[ENG-9128] [Post-Release] P57 - [Contributors] Unregistered user’s “Set Password” link opens a blank page (#11367)

Ostap-Zherebetskyi · web-flow · commit 5413b85eb3ac · 2025-10-22T13:48:08.000-04:00
* Add claim user api endpoint

* Update ConfirmClaimUser endpoint to use 'guid' instead of 'pid' in payload and URL
diff --git a/api/users/urls.py b/api/users/urls.py
@@ -14,6 +14,7 @@
     re_path(r'^(?P<user_id>\w+)/addons/(?P<provider>\w+)/accounts/$', views.UserAddonAccountList.as_view(), name=views.UserAddonAccountList.view_name),
     re_path(r'^(?P<user_id>\w+)/addons/(?P<provider>\w+)/accounts/(?P<account_id>\w+)/$', views.UserAddonAccountDetail.as_view(), name=views.UserAddonAccountDetail.view_name),
     re_path(r'^(?P<user_id>\w+)/claim/$', views.ClaimUser.as_view(), name=views.ClaimUser.view_name),
+    re_path(r'^(?P<user_id>\w+)/confirm_claim/$', views.ConfirmClaimUser.as_view(), name=views.ConfirmClaimUser.view_name),
     re_path(r'^(?P<user_id>\w+)/confirm/$', views.ConfirmEmailView.as_view(), name=views.ConfirmEmailView.view_name),
     re_path(r'^(?P<user_id>\w+)/sanction_response/$', views.SanctionResponseView.as_view(), name=views.SanctionResponseView.view_name),
     re_path(r'^(?P<user_id>\w+)/draft_registrations/$', views.UserDraftRegistrations.as_view(), name=views.UserDraftRegistrations.view_name),
diff --git a/api/users/views.py b/api/users/views.py
@@ -100,13 +100,16 @@
     OSFUser,
     Email,
     Tag,
+    PreprintProvider,
 )
 from osf.utils.tokens import TokenHandler
 from osf.utils.tokens.handlers import sanction_handler
 from website import mails, settings, language
 from website.project.views.contributor import send_claim_email, send_claim_registered_email
 from website.util.metrics import CampaignClaimedTags, CampaignSourceTags
 from framework.auth import exceptions
+from website.project.views.contributor import _add_related_claimed_tag_to_user
+from website.util import api_v2_url
 
 
 class UserMixin:
@@ -1008,6 +1011,86 @@ def post(self, request, *args, **kwargs):
 
         return Response(status=status.HTTP_204_NO_CONTENT)
 
+class ConfirmClaimUser(JSONAPIBaseView, generics.CreateAPIView, UserMixin):
+
+    view_category = 'users'
+    view_name = 'confirm-claim-user'
+
+    def verify_claim_token(self, user, token, pid):
+        """View helper that checks that a claim token for a given user and node ID
+        is valid. If not valid, throws an error with custom error messages.
+        """
+        # if token is invalid, throw an error
+        if not user.verify_claim_token(token=token, project_id=pid):
+            if user.is_registered:
+                raise ValidationError('User has already been claimed.')
+            else:
+                return False
+        return True
+
+    def post(self, request, *args, **kwargs):
+        """
+        View for setting the password for a claimed user.
+        Sets the user's password.
+        HTTP Method: POST
+        **URL:**  /v2/users/<user_id>/confirm_claim/
+        **Body (JSON):**
+        {
+            "data": {
+                "type": "users",
+                "attributes": {
+                    "guid": "node/preprint guid",
+                    "token": "token",
+                    "password": "password",
+                    "accepted_terms_of_service": bool
+                }
+            }
+        }
+        """
+
+        uid = kwargs['user_id']
+        token = request.data.get('token')
+        guid = request.data.get('guid')
+        password = request.data.get('password')
+        accepted_terms_of_service = request.data.get('accepted_terms_of_service', False)
+        user = OSFUser.load(uid)
+
+        # If unregistered user is not in database, or url bears an invalid token raise HTTP 400 error
+        if not user or not self.verify_claim_token(user, token, guid):
+            raise ValidationError('Claim user does not exists, the token in the URL is invalid or has expired.')
+
+        # If user is logged in, need to use 'confirm_claim_registered' view
+        if request.user.is_authenticated:
+            raise ValidationError('You are already logged in. Please log out before trying to claim a user via this view.')
+
+        unclaimed_record = user.unclaimed_records[guid]
+        user.fullname = unclaimed_record['name']
+        user.update_guessed_names()
+        username = unclaimed_record.get('claimer_email') or unclaimed_record.get('email')
+
+        user.register(username=username, password=password, accepted_terms_of_service=accepted_terms_of_service)
+        # Clear unclaimed records
+        user.unclaimed_records = {}
+        user.verification_key = generate_verification_key()
+        user.save()
+        provider = PreprintProvider.load(guid)
+        redirect_url = None
+        if provider:
+            redirect_url = api_v2_url('auth_login', next=provider.landing_url, _absolute=True)
+        else:
+            # Add related claimed tags to user
+            _add_related_claimed_tag_to_user(guid, user)
+            redirect_url = api_v2_url('resolve_guid', guid=guid, _absolute=True)
+
+        data = {
+            'firstname': user.given_name,
+            'email': username if username else '',
+            'fullname': user.fullname,
+            'osf_contact_email': settings.OSF_CONTACT_EMAIL,
+            'next': redirect_url,
+        }
+
+        return Response(status=status.HTTP_200_OK, data=data)
 
