Creating Active Users via the API gem

Here is what I’ve been able to discover.

Part of the problem is that an email token is generated regardless of whether a user is active or not.

Line 82 of user.rb:

  after_create :create_email_token

Upon login, the sessions controller calls email_confirmed?

  def email_confirmed?
    email_tokens.where(email: email, confirmed: true).present? || email_tokens.empty?
  end

Any suggestions on the best way to resolve this bug? Maybe check to see if the token being created is for an active user that has never logged in, and in this case make the token active? Or maybe not even create a token in this case?

3 Likes
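The check quoted in the post, modelled in plain Ruby as an added example that is not part of the original post or the project's code. It shows why an active user created through the API fails the login gate, and how the two changes the post proposes would alter the result; `EmailToken`, this `User` class, and the `policy` values are hypothetical stand-ins, and the accounts are constructed.

```ruby
# Plain-Ruby model of the check quoted above; no Rails or ActiveRecord.
# EmailToken, User and the :policy values are hypothetical stand-ins.
EmailToken = Struct.new(:email, :confirmed)

class User
  attr_reader :email, :active, :email_tokens

  # policy selects what the after_create hook does:
  #   :always         - behaviour described in the post (token for every user)
  #   :confirm_active - first suggestion: token for an active user is confirmed
  #   :skip_active    - second suggestion: no token for an active user
  def initialize(email:, active:, policy: :always)
    @email = email
    @active = active
    @email_tokens = []
    create_email_token(policy)
  end

  # Same logic as the method quoted in the post, over an in-memory array.
  def email_confirmed?
    email_tokens.any? { |t| t.email == email && t.confirmed } || email_tokens.empty?
  end

  private

  def create_email_token(policy)
    return if active && policy == :skip_active
    confirmed = active && policy == :confirm_active
    email_tokens << EmailToken.new(email, confirmed)
  end
end

# Constructed sample accounts: one active (API-created), one inactive.
def login_gate_results
  {
    api_active_current: User.new(email: "a@example.com", active: true).email_confirmed?,
    api_active_confirm: User.new(email: "a@example.com", active: true, policy: :confirm_active).email_confirmed?,
    api_active_skip:    User.new(email: "a@example.com", active: true, policy: :skip_active).email_confirmed?,
    inactive_confirm:   User.new(email: "b@example.com", active: false, policy: :confirm_active).email_confirmed?,
    inactive_skip:      User.new(email: "b@example.com", active: false, policy: :skip_active).email_confirmed?
  }
end

puts login_gate_results if __FILE__ == $PROGRAM_NAME
```

The skip-token variant passes only through the `email_tokens.empty?` branch, which treats any account with no token rows as confirmed. The confirm-token variant leaves an explicit confirmed record instead of relying on that fallback.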