From: Tom Hughes <tom@compton.nu>
Date: Mon, 6 May 2024 10:15:12 +0000 (+0100)
Subject: Merge remote-tracking branch 'upstream/pull/4757'
X-Git-Tag: live~665
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/0b189373848583f848439516a1471f103af9bf0e?hp=f418d0bbb4a40e9c2b2a00e69589a0feb332f2f2

Merge remote-tracking branch 'upstream/pull/4757'
---

diff --git a/app/assets/javascripts/auth_providers.js b/app/assets/javascripts/auth_providers.js
new file mode 100644
index 000000000..975c57a9b
--- /dev/null
+++ b/app/assets/javascripts/auth_providers.js
@@ -0,0 +1,23 @@
+//= require qs/dist/qs
+
+$(document).ready(function () {
+  // Attach referer to authentication buttons
+  $(".auth_button").each(function () {
+    var params = Qs.parse(this.search.substring(1));
+    params.referer = $("#referer").val();
+    this.search = Qs.stringify(params);
+  });
+
+  // Add click handler to show OpenID field
+  $("#openid_open_url").click(function (e) {
+    e.preventDefault();
+    $("#openid_url").val("http://");
+    $("#login_auth_buttons").hide().removeClass("d-flex");
+    $("#login_openid_url").show();
+    $("#openid_login_button").show();
+  });
+
+  // Hide OpenID field for now
+  $("#login_openid_url").hide();
+  $("#openid_login_button").hide();
+});
diff --git a/app/assets/javascripts/login.js b/app/assets/javascripts/login.js
index 43e2cf660..83ca4d440 100644
--- a/app/assets/javascripts/login.js
+++ b/app/assets/javascripts/login.js
@@ -1,28 +1,6 @@
-//= qs/dist/qs
-
 $(document).ready(function () {
   // Preserve location hash in referer
   if (window.location.hash) {
     $("#referer").val($("#referer").val() + window.location.hash);
   }
-
-  // Attach referer to authentication buttons
-  $(".auth_button").each(function () {
-    var params = Qs.parse(this.search.substring(1));
-    params.referer = $("#referer").val();
-    this.search = Qs.stringify(params);
-  });
-
-  // Add click handler to show OpenID field
-  $("#openid_open_url").click(function (e) {
-    e.preventDefault();
-    $("#openid_url").val("http://");
-    $("#login_auth_buttons").hide();
-    $("#login_openid_url").show();
-    $("#login_openid_submit").show();
-  });
-
-  // Hide OpenID field for now
-  $("#login_openid_url").hide();
-  $("#login_openid_submit").hide();
 });
diff --git a/app/assets/stylesheets/common.scss b/app/assets/stylesheets/common.scss
index 17d20c812..53a60a3b2 100644
--- a/app/assets/stylesheets/common.scss
+++ b/app/assets/stylesheets/common.scss
@@ -711,6 +711,7 @@ tr.turn {
 
   &.new-user-main {
     background-image: image-url("sign-up-illustration.png");
+    background-position-x: 50px;
   }
 
   &.confirm-main {
@@ -720,17 +721,6 @@ tr.turn {
   &.new-user-terms {
     background-image: image-url("terms-illustration.png");
   }
-
-  &.new-user-arm {
-    height: 110px;
-    width: 130px;
-    left: 280px;
-    top: 180px;
-    background-image: image-url("sign-up-illustration-arm.png");
-    position: absolute;
-    z-index: 100;
-    pointer-events: none;
-  }
 }
 
 [dir=rtl] .header-illustration {
@@ -998,6 +988,10 @@ div.secondary-actions {
   }
 }
 
+.auth-container {
+  max-width: 600px;
+}
+
 /* Rules for tabs inside secondary background sections */
 
 .bg-body-secondary .nav-tabs {
diff --git a/app/controllers/concerns/session_methods.rb b/app/controllers/concerns/session_methods.rb
index cebe932fc..5dcddb82d 100644
--- a/app/controllers/concerns/session_methods.rb
+++ b/app/controllers/concerns/session_methods.rb
@@ -3,6 +3,18 @@ module SessionMethods
 
   private
 
+  ##
+  # Read @preferred_auth_provider and @client_app_name from oauth2 authorization request's referer
+  def parse_oauth_referer(referer)
+    referer_query = URI(referer).query if referer
+    return unless referer_query
+
+    ref_params = CGI.parse referer_query
+    preferred = ref_params["preferred_auth_provider"].first
+    @preferred_auth_provider = preferred if preferred && Settings.key?(:"#{preferred}_auth_id")
+    @client_app_name = Oauth2Application.where(:uid => ref_params["client_id"].first).pick(:name)
+  end
+
   ##
   # return the URL to use for authentication
   def auth_url(provider, uid, referer = nil)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index e57ffc06a..fdf2df6a7 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -15,6 +15,8 @@ class SessionsController < ApplicationController
     override_content_security_policy_directives(:form_action => []) if Settings.csp_enforce || Settings.key?(:csp_report_url)
 
     session[:referer] = safe_referer(params[:referer]) if params[:referer]
+
+    parse_oauth_referer session[:referer]
   end
 
   def create
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index c55a177b4..06df8f2be 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -60,6 +60,8 @@ class UsersController < ApplicationController
                  session[:referer]
                end
 
+    parse_oauth_referer @referer
+
     append_content_security_policy_directives(
       :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
     )
@@ -69,13 +71,18 @@ class UsersController < ApplicationController
       # page, instead send them to the home page
       redirect_to @referer || { :controller => "site", :action => "index" }
     elsif params.key?(:auth_provider) && params.key?(:auth_uid)
+      @email_hmac = params[:email_hmac]
+
       self.current_user = User.new(:email => params[:email],
-                                   :email_confirmation => params[:email],
                                    :display_name => params[:nickname],
                                    :auth_provider => params[:auth_provider],
                                    :auth_uid => params[:auth_uid])
 
-      flash.now[:notice] = render_to_string :partial => "auth_association"
+      if current_user.valid? || current_user.errors[:email].empty?
+        flash.now[:notice] = render_to_string :partial => "auth_association"
+      else
+        flash.now[:warning] = t ".duplicate_social_email"
+      end
     else
       check_signup_allowed
 
@@ -91,7 +98,7 @@ class UsersController < ApplicationController
 
       Rails.logger.info "create: #{session[:referer]}"
 
-      if current_user.auth_provider.present? && current_user.pass_crypt.empty?
+      if current_user.auth_uid.present?
         # We are creating an account with external authentication and
         # no password was specified so create a random one
         current_user.pass_crypt = SecureRandom.base64(16)
@@ -108,7 +115,7 @@ class UsersController < ApplicationController
       else
         # Save the user record
         session[:new_user] = current_user.slice("email", "display_name", "pass_crypt", "pass_crypt_confirmation")
-        redirect_to :action => :terms
+        save_new_user params[:email_hmac]
       end
     end
   end
@@ -132,7 +139,7 @@ class UsersController < ApplicationController
       if current_user&.terms_agreed?
         # Already agreed to terms, so just show settings
         redirect_to edit_account_path
-      elsif current_user.nil? && session[:new_user].nil?
+      elsif current_user.nil?
         redirect_to login_path(:referer => request.fullpath)
       end
     end
@@ -168,48 +175,6 @@ class UsersController < ApplicationController
       referer = safe_referer(params[:referer]) if params[:referer]
 
       redirect_to referer || edit_account_path
-    else
-      new_user = session.delete(:new_user)
-      verified_email = new_user.delete("verified_email")
-
-      self.current_user = User.new(new_user)
-
-      if check_signup_allowed(current_user.email)
-        current_user.data_public = true
-        current_user.description = "" if current_user.description.nil?
-        current_user.creation_ip = request.remote_ip
-        current_user.languages = http_accept_language.user_preferred_languages
-        current_user.terms_agreed = Time.now.utc
-        current_user.tou_agreed = Time.now.utc
-        current_user.terms_seen = true
-
-        if current_user.auth_uid.blank?
-          current_user.auth_provider = nil
-          current_user.auth_uid = nil
-        elsif current_user.email == verified_email
-          current_user.activate
-        end
-
-        if current_user.save
-          SIGNUP_IP_LIMITER&.update(request.remote_ip)
-          SIGNUP_EMAIL_LIMITER&.update(canonical_email(current_user.email))
-
-          flash[:matomo_goal] = Settings.matomo["goals"]["signup"] if defined?(Settings.matomo)
-
-          referer = welcome_path(welcome_options)
-
-          if current_user.status == "active"
-            session[:referer] = referer
-            successful_login(current_user)
-          else
-            session[:pending_user] = current_user.id
-            UserMailer.signup_confirm(current_user, current_user.generate_token_for(:new_user), referer).deliver_later
-            redirect_to :controller => :confirmations, :action => :confirm, :display_name => current_user.display_name
-          end
-        else
-          render :action => "new", :referer => params[:referer]
-        end
-      end
     end
   end
 
@@ -266,9 +231,9 @@ class UsersController < ApplicationController
     elsif session[:new_user]
       session[:new_user]["auth_provider"] = provider
       session[:new_user]["auth_uid"] = uid
-      session[:new_user]["verified_email"] = email if email_verified
 
-      redirect_to :action => "terms"
+      email_hmac = UsersController.message_hmac(email) if email_verified && email
+      save_new_user email_hmac
     else
       user = User.find_by(:auth_provider => provider, :auth_uid => uid)
 
@@ -290,7 +255,8 @@ class UsersController < ApplicationController
           failed_login t("sessions.new.auth failure")
         end
       else
-        redirect_to :action => "new", :nickname => name, :email => email,
+        email_hmac = UsersController.message_hmac(email) if email_verified && email
+        redirect_to :action => "new", :nickname => name, :email => email, :email_hmac => email_hmac,
                     :auth_provider => provider, :auth_uid => uid
       end
     end
@@ -306,8 +272,56 @@ class UsersController < ApplicationController
     redirect_to origin || login_url
   end
 
+  def self.message_hmac(text)
+    sha256 = Digest::SHA256.new
+    sha256 << Rails.application.key_generator.generate_key("openstreetmap/email_address")
+    sha256 << text
+    Base64.urlsafe_encode64(sha256.digest)
+  end
+
   private
 
