Revert "Merge pull request from GHSA-7cmh-wm9h-j63f"

This reverts commit 8e5a8d1d54. The change will be re-applied with improvements.

app/controllers/users/omniauth_callbacks_controller.rb

@@ -134,10 +134,7 @@ class Users::OmniauthCallbacksController < ApplicationController
         user.email_tokens.create!(email: user.email)
       end
 
-      if !user.active || !user.email_confirmed?
-        user.password = SecureRandom.hex
-        user.activate
-      end
+      user.activate
       user.update!(registration_ip_address: request.remote_ip) if user.registration_ip_address.blank?
     end
 

spec/requests/omniauth_callbacks_controller_spec.rb

@@ -286,7 +286,7 @@ RSpec.describe Users::OmniauthCallbacksController do
         expect(user.email_confirmed?).to eq(true)
       end
 
-      it "should unstage staged user" do
+      it "should activate/unstage staged user" do
         user.update!(staged: true, registration_ip_address: nil)
 
         user.reload
@@ -306,22 +306,6 @@ RSpec.describe Users::OmniauthCallbacksController do
         expect(user.registration_ip_address).to be_present
       end
 
-      it "should activate user with matching email" do
-        user.update!(password: "securepassword", active: false)
-
-        user.reload
-        expect(user.active).to eq(false)
-        expect(user.confirm_password?("securepassword")).to eq(true)
-
-        get "/auth/google_oauth2/callback.json"
-
-        user.reload
-        expect(user.active).to eq(true)
-
-        # Delete the password, it may have been set by someone else
-        expect(user.confirm_password?("securepassword")).to eq(false)
-      end
-
       context 'when user has second factor enabled' do
         before do
           user.create_totp(enabled: true)