Canonical SSO provider

Merge lp:~canonical-isd-hackers/canonical-identity-provider/bug_589335_auth_tokens into lp:canonical-identity-provider/release

bug_589335_auth_tokens
Merge into trunk

Proposed by Łukasz Czyżykowski on 2010-06-15

Status:

Merged

Merged at revision:

Proposed branch:

lp:~canonical-isd-hackers/canonical-identity-provider/bug_589335_auth_tokens

Merge into:

lp:canonical-identity-provider/release

Diff against target:

1395 lines (+506/-196)

22 files modified

doctests/stories/openid/per-version/sso-workflow-complete.txt (+2/-2)
doctests/stories/openid/per-version/sso-workflow-register.txt (+1/-1)
doctests/stories/openid/per-version/sso-workflow-reset-password.txt (+1/-1)
doctests/stories/sso-server/standalone-login.txt (+172/-46)
identityprovider/forms.py (+20/-1)
identityprovider/models/authtoken.py (+40/-4)
identityprovider/templates/enter_token.html (+37/-0)
identityprovider/templates/launchpad/email/forgottenpassword.txt (+4/-0)
identityprovider/templates/launchpad/email/newuser.txt (+4/-0)
identityprovider/templates/launchpad/email/validate-email.txt (+4/-0)
identityprovider/templates/registration/confirm_new_account.html (+1/-1)
identityprovider/templates/registration/email_sent.html (+16/-6)
identityprovider/templates/registration/reset_password.html (+1/-1)
identityprovider/templates/ubuntu/email/forgottenpassword.txt (+4/-0)
identityprovider/templates/ubuntu/email/newuser.txt (+4/-0)
identityprovider/templates/ubuntu/email/validate-email.txt (+4/-0)
identityprovider/tests/test_views_ui.py (+79/-93)
identityprovider/tests/utils.py (+2/-0)
identityprovider/urls.py (+9/-4)
identityprovider/views/account.py (+11/-5)
identityprovider/views/ui.py (+79/-31)
identityprovider/views/utils.py (+11/-0)

To merge this branch:

bzr merge lp:~canonical-isd-hackers/canonical-identity-provider/bug_589335_auth_tokens

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Canonical ISD hackers		2010-06-15	Pending
Review via email: mp+27595@code.launchpad.net

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Danny Tamez

David Owen

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

Canonical SSO provider

Merge lp:~canonical-isd-hackers/canonical-identity-provider/bug_589335_auth_tokens into lp:canonical-identity-provider/release