+  def save_new_user(email_hmac)
+    new_user = session.delete(:new_user)
+    self.current_user = User.new(new_user)
+    if check_signup_allowed(current_user.email)
+      current_user.data_public = true
+      current_user.description = "" if current_user.description.nil?
+      current_user.creation_ip = request.remote_ip
+      current_user.languages = http_accept_language.user_preferred_languages
+      current_user.terms_agreed = Time.now.utc
+      current_user.tou_agreed = Time.now.utc
+      current_user.terms_seen = true
+
+      if current_user.auth_uid.blank?
+        current_user.auth_provider = nil
+        current_user.auth_uid = nil
+      elsif email_hmac && ActiveSupport::SecurityUtils.secure_compare(email_hmac, UsersController.message_hmac(current_user.email))
+        current_user.activate
+      end
+
+      if current_user.save
+        SIGNUP_IP_LIMITER&.update(request.remote_ip)
+        SIGNUP_EMAIL_LIMITER&.update(canonical_email(current_user.email))
+
+        flash[:matomo_goal] = Settings.matomo["goals"]["signup"] if defined?(Settings.matomo)
+
+        referer = welcome_path(welcome_options)
+
+        if current_user.status == "active"
+          session[:referer] = referer
+          successful_login(current_user)
+        else
+          session[:pending_user] = current_user.id
+          UserMailer.signup_confirm(current_user, current_user.generate_token_for(:new_user), referer).deliver_later
+          redirect_to :controller => :confirmations, :action => :confirm, :display_name => current_user.display_name
+        end
+      else
+        render :action => "new", :referer => params[:referer]
+      end
+    end
+  end
+
   def welcome_options
     uri = URI(session[:referer]) if session[:referer].present?
 
@@ -334,9 +348,10 @@ class UsersController < ApplicationController
   ##
   # return permitted user parameters
   def user_params
-    params.require(:user).permit(:email, :email_confirmation, :display_name,
+    params.require(:user).permit(:email, :display_name,
                                  :auth_provider, :auth_uid,
-                                 :pass_crypt, :pass_crypt_confirmation)
+                                 :pass_crypt, :pass_crypt_confirmation,
+                                 :consider_pd)
   end
 
   ##
diff --git a/app/helpers/user_helper.rb b/app/helpers/user_helper.rb
index 19bb8e0d6..0a68e608e 100644
--- a/app/helpers/user_helper.rb
+++ b/app/helpers/user_helper.rb
@@ -53,19 +53,33 @@ module UserHelper
   # External authentication support
 
   def openid_logo
-    image_tag "openid_small.png", :alt => t("sessions.new.openid_logo_alt"), :class => "align-text-bottom"
+    image_tag "openid_small.png", :alt => t("application.auth_providers.openid_logo_alt"), :class => "align-text-bottom"
   end
 
   def auth_button(name, provider, options = {})
     link_to(
       image_tag("#{name}.svg",
-                :alt => t("sessions.new.auth_providers.#{name}.alt"),
-                :class => "rounded-3",
-                :size => "36"),
+                :alt => t("application.auth_providers.#{name}.alt"),
+                :class => "rounded-1",
+                :size => "24"),
       auth_path(options.merge(:provider => provider)),
       :method => :post,
-      :class => "auth_button",
-      :title => t("sessions.new.auth_providers.#{name}.title")
+      :class => "auth_button p-2 d-block",
+      :title => t("application.auth_providers.#{name}.title")
+    )
+  end
+
+  def auth_button_preferred(name, provider, options = {})
+    link_to(
+      image_tag("#{name}.svg",
+                :alt => t("application.auth_providers.#{name}.alt"),
+                :class => "rounded-1 me-3",
+                :width => "24px",
+                :height => "24px") + t("application.auth_providers.#{name}.title"),
+      auth_path(options.merge(:provider => provider)),
+      :method => :post,
+      :class => "auth_button fs-6 border rounded text-muted text-decoration-none py-2 px-4 d-flex justify-content-center align-items-center",
+      :title => t("application.auth_providers.#{name}.title")
     )
   end
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 45ecbcc1b..192f52ac4 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -100,7 +100,7 @@ class User < ApplicationRecord
                            :whitespace => { :leading => false, :trailing => false },
                            :width => { :minimum => 3 }
   validate :display_name_cannot_be_user_id_with_other_id, :if => proc { |u| u.display_name_changed? }
-  validates :email, :presence => true, :confirmation => true, :characters => true
+  validates :email, :presence => true, :characters => true
   validates :email, :if => proc { |u| u.email_changed? },
                     :uniqueness => { :case_sensitive => false }
   validates :email, :if => proc { |u| u.email_changed? },
diff --git a/app/views/application/_auth_providers.html.erb b/app/views/application/_auth_providers.html.erb
new file mode 100644
index 000000000..a79e7b5ce
--- /dev/null
+++ b/app/views/application/_auth_providers.html.erb
@@ -0,0 +1,44 @@
+<div>
+  <div class="list-inline justify-content-center d-flex align-items-center flex-wrap mb-3 gap-3" id="login_auth_buttons">
+
+    <% %w[google facebook microsoft github wikipedia].each do |provider| %>
+      <% if Settings.key?("#{provider}_auth_id".to_sym) -%>
+        <% if @preferred_auth_provider == provider %>
+          <div class="mx-2"><%= auth_button_preferred provider, provider %></div>
+        <% end %>
+      <% end -%>
+    <% end -%>
+
+    <div class="justify-content-center d-flex gap-1">
+      <div>
+        <%= link_to image_tag("openid.png",
+                              :alt => t("application.auth_providers.openid.title"),
+                              :size => "24"),
+                    "#",
+                    :id => "openid_open_url",
+                    :title => t("application.auth_providers.openid.title"),
+                    :class => "p-2 d-block" %>
+      </div>
+
+      <% %w[google facebook microsoft github wikipedia].each do |provider| %>
+        <% unless @preferred_auth_provider == provider %>
+          <% if Settings.key?("#{provider}_auth_id".to_sym) -%>
+            <div><%= auth_button provider, provider %></div>
+          <% end -%>
+        <% end %>
+      <% end -%>
+    </div>
+  </div>
+
+  <%# :tabindex starts high to allow rendering at the bottom of the template %>
+  <%= form_tag(auth_path(:provider => "openid"), :id => "openid_login_form") do %>
+    <div id="login_openid_url" class="mb-3">
+      <label for="openid_url" class="form-label"><%= t ".openid_html", :logo => openid_logo %></label>
+      <%= hidden_field_tag("referer", params[:referer], :autocomplete => "off") %>
+      <%= text_field_tag("openid_url", "", :tabindex => 20, :autocomplete => "on", :class => "openid_url form-control") %>
+      <span class="form-text text-muted">(<a href="<%= t "accounts.edit.openid.link" %>" target="_new"><%= t "accounts.edit.openid.link text" %></a>)</span>
+    </div>
+
+    <%= submit_tag t(".openid_login_button"), :tabindex => 21, :id => "openid_login_button", :class => "btn btn-primary" %>
+  <% end %>
+</div>
diff --git a/app/views/layouts/_header.html.erb b/app/views/layouts/_header.html.erb
index 9f3d01b02..8942eb49c 100644
--- a/app/views/layouts/_header.html.erb
+++ b/app/views/layouts/_header.html.erb
@@ -104,7 +104,7 @@
           <%= link_to t("layouts.logout"), logout_path(:referer => request.fullpath), :method => "post", :class => "geolink dropdown-item" %>
         </div>
       </div>
-    <% else %>
+    <% elsif (controller_name != "users" and controller_name != "sessions") || action_name != "new" %>
       <div class="d-inline-flex btn-group login-menu" role="">
         <%= link_to t("layouts.log_in"), login_path(:referer => request.fullpath), :class => "geolink btn btn-outline-secondary" %>
         <%= link_to t("layouts.sign_up"), user_new_path, :class => "btn btn-outline-secondary" %>
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index ffaad054a..d30eb6697 100644
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -1,59 +1,67 @@
 <% content_for :head do %>
   <%= javascript_include_tag "login" %>
+  <%= javascript_include_tag "auth_providers" %>
 <% end %>
 
+<% content_for :heading_class, "p-0 mw-100" %>
+
 <% content_for :heading do %>
-  <h1><%= t ".heading" %></h1>
+  <% if @client_app_name %>
+    <p class="text-center text-muted fs-6 py-2 mb-0 bg-white"><%= t(".login_to_authorize_html", :client_app_name => @client_app_name) %></p>
+  <% end %>
+
+  <div class="header-illustration new-user-main auth-container mx-auto">
+    <ul class="nav nav-tabs position-absolute bottom-0 px-3 fs-6 w-100">
+      <li class="nav-item">
+        <%= link_to t("sessions.new.tab_title"), "#", :class => "nav-link active" %>
+      </li>
+      <li class="nav-item">
+        <%= link_to t("users.new.tab_title"), url_for(:action => :new, :controller => :users), :class => "nav-link" %>
+      </li>
+    </ul>
+  </div>
 <% end %>
 
-<div id="login_login">
-  <p class='text-muted'><%= t ".no account" %> <%= link_to t(".register now"), user_new_path(:referer => params[:referer]) %></p>
+<div id="login_login" class="auth-container mx-auto my-0">
+  <% if @preferred_auth_provider %>
+    <%= render :partial => "auth_providers" %>
+    <div class="d-flex justify-content-center align-items-center">
+      <div class="border-bottom border-1 flex-grow-1"></div>
+      <div class="text-secondary mx-3"><%= t ".or" %></div>
+      <div class="border-bottom border-1 flex-grow-1"></div>
+    </div>
+  <% end %>
 
   <%= bootstrap_form_tag(:action => "login", :html => { :id => "login_form" }) do |f| %>
     <%= hidden_field_tag("referer", h(params[:referer]), :autocomplete => "off") %>
 
