remove ambiguity about which resource type to be using for new sessions

app/views/devise/passwords/edit.html.haml

 = render 'devise/shared/tab_single', tab_title:'Change your password'
 .login-box
   .login-body
-    = form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put, class: 'gl-show-field-errors' }) do |f|
+    = form_for(resource, as: resource_name, url: password_path(:user), html: { method: :put, class: 'gl-show-field-errors' }) do |f|
       .devise-errors
         = devise_error_messages!
       = f.hidden_field :reset_password_token
@@ -17,5 +17,5 @@
 .clearfix.prepend-top-20
   %p
     %span.light Didn't receive a confirmation email?
-    = link_to "Request a new one", new_confirmation_path(resource_name)
+    = link_to "Request a new one", new_confirmation_path(:user)
 = render 'devise/shared/sign_in_link'

app/views/devise/sessions/_new_base.html.haml

@@ -11,6 +11,6 @@
         = f.check_box :remember_me, class: 'remember-me-checkbox'
         %span Remember me
       .pull-right.forgot-password
-        = link_to "Forgot your password?", new_password_path(resource_name)
+        = link_to "Forgot your password?", new_password_path(:user)
   .submit-container.move-submit-down
     = f.submit "Sign in", class: "btn btn-save"

app/views/devise/shared/_links.erb

 <%- if controller_name != 'sessions' %>
-  <%= link_to "Sign in", new_session_path(resource_name), class: "btn" %><br />
+  <%= link_to "Sign in", new_session_path(:user, redirect_to_referer: 'yes'), class: "btn" %><br />
 <% end -%>
 
 <%- if devise_mapping.registerable? && controller_name != 'registrations' && allow_signup? %>
-  <%= link_to "Sign up", new_registration_path(resource_name) %><br />
+  <%= link_to "Sign up", new_registration_path(:user) %><br />
 <% end -%>
 
 <%- if devise_mapping.recoverable? && controller_name != 'passwords' %>
-<%= link_to "Forgot your password?", new_password_path(resource_name), class: "btn" %><br />
+<%= link_to "Forgot your password?", new_password_path(:user), class: "btn" %><br />
 <% end -%>
 
 <%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
-  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
+  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(:user) %><br />
 <% end -%>
 
 <%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
-  <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br />
+  <%= link_to "Didn't receive unlock instructions?", new_unlock_path(:user) %><br />
 <% end -%>

app/views/devise/shared/_sign_in_link.html.haml

 %p
   %span.light
     Already have login and password?
-    = link_to "Sign in", new_session_path(resource_name)
+    = link_to "Sign in", new_session_path(:user, redirect_to_referer: 'yes')

app/views/devise/shared/_signup_box.html.haml

@@ -31,4 +31,4 @@
   %p
     %span.light Didn't receive a confirmation email?
     = succeed '.' do
-      = link_to "Request a new one", new_confirmation_path(resource_name)
+      = link_to "Request a new one", new_confirmation_path(:user)

app/views/errors/omniauth_error.html.haml

@@ -9,7 +9,7 @@
   %p Try logging in using your username or email. If you have forgotten your password, try recovering it
 
   = link_to "Sign in", new_session_path(:user), class: 'btn primary'
-  = link_to "Recover password", new_password_path(resource_name), class: 'btn secondary'
+  = link_to "Recover password", new_password_path(:user), class: 'btn secondary'
 
   %hr
   %p.light If none of the options work, try contacting a GitLab administrator.

changelogs/unreleased/39367-fix-new-email-session-path.yml

+---
+title: Confirming email with invalid token should no longer generate an error
+merge_request: 15726
+author:
+type: fixed