complete_user_creation is less aggressive about deleting the pendingCreation...

complete_user_creation is less aggressive about deleting the pendingCreation toeken - this allows a user to reload to try to complete email creation if the database is temporarily down

complete_user_creation is less aggressive about deleting the pendingCreation...
complete_user_creation is less aggressive about deleting the pendingCreation toeken - this allows a user to reload to try to complete email creation if the database is temporarily down
bae40c16 · Lloyd Hilaiel · 65da95e2 · bae40c16
Commit bae40c16 authored 12 years ago by Lloyd Hilaiel
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -58,20 +58,25 @@ exports.process = function(req, res) {
  }

  function postAuthentication() {
-    // the time the email verification is performed, we'll clear the pendingCreation
-    // data on the session.
-    delete req.session.pendingCreation;
-
    db.haveVerificationSecret(req.body.token, function(err, known) {
      if (err) return wsapi.databaseDown(res, err);

-      if (!known) return res.json({ success: false} );
+      if (!known) {
+        // clear the pendingCreation token from the session if we find no such
+        // token in the database
+        delete req.session.pendingCreation;
+        return res.json({ success: false} );
+      }

      db.gotVerificationSecret(req.body.token, function(err, email, uid) {
        if (err) {
          logger.warn("couldn't complete email verification: " + err);
          wsapi.databaseDown(res, err);
        } else {
+          // clear the pendingCreation token from the session once we
+          // successfully complete user creation
+          delete req.session.pendingCreation;
+
          // At this point, the user is either on the same browser with a token from
          // their email address, OR they've provided their account password.  It's
          // safe to grant them an authenticated session.