UFAL/Shibboleth - do not login the user without verification token from the email

dspace-api/src/main/java/org/dspace/authenticate/clarin/ClarinShibAuthentication.java

@@ -239,7 +239,17 @@ public int authenticate(Context context, String username, String password,
         // The user e-mail is not stored in the `shibheaders` but in the `clarinVerificationToken`.
         // The email was added to the `clarinVerificationToken` in the ClarinShibbolethFilter.
         String[] netidHeaders = configurationService.getArrayProperty("authentication-shibboleth.netid-header");
-        clarinVerificationToken = clarinVerificationTokenService.findByNetID(context, netidHeaders, shibheaders);
+
+        // Load the verification token from the request header or from the request parameter.
+        // This is only set if the user is trying to authenticate with the `verification-token`.
+        String VERIFICATION_TOKEN = "verification-token";
+        String verificationTokenFromRequest = StringUtils.defaultIfBlank(request.getHeader(VERIFICATION_TOKEN),
+                        request.getParameter(VERIFICATION_TOKEN));
+        if (StringUtils.isNotEmpty(verificationTokenFromRequest)) {
+            log.info("Verification token from request header `{}`: {}", VERIFICATION_TOKEN,
+                    verificationTokenFromRequest);
+            clarinVerificationToken = clarinVerificationTokenService.findByToken(context, verificationTokenFromRequest);
+        }
         // CLARIN
 
         // Initialize the additional EPerson metadata.

dspace-server-webapp/src/test/java/org/dspace/app/rest/security/ClarinShibbolethLoginFilterIT.java

@@ -621,6 +621,43 @@ public void shouldAskForEmailWhenHasPersistentId() throws Exception {
                         Util.formatNetId(persistentId, IDP_TEST_EPERSON)));
     }
 
+    // The user was registered and signed in with the verification token on the second attempt, after the email
+    // containing the verification token was sent.
+    @Test
+    public void shouldNotAuthenticateOnSecondAttemptWithoutVerificationTokenInRequest() throws Exception {
+        String email = "[email protected]";
+        String netId = email;
+        String idp = "Test Idp";
+
+        // Try to authenticate but the Shibboleth doesn't send the email in the header, so the user won't be registered
+        // but the user will be redirected to the page where he will fill in the user email.
+        getClient().perform(get("/api/authn/shibboleth")
+                        .header("Shib-Identity-Provider", idp)
+                        .header("SHIB-NETID", netId))
+                .andExpect(status().isFound())
+                .andExpect(redirectedUrl("http://localhost:4000/login/auth-failed?netid=" +
+                        Util.formatNetId(netId, idp)));
+
+        // Send the email with the verification token.
+        String tokenAdmin = getAuthToken(admin.getEmail(), password);
+        getClient(tokenAdmin).perform(post("/api/autoregistration?netid=" + netId + "&email=" + email)
+                        .contentType(MediaType.APPLICATION_JSON_PATCH_JSON))
+                .andExpect(status().isOk());
+
+        // Load the created verification token.
+        ClarinVerificationToken clarinVerificationToken = clarinVerificationTokenService.findByNetID(context, netId);
+        assertTrue(Objects.nonNull(clarinVerificationToken));
+
+        // Try to authenticate the user again, and it should NOT to be automatically registered and signed in,
+        // because the verification token is not passed in the request header.
+        getClient().perform(get("/api/authn/shibboleth")
+                        .header("Shib-Identity-Provider", idp)
+                        .header("SHIB-NETID", netId))
+                .andExpect(status().isFound())
+                .andExpect(redirectedUrl("http://localhost:4000/login/auth-failed?netid=" +
+                        Util.formatNetId(netId, idp)));
+    }
+
     private EPerson checkUserWasCreated(String netIdValue, String idpValue, String email, String name)
             throws SQLException {
         // Check if was created a user with such email and netid.