 class ConfirmEmailView(generics.CreateAPIView):
     """
diff --git a/api_tests/base/test_views.py b/api_tests/base/test_views.py
@@ -19,6 +19,7 @@
 )
 from api.users.views import (
     ClaimUser,
+    ConfirmClaimUser,
     ResetPassword,
     ExternalLoginConfirmEmailView,
     ExternalLogin,
@@ -60,6 +61,7 @@ class TestApiBaseViews(ApiTestCase):
     def setUp(self):
         super().setUp()
         self.EXCLUDED_VIEWS = [
+            ConfirmClaimUser,
             ClaimUser,
             CopyFileMetadataView,
             CountedAuthUsageView,
diff --git a/api_tests/users/views/test_user_claim.py b/api_tests/users/views/test_user_claim.py
@@ -232,3 +232,95 @@ def test_claim_auth_success(self, app, url, claimer, unreg_user, project, mock_s
         )
         assert res.status_code == 204
         assert mock_send_grid.call_count == 2
+
+
+@pytest.mark.django_db
+class TestConfirmClaimUser:
+
+    @pytest.fixture()
+    def referrer(self):
+        return AuthUserFactory()
+
+    @pytest.fixture()
+    def project(self, referrer):
+        return ProjectFactory(creator=referrer)
+
+    @pytest.fixture()
+    def preprint(self, referrer, project):
+        return PreprintFactory(creator=referrer, project=project)
+
+    @pytest.fixture()
+    def wrong_preprint(self, referrer):
+        return PreprintFactory(creator=referrer)
+
+    @pytest.fixture()
+    def unreg_user(self, referrer, project):
+        return project.add_unregistered_contributor(
+            'David Davidson',
+            'david@david.son',
+            auth=Auth(referrer),
+            save=True
+        )
+
+    @pytest.fixture()
+    def url(self):
+        return f'/{API_BASE}users/{{}}/confirm_claim/'
+
+    def payload(self, **kwargs):
+        payload = {
+            'data': {
+                'attributes': {}
+            }
+        }
+        _id = kwargs.pop('id', None)
+        if _id:
+            payload['data']['id'] = _id
+        if kwargs:
+            payload['data']['attributes'] = kwargs
+        return payload
+
+    def test_confirm_claim(self, app, url, unreg_user, project, wrong_preprint):
+        _url = url.format(unreg_user._id)
+        unclaimed_record = unreg_user.get_unclaimed_record(project._id)
+        token = unclaimed_record['token']
+        payload = self.payload(guid=project._id, password='password1234', accepted_terms_of_service=True, token=token)
+        res = app.post_json_api(
+            _url,
+            payload,
+        )
+        assert res.status_code == 200
+        unreg_user.reload()
+        assert unreg_user.is_registered
+
+    def test_confirm_claim_wrong_pid(self, app, url, unreg_user, project, wrong_preprint):
+        _url = url.format(unreg_user._id)
+        token = 'someinvalidtoken'
+        payload = self.payload(guid=wrong_preprint._id, password='password1234', accepted_terms_of_service=True, token=token)
+        res = app.post_json_api(
+            _url,
+            payload,
+            expect_errors=True
+        )
+        assert res.status_code == 400
+        assert res.json['errors'][0]['detail'] == 'Claim user does not exists, the token in the URL is invalid or has expired.'
+
+    def test_claimed_user(self, app, url, unreg_user, project, wrong_preprint):
+        _url = url.format(unreg_user._id)
+        unclaimed_record = unreg_user.get_unclaimed_record(project._id)
+        token = unclaimed_record['token']
+        payload = self.payload(guid=project._id, password='password1234', accepted_terms_of_service=True, token=token)
+        res = app.post_json_api(
+            _url,
+            payload,
+        )
+        assert res.status_code == 200
+        unreg_user.reload()
+        assert unreg_user.is_registered
+
+        res = app.post_json_api(
+            _url,
+            payload,
+            expect_errors=True
+        )
+        assert res.status_code == 400
+        assert res.json['errors'][0]['detail'] == 'User has already been claimed.'
