Fix confirmation token handling

adjust data path
remember user-associated orders on iteraction
2026-04-02 22:25:42 +02:00 · 2026-04-02 22:19:22 +02:00 · 2026-04-02 22:19:08 +02:00
3 changed files with 42 additions and 2 deletions
@@ -403,10 +403,47 @@ def confirm_account_action(token: str) -> dict[str, Any]:
        raise HTTPException(status_code=422, detail="Token is required")

    with get_connection() as conn:
-        confirmation = consume_confirmation_token(conn, token.strip())
+        normalized_token = token.strip()
+
+        try:
+            confirmation = consume_confirmation_token(conn, normalized_token)
+            already_consumed = False
+        except HTTPException as exc:
+            if exc.status_code != 409 or str(exc.detail) != "Confirmation token already used":
+                raise
+
+            confirmation = conn.execute(
+                """
+                SELECT token, user_id, action, process_id, email, new_email, new_user_id, created_at, expires_at, consumed_at
+                FROM account_confirmation_tokens
+                WHERE token = ?
+                """,
+                (normalized_token,),
+            ).fetchone()
+
+            if not confirmation:
+                raise HTTPException(status_code=404, detail="Confirmation token not found")
+
+            already_consumed = True
+
        action = str(confirmation["action"])
        confirmed_user_id = str(confirmation["user_id"])

+        if already_consumed:
+            if action == "user_id_change_confirm":
+                migrated_user_id = str(confirmation["new_user_id"] or "").strip() or confirmed_user_id
+                return {
+                    "status": "already_confirmed",
+                    "action": action,
+                    "user_id": migrated_user_id,
+                }
+
+            return {
+                "status": "already_confirmed",
+                "action": action,
+                "user_id": confirmed_user_id,
+            }
+
        if action == "register_confirm":
            conn.execute(
                "UPDATE user_profiles SET email_confirmed = 1, updated_at = ? WHERE user_id = ?",
@@ -676,6 +713,7 @@ def get_my_order_access(order_id: str, user_id: str = Depends(get_existing_user_
    ensure_order_exists(order_id)

    with get_connection() as conn:
+        upsert_user_order_tokens(conn, clean_id, order_id)
        auth = get_user_order_tokens(conn, clean_id, order_id)

    return {
@@ -4,7 +4,7 @@ services:
      context: backend
      dockerfile: Containerfile
    volumes:
-      - ../.data:/app/data
+      - ./.data:/app/data
      - ../config.yaml:/app/config.yaml:ro
      - ./backend/app:/app/app
    environment:
@@ -416,6 +416,7 @@ export default function App() {
      message.success("Registration email sent. Open the link in your inbox to finish setup.");
    } catch (error: any) {
      message.error(error?.message || "Could not create account.");
+      throw error;
    }
  };

@@ -430,6 +431,7 @@ export default function App() {
      message.success("Migration email sent. Open the link in your inbox to complete migration.");
    } catch (error: any) {
      message.error(error?.message || "Could not migrate account.");
+      throw error;
    }
  };
Author	SHA1	Message	Date
fhs52267	acb16f08b8	Fix confirmation token handling	2026-04-02 22:25:42 +02:00
fhs52267	b0ef0302cf	adjust data path	2026-04-02 22:19:22 +02:00
fhs52267	32c46f6e94	remember user-associated orders on iteraction	2026-04-02 22:19:08 +02:00