     <%= f.text_field :username, :label => t(".email or username"), :tabindex => 1, :value => params[:username] %>
-    <%= f.password_field :password, :label => t(".password"), :tabindex => 2, :value => "", :help => link_to(t(".lost password link"), user_forgot_password_path) %>
+
+    <div class="row">
+      <div class="col">
+        <%= f.label :password, :class => "form-label" %>
+      </div>
+      <div class="col text-end">
+        <small><%= link_to(t(".lost password link"), user_forgot_password_path) %></small>
+      </div>
+    </div>
+    <input class="form-control mb-3" type="password" name="password" id="password" tabindex="2" value="" autocomplete="off" />
+
     <%= f.form_group do %>
       <%= f.check_box :remember_me, { :label => t(".remember"), :tabindex => 3, :checked => (params[:remember_me] == "yes") }, "yes" %>
     <% end %>
 
-    <%= f.primary t(".login_button"), :tabindex => 4 %>
+    <div class="mb-3">
+      <%= f.primary t(".login_button"), :tabindex => 4 %>
+    </div>
   <% end %>
 
-  <hr>
-
-  <div id="loginForm">
-    <div class="mb-3">
-      <label class="form-label"><%= t ".with external" %></label>
-
-      <ul class='list-inline' id="login_auth_buttons">
-        <li class="list-inline-item me-3">
-          <%= link_to image_tag("openid.png",
-                                :alt => t(".auth_providers.openid.title"),
-                                :size => "36"),
-                      "#",
-                      :id => "openid_open_url",
-                      :title => t(".auth_providers.openid.title") %>
-        </li>
-
-        <% %w[google facebook microsoft github wikipedia].each do |provider| %>
-          <% if Settings.key?("#{provider}_auth_id".to_sym) -%>
-            <li class="list-inline-item me-3"><%= auth_button provider, provider %></li>
-          <% end -%>
-        <% end -%>
-      </ul>
-
-      <%= form_tag(auth_path(:provider => "openid"), :id => "openid_login_form") do %>
-        <div id='login_openid_url' class="mb-3">
-          <label for='openid_url' class="form-label"><%= t ".openid_html", :logo => openid_logo %></label>
-          <%= hidden_field_tag("referer", params[:referer], :autocomplete => "off") %>
-          <%= text_field_tag("openid_url", "", :tabindex => 5, :autocomplete => "on", :class => "openid_url form-control") %>
-          <span class="form-text text-muted">(<a href="<%= t "accounts.edit.openid.link" %>" target="_new"><%= t "accounts.edit.openid.link text" %></a>)</span>
-        </div>
-
-        <%= submit_tag t(".login_button"), :tabindex => 6, :id => "login_openid_submit", :class => "btn btn-primary" %>
-      <% end %>
+  <% unless @preferred_auth_provider %>
+    <div class="d-flex justify-content-center align-items-center">
+      <div class="border-bottom border-1 flex-grow-1"></div>
+      <div class="text-secondary mx-3"><%= t ".with external" %></div>
+      <div class="border-bottom border-1 flex-grow-1"></div>
     </div>
-  </div>
+    <%= render :partial => "auth_providers" %>
+  <% end %>
 </div>
diff --git a/app/views/users/blocked.html.erb b/app/views/users/blocked.html.erb
index f1239bc1e..a97d9ba8d 100644
--- a/app/views/users/blocked.html.erb
+++ b/app/views/users/blocked.html.erb
@@ -1,11 +1,18 @@
-<% content_for :heading_class, "pb-0" %>
+<% content_for :heading_class, "p-0 mw-100" %>
 <% content_for :heading do %>
-  <div class='header-illustration new-user-main'>
-    <h1><%= t "users.new.title" %></h1>
+  <div class="header-illustration new-user-main auth-container mx-auto">
+    <ul class="nav nav-tabs position-absolute bottom-0 px-3 fs-6 w-100">
+      <li class="nav-item">
+        <%= link_to t("sessions.new.tab_title"), url_for(:action => :new, :controller => :sessions), :class => "nav-link" %>
+      </li>
+      <li class="nav-item">
+        <%= link_to t("users.new.tab_title"), "#", :class => "nav-link active" %>
+      </li>
+    </ul>
   </div>
 <% end %>
 
-<div class="mx-auto my-0">
+<div class="auth-container mx-auto my-0">
   <p><strong><%= t "users.new.no_auto_account_create" %></strong></p>
   <p><%= t "users.new.please_contact_support_html", :support_link => mail_to(Settings.support_email, t("users.new.support")) %></p>
 </div>
diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb
index 27e98b45b..bf96c4577 100644
--- a/app/views/users/new.html.erb
+++ b/app/views/users/new.html.erb
@@ -1,52 +1,107 @@
 <% content_for :head do %>
   <%= javascript_include_tag "user" %>
+  <%= javascript_include_tag "auth_providers" %>
 <% end %>
 
-<% content_for :heading_class, "pb-0" %>
+<% content_for :heading_class, "p-0 mw-100" %>
+
 <% content_for :heading do %>
-  <div class='header-illustration new-user-main'>
-    <h1><%= t ".title" %></h1>
-  </div>
-  <div class='header-illustration new-user-arm d-none d-md-block'></div>
-<% end %>
+  <% if @client_app_name %>
+    <p class="text-center text-muted fs-6 py-2 mb-0 bg-white"><%= t(".signup_to_authorize_html", :client_app_name => @client_app_name) %></p>
+  <% end %>
 
-<div class="row">
-  <div class='text-muted col-sm order-sm-2'>
-    <h4><%= t ".about.header" %></h4>
-    <p><%= t ".about.paragraph_1" %></p>
-    <p><%= t ".about.paragraph_2" %></p>
+  <div class="header-illustration new-user-main auth-container mx-auto">
+    <ul class="nav nav-tabs position-absolute bottom-0 px-3 fs-6 w-100">
+      <li class="nav-item">
+        <%= link_to t("sessions.new.tab_title"), url_for(:action => :new, :controller => :sessions), :class => "nav-link" %>
+      </li>
+      <li class="nav-item">
+        <%= link_to t("users.new.tab_title"), "#", :class => "nav-link active" %>
+      </li>
+    </ul>
   </div>
+<% end %>
 
-  <div class="col-sm">
-    <%= bootstrap_form_for current_user, :url => { :action => "create" } do |f| %>
-      <%= hidden_field_tag("referer", h(@referer)) unless @referer.nil? %>
+<div class="auth-container mx-auto my-0">
+  <% if current_user.auth_uid.nil? %>
+    <div class="text-muted fs-6">
+      <p><strong><%= t ".about.header" %></strong> <%= t ".about.paragraph_1" %></p>
+      <p><%= t ".about.paragraph_2" %></p>
+    </div>
 
-      <%= f.email_field :email, :tabindex => 1 %>
-      <%= f.email_field :email_confirmation, :help => t(".email_confirmation_help_html",
-                                                        :privacy_policy_link => link_to(t(".privacy_policy"),
-                                                                                        t(".privacy_policy_url"),
-                                                                                        :title => t(".privacy_policy_title"))),
-                                             :tabindex => 2 %>
+    <% unless @preferred_auth_provider.nil? %>
+      <%= render :partial => "auth_providers" %>
+      <div class="d-flex justify-content-center align-items-center">
+        <div class="border-bottom border-1 flex-grow-1"></div>
+        <div class="text-secondary mx-3"><%= t ".or" %></div>
+        <div class="border-bottom border-1 flex-grow-1"></div>
+      </div>
+    <% end %>
+  <% else %>
+    <h4><%= t ".about.welcome" %></h4>
+  <% end %>
 
-      <%= f.text_field :display_name, :help => t(".display name description"), :tabindex => 3 %>
+  <%= bootstrap_form_for current_user, :url => { :action => "create" } do |f| %>
+    <%= hidden_field_tag("referer", h(@referer)) unless @referer.nil? %>
+    <%= hidden_field_tag("email_hmac", h(@email_hmac)) unless @email_hmac.nil? %>
+    <%= f.hidden_field :auth_provider unless current_user.auth_provider.nil? %>
+    <%= f.hidden_field :auth_uid unless current_user.auth_uid.nil? %>
 
-      <fieldset class="mb-3" id="auth_field">
-        <label for="user_auth_provider" class="form-label"><%= t(".external auth") %></label>
-        <div class="row">
-          <%= f.select(:auth_provider, Auth.providers, :default => "", :hide_label => true, :wrapper => { :class => "col-auto mb-0" }, :tabindex => 4) %>
-          <%= f.text_field(:auth_uid, :hide_label => true, :wrapper => { :class => "col mb-0" }, :tabindex => 5) %>
-        </div>
-        <small class="form-text text-muted"><%= t ".auth no password" %></small>
-      </fieldset>
+    <% if current_user.auth_uid.nil? or @email_hmac.nil? or not current_user.errors[:email].empty? %>
+      <%= f.email_field :email, :help => t(".email_help_html",
+                                           :privacy_policy_link => link_to(t(".privacy_policy"),
+                                                                           t(".privacy_policy_url"),
+                                                                           :title => t(".privacy_policy_title"),
+                                                                           :target => :new)),
+                                :tabindex => 1 %>
+    <% else %>
+      <%= f.hidden_field :email %>
+    <% end %>
 
-      <%= f.password_field :pass_crypt, :tabindex => 6 %>
-      <%= f.password_field :pass_crypt_confirmation, :tabindex => 7 %>
+    <%= f.text_field :display_name, :help => t(".display name description"), :tabindex => 2 %>
 
-      <div id="auth_prompt">
-        <p><%= link_to t(".use external auth"), "#", :id => "auth_enable" %></p>
+    <% if current_user.auth_uid.nil? %>
+      <div class="row">
+        <div class="col-sm">
+          <%= f.password_field :pass_crypt, :tabindex => 3 %>
+        </div>
+        <div class="col-sm">
+          <%= f.password_field :pass_crypt_confirmation, :tabindex => 4 %>
+        </div>
       </div>
+    <% end %>
 
