# frozen_string_literal: true
require 'test_helper'
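# Integration coverage for Devise's Recoverable module: requesting a reset
# link, consuming the token, and the interaction with paranoid mode, case
# insensitive / whitespace-stripped keys and the Lockable unlock strategies.
class PasswordTest < Devise::IntegrationTest
  # Token that the stubbed Devise.friendly_token hands out so reset links in
  # these tests are predictable.
  STUBBED_TOKEN = 'abcdef'
  # Password submitted by every successful reset in this file.
  NEW_PASSWORD = '987654321'
  # Flash shown after a reset request when paranoid mode is off.
  RESET_INSTRUCTIONS_SENT = 'You will receive an email with instructions on how to reset your password in a few minutes.'
  # Flash shown in paranoid mode; the same text appears whether or not the
  # address exists, so the form cannot be used to enumerate accounts.
  PARANOID_RESET_NOTICE = 'If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes.'
  # Leading fragment of every XML error payload for a rejected request.
  XML_ERRORS_PREAMBLE = %(<?xml version="1.0" encoding="UTF-8"?>\n<errors>)

  # Navigates from the sign-in page to the "forgot password" form.
  def visit_new_password_path
    visit new_user_session_path
    click_link 'Forgot your password?'
  end

  # Submits the "forgot password" form for user@test.com. The block runs after
  # the email field is filled so a test can override the submitted address.
  # Devise.friendly_token is stubbed so the generated reset token is STUBBED_TOKEN.
  def request_forgot_password
    visit_new_password_path
    assert_response :success
    refute warden.authenticated?(:user)

    fill_in 'email', with: 'user@test.com'
    yield if block_given?

    Devise.stubs(:friendly_token).returns(STUBBED_TOKEN)
    click_button 'Send me reset password instructions'
  end

  # Fills in and submits the "change password" form with NEW_PASSWORD.
  #
  # @param options [Hash] `visit: false` skips loading the edit page (the form
  #   is already rendered, e.g. after a validation error);
  #   `reset_password_token:` overrides STUBBED_TOKEN in the edit URL.
  # The block runs after both password fields are filled so a test can
  # override one of them before submitting.
  def reset_password(options = {})
    # nil (not given) still visits; only an explicit `visit: false` skips it.
    unless options[:visit] == false
      visit edit_user_password_path(reset_password_token: options[:reset_password_token] || STUBBED_TOKEN)
      assert_response :success
    end

    fill_in 'New password', with: NEW_PASSWORD
    fill_in 'Confirm new password', with: NEW_PASSWORD

    yield if block_given?
    click_button 'Change my password'
  end

  # The reset mail must go to the address stored on the matched record, never
  # the address the requester typed: an input that only differs under case
  # mapping (dotless ı here) can resolve to another user's record.
  test 'reset password should send to user record email and avoid case mapping collisions' do
    create_user(email: 'user@github.com')

    request_forgot_password do
      fill_in 'email', with: 'user@gıthub.com'
    end

    mail = ActionMailer::Base.deliveries.last
    assert_equal ['user@github.com'], mail.to
  end

  test 'reset password with email of different case should succeed when email is in the list of case insensitive keys' do
    create_user(email: 'Foo@Bar.com')

    request_forgot_password do
      fill_in 'email', with: 'foo@bar.com'
    end

    assert_current_url '/users/sign_in'
    assert_contain RESET_INSTRUCTIONS_SENT
  end

  test 'reset password with email should send an email from a custom mailer' do
    create_user(email: 'Foo@Bar.com')

    User.any_instance.stubs(:devise_mailer).returns(Users::Mailer)
    request_forgot_password do
      fill_in 'email', with: 'foo@bar.com'
    end

    mail = ActionMailer::Base.deliveries.last
    assert_equal ['custom@example.com'], mail.from
    assert_match edit_user_password_path(reset_password_token: STUBBED_TOKEN), mail.body.encoded
  end

  test 'reset password with email of different case should fail when email is NOT the list of case insensitive keys' do
    swap Devise, case_insensitive_keys: [] do
      create_user(email: 'Foo@Bar.com')

      request_forgot_password do
        fill_in 'email', with: 'foo@bar.com'
      end

      assert_response :success
      assert_current_url '/users/password'
      assert_have_selector "input[type=email][value='foo@bar.com']"
      assert_contain 'not found'
    end
  end

  test 'reset password with email with extra whitespace should succeed when email is in the list of strip whitespace keys' do
    create_user(email: 'foo@bar.com')

    request_forgot_password do
      fill_in 'email', with: ' foo@bar.com '
    end

    assert_current_url '/users/sign_in'
    assert_contain RESET_INSTRUCTIONS_SENT
  end

  test 'reset password with email with extra whitespace should fail when email is NOT the list of strip whitespace keys' do
    swap Devise, strip_whitespace_keys: [] do
      create_user(email: 'foo@bar.com')

      request_forgot_password do
        fill_in 'email', with: ' foo@bar.com '
      end

      assert_response :success
      assert_current_url '/users/password'
      # Surrounding spaces are kept verbatim when stripping is disabled.
      assert_have_selector "input[type=email][value=' foo@bar.com ']"
      assert_contain 'not found'
    end
  end

  test 'authenticated user should not be able to visit forgot password page' do
    sign_in_as_user
    assert warden.authenticated?(:user)

    get new_user_password_path

    assert_response :redirect
    assert_redirected_to root_path
  end

  test 'not authenticated user should be able to request a forgot password' do
    create_user
    request_forgot_password

    assert_current_url '/users/sign_in'
    assert_contain RESET_INSTRUCTIONS_SENT
  end

  test 'not authenticated user with invalid email should receive an error message' do
    request_forgot_password do
      fill_in 'email', with: 'invalid.test@test.com'
    end

    assert_response :success
    assert_current_url '/users/password'
    assert_have_selector "input[type=email][value='invalid.test@test.com']"
    assert_contain 'not found'
  end

  test 'authenticated user should not be able to visit edit password page' do
    sign_in_as_user
    get edit_user_password_path

    assert_response :redirect
    assert_redirected_to root_path
    assert warden.authenticated?(:user)
  end

  test 'not authenticated user without a reset password token should not be able to visit the page' do
    get edit_user_password_path
    assert_response :redirect
    assert_redirected_to "/users/sign_in"
  end

  test 'not authenticated user with invalid reset password token should not be able to change their password' do
    user = create_user
    reset_password reset_password_token: 'invalid_reset_password'

    assert_response :success
    assert_current_url '/users/password'
    assert_have_selector '#error_explanation'
    assert_contain %r{Reset password token(.*)invalid}
    refute user.reload.valid_password?(NEW_PASSWORD)
  end

  test 'not authenticated user with valid reset password token but invalid password should not be able to change their password' do
    user = create_user
    request_forgot_password
    reset_password do
      fill_in 'Confirm new password', with: 'other_password'
    end

    assert_response :success
    assert_current_url '/users/password'
    assert_have_selector '#error_explanation'
    assert_contain "Password confirmation doesn't match Password"
    refute user.reload.valid_password?(NEW_PASSWORD)
  end

  test 'not authenticated user with valid data should be able to change their password' do
    user = create_user
    request_forgot_password
    reset_password

    assert_current_url '/'
    assert_contain 'Your password has been changed successfully. You are now signed in.'
    assert user.reload.valid_password?(NEW_PASSWORD)
  end

  # The re-rendered form keeps the token, so a second submission on the same
  # page (visit: false) must still succeed.
  test 'after entering invalid data user should still be able to change their password' do
    user = create_user
    request_forgot_password

    reset_password { fill_in 'Confirm new password', with: 'other_password' }
    assert_response :success
    assert_have_selector '#error_explanation'
    refute user.reload.valid_password?(NEW_PASSWORD)

    reset_password visit: false
    assert_contain 'Your password has been changed successfully.'
    assert user.reload.valid_password?(NEW_PASSWORD)
  end

  test 'sign in user automatically after changing its password' do
    create_user
    request_forgot_password
    reset_password

    assert warden.authenticated?(:user)
  end

  test 'does not sign in user automatically after changing its password if config.sign_in_after_reset_password is false' do
    swap Devise, sign_in_after_reset_password: false do
      create_user
      request_forgot_password
      reset_password

      assert_contain 'Your password has been changed successfully.'
      assert_not_contain 'You are now signed in.'
      assert_equal new_user_session_path, @request.path
      refute warden.authenticated?(:user)
    end
  end

  # A password reset must not double as an unlock when the configured
  # unlock strategy does not include :email.
  test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
    [:none, :time].each do |strategy|
      swap Devise, unlock_strategy: strategy do
        create_user(locked: true)
        request_forgot_password
        reset_password

        assert_contain 'Your password has been changed successfully.'
        assert_not_contain 'You are now signed in.'
        assert_equal new_user_session_path, @request.path
        refute warden.authenticated?(:user)
      end
    end
  end

  test 'unlocks and signs in locked user automatically after changing it\'s password if unlock strategy is :email' do
    swap Devise, unlock_strategy: :email do
      user = create_user(locked: true)
      request_forgot_password
      reset_password

      assert_contain 'Your password has been changed successfully.'
      refute user.reload.access_locked?
      assert warden.authenticated?(:user)
    end
  end

  test 'unlocks and signs in locked user automatically after changing it\'s password if unlock strategy is :both' do
    swap Devise, unlock_strategy: :both do
      user = create_user(locked: true)
      request_forgot_password
      reset_password

      assert_contain 'Your password has been changed successfully.'
      refute user.reload.access_locked?
      assert warden.authenticated?(:user)
    end
  end

  test 'reset password request with valid E-Mail in XML format should return valid response' do
    create_user
    post user_password_path(format: 'xml'), params: { user: { email: "user@test.com" } }
    assert_response :success
    assert_equal({}.to_xml, response.body)
  end

  test 'reset password request with invalid E-Mail in XML format should return valid response' do
    create_user
    post user_password_path(format: 'xml'), params: { user: { email: "invalid.test@test.com" } }
    assert_response :unprocessable_entity
    assert_includes response.body, XML_ERRORS_PREAMBLE
  end

  # In paranoid mode an unknown address gets the same empty 2xx body as a
  # known one, so the API does not reveal which addresses are registered.
  test 'reset password request with invalid E-Mail in XML format should return empty and valid response' do
    swap Devise, paranoid: true do
      create_user
      post user_password_path(format: 'xml'), params: { user: { email: "invalid@test.com" } }
      assert_response :success
      assert_equal({}.to_xml, response.body)
    end
  end

  test 'change password with valid parameters in XML format should return valid response' do
    create_user
    request_forgot_password
    put user_password_path(format: 'xml'), params: { user: {
      reset_password_token: STUBBED_TOKEN, password: NEW_PASSWORD, password_confirmation: NEW_PASSWORD
      }
    }
    assert_response :success
    assert warden.authenticated?(:user)
  end

  test 'change password with invalid token in XML format should return invalid response' do
    create_user
    request_forgot_password
    put user_password_path(format: 'xml'), params: { user: { reset_password_token: 'invalid.token', password: NEW_PASSWORD, password_confirmation: NEW_PASSWORD } }
    assert_response :unprocessable_entity
    assert_includes response.body, XML_ERRORS_PREAMBLE
  end

  test 'change password with invalid new password in XML format should return invalid response' do
    user = create_user
    request_forgot_password
    put user_password_path(format: 'xml'), params: { user: { reset_password_token: user.reload.reset_password_token, password: '', password_confirmation: NEW_PASSWORD } }
    assert_response :unprocessable_entity
    assert_includes response.body, XML_ERRORS_PREAMBLE
  end

  # The JSON response must not serialize the user record (and with it any
  # confirmation / reset token attributes).
  test "when using json requests to ask a confirmable request, should not return the object" do
    user = create_user(confirm: false)

    post user_password_path(format: :json), params: { user: { email: user.email } }

    assert_response :success
    assert_equal "{}", response.body
  end

  test "when in paranoid mode and with an invalid e-mail, asking to reset a password should display a message that does not indicates that the e-mail does not exists in the database" do
    swap Devise, paranoid: true do
      visit_new_password_path
      fill_in "email", with: "arandomemail@test.com"
      click_button 'Send me reset password instructions'

      assert_not_contain "1 error prohibited this user from being saved:"
      assert_not_contain "Email not found"
      assert_contain PARANOID_RESET_NOTICE
      assert_current_url "/users/sign_in"
    end
  end

  test "when in paranoid mode and with a valid e-mail, asking to reset password should display a message that does not indicates that the email exists in the database and redirect to the failure route" do
    swap Devise, paranoid: true do
      user = create_user
      visit_new_password_path
      fill_in 'email', with: user.email
      click_button 'Send me reset password instructions'

      assert_contain PARANOID_RESET_NOTICE
      assert_current_url "/users/sign_in"
    end
  end

  # A completed recovery also clears Lockable's failed-attempt counter.
  test "after recovering a password, should set failed attempts to 0" do
    user = create_user
    user.update_attribute(:failed_attempts, 10)
    assert_equal 10, user.failed_attempts

    request_forgot_password
    reset_password

    assert warden.authenticated?(:user)
    user.reload
    assert_equal 0, user.failed_attempts
  end
end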