Mandate email validation for free accounts. Be sure to set EMAIL_VALIDATION_CUTOFF_DATE before deploy

app.rb

@@ -29,6 +29,8 @@ before do
     content_type :json
   elsif request.path.match /^\/webhooks\//
     # Skips the CSRF check for stripe web hooks
+  elsif email_not_validated? && !(request.path =~ /^\/site\/.+\/confirm_email|^\/settings\/change_email|^\/signout|^\/welcome|^\/plan/)
+    redirect "/site/#{current_site.username}/confirm_email"
   else
     content_type :html, 'charset' => 'utf-8'
     redirect '/' if request.post? && !csrf_safe?

app/api.rb

@@ -138,6 +138,7 @@ end
 def require_api_credentials
   if !request.env['HTTP_AUTHORIZATION'].nil?
     init_api_credentials
+    api_error(403, 'email_not_validated', 'you need to validate your email address before using the API') if email_not_validated?
   else
     api_error_invalid_auth
   end

app/settings.rb

@@ -280,9 +280,15 @@ end
 post '/settings/change_email' do
   require_login
 
+  if params[:from_confirm]
+    redirect_url = "/site/#{parent_site.username}/confirm_email"
+  else
+    redirect_url = '/settings#email'
+  end
+
   if params[:email] == parent_site.email
     flash[:error] = 'You are already using this email address for this account.'
-    redirect '/settings#email'
+    redirect redirect_url
   end
 
   parent_site.email = params[:email]
@@ -292,12 +298,17 @@ post '/settings/change_email' do
   if parent_site.valid?
     parent_site.save_changes
     send_confirmation_email
-    flash[:success] = 'Successfully changed email. We have sent a confirmation email, please use it to confirm your email address.'
-    redirect '/settings#email'
+    if !parent_site.supporter?
+      session[:fromsettings] = true
+      redirect "/site/#{parent_site.email}/confirm_email"
+    else
+      flash[:success] = 'Email address changed.'
+      redirect '/settings#email'
+    end
   end
 
   flash[:error] = parent_site.errors.first.last.first
-  redirect '/settings#email'
+  redirect redirect_url
 end
 
 post '/settings/change_email_notification' do

app/site.rb

@@ -172,8 +172,23 @@ post '/site/create_directory' do
 end
 
 get '/site/:username/confirm_email/:token' do
+  if current_site && current_site.email_confirmed
+    return erb(:'site_email_confirmed')
+  end
+
   site = Site[username: params[:username]]
-  if !site.nil? && site.email_confirmation_token == params[:token]
+
+  if site.nil?
+    return erb(:'site_email_not_confirmed')
+  end
+
+  if site.email_confirmed
+    return erb(:'site_email_confirmed')
+  end
+
+  if site.email_confirmation_token == params[:token]
+    site.email_confirmation_token = nil
+    site.email_confirmation_count = 0
     site.email_confirmed = true
     site.save_changes
 
@@ -183,6 +198,47 @@ get '/site/:username/confirm_email/:token' do
   end
 end
 
+get '/site/:username/confirm_email' do
+  require_login
+  @fromsettings = session[:fromsettings]
+  redirect '/' if current_site.username != params[:username] || !current_site.parent? || current_site.email_confirmed
+  erb :'site/confirm_email'
+end
+
+post '/site/:username/confirm_email' do
+  require_login
+
+  redirect '/' if current_site.username != params[:username] || !current_site.parent? || current_site.email_confirmed
+
+  # Update email, resend token
+  if params[:email]
+    send_confirmation_email @site
+  end
+
+  if params[:token].blank?
+    flash[:error] = 'You must enter a valid token.'
+    redirect "/site/#{current_site.username}/confirm_email"
+  end
+
+  if current_site.email_confirmation_token == params[:token]
+    current_site.email_confirmation_token = nil
+    current_site.email_confirmation_count = 0
+    current_site.email_confirmed = true
+    current_site.save_changes
+
+    if session[:fromsettings]
+      session[:fromsettings] = nil
+      flash[:success] = 'Email address changed.'
+      redirect '/settings#email'
+    end
+
+    redirect '/'
+  else
+    flash[:error] = 'You must enter a valid token.'
+    redirect "/site/#{current_site.username}/confirm_email"
+  end
+end
+
 post '/site/:username/report' do |username|
   site = Site[username: username]
 

app_helpers.rb

@@ -72,12 +72,19 @@ def encoding_fix(file)
 end
 
 def send_confirmation_email(site=current_site)
+  if site.email_confirmation_count > Site::MAXIMUM_EMAIL_CONFIRMATIONS
+    flash[:error] = 'You sent too many email confirmation requests, cannot continue.'
+    redirect request.referrer
+  end
+
+  DB['UPDATE sites set email_confirmation_count=email_confirmation_count+1 WHERE id=?', site.id].first
+
   EmailWorker.perform_async({
     from: 'web@neocities.org',
     reply_to: 'contact@neocities.org',
     to: site.email,
     subject: "[Neocities] Confirm your email address",
-    body: Tilt.new('./views/templates/email_confirm.erb', pretty: true).render(self, site: site)
+    body: Tilt.new('./views/templates/email/confirm.erb', pretty: true).render(self, site: site)
   })
 end
 