-      <%= f.primary t(".continue"), :tabindex => 8 %>
+    <p class="mb-3 text-muted fs-6"><%= t(".by_signing_up_html",
+                                          :tou_link => link_to(t("layouts.tou"),
+                                                               "https://wiki.osmfoundation.org/wiki/Terms_of_Use",
+                                                               :target => :new),
+                                          :privacy_policy_link => link_to(t(".privacy_policy"),
+                                                                          t(".privacy_policy_url"),
+                                                                          :title => t(".privacy_policy_title"),
+                                                                          :target => :new),
+                                          :contributor_terms_link => link_to(t(".contributor_terms"),
+                                                                             t(".contributor_terms_url"),
+                                                                             :target => :new)) %></p>
+    <%= f.form_group do %>
+      <%= f.check_box :consider_pd,
+                      :tabindex => 5,
+                      :label => t(".consider_pd_html",
+                                  :consider_pd_link => link_to(t(".consider_pd"),
+                                                               t(".consider_pd_url"),
+                                                               :target => :new)) %>
     <% end %>
-  </div>
+
+    <div class="mb-3">
+      <%= submit_tag(t(".continue"), :name => "continue", :id => "continue", :class => "btn btn-primary", :tabindex => 6) %>
+    </div>
+  <% end %>
+
+  <% if current_user.auth_uid.nil? and @preferred_auth_provider.nil? %>
+    <div class="d-flex justify-content-center align-items-center">
+      <div class="border-bottom border-1 flex-grow-1"></div>
+      <div class="text-secondary mx-3"><%= t ".use external auth" %></div>
+      <div class="border-bottom border-1 flex-grow-1"></div>
+    </div>
+    <%= render :partial => "auth_providers" %>
+  <% end %>
 </div>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 77002268b..4570183d0 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -142,7 +142,6 @@ en:
         auth_provider: Authentication Provider
         auth_uid: Authentication UID
         email: "Email"
-        email_confirmation: "Email Confirmation"
         new_email: "New Email Address"
         active: "Active"
         display_name: "Display Name"
@@ -1848,43 +1847,17 @@ en:
   sessions:
     new:
       title: "Log in"
-      heading: "Log in"
+      tab_title: "Log in"
+      login_to_authorize_html: "Log in to OpenStreetMap to access %{client_app_name}."
       email or username: "Email Address or Username"
       password: "Password"
-      openid_html: "%{logo} OpenID"
       remember: "Remember me"
       lost password link: "Lost your password?"
       login_button: "Log in"
       register now: Register now
-      with external: "Alternatively, use a third party to log in:"
-      no account: Don't have an account?
+      with external: "or log in with a third party"
+      or: "or"
       auth failure: "Sorry, could not log in with those details."
-      openid_logo_alt: "Log in with an OpenID"
-      auth_providers:
-        openid:
-          title: Log in with OpenID
-          alt: Log in with an OpenID URL
-        google:
-          title: Log in with Google
-          alt: Log in with a Google OpenID
-        facebook:
-          title: Log in with Facebook
-          alt: Log in with a Facebook Account
-        microsoft:
-          title: Log in with Microsoft
-          alt: Log in with a Microsoft Account
-        github:
-          title: Log in with GitHub
-          alt: Log in with a GitHub Account
-        wikipedia:
-          title: Log in with Wikipedia
-          alt: Log in with a Wikipedia Account
-        wordpress:
-          title: Log in with Wordpress
-          alt: Log in with a Wordpress OpenID
-        aol:
-          title: Log in with AOL
-          alt: Log in with an AOL OpenID
     destroy:
       title: "Logout"
       heading: "Logout from OpenStreetMap"
@@ -2599,6 +2572,34 @@ en:
       oauth2_applications: OAuth 2 applications
       oauth2_authorizations: OAuth 2 authorizations
       muted_users: Muted Users
+    auth_providers:
+      openid_logo_alt: "Log in with an OpenID"
+      openid_html: "%{logo} OpenID"
+      openid_login_button: "Continue"
+      openid:
+        title: Log in with OpenID
+        alt: Log in with an OpenID URL
+      google:
+        title: Log in with Google
+        alt: Log in with a Google OpenID
+      facebook:
+        title: Log in with Facebook
+        alt: Log in with a Facebook Account
+      microsoft:
+        title: Log in with Microsoft
+        alt: Log in with a Microsoft Account
+      github:
+        title: Log in with GitHub
+        alt: Log in with a GitHub Account
+      wikipedia:
+        title: Log in with Wikipedia
+        alt: Log in with a Wikipedia Account
+      wordpress:
+        title: Log in with Wordpress
+        alt: Log in with a Wordpress OpenID
+      aol:
+        title: Log in with AOL
+        alt: Log in with an AOL OpenID
   oauth:
     authorize:
       title: "Authorize access to your account"
@@ -2727,23 +2728,34 @@ en:
   users:
     new:
       title: "Sign Up"
+      tab_title: "Sign up"
+      signup_to_authorize_html: "Sign up with OpenStreetMap to access %{client_app_name}."
       no_auto_account_create: "Unfortunately we are not currently able to create an account for you automatically."
       please_contact_support_html: 'Please contact %{support_link} to arrange for an account to be created - we will try and deal with the request as quickly as possible.'
       support: support
       about:
-        header: Free and editable
+        header: Free and editable.
         paragraph_1: Unlike other maps, OpenStreetMap is completely created by people like you, and it's free for anyone to fix, update, download and use.
-        paragraph_2: Sign up to get started contributing. We'll send an email to confirm your account.
+        paragraph_2: Sign up to get started contributing.
+        welcome: "Welcome to OpenStreetMap"
+      duplicate_social_email: "If you already have an OpenStreetMap account and wish to use a 3rd party identity provider, please log in using your password and modify the settings of your account."
       display name description: "Your publicly displayed username. You can change this later in the preferences."
+      by_signing_up_html: "By signing up, you agree to our %{tou_link}, %{privacy_policy_link} and %{contributor_terms_link}."
+      tou: "terms of use"
+      contributor_terms_url: "https://wiki.osmfoundation.org/wiki/Licence/Contributor_Terms"
+      contributor_terms: "contributor terms"
       external auth: "Third Party Authentication:"
-      use external auth: "Alternatively, use a third party to log in"
-      auth no password: "With third party authentication a password is not required, but some extra tools or server may still need one."
       continue: Sign Up
       terms accepted: "Thanks for accepting the new contributor terms!"
-      email_confirmation_help_html: 'Your address is not displayed publicly, see our %{privacy_policy_link} for more information.'
+      email_help_html: 'Your address is not displayed publicly, see our %{privacy_policy_link} for more information.'
       privacy_policy: privacy policy
       privacy_policy_url: https://wiki.osmfoundation.org/wiki/Privacy_Policy
       privacy_policy_title: OSMF privacy policy including section on email addresses
+      consider_pd_html: "I consider my contributions to be in the %{consider_pd_link}."
+      consider_pd: "public domain"
+      consider_pd_url: https://wiki.osmfoundation.org/wiki/Licence_and_Legal_FAQ/Why_would_I_want_my_contributions_to_be_public_domain
+      or: "or"
+      use external auth: "or sign up with a third party"
     terms:
       title: "Terms"
       heading: "Terms"
diff --git a/test/controllers/confirmations_controller_test.rb b/test/controllers/confirmations_controller_test.rb
index 0f4315e4f..79213441f 100644
--- a/test/controllers/confirmations_controller_test.rb
+++ b/test/controllers/confirmations_controller_test.rb
@@ -38,7 +38,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
   def test_confirm_get
     user = build(:user, :pending)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     get user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
@@ -50,7 +49,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     # Get the confirmation page
@@ -71,7 +69,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
@@ -85,7 +82,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
@@ -96,7 +92,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
@@ -111,7 +106,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
@@ -125,7 +119,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string, :referer => new_diary_entry_path }
@@ -136,7 +129,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post logout_path
@@ -151,7 +143,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     travel 2.weeks do
@@ -165,7 +156,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string, :referer => new_diary_entry_path }
@@ -183,7 +173,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = build(:user, :pending)
     stub_gravatar_request(user.email)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
     confirm_string = User.find_by(:email => user.email).generate_token_for(:new_user)
 
     User.find_by(:display_name => user.display_name).hide!
@@ -201,7 +190,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
   def test_confirm_resend_success
     user = build(:user, :pending)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
 
     assert_difference "ActionMailer::Base.deliveries.size", 1 do
       perform_enqueued_jobs do
@@ -220,25 +208,9 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
   end
 
-  def test_confirm_resend_no_token
-    user = build(:user, :pending)
-    # only complete first half of registration
-    post user_new_path, :params => { :user => user.attributes }
-
-    assert_no_difference "ActionMailer::Base.deliveries.size" do
-      perform_enqueued_jobs do
-        get user_confirm_resend_path(user)
-      end
-    end
-
-    assert_redirected_to login_path
-    assert_match "User #{user.display_name} not found.", flash[:error]
-  end
-
   def test_confirm_resend_deleted
     user = build(:user, :pending)
     post user_new_path, :params => { :user => user.attributes }
-    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
 
     User.find_by(:display_name => user.display_name).hide!
 
