fix #891: _requireSessionUser throws must-be-signed-in

controllers/user.js

@@ -13,8 +13,8 @@ const sha1 = require("../sha1-utils");
 
 
 function _requireSessionUser(req,res) {
-  if (!req.session.user) {
-    return res.redirect("https://accounts.firefox.com/");
+  if (!req.session || !req.session.user) {
+    throw new FluentError("must-be-signed-in");
   }
   return req.session.user;
 }

tests/controllers/user.test.js

@@ -80,6 +80,25 @@ test("user add request with invalid email throws error", async () => {
 });
 
 
+test("user verify request with valid token but no session throws error", async () => {
+    const validToken = TEST_EMAIL_ADDRESSES.unverified_email_on_firefox_account.verification_token;
+
+    const req = httpMocks.createRequest({
+      method: "GET",
+      url: `/user/verify?token=${validToken}`,
+      fluentFormat: jest.fn(),
+      app: { locals: { breaches: testBreaches } },
+    });
+  const resp = httpMocks.createResponse();
+
+  // Call code-under-test
+  await expect(user.verify(req, resp)).rejects.toThrow("must-be-signed-in");
+
+  const emailAddress = await DB.getEmailByToken(validToken);
+  expect(emailAddress.verified).toBeFalsy();
+});
+
+
 test("user verify request with valid token verifies user", async () => {
     const validToken = TEST_EMAIL_ADDRESSES.unverified_email_on_firefox_account.verification_token;
     const testSubscriberEmail = "firefoxaccount@test.com";