@@ -116,3 +123,7 @@ end
 def dont_browser_cache
   @dont_browser_cache = true
 end
+
+def email_not_validated?
+  current_site && current_site.parent? && !current_site.is_education && !current_site.email_confirmed && !current_site.supporter? && Site::EMAIL_VALIDATION_CUTOFF_DATE < Time.now
+end

models/site.rb

@@ -121,6 +121,8 @@ class Site < Sequel::Model
     maximum_site_files: 2000
   )
 
+  EMAIL_VALIDATION_CUTOFF_DATE = Time.now - 1
+
   def self.newsletter_sites
      Site.select(:email).
        exclude(email: 'nil').exclude(is_banned: true).
@@ -160,6 +162,8 @@ class Site < Sequel::Model
     EMAIL_BLAST_MAXIMUM_PER_DAY = 1000
   end
 
+  MAXIMUM_EMAIL_CONFIRMATIONS = 20
+
   many_to_many :tags
 
   one_to_many :profile_comments

tests/acceptance/settings/account_tests.rb

@@ -16,7 +16,14 @@ describe 'site/settings' do
       @new_email = "#{SecureRandom.uuid.gsub('-', '')}@example.com"
       fill_in 'email', with: @new_email
       click_button 'Change Email'
-      page.must_have_content /successfully changed email/i
+
+      page.must_have_content /enter the confirmation code here/
+
+      fill_in 'token', with: @site.reload.email_confirmation_token
+      click_button 'Confirm Email'
+
+      page.must_have_content /Email address changed/i
+
       @site.reload
       @site.email.must_equal @new_email
       EmailWorker.jobs.length.must_equal 1

tests/acceptance/settings/site_tests.rb

@@ -345,13 +345,11 @@ describe 'delete' do
     owned_site = Fabricate :site, parent_site_id: @site.id
     visit "/settings/#{owned_site.username}#delete"
     fill_in 'confirm_username', with: owned_site.username
-    fill_in 'deleted_reason', with: 'got bored with it'
     click_button 'Delete Site'
 
     @site.reload
     owned_site.reload
     owned_site.is_deleted.must_equal true
-    owned_site.deleted_reason.must_equal 'got bored with it'
     @site.is_deleted.must_equal false
 
     page.current_path.must_equal "/settings"

tests/acceptance/signup_tests.rb

@@ -54,6 +54,12 @@ describe 'signup' do
     click_signup_button
     site_created?
 
+    click_link 'Continue'
+    page.must_have_content /almost ready!/
+    fill_in 'token', with: Site[username: @site[:username]].email_confirmation_token
+    click_button 'Confirm Email'
+    page.must_have_content /Thanks for joining the Neocities community/
+
     index_file_path = File.join Site::SITE_FILES_ROOT, @site[:username], 'index.html'
     File.exist?(index_file_path).must_equal true
 

tests/fabricators/site_fabricator.rb

@@ -1,5 +1,6 @@
 Fabricator(:site) do
-  username { SecureRandom.hex }
-  password { 'abcde' }
-  email    { SecureRandom.uuid.gsub('-', '')+'@example.com' }
+  username        { SecureRandom.hex }
+  password        { 'abcde' }
+  email           { SecureRandom.uuid.gsub('-', '')+'@example.com' }
+  email_confirmed { true }
 end

views/_header_links.erb

@@ -15,5 +15,13 @@
     <a href="/tutorials">Learn</a>
   </li>
   <li>
-    <a href="/plan">Support Us<i class="fa fa-heart"><i class="fa fa-heart"></i></i></a>
+    <a href="/plan">
+      <% if signed_in? %>
+        <% unless current_site.supporter? %>
+          Upgrade to Supporter<i class="fa fa-heart"><i class="fa fa-heart"></i></i>
+        <% end %>
+      <% else %>
+        Support Us<i class="fa fa-heart"><i class="fa fa-heart"></i></i>
+      <% end %>
+    </a>
   </li>