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index 62bb34279..c5566e65d 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -82,7 +82,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
         assert_select "div#content", :count => 1 do
           assert_select "form[action='/user/new'][method='post']", :count => 1 do
             assert_select "input[id='user_email']", :count => 1
-            assert_select "input[id='user_email_confirmation']", :count => 1
             assert_select "input[id='user_display_name']", :count => 1
             assert_select "input[id='user_pass_crypt'][type='password']", :count => 1
             assert_select "input[id='user_pass_crypt_confirmation'][type='password']", :count => 1
@@ -106,18 +105,10 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
   def test_new_success
     user = build(:user, :pending)
 
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes }
-        end
-      end
-    end
-
     assert_difference "User.count", 1 do
       assert_difference "ActionMailer::Base.deliveries.size", 1 do
         perform_enqueued_jobs do
-          post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+          post user_new_path, :params => { :user => user.attributes }
         end
       end
     end
@@ -151,55 +142,14 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_select "form > div > input.is-invalid#user_email"
   end
 
-  def test_save_duplicate_email
-    user = build(:user, :pending)
-
-    # Set up our user as being half-way through registration
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes }
-        end
-      end
-    end
-
-    # Now create another user with that email
-    create(:user, :email => user.email)
-
-    # Check that the second half of registration fails
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
-        end
-      end
-    end
-
-    assert_response :success
-    assert_template "new"
-    assert_select "form > div > input.is-invalid#user_email"
-  end
-
-  def test_save_duplicate_email_uppercase
+  def test_new_duplicate_email_uppercase
     user = build(:user, :pending)
-
-    # Set up our user as being half-way through registration
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes }
-        end
-      end
-    end
-
-    # Now create another user with that email, but uppercased
     create(:user, :email => user.email.upcase)
 
-    # Check that the second half of registration fails
     assert_no_difference "User.count" do
       assert_no_difference "ActionMailer::Base.deliveries.size" do
         perform_enqueued_jobs do
-          post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+          post user_new_path, :params => { :user => user.attributes }
         end
       end
     end
@@ -209,26 +159,14 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_select "form > div > input.is-invalid#user_email"
   end
 
-  def test_save_duplicate_name
+  def test_new_duplicate_name
     user = build(:user, :pending)
-
-    # Set up our user as being half-way through registration
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes }
-        end
-      end
-    end
-
-    # Now create another user with that display name
     create(:user, :display_name => user.display_name)
 
-    # Check that the second half of registration fails
     assert_no_difference "User.count" do
       assert_no_difference "ActionMailer::Base.deliveries.size" do
         perform_enqueued_jobs do
-          post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+          post user_new_path, :params => { :user => user.attributes }
         end
       end
     end
@@ -238,26 +176,14 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_select "form > div > input.is-invalid#user_display_name"
   end
 
-  def test_save_duplicate_name_uppercase
+  def test_new_duplicate_name_uppercase
     user = build(:user, :pending)
-
-    # Set up our user as being half-way through registration
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes }
-        end
-      end
-    end
-
-    # Now create another user with that display_name, but uppercased
     create(:user, :display_name => user.display_name.upcase)
 
-    # Check that the second half of registration fails
     assert_no_difference "User.count" do
       assert_no_difference "ActionMailer::Base.deliveries.size" do
         perform_enqueued_jobs do
-          post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+          post user_new_path, :params => { :user => user.attributes }
         end
       end
     end
@@ -267,18 +193,9 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_select "form > div > input.is-invalid#user_display_name"
   end
 
-  def test_save_blocked_domain
+  def test_new_blocked_domain
     user = build(:user, :pending, :email => "user@example.net")
 
-    # Set up our user as being half-way through registration
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes }
-        end
-      end
-    end
-
     # Now block that domain
     create(:acl, :domain => "example.net", :k => "no_account_creation")
 
@@ -286,7 +203,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_no_difference "User.count" do
       assert_no_difference "ActionMailer::Base.deliveries.size" do
         perform_enqueued_jobs do
-          post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+          post user_new_path, :params => { :user => user.attributes }
         end
       end
     end
@@ -298,18 +215,9 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
   def test_save_referer_params
     user = build(:user, :pending)
 
-    # Set up our user as being half-way through registration
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes, :referer => "/edit?editor=id#map=1/2/3" }
-        end
-      end
-    end
-
     assert_difference "User.count", 1 do
       assert_difference "ActionMailer::Base.deliveries.size", 1 do
-        post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+        post user_new_path, :params => { :user => user.attributes, :referer => "/edit?editor=id#map=1/2/3" }
         assert_enqueued_with :job => ActionMailer::MailDeliveryJob,
                              :args => proc { |args| args[3][:args][2] == welcome_path(:editor => "id", :zoom => 1, :lat => 2, :lon => 3) }
         perform_enqueued_jobs
@@ -319,24 +227,6 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
   end
 
-  def test_terms_new_user
-    user = build(:user, :pending)
-
-    # Set up our user as being half-way through registration
-    assert_no_difference "User.count" do
-      assert_no_difference "ActionMailer::Base.deliveries.size" do
-        perform_enqueued_jobs do
-          post user_new_path, :params => { :user => user.attributes }
-        end
-      end
-    end
-
-    get user_terms_path
-
-    assert_response :success
-    assert_template :terms
-  end
-
   def test_terms_agreed
     user = create(:user, :terms_seen => true, :terms_agreed => Date.yesterday)
 
diff --git a/test/helpers/user_helper_test.rb b/test/helpers/user_helper_test.rb
index f7d2726db..c2883c2c0 100644
--- a/test/helpers/user_helper_test.rb
+++ b/test/helpers/user_helper_test.rb
@@ -116,8 +116,8 @@ class UserHelperTest < ActionView::TestCase
 
   def test_auth_button
     button = auth_button("google", "google")
-    img_tag = "<img alt=\"Log in with a Google OpenID\" class=\"rounded-3\" src=\"/images/google.svg\" width=\"36\" height=\"36\" />"
-    assert_equal("<a class=\"auth_button\" title=\"Log in with Google\" rel=\"nofollow\" data-method=\"post\" href=\"/auth/google\">#{img_tag}</a>", button)
+    img_tag = "<img alt=\"Log in with a Google OpenID\" class=\"rounded-1\" src=\"/images/google.svg\" width=\"24\" height=\"24\" />"
+    assert_equal("<a class=\"auth_button p-2 d-block\" title=\"Log in with Google\" rel=\"nofollow\" data-method=\"post\" href=\"/auth/google\">#{img_tag}</a>", button)
   end
 
   private
diff --git a/test/integration/user_creation_test.rb b/test/integration/user_creation_test.rb
index 1f749f957..4611860d0 100644
--- a/test/integration/user_creation_test.rb
+++ b/test/integration/user_creation_test.rb
@@ -32,10 +32,74 @@ class UserCreationTest < ActionDispatch::IntegrationTest
         perform_enqueued_jobs do
           post "/user/new",
                :params => { :user => { :email => dup_email,
-                                       :email_confirmation => dup_email,
                                        :display_name => display_name,
                                        :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" } }
+                                       :pass_crypt_confirmation => "testtest",
+                                       :consider_pd => "1" } }
+        end
+      end
+    end
+    assert_response :success
+    assert_template "users/new"
+    assert_select "form"
+    assert_select "form > div > input.is-invalid#user_email"
+  end
+
+  def test_user_create_association_bad_auth_provider
+    assert_difference("User.count", 0) do
+      assert_no_difference("ActionMailer::Base.deliveries.size") do
+        perform_enqueued_jobs do
+          post "/user/new",
+               :params => { :user => { :email => "test@example.com",
+                                       :display_name => "new_tester",
+                                       :pass_crypt => "testtest",
+                                       :pass_crypt_confirmation => "testtest",
+                                       :auth_provider => "noprovider",
+                                       :auth_uid => "123454321",
+                                       :consider_pd => "1" } }
+          assert_redirected_to auth_path(:provider => "noprovider", :origin => "/user/new")
+          post response.location
+        end
+      end
+    end
+    assert_response :not_found
+  end
+
+  def test_user_create_association_no_auth_uid
+    OmniAuth.config.mock_auth[:google] = :invalid_credentials
+    assert_difference("User.count", 0) do
+      assert_no_difference("ActionMailer::Base.deliveries.size") do
+        perform_enqueued_jobs do
+          post "/user/new",
+               :params => { :user => { :email => "test@example.com",
+                                       :display_name => "new_tester",
+                                       :pass_crypt => "testtest",
+                                       :pass_crypt_confirmation => "testtest",
+                                       :auth_provider => "google",
+                                       :consider_pd => "1" } }
+          assert_redirected_to auth_path(:provider => "google", :origin => "/user/new")
+          post response.location
+        end
+      end
+    end
+    follow_redirect!
+    assert_redirected_to auth_failure_path(:strategy => "google", :message => "invalid_credentials", :origin => "/user/new")
+  end
+
+  def test_user_create_association_submit_duplicate_email
+    dup_email = create(:user).email
+    display_name = "new_tester"
+    assert_difference("User.count", 0) do
+      assert_no_difference("ActionMailer::Base.deliveries.size") do
+        perform_enqueued_jobs do
+          post "/user/new",
+               :params => { :user => { :email => dup_email,
+                                       :display_name => display_name,
+                                       :pass_crypt => "testtest",
+                                       :pass_crypt_confirmation => "testtest",
+                                       :auth_provider => "google",
+                                       :auth_uid => "123454321",
+                                       :consider_pd => "1" } }
         end
       end
     end
@@ -53,7 +117,6 @@ class UserCreationTest < ActionDispatch::IntegrationTest
         perform_enqueued_jobs do
           post "/user/new",
                :params => { :user => { :email => email,
-                                       :email_confirmation => email,
                                        :display_name => dup_display_name,
                                        :pass_crypt => "testtest",
                                        :pass_crypt_confirmation => "testtest" } }
@@ -73,42 +136,52 @@ class UserCreationTest < ActionDispatch::IntegrationTest
         perform_enqueued_jobs do
           post "/user/new",
                :params => { :user => { :email => email,
-                                       :email_confirmation => email,
                                        :display_name => display_name,
                                        :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "blahblah" } }
+                                       :pass_crypt_confirmation => "blahblah",
+                                       :consider_pd => "1" } }
         end
       end
     end
     assert_response :success
     assert_template "users/new"
-    assert_select "form > div > input.is-invalid#user_pass_crypt_confirmation"
+    assert_select "form > div > div > div > input.is-invalid#user_pass_crypt_confirmation"
   end
 
-  def test_user_create_success
-    new_email = "newtester@osm.org"
-    display_name = "new_tester"
-
+  def test_user_create_association_submit_duplicate_username
+    dup_display_name = create(:user).display_name
+    email = "new_tester"
     assert_difference("User.count", 0) do
-      assert_difference("ActionMailer::Base.deliveries.size", 0) do
+      assert_no_difference("ActionMailer::Base.deliveries.size") do
         perform_enqueued_jobs do
           post "/user/new",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" } }
+               :params => { :user => { :email => email,
+                                       :display_name => dup_display_name,
+                                       :auth_provider => "google",
+                                       :auth_uid => "123454321",
+                                       :consider_pd => "1" } }
         end
       end
     end
+    assert_response :success
+    assert_template "users/new"
+    assert_select "form > div > input.is-invalid#user_display_name"
+  end
 