Commit message

Description of the change

Preview Diff

Subscribers

 === modified file 'doctests/stories/openid/per-version/sso-workflow-complete.txt'
 --- doctests/stories/openid/per-version/sso-workflow-complete.txt	2010-04-21 15:29:24 +0000
 +++ doctests/stories/openid/per-version/sso-workflow-complete.txt	2010-06-22 23:23:25 +0000
@@ -54,7 +54,7 @@
      >>> token_url = 'http://openid.launchpad.dev/token/%s' % token
      >>> browser.open(token_url)
      >>> print browser.url
--    http://openid.launchpad.dev/token/.../+newaccount
++    http://openid.launchpad.dev/token/.../+newaccount/new-user%40example.com
      >>> browser.getControl(name='displayname').value = 'New User'
      >>> browser.getControl(name='password').value = 'testP4ss'
@@ -134,7 +134,7 @@
      >>> token_url = 'http://openid.launchpad.dev/token/%s' % token
      >>> browser.open(token_url)
      >>> print browser.url
--    http://.../+resetpassword
++    http://.../+resetpassword/new-user%40example.com
      >>> browser.getControl(name='password').value = 'test2...'
      >>> browser.getControl(name='passwordconfirm').value = 'test2...'
 === modified file 'doctests/stories/openid/per-version/sso-workflow-register.txt'
 --- doctests/stories/openid/per-version/sso-workflow-register.txt	2010-04-21 15:29:24 +0000
 +++ doctests/stories/openid/per-version/sso-workflow-register.txt	2010-06-22 23:23:25 +0000
@@ -79,7 +79,7 @@
      >>> link = 'http://openid.launchpad.dev/token/%s' % token
      >>> browser.open(link)
      >>> print browser.url
--    http://openid.launchpad.dev/token/.../+newaccount
++    http://openid.launchpad.dev/token/.../+newaccount/new-user%40example.com
  The user can enter their full name and password, to complete the
  registration:
 === modified file 'doctests/stories/openid/per-version/sso-workflow-reset-password.txt'
 --- doctests/stories/openid/per-version/sso-workflow-reset-password.txt	2010-04-21 15:29:24 +0000
 +++ doctests/stories/openid/per-version/sso-workflow-reset-password.txt	2010-06-22 23:23:25 +0000
@@ -78,7 +78,7 @@
      >>> link = 'http://openid.launchpad.dev/token/%s' % token
      >>> browser.open(link)
      >>> print browser.url
--    http://openid.launchpad.dev/token/.../+resetpassword
++    http://openid.launchpad.dev/token/.../+resetpassword/test%40canonical.com
  The user can now enter a new password:
 === modified file 'doctests/stories/sso-server/standalone-login.txt'
 --- doctests/stories/sso-server/standalone-login.txt	2010-05-21 21:10:59 +0000
 +++ doctests/stories/sso-server/standalone-login.txt	2010-06-22 23:23:25 +0000
@@ -13,9 +13,13 @@
      Log in to Ubuntu Single Sign On
      ...
--    >>> browser.getControl(name='email').value = 'mark@example.com'
--    >>> browser.getControl(name='password').value = 'test'
--    >>> browser.getControl(name='continue').click()
++    >>> def login(browser, email=None, password=None):
++    ...     browser.open('http://openid.launchpad.dev')
++    ...     browser.getControl(name='email').value = email
++    ...     browser.getControl(name='password').value = password
++    ...     browser.getControl(name='continue').click()
++
++    >>> login(browser, email='mark@example.com', password='test')
  Once successfully logged in, they will see the details of their account.
@@ -30,37 +34,51 @@
      >>> from identityprovider.models.account import AccountManager
      >>> from identityprovider.models.emailaddress import EmailAddress
--    >>> try:
--    ...     EmailAddress.objects.filter(email='new-user@example.com').delete()
--    ... except:
--    ...     pass
--    >>> try:
--    ...     AccountManager().get_by_email('new-user@example.com').delete()
--    ... except:
--    ...     pass
++
++    >>> def register(browser):
++    ...     try:
++    ...         EmailAddress.objects.filter(
++    ...             email='new-user@example.com').delete()
++    ...     except:
++    ...         pass
++    ...     try:
++    ...         AccountManager().get_by_email('new-user@example.com').delete()
++    ...     except:
++    ...         pass
++    ...     browser.open('http://openid.launchpad.dev')
++    ...     browser.getLink('New account').click()
++    ...     browser.getControl(name='email').value = 'new-user@example.com'
++    ...     browser.getControl(name='continue').click()
++
      >>> browser = setupBrowser()
--    >>> browser.open('http://openid.launchpad.dev')
--    >>> browser.getLink('New account').click()
--    >>> browser.getControl(name='email').value = 'new-user@example.com'
--    >>> browser.getControl(name='continue').click()
++    >>> register(browser)
++
      >>> browser.contents.find("Registration mail sent") > 0
      True
      >>> from identityprovider.models.const import LoginTokenType
      >>> from identityprovider.models import AuthToken
--    >>> token = AuthToken.objects.filter(
--    ...     email='new-user@example.com',
--    ...     token_type=LoginTokenType.NEWPERSONLESSACCOUNT,
--    ...     date_consumed=None).order_by('-date_created')[0].token
++    >>> def find_my_token(type, email='new-user@example.com'):
++    ...     return AuthToken.objects.filter(
++    ...         email=email,
++    ...         token_type=type,
++    ...         date_consumed=None).order_by('-date_created')[0].token
++
++    >>> token = find_my_token(LoginTokenType.NEWPERSONLESSACCOUNT)
      >>> link = 'http://openid.launchpad.dev/token/%s' % token
      >>> browser.open(link)
      >>> print browser.url
--    http://openid.launchpad.dev/token/.../+newaccount
--
--    >>> browser.getControl(name='displayname').value = 'New User'
--    >>> browser.getControl(name='password').value = 'testP4ss'
--    >>> browser.getControl(name='passwordconfirm').value = 'testP4ss'
--    >>> browser.getControl(name='continue').click()
++    http://openid.launchpad.dev/token/.../+newaccount/new-user%40example.com
++
++Finish the registration process.
++
++    >>> def finish_registration(browser):
++    ...     browser.getControl(name='displayname').value = 'New User'
++    ...     browser.getControl(name='password').value = 'testP4ss'
++    ...     browser.getControl(name='passwordconfirm').value = 'testP4ss'
++    ...     browser.getControl(name='continue').click()
++
++    >>> finish_registration(browser)
      >>> print browser.url
      http://openid.launchpad.dev/
@@ -70,42 +88,150 @@
      >>> print AccountManager().get_by_email(email='new-user@example.com').person
      None
++
++=== Confirm out of session ===
++
++Begin registration as before.
++
++    >>> browser = setupBrowser()
++    >>> register(browser)
++
++    >>> browser.contents.find("Registration mail sent") > 0
++    True
++
++But now, try to confirm the new account from out of the original
++session.
++
++    >>> browser = setupBrowser()
++    >>> token = find_my_token(LoginTokenType.NEWPERSONLESSACCOUNT)
++    >>> link = 'http://openid.launchpad.dev/token/%s' % token
++    >>> browser.open(link)
++
++It should prompt for the e-mail that the token was sent to, as a
++security precaution.
++
++    >>> print browser.url
++    http://.../+enter_token?token=...
++
++Fill in the e-mail address, then continue as before.
++
++    >>> browser.getControl(name='email').value = 'new-user@example.com'
++    >>> browser.getControl(name='continue').click()
++    >>> print browser.url
++    http://openid.launchpad.dev/token/.../+newaccount/new-user%40example.com
++
++    >>> finish_registration(browser)
++
++    >>> print browser.url
++    http://openid.launchpad.dev/
++
++
  == Resetting the password ==
++    >>> def request_reset(browser):
++    ...     browser.open('http://openid.launchpad.dev')
++    ...     browser.getLink('Forgot your password?').click()
++    ...     browser.getControl(name='email').value = 'new-user@example.com'
++    ...     browser.getControl(name='continue').click()
++
      >>> browser = setupBrowser()
--    >>> browser.open('http://openid.launchpad.dev')
--    >>> browser.getLink('Forgot your password?').click()
