Fix: Preserve OAuth referer when resending confirmation email

app/controllers/confirmations_controller.rb

@@ -60,11 +60,12 @@ def confirm_resend
     if user.nil? || user.id != session[:pending_user]
       flash[:error] = t ".failure", :name => params[:display_name]
     else
-      UserMailer.signup_confirm(user, user.generate_token_for(:new_user)).deliver_later
+      referer = session[:referer]
+      UserMailer.signup_confirm(user, user.generate_token_for(:new_user), referer).deliver_later
       flash[:notice] = { :partial => "confirmations/resend_success_flash", :locals => { :email => user.email, :sender => Settings.email_from } }
     end
 
-    redirect_to login_path
+    redirect_to login_path(:referer => session[:referer])
   end
 
   def confirm_email

app/controllers/users_controller.rb

@@ -89,6 +89,7 @@ def create
             successful_login(current_user, referer)
           else
             session[:pending_user] = current_user.id
+            session[:referer] = params[:referer]
             UserMailer.signup_confirm(current_user, current_user.generate_token_for(:new_user), referer).deliver_later
             redirect_to :controller => :confirmations, :action => :confirm, :display_name => current_user.display_name
           end

test/controllers/confirmations_controller_test.rb

@@ -300,4 +300,63 @@ def test_gravatar_auto_disable
     # gravatar use should now be disabled
     assert_not User.find(user.id).image_use_gravatar
   end
+
+  ##
+  # Test that OAuth referer is preserved through initial signup confirmation
+  def test_confirm_success_with_oauth_referer
+    user = build(:user, :pending)
+    stub_gravatar_request(user.email)
+
+    oauth_referer = "/oauth2/authorize?client_id=test_client&response_type=code&scope=read_prefs"
+    post users_path, :params => { :user => user.attributes, :referer => oauth_referer }
+
+    # Process enqueued jobs to deliver the signup confirmation email
+    perform_enqueued_jobs
+
+    confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
+
+    # confirmation email
+    email = ActionMailer::Base.deliveries.last
+    assert_not_nil email
+
+    email_body = email.html_part.body.to_s
+    assert_match(/oauth_return_url/, email_body, "Initial confirmation email should contain oauth_return_url")
+
+    welcome_referer = "/welcome?oauth_return_url=#{CGI.escape(oauth_referer)}"
+    post user_confirm_path, :params => {
+      :display_name => user.display_name,
+      :confirm_string => confirm_string,
+      :referer => welcome_referer
+    }
+
+    assert_redirected_to welcome_referer
+  end
+
+  ##
+  # Test that OAuth referer is preserved when resending confirmation email
+  def test_confirm_resend_preserves_oauth_referer
+    user = build(:user, :pending)
+
+    oauth_referer = "/oauth2/authorize?client_id=test_client&response_type=code&scope=read_prefs"
+    post users_path, :params => { :user => user.attributes, :referer => oauth_referer }
+
+    # Get the first confirmation email sent during signup
+    ActionMailer::Base.deliveries.clear
+
+    # User clicks "Resend confirmation email"
+    assert_difference "ActionMailer::Base.deliveries.size", 1 do
+      perform_enqueued_jobs do
+        post user_confirm_resend_path(user)
+      end
+    end
+
+    email = ActionMailer::Base.deliveries.last
+    assert_not_nil email
+    assert_equal user.email, email.to.first
+
+    email_body = email.html_part.body.to_s
+
+    assert_match(/referer=.*oauth2.*authorize/i, email_body,
+                 "Resent confirmation email should preserve oauth referer in confirmation URL")
+  end
 end