-    assert_redirected_to "/user/terms"
+  def test_user_create_success
+    new_email = "newtester@osm.org"
+    display_name = "new_tester"
 
-    assert_difference("User.count") do
+    assert_difference("User.count", 1) do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
-          post "/user/save",
-               :params => { :read_ct => 1, :read_tou => 1 }
+          post "/user/new",
+               :params => { :user => { :email => new_email,
+                                       :display_name => display_name,
+                                       :pass_crypt => "testtest",
+                                       :pass_crypt_confirmation => "testtest",
+                                       :consider_pd => "1" } }
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
           follow_redirect!
         end
       end
@@ -138,33 +211,6 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     assert_equal user, User.authenticate(:username => new_email, :password => "testtest")
   end
 
-  def test_user_create_no_tou_failure
-    new_email = "#newtester@osm.org"
-    display_name = "new_tester"
-
-    assert_difference("User.count", 0) do
-      assert_difference("ActionMailer::Base.deliveries.size", 0) do
-        perform_enqueued_jobs do
-          post "/user/new",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" } }
-        end
-      end
-    end
-
-    assert_redirected_to "/user/terms"
-
-    perform_enqueued_jobs do
-      post "/user/save"
-      assert_redirected_to "/user/terms"
-    end
-
-    ActionMailer::Base.deliveries.clear
-  end
-
   # Check that the user can successfully recover their password
   def test_lost_password_recovery_success
     # Open the lost password form
@@ -185,19 +231,13 @@ class UserCreationTest < ActionDispatch::IntegrationTest
         perform_enqueued_jobs do
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :pass_crypt => password,
-                                       :pass_crypt_confirmation => password },
+                                       :pass_crypt_confirmation => password,
+                                       :consider_pd => "1" },
                             :referer => referer }
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :pass_crypt => password,
-                                       :pass_crypt_confirmation => password },
-                            :read_ct => 1, :read_tou => 1 }
+          assert_response(:redirect)
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
           follow_redirect!
         end
       end
@@ -233,45 +273,61 @@ class UserCreationTest < ActionDispatch::IntegrationTest
   end
 
   def test_user_create_openid_success
-    OmniAuth.config.add_mock(:openid, :uid => "http://localhost:1123/new.tester")
-
     new_email = "newtester-openid@osm.org"
     display_name = "new_tester-openid"
-    password = "testtest"
+    auth_uid = "http://localhost:1123/new.tester"
+
+    OmniAuth.config.add_mock(:openid,
+                             :uid => auth_uid,
+                             :info => { :email => new_email, :name => display_name })
+
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name, :email => new_email,
+                               :auth_provider => "openid", :auth_uid => auth_uid
+          follow_redirect!
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "openid",
                                        :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" } }
+                                       :consider_pd => "1" } }
           assert_redirected_to auth_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
           post response.location
-          assert_redirected_to auth_success_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
-          follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "openid",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => password,
-                                       :pass_crypt_confirmation => password },
-                            :read_ct => 1, :read_tou => 1 }
-          assert_response :redirect
           follow_redirect!
         end
       end
     end
 
     # Check the page
+    assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
+
+    ActionMailer::Base.deliveries.clear
+  end
+
+  def test_user_create_openid_duplicate_email
+    dup_user = create(:user)
+    display_name = "new_tester-openid"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:openid,
+                             :uid => auth_uid,
+                             :info => { :email => dup_user.email, :name => display_name })
+
+    post auth_path(:provider => "openid", :origin => "/user/new")
+    assert_redirected_to auth_success_path(:provider => "openid", :origin => "/user/new")
+    follow_redirect!
+    assert_redirected_to :controller => :users, :action => "new", :nickname => display_name, :email => dup_user.email,
+                         :auth_provider => "openid", :auth_uid => auth_uid
+    follow_redirect!
+
     assert_response :success
-    assert_template "confirmations/confirm"
+    assert_template "users/new"
+    assert_select "form > div > input.is-invalid#user_email"
 
     ActionMailer::Base.deliveries.clear
   end
@@ -298,10 +354,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
           follow_redirect!
           assert_redirected_to auth_failure_path(:strategy => "openid", :message => "connection_failed", :origin => "/user/new")
           follow_redirect!
-          assert_response :redirect
-          follow_redirect!
-          assert_response :success
-          assert_template "users/new"
+          assert_redirected_to "/user/new"
         end
       end
     end
@@ -310,38 +363,34 @@ class UserCreationTest < ActionDispatch::IntegrationTest
   end
 
   def test_user_create_openid_redirect
-    OmniAuth.config.add_mock(:openid, :uid => "http://localhost:1123/new.tester")
-
+    auth_uid = "http://localhost:1123/new.tester"
     new_email = "redirect_tester_openid@osm.org"
     display_name = "redirect_tester_openid"
-    # nothing special about this page, just need a protected page to redirect back to.
-    referer = "/traces/mine"
+
+    OmniAuth.config.add_mock(:openid,
+                             :uid => auth_uid,
+                             :info => { :email => new_email, :name => display_name })
+
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name, :email => new_email,
+                               :auth_provider => "openid", :auth_uid => auth_uid
+          follow_redirect!
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "openid",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" },
-                            :referer => referer }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" } }
           assert_redirected_to auth_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "openid",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" },
-                            :read_ct => 1, :read_tou => 1 }
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
           follow_redirect!
         end
       end
@@ -378,35 +427,37 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
   def test_user_create_google_success
     new_email = "newtester-google@osm.org"
+    email_hmac = UsersController.message_hmac(new_email)
     display_name = "new_tester-google"
-    password = "testtest"
+    auth_uid = "123454321"
 
-    OmniAuth.config.add_mock(:google, :uid => "123454321", :info => { "email" => new_email })
+    OmniAuth.config.add_mock(:google,
+                             :uid => auth_uid,
+                             :extra => { :id_info => { :openid_id => "http://localhost:1123/new.tester" } },
+                             :info => { :email => new_email, :name => display_name })
 
     assert_difference("User.count") do
       assert_no_difference("ActionMailer::Base.deliveries.size") do
         perform_enqueued_jobs do
+          post auth_path(:provider => "google", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "google")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => new_email, :email_hmac => email_hmac,
+                               :auth_provider => "google", :auth_uid => auth_uid
+          follow_redirect!
+
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "google",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" } }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" },
+                            :email_hmac => email_hmac }
           assert_redirected_to auth_path(:provider => "google", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "google")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "google",
-                                       :auth_uid => "123454321",
-                                       :pass_crypt => password,
-                                       :pass_crypt_confirmation => password },
-                            :read_ct => 1, :read_tou => 1 }
           assert_redirected_to welcome_path
           follow_redirect!
         end
@@ -420,6 +471,31 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
   end
 
+  def test_user_create_google_duplicate_email
+    dup_user = create(:user)
+    display_name = "new_tester-google"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:google,
+                             :uid => auth_uid,
+                             :extra => { :id_info => { :openid_id => "http://localhost:1123/new.tester" } },
+                             :info => { :email => dup_user.email, :name => display_name })
+
+    post auth_path(:provider => "google", :origin => "/user/new")
+    assert_redirected_to auth_success_path(:provider => "google")
+    follow_redirect!
+    assert_redirected_to :controller => :users, :action => "new", :nickname => display_name, :email => dup_user.email,
+                         :email_hmac => UsersController.message_hmac(dup_user.email),
+                         :auth_provider => "google", :auth_uid => auth_uid
+    follow_redirect!
+
+    assert_response :success
+    assert_template "users/new"
+    assert_select "form > div > input.is-invalid#user_email"
+
+    ActionMailer::Base.deliveries.clear
+  end
+
   def test_user_create_google_failure
     OmniAuth.config.mock_auth[:google] = :connection_failed
 
@@ -433,6 +509,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
                                        :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "google",
+                                       :auth_uid => "123454321",
                                        :pass_crypt => "",
                                        :pass_crypt_confirmation => "" } }
           assert_redirected_to auth_path(:provider => "google", :origin => "/user/new")
@@ -441,10 +518,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
           follow_redirect!
           assert_redirected_to auth_failure_path(:strategy => "google", :message => "connection_failed", :origin => "/user/new")
           follow_redirect!
-          assert_response :redirect
-          follow_redirect!
-          assert_response :success
-          assert_template "users/new"
+          assert_redirected_to "/user/new"
         end
       end
     end
@@ -453,39 +527,39 @@ class UserCreationTest < ActionDispatch::IntegrationTest
   end
 
   def test_user_create_google_redirect
-    OmniAuth.config.add_mock(:google, :uid => "123454321", :extra => {
-                               :id_info => { "openid_id" => "http://localhost:1123/new.tester" }
-                             })
-
-    new_email = "redirect_tester_google@osm.org"
+    orig_email = "redirect_tester_google_orig@google.com"
+    email_hmac = UsersController.message_hmac(orig_email)
+    new_email =  "redirect_tester_google@osm.org"
     display_name = "redirect_tester_google"
-    # nothing special about this page, just need a protected page to redirect back to.
-    referer = "/traces/mine"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:google,
+                             :uid => auth_uid,
+                             :extra => { :id_info => { :openid_id => "http://localhost:1123/new.tester" } },
+                             :info => { :email => orig_email, :name => display_name })
+
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "google", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "google")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => orig_email, :email_hmac => email_hmac,
+                               :auth_provider => "google", :auth_uid => auth_uid
+          follow_redirect!
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
+                                       :email_hmac => email_hmac,
                                        :display_name => display_name,
                                        :auth_provider => "google",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" },
-                            :referer => referer }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" } }
           assert_redirected_to auth_path(:provider => "google", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "google")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "google",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" },
-                            :read_ct => 1, :read_tou => 1 }
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
           follow_redirect!
         end
       end
@@ -522,35 +596,36 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
   def test_user_create_facebook_success
     new_email = "newtester-facebook@osm.org"
+    email_hmac = UsersController.message_hmac(new_email)
     display_name = "new_tester-facebook"
-    password = "testtest"
+    auth_uid = "123454321"
 