--    >>> browser.getControl(name='email').value = 'new-user@example.com'
--    >>> browser.getControl(name='continue').click()
++    >>> request_reset(browser)
      >>> browser.contents.find("Forgotten your password?") > 0
      True
      >>> from identityprovider.models.const import LoginTokenType
      >>> from identityprovider.models import AuthToken
--    >>> token = AuthToken.objects.filter(
--    ...     email='new-user@example.com',
--    ...     token_type=LoginTokenType.PASSWORDRECOVERY,
--    ...     date_consumed=None).order_by('-date_created')[0].token
++    >>> token = find_my_token(LoginTokenType.PASSWORDRECOVERY)
      >>> link = 'http://openid.launchpad.dev/token/%s' % token
      >>> browser.open(link)
      >>> print browser.url
--    http://openid.launchpad.dev/token/.../+resetpassword
--
--    >>> browser.getControl(name='password').value = 'new Password'
--    >>> browser.getControl(name='passwordconfirm').value = 'new Password'
--    >>> browser.getControl(name='continue').click()
--
++    http://openid.launchpad.dev/token/.../+resetpassword/new-user%40example.com
++
++    >>> def set_new_password(browser):
++    ...     browser.getControl(name='password').value = 'new Password'
++    ...     browser.getControl(name='passwordconfirm').value = 'new Password'
++    ...     browser.getControl(name='continue').click()
++
++    >>> set_new_password(browser)
      >>> print browser.url
      http://openid.launchpad.dev/
--
--=== Logging in with the new password ===
--
--    >>> browser = setupBrowser()
--    >>> browser.open('http://openid.launchpad.dev')
++Log in with the new password.
++
++    >>> browser = setupBrowser()
++    >>> login(browser, email='new-user@example.com', password='new Password')
++    >>> print extract_text(find_tag_by_id(browser.contents, 'content'))
++    New User
++    ...
++    new-user@example.com
++    ...
++
++=== Confirm out of session ===
++
++Start as before.
++
++    >>> browser = setupBrowser()
++    >>> request_reset(browser)
++    >>> browser.contents.find("Forgotten your password?") > 0
++    True
++
++But now, try to finish the reset from out of the original session.
++
++    >>> browser = setupBrowser()
++    >>> token = find_my_token(LoginTokenType.PASSWORDRECOVERY)
++    >>> link = 'http://openid.launchpad.dev/token/%s' % token
++    >>> browser.open(link)
++
++It should prompt for the e-mail that the token was sent to.
++
++    >>> print browser.url
++    http://.../+enter_token?token=...
++
++Fill in the e-mail address, then continue as before.
++
      >>> browser.getControl(name='email').value = 'new-user@example.com'
--    >>> browser.getControl(name='password').value = 'new Password'
--    >>> browser.getControl(name='continue').click()
++    >>> browser.getControl(name='continue').click()
++    >>> print browser.url
++    http://openid.launchpad.dev/token/.../+resetpassword/new-user%40example.com
++
++    >>> set_new_password(browser)
++    >>> print browser.url
++    http://openid.launchpad.dev/
++
++Log in with the new password.
++
++    >>> browser = setupBrowser()
++    >>> login(browser, email='new-user@example.com', password='new Password')
++    >>> print extract_text(find_tag_by_id(browser.contents, 'content'))
++    New User
++    ...
++    new-user@example.com
++    ...
++
++
++== Adding an e-mail address ==
++
++    >>> browser = setupBrowser()
++    >>> login(browser, email='new-user@example.com', password='new Password')
++
++    >>> def add_email(browser, email):
++    ...     browser.open('http://openid.launchpad.dev/+edit')
++    ...     browser.getLink('Add another email').click()
++    ...     browser.getControl(name='newemail').value = email
++    ...     browser.getControl(name='continue').click()
++
++    >>> add_email(browser, 'alpha@example.org')
++
++    >>> token = find_my_token(LoginTokenType.VALIDATEEMAIL,
++    ...                       email='alpha@example.org')
++    >>> browser.open('http://openid.launchpad.dev/token/%s' % token)
++    >>> print browser.url
++    http://openid.launchpad.dev/token/.../+newemail/alpha%40example.org
++
++    >>> browser.getControl(name='continue').click()
++
++    >>> browser = setupBrowser()
++    >>> login(browser, email='alpha@example.org', password='new Password')
      >>> print extract_text(find_tag_by_id(browser.contents, 'content'))
      New User
      ...
 === modified file 'identityprovider/forms.py'
 --- identityprovider/forms.py	2010-05-20 20:08:19 +0000
 +++ identityprovider/forms.py	2010-06-22 23:23:25 +0000
@@ -9,7 +9,7 @@
  from django.utils.safestring import mark_safe
  from django.utils.translation import ugettext as _
--from identityprovider.models import Account, EmailAddress
++from identityprovider.models import Account, EmailAddress, verify_token_string
  from identityprovider.models.const import EmailStatus
  from identityprovider.utils import (
      get_person_and_account_by_email, CannotResetPasswordException,
@@ -136,6 +136,25 @@
          widget=widgets.TextInput(attrs={'class': 'textType', 'size': '20'}))
++class TokenForm(GenericEmailForm):
++    """If the token and e-mail are entered correctly, and if the
++    specified token exists and can be used, the token object is placed
++    in cleaned_data['atoken']."""
++
++    token = fields.CharField()
++
++    def clean(self):
++        data = self.cleaned_data
++        token_string = data.get('token')
++        email = data.get('email')
++        if token_string is not None and email is not None:
++            atoken = verify_token_string(token_string, email)
++            if atoken is None:
++                raise forms.ValidationError(_("Token not found."))
++            data['atoken'] = atoken
++        return data
++
++
  class PreferredEmailField(forms.ModelChoiceField):
      def label_from_instance(self, obj):
          return obj.email
 === modified file 'identityprovider/models/authtoken.py'
 --- identityprovider/models/authtoken.py	2010-05-20 14:07:52 +0000
 +++ identityprovider/models/authtoken.py	2010-06-22 23:23:25 +0000
@@ -10,6 +10,7 @@
  from django.core.mail import send_mail
  from django.core.urlresolvers import reverse
  from django.db import models
++from django.http import urlencode
  from django.template.loader import render_to_string
  from identityprovider.branding import current_brand
@@ -18,12 +19,25 @@
  from identityprovider.utils import format_address
  __all__ = (
++    'AUTHTOKEN_LENGTH',
++    'AUTHTOKEN_PATTERN',
      'AuthToken',
      'AuthTokenFactory',
--    'send_validation_email_request'
++    'get_type_of_token',
++    'send_validation_email_request',
++    'verify_token_string'
+ )
++AUTHTOKEN_LENGTH = 6
++
++# For now, we have some older tokens (20 chars) still active, while we
++# introduce the shorter tokens.  After a while, we could probably
++# bound this pattern's repetition more tightly.
++#AUTHTOKEN_PATTERN = '[A-Za-z0-9]{%s}' % AUTHTOKEN_LENGTH
++AUTHTOKEN_PATTERN = '[A-Za-z0-9]+' # % AUTHTOKEN_LENGTH
++
++
  class AuthToken(models.Model):
      date_created = models.DateTimeField(default=datetime.datetime.utcnow,
          blank=True, editable=False)
@@ -50,7 +64,8 @@
      def get_absolute_url(self):
          path = reverse('identityprovider.views.ui.claim_token',
              kwargs={'authtoken': self.token})
--        return urljoin(settings.SSO_ROOT_URL, path)
++        return urljoin(settings.SSO_ROOT_URL, path) + '?' + \
++               urlencode({'email': self.email})
      def consume(self):
          self.date_consumed = datetime.datetime.now()
@@ -76,6 +91,7 @@
              'requester': self.requester.displayname,
              'requester_email': self.requester_email,
              'toaddress': self.email,
++            'token': self.token,
              'token_url': self.get_absolute_url(),
              'support_form_url': settings.SUPPORT_FORM_URL,
+         }
@@ -98,6 +114,7 @@
      def sendPasswordResetEmail(self):
          replacements = {
