Maintenance: Improve 'Forgot Password' handling.

2022-03-09 13:38:42 +01:00 · 2022-03-09 13:38:42 +01:00 · f052c2a33f
commit f052c2a33f
parent e74af6e4bc
2 changed files with 55 additions and 21 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -490,15 +490,13 @@ returns
    # try second lookup with email
    user ||= User.find_by(email: username.downcase.strip, active: true)

-    # check if email address exists
-    return if !user
-    return if !user.email
+    return if !user || !user.email

-    # generate token
-    token = Token.create(action: 'PasswordReset', user_id: user.id)
+    # Discard any possible previous tokens for safety reasons.
+    Token.where(action: 'PasswordReset', user_id: user.id).destroy_all

    {
-      token: token,
+      token: Token.create(action: 'PasswordReset', user_id: user.id, persistent: false),
      user:  user,
    }
  end
--- a/spec/system/password_reset_spec.rb
+++ b/spec/system/password_reset_spec.rb
@ -3,6 +3,7 @@
 require 'rails_helper'

 RSpec.describe 'Password Reset', type: :system do
+  context 'when logged in already' do
    before do
      visit 'password_reset'
    end
@ -10,24 +11,59 @@ RSpec.describe 'Password Reset', type: :system do
    it 'logged in user cannot open password reset' do
      expect(page).to have_no_text 'password'
    end
+  end

  context 'when not logged in', authenticated_as: false do
-    it 'proceeds with non-existant user' do
-      fill_in 'username', with: 'nonexisting'
-
+    def request_reset
+      visit 'password_reset'
+      fill_in 'username', with: username
      click '.reset_password .btn--primary'
+    end

+    before do
+      freeze_time
+      request_reset
+    end
+
+    context 'with non-existant user' do
+      let(:username) { 'nonexisting' }
+
+      it 'pretends to proceed' do
+        expect(page).to have_text 'sent password reset instructions'
+      end
+    end
+
+    context 'with existing user' do
+      let(:user) { create(:agent) }
+      let(:username) { user.email }
+      let(:generated_tokens) { Token.where(action: 'PasswordReset', user_id: user.id) }
+
+      it 'proceeds' do
        expect(page).to have_text 'sent password reset instructions'
      end

-    it 'proceeds with an actual user' do
-      user = create(:agent)
+      it 'creates a token' do
+        expect(generated_tokens.count).to eq 1
+      end

-      fill_in 'username', with: user.email
+      it 'token will expire' do
+        expect(generated_tokens.first.persistent).to be false
+      end

-      click '.reset_password .btn--primary'
+      context 'when submitting multiple times' do
+        before do
+          refresh
+          request_reset # a second time now
+        end

+        it 'proceeds' do
          expect(page).to have_text 'sent password reset instructions'
        end
+
+        it 'discards the previous token' do
+          expect(generated_tokens.count).to eq 1
+        end
+      end
+    end
  end
 end