FEATURE: Require Javascript to activate an account via email link

app/controllers/users_controller.rb

@@ -5,7 +5,7 @@ require_dependency 'avatar_upload_service'
 class UsersController < ApplicationController
 
   skip_before_filter :authorize_mini_profiler, only: [:avatar]
-  skip_before_filter :check_xhr, only: [:show, :password_reset, :update, :activate_account, :authorize_email, :user_preferences_redirect, :avatar, :my_redirect]
+  skip_before_filter :check_xhr, only: [:show, :password_reset, :update, :activate_account, :perform_account_activation, :authorize_email, :user_preferences_redirect, :avatar, :my_redirect]
 
   before_filter :ensure_logged_in, only: [:username, :update, :change_email, :user_preferences_redirect, :upload_user_image, :pick_avatar, :destroy_user_image, :destroy]
   before_filter :respond_to_suspicious_request, only: [:create]
@@ -273,6 +273,10 @@ class UsersController < ApplicationController
 
   def activate_account
     expires_now()
+    render layout: 'no_js'
+  end
+
+  def perform_account_activation
     if @user = EmailToken.confirm(params[:token])
 
       # Log in the user unless they need to be approved

app/views/users/activate_account.html.erb

@@ -1,19 +1,27 @@
 <div id='simple-container'>
 
-  <%if flash[:error]%>
-    <div class='alert alert-error'>
-      <%=flash[:error]%>
-    </div>
-  <%else%>
     <h2><%= t 'activation.welcome_to', site_name: SiteSetting.title %></h2>
-    <p>
-    <% if @needs_approval %>
-      <%= t 'activation.approval_required' %>
-    <% else %>
-      <%= raw t('activation.please_continue', link: link_to(SiteSetting.title, '/')) %></a>.
+    <br/>
+    <button class='btn' id='activate-account-button'><%= t 'activation.action' %></button>
+
+    <%= form_tag(perform_activate_account_path, method: :put, id: 'activate-account-form') do %>
     <% end %>
-    </p>
-
-  <%end%>
-
 </div>
+
+<script language="javascript">
+  (function() {
+   var t1 = new Date().getTime(),
+       button = document.getElementById('activate-account-button'),
+       form = document.getElementById('activate-account-form');
+
+    button.addEventListener('click', function() {
+      var diff = new Date().getTime() - t1;
+
+      // Ensure the form has been visible for a few ms before allowing the
+      // user to submit.
+      if (diff > 50) {
+        form.submit();
+      }
+    });
+  })();
+</script>

app/views/users/perform_account_activation.html.erb

@@ -0,0 +1,20 @@
+<div id='simple-container'>
+
+  <%if flash[:error]%>
+    <div class='alert alert-error'>
+      <%=flash[:error]%>
+    </div>
+  <%else%>
+    <h2><%= t 'activation.welcome_to', site_name: SiteSetting.title %></h2>
+    <p>
+    <% if @needs_approval %>
+      <%= t 'activation.approval_required' %>
+    <% else %>
+      <br>
+      <%= raw t('activation.please_continue', link: link_to(SiteSetting.title, '/')) %></a>.
+    <% end %>
+    </p>
+
+  <%end%>
+
+</div>

config/locales/server.en.yml

@@ -383,6 +383,7 @@ en:
     error: "There was an error changing your email address. Perhaps the address is already in use?"
 
   activation:
+    action: "Activate your account"
     already_done: "Sorry, this account confirmation link is no longer valid. Perhaps your account is already active?"
     please_continue: "Your new account is confirmed, and you are now logged in. Continue to %{link}"
     welcome_to: "Welcome to %{site_name}!"

config/routes.rb

@@ -188,6 +188,7 @@ Discourse::Application.routes.draw do
   get "users/password-reset/:token" => "users#password_reset"
   put "users/password-reset/:token" => "users#password_reset"
   get "users/activate-account/:token" => "users#activate_account"
+  put "users/activate-account/:token" => "users#perform_account_activation", as: 'perform_activate_account'
   get "users/authorize-email/:token" => "users#authorize_email"
   get "users/hp" => "users#get_honeypot_value"
   get "my/*path", to: 'users#my_redirect'

spec/controllers/users_controller_spec.rb

@@ -65,7 +65,6 @@ describe UsersController do
     end
 
     context 'valid token' do
-
       it 'authorizes with a correct token' do
         user = Fabricate(:user)
         email_token = user.email_tokens.create(email: user.email)
@@ -82,7 +81,7 @@ describe UsersController do
     context 'invalid token' do
       before do
         EmailToken.expects(:confirm).with('asdfasdf').returns(nil)
-        get :activate_account, token: 'asdfasdf'
+        put :perform_account_activation, token: 'asdfasdf'
       end
 
       it 'return success' do
@@ -105,13 +104,13 @@ describe UsersController do
         it 'enqueues a welcome message if the user object indicates so' do
           user.send_welcome_message = true
           user.expects(:enqueue_welcome_message).with('welcome_user')
-          get :activate_account, token: 'asdfasdf'
+          put :perform_account_activation, token: 'asdfasdf'
         end
 
         it "doesn't enqueue the welcome message if the object returns false" do
           user.send_welcome_message = false
           user.expects(:enqueue_welcome_message).with('welcome_user').never
-          get :activate_account, token: 'asdfasdf'
+          put :perform_account_activation, token: 'asdfasdf'
         end
 
       end
@@ -120,7 +119,7 @@ describe UsersController do
         before do
           Guardian.any_instance.expects(:can_access_forum?).returns(true)
           EmailToken.expects(:confirm).with('asdfasdf').returns(user)
-          get :activate_account, token: 'asdfasdf'
+          put :perform_account_activation, token: 'asdfasdf'
         end
 
         it 'returns success' do
@@ -145,7 +144,7 @@ describe UsersController do
         before do
           Guardian.any_instance.expects(:can_access_forum?).returns(false)
           EmailToken.expects(:confirm).with('asdfasdf').returns(user)
-          get :activate_account, token: 'asdfasdf'
+          put :perform_account_activation, token: 'asdfasdf'
         end
 
         it 'returns success' do