Move email confirmation to POST request

locale/core.yml

@@ -545,6 +545,11 @@ core:
 
   # Translations in this namespace are used in views other than Flarum's normal JS client.
   views:
+    # Translations in this namespace are displayed by the Confirm Email interface.
+    confirm_email:
+      submit_button: => core.ref.confirm_email
+      text: Click the button below to confirm your account's email.
+      title: => core.ref.confirm_email
 
     # Translations in this namespace are displayed by the basic HTML content loader.
     content:
@@ -656,6 +661,7 @@ core:
     change_password: Change Password
     color: Color                                 # Referenced by flarum-tags.yml
     confirm_password: Confirm Password
+    confirm_email: Confirm Email
     confirmation_email_sent: "We've sent a confirmation email to {email}. If it doesn't arrive soon, check your spam folder."
     custom_footer_text: Add HTML to be displayed at the very bottom of the page.
     custom_footer_title: Edit Custom Footer

src/Forum/Controller/ConfirmEmailViewController.php

@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Forum\Controller;
+
+use Flarum\Http\Controller\AbstractHtmlController;
+use Flarum\User\EmailToken;
+use Illuminate\Contracts\View\Factory;
+use Illuminate\Support\Arr;
+use Psr\Http\Message\ServerRequestInterface as Request;
+
+class ConfirmEmailViewController extends AbstractHtmlController
+{
+    /**
+     * @var Factory
+     */
+    protected $view;
+
+    /**
+     * @param Factory $view
+     */
+    public function __construct(Factory $view)
+    {
+        $this->view = $view;
+    }
+
+    /**
+     * @param Request $request
+     * @return \Illuminate\Contracts\View\View
+     */
+    public function render(Request $request)
+    {
+        $token = Arr::get($request->getQueryParams(), 'token');
+
+        $token = EmailToken::validOrFail($token);
+
+        return $this->view->make('flarum.forum::confirm-email')
+            ->with('csrfToken', $request->getAttribute('session')->token());
+    }
+}

src/Forum/routes.php

@@ -64,7 +64,13 @@
     $map->get(
         '/confirm/{token}',
         'confirmEmail',
-        $route->toController(Controller\ConfirmEmailController::class)
+        $route->toController(Controller\ConfirmEmailViewController::class),
+    );
+
+    $map->post(
+        '/confirm/{token}',
+        'confirmEmail.submit',
+        $route->toController(Controller\ConfirmEmailController::class),
     );
 
     $map->get(

views/confirm-email.blade.php

@@ -0,0 +1,25 @@
+@extends('flarum.forum::layouts.basic')
+
+@section('title', $translator->trans('core.views.confirm_email.title'))
+
+@section('content')
+    @if ($errors->any())
+        <div class="errors">
+            <ul>
+                @foreach ($errors->all() as $error)
+                    <li>{{ $error }}</li>
+                @endforeach
+            </ul>
+        </div>
+    @endif
+
+    <form class="form" method="POST" action="">
+        <input type="hidden" name="csrfToken" value="{{ $csrfToken }}" />
+
+        <p>{{ $translator->trans('core.views.confirm_email.text') }}</p>
+
+        <p class="form-group">
+            <button type="submit" class="button">{{ $translator->trans('core.views.confirm_email.submit_button') }}</button>
+        </p>
+    </form>
+@endsection