SECURITY: Support for confirm old as well as new email accounts

spec/controllers/users_controller_spec.rb

@@ -104,26 +104,6 @@ describe UsersController do
     end
   end
 
-  describe '.authorize_email' do
-    it 'errors out for invalid tokens' do
-      get :authorize_email, token: 'asdfasdf'
-      expect(response).to be_success
-      expect(flash[:error]).to be_present
-    end
-
-    context 'valid token' do
-      it 'authorizes with a correct token' do
-        user = Fabricate(:user)
-        email_token = user.email_tokens.create(email: user.email)
-
-        get :authorize_email, token: email_token.token
-        expect(response).to be_success
-        expect(flash[:error]).to be_blank
-        expect(session[:current_user_id]).to be_present
-      end
-    end
-  end
-
   describe '.activate_account' do
     before do
       UsersController.any_instance.stubs(:honeypot_or_challenge_fails?).returns(false)

spec/controllers/users_email_controller_spec.rb

@@ -2,6 +2,44 @@ require 'rails_helper'
 
 describe UsersEmailController do
 
+  describe '.confirm' do
+    it 'errors out for invalid tokens' do
+      get :confirm, token: 'asdfasdf'
+      expect(response).to be_success
+      expect(assigns(:update_result)).to eq(:error)
+    end
+
+    context 'valid old address token' do
+      let(:user) { Fabricate(:moderator) }
+      let(:updater) { EmailUpdater.new(user.guardian, user) }
+
+      before do
+        updater.change_to('new.n.cool@example.com')
+      end
+
+      it 'confirms with a correct token' do
+        get :confirm, token: user.email_tokens.last.token
+        expect(response).to be_success
+        expect(assigns(:update_result)).to eq(:authorizing_new)
+      end
+    end
+
+    context 'valid new address token' do
+      let(:user) { Fabricate(:user) }
+      let(:updater) { EmailUpdater.new(user.guardian, user) }
+
+      before do
+        updater.change_to('new.n.cool@example.com')
+      end
+
+      it 'confirms with a correct token' do
+        get :confirm, token: user.email_tokens.last.token
+        expect(response).to be_success
+        expect(assigns(:update_result)).to eq(:complete)
+      end
+    end
+  end
+
   describe '.update' do
     let(:new_email) { 'bubblegum@adventuretime.ooo' }
 
@@ -57,14 +95,8 @@ describe UsersEmailController do
       end
 
       context 'success' do
-
         it 'has an email token' do
-          expect { xhr :put, :update, username: user.username, email: new_email }.to change(EmailToken, :count)
-        end
-
-        it 'enqueues an email authorization' do
-          Jobs.expects(:enqueue).with(:user_email, has_entries(type: :authorize_email, user_id: user.id, to_address: new_email))
-          xhr :put, :update, username: user.username, email: new_email
+          expect { xhr :put, :update, username: user.username, email: new_email }.to change(EmailChangeRequest, :count)
         end
       end
     end