatar
     post user_confirm_email_path, :params => { :confirm_string => confirm_string }
@@ -327,7 +329,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     # switch to email without a gravatar
     user = create(:user, :new_email => "test-new@example.com", :image_use_gravatar => true)
     stub_gravatar_request(user.new_email, 404)
-    confirm_string = user.tokens.create.token
+    confirm_string = user.generate_token_for(:new_email)
     # precondition gravatar should be turned on
     assert user.image_use_gravatar
     post user_confirm_email_path, :params => { :confirm_string => confirm_string }

test/controllers/passwords_controller_test.rb

@@ -127,21 +127,21 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
     assert_redirected_to :action => :new
 
     # Create a valid token for a user
-    token = user.tokens.create
+    token = user.generate_token_for(:password_reset)
 
     # Test a request with a valid token
-    get user_reset_password_path, :params => { :token => token.token }
+    get user_reset_password_path, :params => { :token => token }
     assert_response :success
     assert_template :edit
 
     # Test that errors are reported for erroneous submissions
-    post user_reset_password_path, :params => { :token => token.token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "different_password" } }
+    post user_reset_password_path, :params => { :token => token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "different_password" } }
     assert_response :success
     assert_template :edit
     assert_select "div.invalid-feedback"
 
     # Test setting a new password
-    post user_reset_password_path, :params => { :token => token.token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "new_password" } }
+    post user_reset_password_path, :params => { :token => token, :user => { :pass_crypt => "new_password", :pass_crypt_confirmation => "new_password" } }
     assert_response :redirect
     assert_redirected_to root_path
     assert_equal user.id, session[:user]

test/controllers/sessions_controller_test.rb

@@ -88,10 +88,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     post user_new_path, :params => { :user => user.attributes }
     post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-
+    post logout_path
-    assert_difference "User.find_by(:email => user.email).tokens.count", -1 do
-      post logout_path
-    end
     assert_response :redirect
     assert_redirected_to root_path
   end

test/controllers/users_controller_test.rb

@@ -312,15 +312,13 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 
     assert_difference "User.count", 1 do
       assert_difference "ActionMailer::Base.deliveries.size", 1 do
-        perform_enqueued_jobs do
+        post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-          post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+        assert_enqueued_with :job => ActionMailer::MailDeliveryJob,
-        end
+                             :args => proc { |args| args[3][:args][2] == welcome_path(:editor => "id", :zoom => 1, :lat => 2, :lon => 3) }
+        perform_enqueued_jobs
       end
     end
 
-    assert_equal welcome_path(:editor => "id", :zoom => 1, :lat => 2, :lon => 3),
-                 User.find_by(:email => user.email).tokens.order("id DESC").first.referer
-
     ActionMailer::Base.deliveries.clear
   end
 

test/integration/user_creation_test.rb

@@ -209,11 +209,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
     assert_equal register_email.to.first, new_email
     # Check that the confirm account url is correct
-    confirm_regex = Regexp.new("/user/redirect_tester/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
+    confirm_regex = Regexp.new("confirm_string=([a-zA-Z0-9%_-]*)")
     email_text_parts(register_email).each do |part|
       assert_match confirm_regex, part.body.to_s
     end
-    confirm_string = email_text_parts(register_email).first.body.match(confirm_regex)[1]
+    confirm_string = CGI.unescape(email_text_parts(register_email).first.body.match(confirm_regex)[1])
 
     # Check the page
     assert_response :success
@@ -222,11 +222,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     # Go to the confirmation page
-    get "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    get "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :success
     assert_template "confirmations/confirm"
 
-    post "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    post "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :redirect
     follow_redirect!
     assert_response :success
@@ -362,11 +362,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
     assert_equal register_email.to.first, new_email
     # Check that the confirm account url is correct
-    confirm_regex = Regexp.new("/user/redirect_tester_openid/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
+    confirm_regex = Regexp.new("confirm_string=([a-zA-Z0-9%_-]*)")
     email_text_parts(register_email).each do |part|
       assert_match confirm_regex, part.body.to_s
     end
-    confirm_string = email_text_parts(register_email).first.body.match(confirm_regex)[1]
+    confirm_string = CGI.unescape(email_text_parts(register_email).first.body.match(confirm_regex)[1])
 
     # Check the page
     assert_response :success
@@ -375,11 +375,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     # Go to the confirmation page
-    get "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    get "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :success
     assert_template "confirmations/confirm"
 
