SECURITY: signup without verified email using Google auth

app/controllers/users_controller.rb

@@ -344,6 +344,11 @@ class UsersController < ApplicationController
 
     authentication.start
 
+    if authentication.email_valid? && !authentication.authenticated?
+      # posted email is different that the already validated one?
+      return fail_with('login.incorrect_username_email_or_password')
+    end
+
     activation = UserActivator.new(user, request, session, cookies)
     activation.start
 

app/services/user_authenticator.rb

@@ -25,12 +25,16 @@ class UserAuthenticator
     @session = nil
   end
 
-  private
+  def email_valid?
+    @session && @session[:email_valid]
+  end
 
   def authenticated?
     @session && @session[:email] == @user.email && @session[:email_valid]
   end
 
+  private
+
   def authenticator
     if authenticator_name
       @authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)

spec/controllers/users_controller_spec.rb

@@ -640,6 +640,24 @@ describe UsersController do
           expect(TwitterUserInfo.count).to eq(1)
         end
       end
+
+      it "returns an error when email has been changed from the validated email address" do
+        auth = session[:authentication] = {}
+        auth[:email_valid] = 'true'
+        auth[:email] = 'therealone@gmail.com'
+        post_user
+        json = JSON.parse(response.body)
+        expect(json['success']).to eq(false)
+        expect(json['message']).to be_present
+      end
+
+      it "will create the user successfully if email validation is required" do
+        auth = session[:authentication] = {}
+        auth[:email] = post_user_params[:email]
+        post_user
+        json = JSON.parse(response.body)
+        expect(json['success']).to eq(true)
+      end
     end
 
     context 'after success' do