-    OmniAuth.config.add_mock(:facebook, :uid => "123454321", :info => { "email" => new_email })
+    OmniAuth.config.add_mock(:facebook,
+                             :uid => auth_uid,
+                             :info => { "email" => new_email, :name => display_name })
 
     assert_difference("User.count") do
       assert_no_difference("ActionMailer::Base.deliveries.size") do
         perform_enqueued_jobs do
+          post auth_path(:provider => "facebook", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "facebook")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => new_email, :email_hmac => email_hmac,
+                               :auth_provider => "facebook", :auth_uid => auth_uid
+          follow_redirect!
+
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "facebook",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" } }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" },
+                            :email_hmac => email_hmac }
           assert_redirected_to auth_path(:provider => "facebook", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "facebook")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "facebook",
-                                       :auth_uid => "123454321",
-                                       :pass_crypt => password,
-                                       :pass_crypt_confirmation => password },
-                            :read_ct => 1, :read_tou => 1 }
           assert_redirected_to welcome_path
           follow_redirect!
         end
@@ -564,6 +639,30 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
   end
 
+  def test_user_create_facebook_duplicate_email
+    dup_user = create(:user)
+    display_name = "new_tester-facebook"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:facebook,
+                             :uid => auth_uid,
+                             :info => { :email => dup_user.email, :name => display_name })
+
+    post auth_path(:provider => "facebook", :origin => "/user/new")
+    assert_redirected_to auth_success_path(:provider => "facebook")
+    follow_redirect!
+    assert_redirected_to :controller => :users, :action => "new", :nickname => display_name, :email => dup_user.email,
+                         :email_hmac => UsersController.message_hmac(dup_user.email),
+                         :auth_provider => "facebook", :auth_uid => auth_uid
+    follow_redirect!
+
+    assert_response :success
+    assert_template "users/new"
+    assert_select "form > div > input.is-invalid#user_email"
+
+    ActionMailer::Base.deliveries.clear
+  end
+
   def test_user_create_facebook_failure
     OmniAuth.config.mock_auth[:facebook] = :connection_failed
 
@@ -577,6 +676,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
                                        :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "facebook",
+                                       :auth_uid => "123454321",
                                        :pass_crypt => "",
                                        :pass_crypt_confirmation => "" } }
           assert_redirected_to auth_path(:provider => "facebook", :origin => "/user/new")
@@ -585,10 +685,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
           follow_redirect!
           assert_redirected_to auth_failure_path(:strategy => "facebook", :message => "connection_failed", :origin => "/user/new")
           follow_redirect!
-          assert_response :redirect
-          follow_redirect!
-          assert_response :success
-          assert_template "users/new"
+          assert_redirected_to "/user/new"
         end
       end
     end
@@ -597,37 +694,41 @@ class UserCreationTest < ActionDispatch::IntegrationTest
   end
 
   def test_user_create_facebook_redirect
-    OmniAuth.config.add_mock(:facebook, :uid => "123454321")
-
+    orig_email = "redirect_tester_facebook_orig@osm.org"
+    email_hmac = UsersController.message_hmac(orig_email)
     new_email = "redirect_tester_facebook@osm.org"
     display_name = "redirect_tester_facebook"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:facebook,
+                             :uid => auth_uid,
+                             :info => { :email => orig_email, :name => display_name })
+
     # nothing special about this page, just need a protected page to redirect back to.
-    referer = "/traces/mine"
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "facebook", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "facebook")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => orig_email, :email_hmac => email_hmac,
+                               :auth_provider => "facebook", :auth_uid => auth_uid
+          follow_redirect!
+
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
+                                       :email_hmac => email_hmac,
                                        :display_name => display_name,
                                        :auth_provider => "facebook",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" },
-                            :referer => referer }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" } }
           assert_redirected_to auth_path(:provider => "facebook", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "facebook")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "facebook",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" },
-                            :read_ct => 1, :read_tou => 1 }
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
+          assert_response :redirect
           follow_redirect!
         end
       end
@@ -664,35 +765,35 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
   def test_user_create_microsoft_success
     new_email = "newtester-microsoft@osm.org"
+    email_hmac = UsersController.message_hmac(new_email)
     display_name = "new_tester-microsoft"
-    password = "testtest"
+    auth_uid = "123454321"
 
-    OmniAuth.config.add_mock(:microsoft, :uid => "123454321", :info => { "email" => new_email })
+    OmniAuth.config.add_mock(:microsoft,
+                             :uid => auth_uid,
+                             :info => { "email" => new_email, :name => display_name })
 
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 0) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "microsoft", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "microsoft")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => new_email, :email_hmac => email_hmac,
+                               :auth_provider => "microsoft", :auth_uid => auth_uid
+          follow_redirect!
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "microsoft",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" } }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" },
+                            :email_hmac => email_hmac }
           assert_redirected_to auth_path(:provider => "microsoft", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "microsoft")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "microsoft",
-                                       :auth_uid => "123454321",
-                                       :pass_crypt => password,
-                                       :pass_crypt_confirmation => password },
-                            :read_ct => 1, :read_tou => 1 }
           assert_redirected_to welcome_path
           follow_redirect!
         end
@@ -706,6 +807,30 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
   end
 
+  def test_user_create_microsoft_duplicate_email
+    dup_user = create(:user)
+    display_name = "new_tester-microsoft"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:microsoft,
+                             :uid => auth_uid,
+                             :info => { :email => dup_user.email, :name => display_name })
+
+    post auth_path(:provider => "microsoft", :origin => "/user/new")
+    assert_redirected_to auth_success_path(:provider => "microsoft")
+    follow_redirect!
+    assert_redirected_to :controller => :users, :action => "new", :nickname => display_name, :email => dup_user.email,
+                         :email_hmac => UsersController.message_hmac(dup_user.email),
+                         :auth_provider => "microsoft", :auth_uid => auth_uid
+    follow_redirect!
+
+    assert_response :success
+    assert_template "users/new"
+    assert_select "form > div > input.is-invalid#user_email"
+
+    ActionMailer::Base.deliveries.clear
+  end
+
   def test_user_create_microsoft_failure
     OmniAuth.config.mock_auth[:microsoft] = :connection_failed
 
@@ -719,6 +844,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
                                        :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "microsoft",
+                                       :auth_uid => "123454321",
                                        :pass_crypt => "",
                                        :pass_crypt_confirmation => "" } }
           assert_redirected_to auth_path(:provider => "microsoft", :origin => "/user/new")
@@ -727,10 +853,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
           follow_redirect!
           assert_redirected_to auth_failure_path(:strategy => "microsoft", :message => "connection_failed", :origin => "/user/new")
           follow_redirect!
-          assert_response :redirect
-          follow_redirect!
-          assert_response :success
-          assert_template "users/new"
+          assert_redirected_to "/user/new"
         end
       end
     end
@@ -739,37 +862,40 @@ class UserCreationTest < ActionDispatch::IntegrationTest
   end
 
   def test_user_create_microsoft_redirect
-    OmniAuth.config.add_mock(:microsoft, :uid => "123454321")
-
+    orig_email = "redirect_tester_microsoft_orig@osm.org"
+    email_hmac = UsersController.message_hmac(orig_email)
     new_email = "redirect_tester_microsoft@osm.org"
     display_name = "redirect_tester_microsoft"
-    # nothing special about this page, just need a protected page to redirect back to.
-    referer = "/traces/mine"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:microsoft,
+                             :uid => auth_uid,
+                             :info => { :email => orig_email, :name => display_name })
+
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "microsoft", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "microsoft")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => orig_email, :email_hmac => email_hmac,
+                               :auth_provider => "microsoft", :auth_uid => auth_uid
+          follow_redirect!
+
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
+                                       :email_hmac => email_hmac,
                                        :display_name => display_name,
                                        :auth_provider => "microsoft",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" },
-                            :referer => referer }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" } }
           assert_redirected_to auth_path(:provider => "microsoft", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "microsoft")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "microsoft",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" },
-                            :read_ct => 1, :read_tou => 1 }
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
+          assert_response :redirect
           follow_redirect!
         end
       end
@@ -806,36 +932,40 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
   def test_user_create_github_success
     new_email = "newtester-github@osm.org"
+    email_hmac = UsersController.message_hmac(new_email)
     display_name = "new_tester-github"
     password = "testtest"
+    auth_uid = "123454321"
 
-    OmniAuth.config.add_mock(:github, :uid => "123454321", :info => { "email" => new_email })
+    OmniAuth.config.add_mock(:github,
+                             :uid => auth_uid,
+                             :info => { "email" => new_email, :name => display_name })
 
     assert_difference("User.count") do
       assert_no_difference("ActionMailer::Base.deliveries.size") do
         perform_enqueued_jobs do
-          post "/user/new",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "github",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" } }
-          assert_redirected_to auth_path(:provider => "github", :origin => "/user/new")
-          post response.location
+          post auth_path(:provider => "github", :origin => "/user/new")
           assert_redirected_to auth_success_path(:provider => "github")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => new_email, :email_hmac => email_hmac,
+                               :auth_provider => "github", :auth_uid => auth_uid
+          follow_redirect!
+
+          post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "github",
                                        :auth_uid => "123454321",
                                        :pass_crypt => password,
                                        :pass_crypt_confirmation => password },
                             :read_ct => 1,
-                            :read_tou => 1 }
+                            :read_tou => 1,
+                            :email_hmac => email_hmac }
+          assert_redirected_to auth_path(:provider => "github", :origin => "/user/new")
+          post response.location
+          assert_redirected_to auth_success_path(:provider => "github")
+          follow_redirect!
           assert_redirected_to welcome_path
           follow_redirect!
         end
@@ -849,6 +979,31 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     ActionMailer::Base.deliveries.clear
   end
 
+  def test_user_create_github_duplicate_email
+    dup_user = create(:user)
+    display_name = "new_tester-github"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:github,
+                             :uid => auth_uid,
+                             :extra => { :id_info => { :openid_id => "http://localhost:1123/new.tester" } },
+                             :info => { :email => dup_user.email, :name => display_name })
+
+    post auth_path(:provider => "github", :origin => "/user/new")
+    assert_redirected_to auth_success_path(:provider => "github")
+    follow_redirect!
+    assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                         :email => dup_user.email, :email_hmac => UsersController.message_hmac(dup_user.email),
+                         :auth_provider => "github", :auth_uid => auth_uid
+    follow_redirect!
+
+    assert_response :success
+    assert_template "users/new"
+    assert_select "form > div > input.is-invalid#user_email"
+
+    ActionMailer::Base.deliveries.clear
+  end
+
   def test_user_create_github_failure
     OmniAuth.config.mock_auth[:github] = :connection_failed
 