views/_team.erb

@@ -3,27 +3,20 @@
   <h1 class="beta txt-Center">The Neocities Team</h1>
 
   <div class="row txt-Center">
-    <div class="col col-33">
+    <div class="col col-50">
       <a href="https://kyledrake.neocities.org" title="Visit Kyle's Website">
         <img src="https://0.gravatar.com/avatar/62a43048a3c2c688654274abdc0ecb9c?d=https%3A%2F%2Fidenticons.github.com%2Ffde07ba82b25f95afa9d080819f95717.png&amp;r=x&amp;s=440" alt="kyle drake" class="pic-Rounded" />
       </a>
       <br />
       <a href="https://kyledrake.neocities.org" title="Kyle Drake" class="eps">Kyle Drake</a>
     </div>
-    <div class="col col-33">
+    <div class="col col-50">
       <a href="https://victoria.neocities.org" title="Visit Victoria's Website">
         <img src="https://1.gravatar.com/avatar/2b577f8b3e5ab79bc927ed5185c0eae0?d=https%3A%2F%2Fidenticons.github.com%2Fe03006819f4a835afa237716f6701c95.png&amp;r=x&amp;s=440" alt="Victoria Wang" class="pic-Rounded" />
       </a>
       <br />
       <a href="https://victoria.neocities.org" title="Visit Victoria's Website" class="eps">Victoria Wang</a>
     </div>
-    <div class="col col-33">
-      <a href="http://scottohara.neocities.org" title="Visit Scott's Website">
-        <img src="https://0.gravatar.com/avatar/6ade16e6184b3efb573ee91255ff7abe?d=https%3A%2F%2Fidenticons.github.com%2Fa6362986538cdcb93a8b04f6c3f66b5e.png&amp;r=x&amp;s=440" alt="Scott O'Hara" class="pic-Rounded" />
-      </a>
-      <br />
-      <a href="http://scottohara.neocities.org" title="Visit Scott's Website" class="eps">Scott O'Hara</a>
-    </div>
   </div>
 </section>
 

views/site/confirm_email.erb

@@ -0,0 +1,51 @@
+<section class="section plans welcome">
+  <h2>Check your Email</h2>
+  <div class="txt-Center"><img src="/img/fatcat.png" width="70px"></div>
+  <h3 class="subtitle">
+    <% if !@fromsettings %>
+      You're almost ready!<br>
+    <% end %>
+
+    We sent an email to <strong><%= current_site.email %></strong> to make sure it's correct.<br>Please check your email, enter the confirmation code here, and you're all set.
+  </h3>
+
+  <div class="row">
+    <div class="col col-100 txt-Center" style="margin-top: 10px;">
+
+        <% if flash[:success] %>
+          <div class="alert alert-block alert-success" style="margin-top: 20px">
+            <%== flash[:success] %>
+          </div>
+        <% end %>
+
+        <% if flash[:error] %>
+          <div class="alert alert-block alert-error" style="margin-top: 20px">
+            <%== flash[:error] %>
+          </div>
+        <% end %>
+
+      <form method="POST" action="/site/<%= current_site.username %>/confirm_email" class="content">
+        <%== csrf_token_input_html %>
+        <fieldset>
+          <label for="token">Email Confirmation Token</label>
+          <input name="token" type="text" class="input-Area" autofill="off" autocapitalize="off" autocorrect="off" value="<%= flash[:token] %>" style="width: 290px">
+        </fieldset>
+        <input class="btn-Action" type="submit" value="Confirm Email">
+      </form>
+
+      <h2 style="margin-top: 30px">Wrong email?</h2>
+      <h3 class="subtitle">If you entered the wrong email address by mistake:</h3>
+
+      <form method="POST" action="/settings/change_email" class="content">
+        <%== csrf_token_input_html %>
+        <input type="hidden" name="from_confirm" value="1">
+        <fieldset>
+          <input name="email" type="text" class="input-Area" autofill="off" autocapitalize="off" autocorrect="off" value="<%= current_site.email %>" style="width: 290px">
+        </fieldset>
+        <input class="btn-Action" type="submit" value="Update Email Address">
+      </form>
+
+    </div>
+  </div>
+
+</section>

views/templates/email/confirm.erb

@@ -2,7 +2,9 @@ Hello <%= site.username %>,
 
 Please confirm your email address for Neocities!
 
-You can confirm your email address using the link below:
+Your email confirmation code is: <%= site.email_confirmation_token %>
+
+You can also confirm your email address using the link below:
 
 https://neocities.org/site/<%= site.username %>/confirm_email/<%= site.email_confirmation_token %>