++            'token': self.token,
              'token_url': self.get_absolute_url(),
+         }
          from_name = unicode(current_brand.name)
@@ -108,7 +125,8 @@
      def sendNewUserEmail(self):
          replacements = {
--            'token_url': self.get_absolute_url(),
++            'token': self.token,
++            'token_url': self.get_absolute_url()
+         }
          from_name = unicode(current_brand.name)
          message = render_to_string('%s/email/newuser.txt' %
@@ -142,7 +160,8 @@
                            requester_email=requester_email,
                            email=email, token_type=token_type,
                            redirection_url=redirection_url)
--        token.token = create_unique_token_for_table(20, AuthToken, 'token')
++        token.token = create_unique_token_for_table(
++            AUTHTOKEN_LENGTH, AuthToken, 'token')
          token.save()
          return token
@@ -235,6 +254,14 @@
      return True
++def get_type_of_token(token_string):
++    try:
++        token = AuthToken.objects.get(token=token_string)
++        return token.token_type
++    except AuthToken.DoesNotExist:
++        return None
++
++
  def send_validation_email_request(account, email, redirection_url):
      if account.preferredemail is None:
          preferredemail_email = None
@@ -248,3 +275,12 @@
          token_type=LoginTokenType.VALIDATEEMAIL,
          redirection_url=redirection_url)
      token.sendEmailValidationRequest()
++
++    return token
++
++def verify_token_string(token_string, email):
++    try:
++        return AuthToken.objects.get(token=token_string, email=email,
++                                     date_consumed=None)
++    except AuthToken.DoesNotExist:
++        return None
 === added file 'identityprovider/templates/enter_token.html'
 --- identityprovider/templates/enter_token.html	1970-01-01 00:00:00 +0000
 +++ identityprovider/templates/enter_token.html	2010-06-22 23:23:25 +0000
@@ -0,0 +1,37 @@
++<!-- Copyright 2010 Canonical Ltd.  This software is licensed under the
++GNU Affero General Public License version 3 (see the file  LICENSE). -->
++
++{% extends "base.html" %}
++{% load i18n %}
++
++{% block "title" %}
++    {% blocktrans %}Enter token{% endblocktrans %}
++{% endblock %}
++
++{% block "content" %}
++
++<h2 class="main">Enter token</h2>
++
++<p>Enter the token that you received in an e-mail, and the e-mail
++  address at which you received it.</p>
++
++<form method="post">
++
++  {% if form.non_field_errors %}
++  <p><span class="error">{{ form.non_field_errors.0 }}</span></p>
++  {% endif %}
++
++  <p><label>Token<br>
++      {{ form.token }}</label>
++    {% if form.token.errors %}<span class="error">{{ form.token.errors|join:"" }}</span>{% endif %}</p>
++
++  <p><label>E-mail<br>
++      {{ form.email }}</label>
++    {% if form.email.errors %}<span class="error">{{ form.email.errors|join:"" }}</span>{% endif %}</p>
++
++  <p><button class="btn" type="submit" name="continue">
++      <span><span>Continue</span></span></button></p>
++
++</form>
++
++{% endblock %}
 === modified file 'identityprovider/templates/launchpad/email/forgottenpassword.txt'
 --- identityprovider/templates/launchpad/email/forgottenpassword.txt	2010-05-13 14:41:45 +0000
 +++ identityprovider/templates/launchpad/email/forgottenpassword.txt	2010-06-22 23:23:25 +0000
@@ -7,6 +7,10 @@
      {{ token_url }}
++Or, you may enter the following token manually:
++
++    {{ token }}
++
  If you don't know what this is about, then someone else has entered your email address at the Launchpad Login Service. Sorry about that. You don't need to do anything further, just delete this message.
  Regards,
 === modified file 'identityprovider/templates/launchpad/email/newuser.txt'
 --- identityprovider/templates/launchpad/email/newuser.txt	2010-05-13 14:41:45 +0000
 +++ identityprovider/templates/launchpad/email/newuser.txt	2010-06-22 23:23:25 +0000
@@ -7,6 +7,10 @@
      {{ token_url }}
++Or, you may enter the following token manually:
++
++    {{ token }}
++
  If you don't know what this is about, then someone has probably entered your email address by mistake at the Launchpad Login Service web site. Sorry about that. You don't need to do anything further, just delete this message.
  Regards,
 === modified file 'identityprovider/templates/launchpad/email/validate-email.txt'
 --- identityprovider/templates/launchpad/email/validate-email.txt	2010-05-13 14:41:45 +0000
 +++ identityprovider/templates/launchpad/email/validate-email.txt	2010-06-22 23:23:25 +0000
@@ -7,6 +7,10 @@
      {{ token_url }}
++Or, you may enter the following token manually:
++
++    {{ token }}
++
  If you did not make this request, please ignore this message or report it on
      {{ support_form_url }}
 === modified file 'identityprovider/templates/registration/confirm_new_account.html'
 --- identityprovider/templates/registration/confirm_new_account.html	2010-06-18 12:43:10 +0000
 +++ identityprovider/templates/registration/confirm_new_account.html	2010-06-22 23:23:25 +0000
@@ -55,7 +55,7 @@
  <div id="auth">
      <h1 class="main">{{ brand.complete_reg }}</h1>
--    <form id="login-form" class="longfields" action="+newaccount" method="post">
++    <form id="login-form" class="longfields" method="post">
          <p class="input-row{% if form.displayname.errors %} haserrors{% endif %}">
              <label for="id_displayname">{% trans "Full name" %}</label>
              {{ form.displayname }}
 === modified file 'identityprovider/templates/registration/email_sent.html'
 --- identityprovider/templates/registration/email_sent.html	2010-05-31 12:51:21 +0000
 +++ identityprovider/templates/registration/email_sent.html	2010-06-22 23:23:25 +0000
@@ -8,21 +8,28 @@
  {% block "content" %}
  {% if user.is_authenticated %}<div class="email-sent-auth">{% endif %}
++
  <div id="col1">
      <h2 class="main">{{ email_heading }}</h2>
      <div class="larger">
          <p>{{ email_reason|safe }}</p>
          <p class="last">
--            {% trans "To continue, follow the link in that message." %}
++            {% trans "To continue, follow the link in that message, or enter the token that it contains below:" %}
          </p>
      </div>
--    {% if user.is_authenticated %}
--    <p>
--        <a href="./+edit" class="btn"><span><span>{% trans "Continue" %}</span></span></a>
--    </p>
--    {% endif %}
++    <form action="/+enter_token" method="post">
++      <p><label>Token<br>
++          <input name="token" type="text" class="textType"></label></p>
++      <p><button type="submit" class="btn">
++          <span><span>Continue</span></span>
++        </button>
++        {% if user.is_authenticated %} or, <a href="/+edit">return to
++        profile</a>{% endif %}
++      </p>
++    </form>
  </div>
++
  <div id="col2">
      <h2 class="main">{% trans "Haven&rsquo;t received it?" %}</h2>
      <p>{% blocktrans %}If you don&rsquo;t receive the message within a few minutes, it might be because:{% endblocktrans %}</p>
@@ -35,5 +42,8 @@
      <p>{% blocktrans %}If neither of those work, our service might be having a problem.{% endblocktrans %}
      </p>
  </div>
++
++<div style="clear: both"></div>
++
  {% if user.is_authenticated %}</div>{% endif %}
  {% endblock %}
 === modified file 'identityprovider/templates/registration/reset_password.html'
 --- identityprovider/templates/registration/reset_password.html	2010-06-18 12:43:10 +0000
 +++ identityprovider/templates/registration/reset_password.html	2010-06-22 23:23:25 +0000
@@ -56,7 +56,7 @@
          <div id="auth">
              <h2 class="main">{{ brand.reset_password }}</h2>
--            <form id="login-form" class="longfields" action="+resetpassword" method="post">
++            <form id="login-form" class="longfields" method="post">
                  <p class="input-row{% if form.password.errors or form.non_field_errors %} haserrors{% endif %}">
