None of Special:ConfirmEmail, User::newFromConfirmationCode, and User::confirmEmail check if an email is already confirmed. newFromConfirmationCode just checks if it's a valid non-expired code, but using a code does not expire it.
It's fine not to show an error for double confirmations, but the hook should not fire twice. I don't think setEmailAuthenticationTimestamp should be called again either, so my patch will avoid doing so.
Version: 1.21.x
Severity: normal