-    post "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    post "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :redirect
     follow_redirect!
     assert_response :success
@@ -516,11 +516,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
     assert_equal register_email.to.first, new_email
     # Check that the confirm account url is correct
-    confirm_regex = Regexp.new("/user/redirect_tester_google/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
+    confirm_regex = Regexp.new("confirm_string=([a-zA-Z0-9%_-]*)")
     email_text_parts(register_email).each do |part|
       assert_match confirm_regex, part.body.to_s
     end
-    confirm_string = email_text_parts(register_email).first.body.match(confirm_regex)[1]
+    confirm_string = CGI.unescape(email_text_parts(register_email).first.body.match(confirm_regex)[1])
 
     # Check the page
     assert_response :success
@@ -529,11 +529,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     # Go to the confirmation page
-    get "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    get "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :success
     assert_template "confirmations/confirm"
 
-    post "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    post "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :redirect
     follow_redirect!
     assert_response :success
@@ -668,11 +668,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
     assert_equal register_email.to.first, new_email
     # Check that the confirm account url is correct
-    confirm_regex = Regexp.new("/user/redirect_tester_facebook/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
+    confirm_regex = Regexp.new("confirm_string=([a-zA-Z0-9%_-]*)")
     email_text_parts(register_email).each do |part|
       assert_match confirm_regex, part.body.to_s
     end
-    confirm_string = email_text_parts(register_email).first.body.match(confirm_regex)[1]
+    confirm_string = CGI.unescape(email_text_parts(register_email).first.body.match(confirm_regex)[1])
 
     # Check the page
     assert_response :success
@@ -681,11 +681,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     # Go to the confirmation page
-    get "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    get "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :success
     assert_template "confirmations/confirm"
 
-    post "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    post "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :redirect
     follow_redirect!
     assert_response :success
@@ -820,11 +820,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
     assert_equal register_email.to.first, new_email
     # Check that the confirm account url is correct
-    confirm_regex = Regexp.new("/user/redirect_tester_microsoft/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
+    confirm_regex = Regexp.new("confirm_string=([a-zA-Z0-9%_-]*)")
     email_text_parts(register_email).each do |part|
       assert_match confirm_regex, part.body.to_s
     end
-    confirm_string = email_text_parts(register_email).first.body.match(confirm_regex)[1]
+    confirm_string = CGI.unescape(email_text_parts(register_email).first.body.match(confirm_regex)[1])
 
     # Check the page
     assert_response :success
@@ -833,11 +833,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     # Go to the confirmation page
-    get "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    get "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :success
     assert_template "confirmations/confirm"
 
-    post "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    post "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :redirect
     follow_redirect!
     assert_response :success
@@ -974,11 +974,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
     assert_equal register_email.to.first, new_email
     # Check that the confirm account url is correct
-    confirm_regex = Regexp.new("/user/redirect_tester_github/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
+    confirm_regex = Regexp.new("confirm_string=([a-zA-Z0-9%_-]*)")
     email_text_parts(register_email).each do |part|
       assert_match confirm_regex, part.body.to_s
     end
-    confirm_string = email_text_parts(register_email).first.body.match(confirm_regex)[1]
+    confirm_string = CGI.unescape(email_text_parts(register_email).first.body.match(confirm_regex)[1])
 
     # Check the page
     assert_response :success
@@ -987,11 +987,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     # Go to the confirmation page
-    get "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    get "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :success
     assert_template "confirmations/confirm"
 
-    post "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    post "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :redirect
     follow_redirect!
     assert_response :success
@@ -1128,11 +1128,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
     assert_equal register_email.to.first, new_email
     # Check that the confirm account url is correct
-    confirm_regex = Regexp.new("/user/redirect_tester_wikipedia/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
+    confirm_regex = Regexp.new("confirm_string=([a-zA-Z0-9%_-]*)")
     email_text_parts(register_email).each do |part|
       assert_match confirm_regex, part.body.to_s
     end
-    confirm_string = email_text_parts(register_email).first.body.match(confirm_regex)[1]
+    confirm_string = CGI.unescape(email_text_parts(register_email).first.body.match(confirm_regex)[1])
 
     # Check the page
     assert_response :success
@@ -1141,11 +1141,11 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     # Go to the confirmation page
-    get "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    get "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :success
     assert_template "confirmations/confirm"
 
-    post "/user/#{display_name}/confirm", :params => { :confirm_string => confirm_string }
+    post "/user/#{display_name}/confirm", :params => { :referer => "/welcome", :confirm_string => confirm_string }
     assert_response :redirect
     follow_redirect!
     assert_response :success