                      <label for="id_password">{% trans "Choose password" %}</label>
                      <div id="password_wrapper">{{ form.password }}<div id='password_strength'></div></div>
 === modified file 'identityprovider/templates/ubuntu/email/forgottenpassword.txt'
 --- identityprovider/templates/ubuntu/email/forgottenpassword.txt	2010-05-13 14:41:45 +0000
 +++ identityprovider/templates/ubuntu/email/forgottenpassword.txt	2010-06-22 23:23:25 +0000
@@ -7,6 +7,10 @@
      {{ token_url }}
++Or, you may enter the following token manually:
++
++    {{ token }}
++
  If you don't know what this is about, then someone else has entered your email address at the Ubuntu Single Sign On service. Sorry about that. You don't need to do anything further, just delete this message.
  Regards,
 === modified file 'identityprovider/templates/ubuntu/email/newuser.txt'
 --- identityprovider/templates/ubuntu/email/newuser.txt	2010-05-13 15:12:04 +0000
 +++ identityprovider/templates/ubuntu/email/newuser.txt	2010-06-22 23:23:25 +0000
@@ -7,6 +7,10 @@
      {{ token_url }}
++Or, you may enter the following token manually:
++
++    {{ token }}
++
  If you don't know what this is about, then someone has probably entered your email address by mistake at the Ubuntu Single Sign On service web site. Sorry about that. You don't need to do anything further, just delete this message.
  Regards,
 === modified file 'identityprovider/templates/ubuntu/email/validate-email.txt'
 --- identityprovider/templates/ubuntu/email/validate-email.txt	2010-05-13 15:12:04 +0000
 +++ identityprovider/templates/ubuntu/email/validate-email.txt	2010-06-22 23:23:25 +0000
@@ -7,6 +7,10 @@
      {{ token_url }}
++Or, you may enter the following token manually:
++
++    {{ token }}
++
  If you did not make this request, please ignore this message or report it on
      {{ support_form_url }}
 === modified file 'identityprovider/tests/test_views_ui.py'
 --- identityprovider/tests/test_views_ui.py	2010-06-15 16:11:25 +0000
 +++ identityprovider/tests/test_views_ui.py	2010-06-22 23:23:25 +0000
@@ -11,10 +11,12 @@
  from django.core import mail, urlresolvers
  from django.http import QueryDict
  from django.test.client import Client
++from django.utils.http import urlquote
++
  from openid.message import IDENTIFIER_SELECT
  from identityprovider import decorators, signed
--from identityprovider.models import authtoken as at
++from identityprovider.models import AUTHTOKEN_LENGTH, authtoken as at
  from identityprovider.models import EmailAddress, Person, OpenIDRPConfig
  from identityprovider.models.const import EmailStatus
  from identityprovider.views import ui, server
@@ -51,13 +53,24 @@
      def setUp(self):
          logging.disable(logging.WARNING)
--
--        # disable csrf
          self.disable_csrf()
++        self._ENABLE_TOKEN_DEBUG = getattr(settings, 'ENABLE_TOKEN_DEBUG')
++        settings.ENABLE_TOKEN_DEBUG = True
      def tearDown(self):
++        settings.ENABLE_TOKEN_DEBUG = self._ENABLE_TOKEN_DEBUG
          self.reset_csrf()
++    def _session_token(self):
++        token_string = self.client.session['token_string']
++        return AuthToken.objects.get(token=token_string)
++
++    def _token_url(self, view, token_string=None, token_email=None):
++        token_string = token_string or self.client.session['token_string']
++        token_email = token_email or self.client.session['token_email']
++        quoted_email = urlquote(token_email, safe='')
++        return '/token/%s/%s/%s' % (token_string, view, quoted_email)
++
      def authenticate(self):
          self.client.login(username='mark@example.com', password='test')
@@ -146,7 +159,8 @@
      def create_token(self, token_type, email=None, redirection_url=None):
          token = at.AuthToken.objects.create(
              token_type=token_type,
--            token=at.create_unique_token_for_table(20, at.AuthToken, 'token'),
++            token=at.create_unique_token_for_table(
++                AUTHTOKEN_LENGTH, at.AuthToken, 'token'),
+         )
          if email:
              token.email = email
@@ -155,12 +169,6 @@
          token.save()
          return token
--    def test_claim_token_for_password_recovery(self):
--        token = self.create_token(at.LoginTokenType.PASSWORDRECOVERY)
--        r = self.client.get('/token/%s/' % token.token)
--        self.assertRedirects(r, '/token/%s/+resetpassword' % token.token,
--                             target_status_code=302)
--
      def test_claim_token_for_password_recovery_no_preferredemail(self):
          """ According to bug #524582 this should be handled gracefully by
          verifying the email address and resetting the password. """
@@ -173,12 +181,9 @@
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
--
          # reset password
          data = {'password': 'Password1', 'passwordconfirm': 'Password1'}
--        r = self.client.post("/token/%s/+resetpassword" % token, data)
++        r = self.client.post(self._token_url('+resetpassword'), data)
          self.assertRedirects(r, '/')
          for email_obj in account.emailaddress_set.all():
@@ -186,25 +191,49 @@
              email_obj.save()
          account.preferredemail = _preferred_email
--    def test_claim_token_for_validate_email(self):
--        token = self.create_token(at.LoginTokenType.VALIDATEEMAIL)
--        r = self.client.get('/token/%s/' % token.token)
--        self.assertRedirects(r, '/token/%s/+newemail' % token.token,
--                             target_status_code=302)
++    def test_enter_unexisting_token(self):
++        r = self.client.post('/+enter_token', {
++            'email': 'fake@example.com',
++            'token': '0'})
++        self.assertContains(r, 'Token not found')
++
++    def test_claim_unexisting_token(self):
++        r = self.client.get('/token/%s/' % 0, {'email': 'fake%40example.com'})
++        self.assertEquals(r.status_code, 404)
      def test_claim_token_for_unexisting_token_type(self):
--        token = self.create_token(9999)
--        r = self.client.get('/token/%s/' % token.token)
++        token = self.create_token(9999, 'fake@example.com')
++        r = self.client.get('/token/%s/' % token.token,
++                            {'email': 'fake%40example.com'})
          self.assertEquals(r.status_code, 404)
++    def test_claim_consumed_token(self):
++        token = self.client.post('/+forgot_password',
++                                 {'email': 'test@canonical.com'})
++        url = self._token_url('+resetpassword')
++
++        pwd = 'Password1'
++        r = self.client.post(url, {'password': pwd, 'passwordconfirm': pwd})
++        self.assertRedirects(r, '/')
++
++        self.client.cookies.clear()
++
++        pwd = 'Password2'
++        r = self.client.post(url, {'password': pwd, 'passwordconfirm': pwd})
++        self.assertRedirects(r, '/+bad-token')
++
++    def test_token_form_validation(self):
++        r = self.client.post('/+enter_token')
++        self.assertContains(r, '<span class="error"')
++
      def test_config_email(self):
          self.authenticate()
          token = self.create_token(at.LoginTokenType.VALIDATEEMAIL,
--                                  email="mark@example.com",
++                                  email='mark@example.com',
                                    redirection_url="/")
--        r = self.client.post('/token/%s/+newemail' % token.token,
--            {'post': 'yes'})
++        url = '/token/%s/+newemail/%s' % (token.token, 'mark%40example.com')
++        r = self.client.post(url, {'post': 'yes'})
          self.assertRedirects(r, token.redirection_url)
      def test_token_from_email_when_it_is_turned_on(self):
@@ -230,22 +259,16 @@
          r = self.client.get('/+bad-token')
          self.assertEquals(r.status_code, 200)
--    def test_confirm_account_with_bad_token(self):
--        token = self.create_token(at.LoginTokenType.NEWPERSONLESSACCOUNT)
--        self.authenticate()
