pow-auth · danschultzer · Jan 28, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## v1.0.40 (TBA)
+
+### Enhancements
+
+* [`PowEmailConfirmation.Phoenix.ConfirmationController`] Now redirects with success message for invalid confirmation token when signed in user has no email confirmation token
+
 ## v1.0.39 (2025-01-11)
 
 Now requires Elixir 1.14+.

diff --git a/lib/extensions/email_confirmation/phoenix/controllers/confirmation_controller.ex b/lib/extensions/email_confirmation/phoenix/controllers/confirmation_controller.ex
@@ -33,12 +33,22 @@ defmodule PowEmailConfirmation.Phoenix.ConfirmationController do
     case Plug.load_user_by_token(conn, token) do
       {:error, conn} ->
         conn
-        |> put_flash(:error, extension_messages(conn).invalid_token(conn))
+        |> put_confirmation_flash_message()
         |> redirect(to: redirect_to(conn))
         |> halt()
 
       {:ok, conn} ->
         conn
     end
   end
+
+  defp put_confirmation_flash_message(conn) do
+    case Pow.Plug.current_user(conn) do
+      %{email_confirmation_token: nil} ->
+        put_flash(conn, :info, extension_messages(conn).email_has_been_confirmed(conn))
+
+      _ ->
+        put_flash(conn, :error, extension_messages(conn).invalid_token(conn))
+    end
+  end
 end
diff --git a/test/extensions/email_confirmation/phoenix/controllers/confirmation_controller_test.exs b/test/extensions/email_confirmation/phoenix/controllers/confirmation_controller_test.exs
@@ -69,6 +69,7 @@ defmodule PowEmailConfirmation.Phoenix.ConfirmationControllerTest do
         |> get(~p"/confirm-email/#{sign_token("valid")}")
 
       assert redirected_to(conn) == ~p"/registration/edit"
+      assert get_flash(conn, :info) == "The email address has been confirmed."
       assert Pow.Plug.current_user(conn)
       refute conn.private[:plug_session][@session_key] == session_id
     end
@@ -81,9 +82,30 @@ defmodule PowEmailConfirmation.Phoenix.ConfirmationControllerTest do
         |> get(~p"/confirm-email/#{sign_token("valid")}")
 
       assert redirected_to(conn) == ~p"/registration/edit"
+      assert get_flash(conn, :info) == "The email address has been confirmed."
       assert Pow.Plug.current_user(conn)
       assert conn.private[:plug_session][@session_key] == session_id
     end
+
+    test "when in user signed in with invalid token", %{conn: conn} do
+      conn =
+        conn
+        |> Pow.Plug.assign_current_user(%User{id: 1, email_confirmation_token: "valid"}, [])
+        |> get(~p"/confirm-email/#{sign_token("invalid")}")
+
+      assert redirected_to(conn) == ~p"/registration/edit"
+      assert get_flash(conn, :error) == "The confirmation token is invalid or has expired."
+    end
+
+    test "when in user signed in with invalid token and no confirmation token for user", %{conn: conn} do
+      conn =
+        conn
+        |> Pow.Plug.assign_current_user(%User{id: 1}, [])
+        |> get(~p"/confirm-email/#{sign_token("invalid")}")
+
+      assert redirected_to(conn) == ~p"/registration/edit"
+      assert get_flash(conn, :info) == "The email address has been confirmed."
+    end
   end
 
   defp sign_token(token) do