@@ -862,6 +1017,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
                                        :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "github",
+                                       :auth_uid => "123454321",
                                        :pass_crypt => "",
                                        :pass_crypt_confirmation => "" } }
           assert_redirected_to auth_path(:provider => "github", :origin => "/user/new")
@@ -870,10 +1026,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
           follow_redirect!
           assert_redirected_to auth_failure_path(:strategy => "github", :message => "connection_failed", :origin => "/user/new")
           follow_redirect!
-          assert_response :redirect
-          follow_redirect!
-          assert_response :success
-          assert_template "users/new"
+          assert_redirected_to "/user/new"
         end
       end
     end
@@ -882,38 +1035,39 @@ class UserCreationTest < ActionDispatch::IntegrationTest
   end
 
   def test_user_create_github_redirect
-    OmniAuth.config.add_mock(:github, :uid => "123454321")
-
+    orig_email = "redirect_tester_github_orig@osm.org"
+    email_hmac = UsersController.message_hmac(orig_email)
     new_email = "redirect_tester_github@osm.org"
     display_name = "redirect_tester_github"
-    # nothing special about this page, just need a protected page to redirect back to.
-    referer = "/traces/mine"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:github,
+                             :uid => auth_uid,
+                             :info => { :email => orig_email, :name => display_name })
+
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "github", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "github")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => orig_email, :email_hmac => email_hmac,
+                               :auth_provider => "github", :auth_uid => auth_uid
+          follow_redirect!
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
+                                       :email_hmac => email_hmac,
                                        :display_name => display_name,
                                        :auth_provider => "github",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" },
-                            :referer => referer }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" } }
           assert_redirected_to auth_path(:provider => "github", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "github")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "github",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" },
-                            :read_ct => 1,
-                            :read_tou => 1 }
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
+          assert_response :redirect
           follow_redirect!
         end
       end
@@ -950,36 +1104,39 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 
   def test_user_create_wikipedia_success
     new_email = "newtester-wikipedia@osm.org"
+    email_hmac = UsersController.message_hmac(new_email)
     display_name = "new_tester-wikipedia"
     password = "testtest"
+    auth_uid = "123454321"
 
-    OmniAuth.config.add_mock(:wikipedia, :uid => "123454321", :info => { "email" => new_email })
+    OmniAuth.config.add_mock(:wikipedia,
+                             :uid => auth_uid,
+                             :info => { :email => new_email, :name => display_name })
 
     assert_difference("User.count") do
       assert_no_difference("ActionMailer::Base.deliveries.size") do
         perform_enqueued_jobs do
-          post "/user/new",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "wikipedia",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" } }
-          assert_redirected_to auth_path(:provider => "wikipedia", :origin => "/user/new")
-          post response.location
+          post auth_path(:provider => "wikipedia", :origin => "/user/new")
           assert_redirected_to auth_success_path(:provider => "wikipedia", :origin => "/user/new")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => new_email, :email_hmac => email_hmac,
+                               :auth_provider => "wikipedia", :auth_uid => auth_uid
+          follow_redirect!
+          post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "wikipedia",
                                        :auth_uid => "123454321",
                                        :pass_crypt => password,
                                        :pass_crypt_confirmation => password },
                             :read_ct => 1,
-                            :read_tou => 1 }
+                            :read_tou => 1,
+                            :email_hmac => email_hmac }
+          assert_redirected_to auth_path(:provider => "wikipedia", :origin => "/user/new")
+          post response.location
+          assert_redirected_to auth_success_path(:provider => "wikipedia", :origin => "/user/new")
+          follow_redirect!
           assert_redirected_to welcome_path
           follow_redirect!
         end
@@ -989,6 +1146,28 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     # Check the page
     assert_response :success
     assert_template "site/welcome"
+  end
+
+  def test_user_create_wikipedia_duplicate_email
+    dup_user = create(:user)
+    display_name = "new_tester-wikipedia"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:wikipedia,
+                             :uid => auth_uid,
+                             :info => { "email" => dup_user.email, :name => display_name })
+
+    post auth_path(:provider => "wikipedia", :origin => "/user/new")
+    assert_redirected_to auth_success_path(:provider => "wikipedia", :origin => "/user/new")
+    follow_redirect!
+    assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                         :email => dup_user.email, :email_hmac => UsersController.message_hmac(dup_user.email),
+                         :auth_provider => "wikipedia", :auth_uid => auth_uid
+    follow_redirect!
+
+    assert_response :success
+    assert_template "users/new"
+    assert_select "form > div > input.is-invalid#user_email"
 
     ActionMailer::Base.deliveries.clear
   end
@@ -1006,6 +1185,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
                                        :email_confirmation => new_email,
                                        :display_name => display_name,
                                        :auth_provider => "wikipedia",
+                                       :auth_uid => "123454321",
                                        :pass_crypt => "",
                                        :pass_crypt_confirmation => "" } }
           assert_redirected_to auth_path(:provider => "wikipedia", :origin => "/user/new")
@@ -1014,10 +1194,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
           follow_redirect!
           assert_redirected_to auth_failure_path(:strategy => "wikipedia", :message => "connection_failed", :origin => "/user/new")
           follow_redirect!
-          assert_response :redirect
-          follow_redirect!
-          assert_response :success
-          assert_template "users/new"
+          assert_redirected_to "/user/new"
         end
       end
     end
@@ -1026,38 +1203,41 @@ class UserCreationTest < ActionDispatch::IntegrationTest
   end
 
   def test_user_create_wikipedia_redirect
-    OmniAuth.config.add_mock(:wikipedia, :uid => "123454321")
-
+    orig_email = "redirect_tester_wikipedia_orig@osm.org"
+    email_hmac = UsersController.message_hmac(orig_email)
     new_email = "redirect_tester_wikipedia@osm.org"
     display_name = "redirect_tester_wikipedia"
+    auth_uid = "123454321"
+
+    OmniAuth.config.add_mock(:wikipedia,
+                             :uid => auth_uid,
+                             :info => { :email => orig_email, :name => display_name })
+
     # nothing special about this page, just need a protected page to redirect back to.
-    referer = "/traces/mine"
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         perform_enqueued_jobs do
+          post auth_path(:provider => "wikipedia", :origin => "/user/new")
+          assert_redirected_to auth_success_path(:provider => "wikipedia", :origin => "/user/new")
+          follow_redirect!
+          assert_redirected_to :controller => :users, :action => "new", :nickname => display_name,
+                               :email => orig_email, :email_hmac => email_hmac,
+                               :auth_provider => "wikipedia", :auth_uid => auth_uid
+          follow_redirect!
+
           post "/user/new",
                :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
+                                       :email_hmac => email_hmac,
                                        :display_name => display_name,
                                        :auth_provider => "wikipedia",
-                                       :pass_crypt => "",
-                                       :pass_crypt_confirmation => "" },
-                            :referer => referer }
+                                       :auth_uid => auth_uid,
+                                       :consider_pd => "1" } }
           assert_redirected_to auth_path(:provider => "wikipedia", :origin => "/user/new")
           post response.location
           assert_redirected_to auth_success_path(:provider => "wikipedia", :origin => "/user/new")
           follow_redirect!
-          assert_redirected_to "/user/terms"
-          post "/user/save",
-               :params => { :user => { :email => new_email,
-                                       :email_confirmation => new_email,
-                                       :display_name => display_name,
-                                       :auth_provider => "wikipedia",
-                                       :auth_uid => "http://localhost:1123/new.tester",
-                                       :pass_crypt => "testtest",
-                                       :pass_crypt_confirmation => "testtest" },
-                            :read_ct => 1,
-                            :read_tou => 1 }
+          assert_redirected_to :controller => :confirmations, :action => :confirm, :display_name => display_name
+          assert_response :redirect
           follow_redirect!
         end
       end
diff --git a/test/system/confirmation_resend_test.rb b/test/system/confirmation_resend_test.rb
index 31b9ed7bb..6ef85818a 100644
--- a/test/system/confirmation_resend_test.rb
+++ b/test/system/confirmation_resend_test.rb
@@ -7,16 +7,11 @@ class ConfirmationResendSystemTest < ApplicationSystemTestCase
 
     within ".new_user" do
       fill_in "Email", :with => @user.email
-      fill_in "Email Confirmation", :with => @user.email
       fill_in "Display Name", :with => @user.display_name
       fill_in "Password", :with => "testtest"
       fill_in "Confirm Password", :with => "testtest"
       click_on "Sign Up"
     end
-
-    check "I have read and agree to the above contributor terms"
-    check "I have read and agree to the Terms of Use"
-    click_on "Continue"
   end
 
   test "flash message should not contain raw html" do
diff --git a/test/system/user_signup_test.rb b/test/system/user_signup_test.rb
index e97046800..0835df741 100644
--- a/test/system/user_signup_test.rb
+++ b/test/system/user_signup_test.rb
@@ -4,29 +4,8 @@ class UserSignupTest < ApplicationSystemTestCase
   test "Sign up from login page" do
     visit login_path
 
-    click_on "Register now"
+    click_on "Sign up"
 
     assert_content "Confirm Password"
   end
-
-  test "externally redirect when contributor terms declined" do
-    user = build(:user)
-
-    visit root_path
-    click_on "Sign Up"
-
-    within ".new_user" do
-      fill_in "Email", :with => user.email
-      fill_in "Email Confirmation", :with => user.email
-      fill_in "Display Name", :with => user.display_name
-      fill_in "Password", :with => "testtest"
-      fill_in "Confirm Password", :with => "testtest"
-      click_on "Sign Up"
-    end
-
-    assert_content "Contributor terms"
-    click_on "Cancel"
-
-    assert_current_path "https://wiki.openstreetmap.org/wiki/Contributor_Terms_Declined"
-  end
 end