--        r = self.client.get('/+logout')
--
--        r = self.client.get('/token/%s/+newaccount' % token.token)
--        self.assertRedirects(r, '/+bad-token')
--
      def test_logout_to_confirm(self):
          r = self.client.get('/+logout-to-confirm')
          self.assertEquals(r.status_code, 200)
      def test_confirm_account_while_logged_in(self):
--        token = self.create_token(at.LoginTokenType.NEWPERSONLESSACCOUNT)
++        token = self.create_token(at.LoginTokenType.NEWPERSONLESSACCOUNT,
++                                  email='me@example.com')
          self.authenticate()
--        r = self.client.get('/token/%s/' % token.token)
++        r = self.client.get('/token/%s/' % token.token,
++                            {'email': 'me@example.com'})
          location = None
          for item in r.items():
              if item[0] == 'Location':
@@ -263,9 +286,7 @@
          self.assertRedirects(r, '/+email-sent')
          # claim token
--        token2 = self.client.session['token_newaccount']
--
--        r = self.client.post("/token/%s/+newaccount" % token2,
++        r = self.client.post(self._token_url('+newaccount'),
              {'displayname': 'Person', 'password': 'P4ssw0rd',
               'passwordconfirm': 'P4ssw0rd'})
          self.assertRedirects(r, "/%s/+decide" % token1)
@@ -278,9 +299,7 @@
          self.assertRedirects(r, '/+email-sent')
          # claim token
--        token2 = self.client.session['token_newaccount']
--
--        r = self.client.post("/token/%s/+newaccount" % token2,
++        r = self.client.post(self._token_url('+newaccount'),
              {'displayname': 'Person', 'password': 'P4ssw0rd',
               'passwordconfirm': 'P4ssw0rd'})
          self.assertRedirects(r, "/%s/+decide" % token1)
@@ -305,9 +324,7 @@
          rpconfig = OpenIDRPConfig.objects.create(trust_root='http://localhost/')
          # claim token
--        token2 = self.client.session['token_newaccount']
--
--        r = self.client.post("/token/%s/+newaccount" % token2,
++        r = self.client.post(self._token_url('+newaccount'),
              {'displayname': 'Person', 'password': 'P4ssw0rd',
               'passwordconfirm': 'P4ssw0rd'})
          self.assertRedirects(r, "/%s/+decide" % token1)
@@ -320,12 +337,12 @@
      def test_confirm_account_invalid_form(self):
          # setup session
          token1 = create_token(16)
++        email = 'person@example.com'
          r = self.client.post("/%s/+new_account" % token1,
--                             {'email': 'person@example.com'})
++                             {'email': email})
          # test view
--        token2 = self.client.session['token_newaccount']
--        r = self.client.post("/token/%s/+newaccount" % token2)
++        r = self.client.post(self._token_url('+newaccount'))
          self.assertTemplateUsed(r, 'registration/confirm_new_account.html')
          self.assertFormError(r, 'form', 'displayname', 'Required field.')
@@ -397,15 +414,12 @@
          r = self.client.post("/%s/+forgot_password" % token1,
                               {'email': 'test@canonical.com'})
--        token2 = self.client.session['token_forgotpassword']
--        auth_token = AuthToken.objects.get(token=token2)
++        auth_token = self._session_token()
          self.assertEqual(auth_token.redirection_url, "/%s/+decide" % token1)
      def test_reset_password_when_account_active(self):
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
          account = Account.objects.get_by_email('test@canonical.com')
          # make sure the account is active
@@ -414,14 +428,12 @@
          # confirm account
          data = {'password': 'Password1', 'passwordconfirm': 'Password1'}
--        r = self.client.post('/token/%s/+resetpassword' % token, data)
++        r = self.client.post(self._token_url('+resetpassword'), data)
          self.assertRedirects(r, '/')
      def test_reset_password_when_account_active_no_password(self):
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
          account = Account.objects.get_by_email('test@canonical.com')
          account.accountpassword.delete()
@@ -431,7 +443,7 @@
          # confirm account
          data = {'password': 'Password1', 'passwordconfirm': 'Password1'}
--        r = self.client.post('/token/%s/+resetpassword' % token, data)
++        r = self.client.post(self._token_url('+resetpassword'), data)
          self.assertRedirects(r, '/')
      def test_reset_password_when_account_deactivated(self):
@@ -439,8 +451,6 @@
          functionality. Bug #556878 """
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
          account = Account.objects.get_by_email('test@canonical.com')
          # make sure the account is deactivated
@@ -449,7 +459,7 @@
          # confirm account
          data = {'password': 'Password1', 'passwordconfirm': 'Password1'}
--        r = self.client.post('/token/%s/+resetpassword' % token, data)
++        r = self.client.post(self._token_url('+resetpassword'), data)
          self.assertRedirects(r, '/')
      def test_reset_password_when_account_deactivated_no_preferred_email(self):
@@ -469,12 +479,9 @@
          self.assertEqual(len(mail.outbox), 1)
          mail.outbox = []
--        # claim token
--        token = self.client.session['token_forgotpassword']
--
          # reset password
          data = {'password': 'Password1', 'passwordconfirm': 'Password1'}
--        r = self.client.post('/token/%s/+resetpassword' % token, data)
++        r = self.client.post(self._token_url('+resetpassword'), data)
          self.assertRedirects(r, '/')
          self.assertEqual(account.preferredemail.email, 'test@canonical.com')
@@ -487,8 +494,6 @@
      def test_reset_password_when_account_noaccount(self):
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
          account = Account.objects.get_by_email('test@canonical.com')
          # make sure the account is deactivated
@@ -497,14 +502,12 @@
          # confirm account
          data = {'password': 'Password1', 'passwordconfirm': 'Password1'}
--        r = self.client.post('/token/%s/+resetpassword' % token, data)
++        r = self.client.post(self._token_url('+resetpassword'), data)
          self.assertRedirects(r, '/')
      def test_reset_password_when_account_suspended(self):
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
          account = Account.objects.get_by_email('test@canonical.com')
          account.status = AccountStatus.SUSPENDED
@@ -513,18 +516,16 @@
          data = {'password': 'Password1', 'passwordconfirm': 'Password1'}
          # confirm account
--        r = self.client.post('/token/%s/+resetpassword' % token, data)
++        r = self.client.post(self._token_url('+resetpassword'), data)
          self.assertRedirects(r, '/+bad-token')
      def test_reset_password_invalid_form(self):
          # get valid session
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
          # test view
--        r = self.client.post("/token/%s/+resetpassword" % token)
++        r = self.client.post(self._token_url('+resetpassword'))
          self.assertTemplateUsed(r, 'registration/reset_password.html')
          self.assertFormError(r, 'form', 'password', 'Required field.')
@@ -532,11 +533,9 @@
          # get valid session
          r = self.client.post('/+forgot_password',
                               {'email': 'test@canonical.com'})
--        # claim token
--        token = self.client.session['token_forgotpassword']
          # test view
--        r = self.client.get("/token/%s/+resetpassword" % token)
++        r = self.client.get(self._token_url('+resetpassword'))
          self.assertTemplateUsed(r, 'registration/reset_password.html')
          for context in r.context:
              self.assertEqual(context['form'].errors, {})
@@ -607,8 +606,7 @@
      def test_new_account_when_account_not_exists_no_token(self):
          r = self.client.post('/+new_account', {'email': 'person@example.com'})
--        token = self.client.session['token_newaccount']
--        token_obj = AuthToken.objects.get(token=token)
++        token_obj = self._session_token()
          self.assertEqual(token_obj.redirection_url, '/')
      def test_edit_account_template(self):
@@ -674,21 +672,6 @@
          email = EmailAddress.objects.get(email=email.email)
          self.assertEqual(email.status, EmailStatus.NEW)
--    def test_confirm_email_post(self):
--        self.authenticate()
--
--        account, email, token = self._setup_account_with_new_email()
--        # use verification token
--        r = self.client.post("/token/%s/+newemail" % token.token,
--            {'post': 'yes'})
--
--        # verify token has been consumed, and email has been verified
--        token = AuthToken.objects.get(token=token.token,
--            token_type=LoginTokenType.VALIDATEEMAIL)
--        self.assertNotEqual(token.date_consumed, None)
--        email = EmailAddress.objects.get(email=email.email)
--        self.assertEqual(email.status, EmailStatus.VALIDATED)
--
      def test_confirm_email_as_another_user_fails(self):
          self.authenticate()
          account = Account.objects.get_by_email('test@canonical.com')
@@ -707,14 +690,17 @@
          r, token = self.get_email_token_validation_response(account)
--        self.assertRedirects(r, '/+login?next=/token/%s/%%2Bnewemail' %
--                             token.token)
++        url = ('/+login?next=/token/%s/%%2Bnewemail/%s' %
++               (token.token, 'newemail2%40example.com'))
++        self.assertRedirects(r, url)
      def get_email_token_validation_response(self, account):
          email = account.emailaddress_set.create(
              email='newemail2@example.com', status=EmailStatus.NEW)
          token = self.create_token(at.LoginTokenType.VALIDATEEMAIL, email.email)
--        r = self.client.get("/token/%s/+newemail" % token.token)
++        url = ('/token/%s/+newemail/%s' %
++               (token.token, 'newemail2%40example.com'))
++        r = self.client.get(url)
          return (r, token)
      def test_suspended(self):
 === modified file 'identityprovider/tests/utils.py'
 --- identityprovider/tests/utils.py	2010-06-21 08:09:20 +0000
 +++ identityprovider/tests/utils.py	2010-06-22 23:23:25 +0000
@@ -211,6 +211,8 @@
      "A class that simulates writing to /dev/null."
      def write(self, s):
          pass
++    def flush(self):
++        pass
  # This function was adapted from the django project.
 === modified file 'identityprovider/urls.py'
 --- identityprovider/urls.py	2010-06-22 10:33:42 +0000
 +++ identityprovider/urls.py	2010-06-22 23:23:25 +0000
@@ -5,11 +5,14 @@
  from django.conf import settings
  from identityprovider.branding import current_brand
++from identityprovider.models import AUTHTOKEN_PATTERN
  repls = {
      'token': '(?P<token>[A-Za-z0-9]{16})/',
      'optional_token': '((?P<token>[A-Za-z0-9]{16})/)?',
++    'authtoken': '(?P<authtoken>%s)' % AUTHTOKEN_PATTERN,
++    'email_address': '(?P<email_address>.+)'
+ }
  urlpatterns = patterns('identityprovider.views.server',
@@ -28,12 +31,14 @@
      (r'^%(optional_token)s\+logout$' % repls, 'logout'),
      (r'^%(optional_token)s\+new_account$' % repls, 'new_account'),
      (r'^%(optional_token)s\+forgot_password$' % repls, 'forgot_password'),
--    (r'^token/(?P<authtoken>[A-Za-z0-9]{20})/$', 'claim_token'),
--    (r'^token/(?P<authtoken>[A-Za-z0-9]{20})/\+resetpassword$',
++    (r'^\+enter_token$', 'enter_token'),
++    (r'^token/%(authtoken)s/$' % repls, 'claim_token'),
++    (r'^token/%(authtoken)s/\+resetpassword/%(email_address)s$' % repls,
       'reset_password'),
--    (r'^token/(?P<authtoken>[A-Za-z0-9]{20})/\+newaccount$',
++    (r'^token/%(authtoken)s/\+newaccount/%(email_address)s$' % repls,
       'confirm_account'),
--    (r'^token/(?P<authtoken>[A-Za-z0-9]{20})/\+newemail$', 'confirm_email'),
++    (r'^token/%(authtoken)s/\+newemail/%(email_address)s$' % repls,
++     'confirm_email'),
      (r'^\+bad-token', 'bad_token'),
      (r'^\+logout-to-confirm', 'logout_to_confirm'),
      (r'^%(optional_token)s\+email-sent$' % repls, 'email_sent'),
 === modified file 'identityprovider/views/account.py'
 --- identityprovider/views/account.py	2010-06-21 16:00:10 +0000
 +++ identityprovider/views/account.py	2010-06-22 23:23:25 +0000
@@ -11,14 +11,15 @@
  from django.template import RequestContext
  from django.utils.translation import ugettext as _
++from identityprovider.decorators import check_readonly
  from identityprovider.forms import EditAccountForm, LoginForm, NewEmailForm
  from identityprovider.models import (send_validation_email_request,
      EmailAddress)
  from identityprovider.models.oauthtoken import Consumer, Token
  from identityprovider.models.const import EmailStatus
--from identityprovider.decorators import check_readonly
--from identityprovider.views.utils import redirection_url_for_token
  from identityprovider.readonly import readonly_manager
++from identityprovider.views.utils import (redirection_url_for_token,
++    set_session_token_info)
  def index(request, token=None):
@@ -92,17 +93,22 @@
  def _send_verification_email(account, session, email, tokenid=None):
++    # TODO: This makes use of `tokenid` if it's passed in, but the
++    # call to `send_validation_email_request` always generates a new
++    # token.  Is this right?
++
      # If there are any unverified emails that match they should be deleted.
      EmailAddress.objects.filter(email__iexact=email,
          status=EmailStatus.NEW).delete()
      # Ensure that this account has such email address; return value is not used
--    account.emailaddress_set.get_or_create(email=email, lp_person=account.person,
--        status=EmailStatus.NEW)
++    account.emailaddress_set.get_or_create(
++        email=email, lp_person=account.person, status=EmailStatus.NEW)
      redirection_url = redirection_url_for_token(tokenid)
--    send_validation_email_request(account, email, redirection_url)
++    token = send_validation_email_request(account, email, redirection_url)
++    set_session_token_info(session, token)
      session['email_feedback'] = settings.FEEDBACK_TO_ADDRESS
      session['email_heading'] = _("Validate your e-mail address")
 === modified file 'identityprovider/views/ui.py'
 --- identityprovider/views/ui.py	2010-06-15 14:12:57 +0000
 +++ identityprovider/views/ui.py	2010-06-22 23:23:25 +0000
@@ -12,19 +12,22 @@
  from django.core import urlresolvers
  from django.core.mail import send_mail
  from django.core.urlresolvers import Resolver404, resolve, reverse
--from django.http import Http404, HttpResponseRedirect, HttpResponseNotFound
++from django.http import (Http404, HttpResponseNotAllowed, HttpResponseNotFound,
++    HttpResponseRedirect, urlencode)
  from django.shortcuts import (get_object_or_404, get_list_or_404,
                                render_to_response)
  from django.template import RequestContext
++from django.template.loader import render_to_string
++from django.utils.http import urlquote
  from django.utils.translation import ugettext as _
--from django.template.loader import render_to_string
  from identityprovider.branding import current_brand
--from identityprovider.decorators import dont_cache, guest_required, limitlogin, requires_cookies
++from identityprovider.decorators import (dont_cache, guest_required, limitlogin,
++    requires_cookies)
  from identityprovider.forms import (LoginForm, ForgotPasswordForm,
--    ResetPasswordForm, NewAccountForm, ConfirmNewAccountForm)
++    ResetPasswordForm, NewAccountForm, ConfirmNewAccountForm, TokenForm)
  from identityprovider.models import (Account, AccountPassword, AuthToken,
--    AuthTokenFactory, EmailAddress)
++    AuthTokenFactory, EmailAddress, get_type_of_token, verify_token_string)
  from identityprovider.models.const import (AccountStatus, EmailStatus,
      LoginTokenType)
  import identityprovider.signed as signed
@@ -34,7 +37,7 @@
  from identityprovider.decorators import check_readonly
  from identityprovider.middleware.csrf import csrf_exempt
  from identityprovider.models.captcha import Captcha
--from identityprovider.views.utils import get_rpconfig
++from identityprovider.views.utils import get_rpconfig, set_session_token_info
  logger = logging.getLogger('sso')
@@ -112,14 +115,47 @@
      return response
++def enter_token(request):
++    token_string = request.REQUEST.get('token')
++    email = request.REQUEST.get('email') or request.session.get('token_email')
++    params = {'token': token_string, 'email': email}
++    if request.method == 'GET':
++        form = TokenForm(initial=params)
++    elif request.method == 'POST':
++        form = TokenForm(params)
++        if form.is_valid():
++            token = form.cleaned_data['atoken']
++            return _token_redirect(token.token_type, token_string, email)
++    else:
++        return HttpResponseNotAllowed(['GET', 'POST'])
++    return render_to_response('enter_token.html',
++                              RequestContext(request, {'form': form}))
++
++def _redirect_to_enter_token(token=None, email=None):
++    params = {}
++    if token is not None:
++        params['token'] = token
++    if email is not None:
++        params['email'] = email
++    return HttpResponseRedirect('/+enter_token?%s' % urlencode(params))
++
  def claim_token(request, authtoken):
--    atrequest = get_object_or_404(AuthToken, token=authtoken)
--    if atrequest.token_type == LoginTokenType.PASSWORDRECOVERY:
--        return HttpResponseRedirect('/token/%s/+resetpassword' % authtoken)
--    elif atrequest.token_type == LoginTokenType.NEWPERSONLESSACCOUNT:
--        return HttpResponseRedirect('/token/%s/+newaccount' % authtoken)
--    elif atrequest.token_type == LoginTokenType.VALIDATEEMAIL:
--        return HttpResponseRedirect('/token/%s/+newemail' % authtoken)
++    email = request.GET.get('email') or request.session.get('token_email')
++    if email is None:
++        return _redirect_to_enter_token(token=authtoken)
++    token_type = get_type_of_token(authtoken)
++    return _token_redirect(token_type, authtoken, email)
++
++def _token_redirect(token_type, token_string, email):
++    """Returns a redirect to the location that can complete handling
++    of this token."""
++    args = (token_string, urlquote(email, safe=''))
++    if token_type == LoginTokenType.PASSWORDRECOVERY:
++        return HttpResponseRedirect('/token/%s/+resetpassword/%s' % args)
++    elif token_type == LoginTokenType.NEWPERSONLESSACCOUNT:
++        return HttpResponseRedirect('/token/%s/+newaccount/%s' % args)
++    elif token_type == LoginTokenType.VALIDATEEMAIL:
++        return HttpResponseRedirect('/token/%s/+newemail/%s' % args)
      else:
          raise Http404()
@@ -187,7 +223,7 @@
                      token_type=LoginTokenType.NEWPERSONLESSACCOUNT,
                      redirection_url=redirection_url)
                  token.sendNewUserEmail()
--                request.session['token_newaccount'] = token.token
++                set_session_token_info(request.session, token)
              request.session['email_feedback'] = settings.FEEDBACK_TO_ADDRESS
              request.session['email_heading'] = _("Registration mail sent")
              request.session['email_reason'] = _("We&rsquo;ve just emailed "
@@ -222,16 +258,20 @@
  @check_readonly
--def confirm_account(request, authtoken):
++def confirm_account(request, authtoken, email_address):
      if request.user.is_authenticated():
          return HttpResponseRedirect('/+logout-to-confirm')
--    atrequest = get_object_or_404(AuthToken, token=authtoken,
--        token_type=LoginTokenType.NEWPERSONLESSACCOUNT)
--    session_token = request.session.get('token_newaccount')
--    if session_token is None or session_token != atrequest.token:
++
++    atrequest = verify_token_string(authtoken, email_address)
++    if (atrequest is None or
++        atrequest.token_type != LoginTokenType.NEWPERSONLESSACCOUNT):
          return HttpResponseRedirect('/+bad-token')
++
      form = ConfirmNewAccountForm()
--    if request.method == 'POST':
++
++    if request.method == 'GET':
++        pass
++    elif request.method == 'POST':
          form = ConfirmNewAccountForm(request.POST)
          if form.is_valid():
              username = atrequest.email
@@ -265,13 +305,21 @@
          RequestContext(request, {'form': form}))
++# TODO: Display a nice message at the login screen, like "Please login
++# to {use this token,finish this action}."
  @login_required
--def confirm_email(request, authtoken):
--    atrequest = get_object_or_404(AuthToken, token=authtoken,
--        token_type=LoginTokenType.VALIDATEEMAIL)
++def confirm_email(request, authtoken, email_address):
++    atrequest = verify_token_string(authtoken, email_address)
++    if (atrequest is None or
++        atrequest.token_type != LoginTokenType.VALIDATEEMAIL):
++        return HttpResponseRedirect('/+bad-token')
++
      email = get_object_or_404(EmailAddress, email__iexact=atrequest.email)
--
      if request.user.id != email.account.id:
++        # The user is authenticated to a different account.
++        # Potentially, the token was leaked or intercepted.  Let's
++        # delete it just in case.  The real user can generate another
++        # token easily enough.
          atrequest.delete()
          raise Http404
@@ -380,7 +428,7 @@
                      account, email, email, LoginTokenType.PASSWORDRECOVERY,
                      redirection_url=redirection_url)
                  token.sendPasswordResetEmail()
--                request.session['token_forgotpassword'] = token.token
++                set_session_token_info(request.session, token)
              request.session['email_feedback'] = settings.FEEDBACK_TO_ADDRESS
              request.session['email_heading'] = _("Forgotten your password?")
              request.session['email_reason'] = _("We&rsquo;ve just emailed "
@@ -403,17 +451,17 @@
  @guest_required
--def reset_password(request, authtoken):
--    atrequest = get_object_or_404(AuthToken, token=authtoken,
--        token_type=LoginTokenType.PASSWORDRECOVERY)
--    account = atrequest.requester
--    session_token = request.session.get('token_forgotpassword')
--    if (session_token is None or session_token != atrequest.token or
++def reset_password(request, authtoken, email_address):
++    atrequest = verify_token_string(authtoken, email_address)
++    account = atrequest and atrequest.requester
++    if (atrequest is None or
++        atrequest.token_type != LoginTokenType.PASSWORDRECOVERY or
          not account.can_reset_password):
          # we hide the fact the the account is inactive, to avoid
          # exposing valid accounts. however, deactivated accounts can be
          # reactivated.
          return HttpResponseRedirect('/+bad-token')
++
      if request.method == 'POST':
          form = ResetPasswordForm(request.POST)
          if form.is_valid():
 === modified file 'identityprovider/views/utils.py'
 --- identityprovider/views/utils.py	2010-05-27 15:05:18 +0000
 +++ identityprovider/views/utils.py	2010-06-22 23:23:25 +0000
@@ -1,6 +1,8 @@
  # Copyright 2010 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
++from django.conf import settings
++
  from identityprovider.models import OpenIDRPConfig
@@ -10,6 +12,15 @@
      else:
          return "/"
++def set_session_token_info(session, token):
++    """Places information about the token into the session in a
++    uniform place.  Specifically, places the token's e-mail address at
++    session['token_email'].  Also, if settings.ENABLE_TOKEN_DEBUG is
++    true, places the token string at session['token_string']."""
++    session['token_email'] = token.email
++    if getattr(settings, 'ENABLE_TOKEN_DEBUG', False):
++        session['token_string'] = token.token
++
  def get_rpconfig(trust_root):
      alternatives = [trust_root]