Merge pull request 'Fix password validation during password reset' (#83) from bugfix/28-password_reset into master

Reviewed-on: #83 Reviewed-by: bumi <bumi@noreply.kosmos.org>
2023-02-19 14:01:25 +00:00 · 2023-02-19 14:01:25 +00:00 · aa0ba18763
commit aa0ba18763
parent 8f9e1c3e84 7dae66959e
3 changed files with 63 additions and 7 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -33,10 +33,12 @@ class User < ApplicationRecord
  end

  def reset_password(new_password, new_password_confirmation)
-    if new_password == new_password_confirmation && ::Devise.ldap_update_password
+    self.password = new_password
+    self.password_confirmation = new_password_confirmation
+    return false unless valid?
+
    Devise::LDAP::Adapter.update_password(login_with, new_password)
-    end
-    clear_reset_password_token if valid?
+    clear_reset_password_token
    save
  end

--- a/app/views/devise/passwords/edit.html.erb
+++ b/app/views/devise/passwords/edit.html.erb
@ -11,7 +11,7 @@
      <%= f.label :password, "New password" %>
    </p>
    <p>
-      <%= f.password_field :password, autofocus: true, autocomplete: "new-password" %>
+      <%= f.password_field :password, autofocus: true, autocomplete: "new-password", class: "w-full" %>
      <% if @minimum_password_length %>
        <br><em class="text-sm text-gray-500">(<%= @minimum_password_length %> characters minimum)</em>
      <% end %>
@ -20,10 +20,10 @@
      <%= f.label :password_confirmation, "Confirm new password" %>
    </p>
    <p>
-      <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+      <%= f.password_field :password_confirmation, autocomplete: "new-password", class: "w-full" %>
    </p>
    <p class="mt-8">
-      <%= f.submit "Change my password", class: 'btn-md btn-blue' %>
+      <%= f.submit "Change my password", class: 'btn-md btn-blue w-full' %>
    </p>
  <% end %>

--- a/spec/features/devise/password_reset.rb
+++ b/spec/features/devise/password_reset.rb
@ -0,0 +1,54 @@
+require 'rails_helper'
+
+RSpec.describe 'Password reset', type: :feature do
+  let(:user) { create :user }
+
+  before do
+    login_as user, :scope => :user
+  end
+
+  scenario 'Send password reset email' do
+    expect(user.reset_password_token).to be_nil
+
+    visit settings_account_path
+    click_button "Send me a password reset link"
+    expect(page).to have_content 'Please check your inbox'
+    expect(user.reload.reset_password_token).to be_a(String)
+  end
+
+  describe "Password reset form" do
+    # Generate a raw reset token, since the stored one is only a digest
+    let(:token) { user.send(:set_reset_password_token) }
+
+    before do
+      logout
+    end
+
+    scenario "Submit with invalid passwords" do
+      expect(Devise::LDAP::Adapter).not_to receive(:update_password)
+
+      visit edit_user_password_path(reset_password_token: token)
+      fill_in :user_password, with: 'nice try'
+      fill_in :user_password_confirmation, with: 'nice try o'
+      click_button 'Change my password'
+      expect(page).to have_content 'Password is too short'
+
+      fill_in :user_password, with: 'a new password'
+      fill_in :user_password_confirmation, with: 'a new password with a typo'
+      click_button 'Change my password'
+      expect(page).to have_content 'Password confirmation doesn\'t match'
+    end
+
+    scenario "Submit with valid passwords" do
+      expect(Devise::LDAP::Adapter).to receive(:update_password)
+        .with(user.cn, 'catch me if you can').and_return(true)
+
+      visit edit_user_password_path(reset_password_token: token)
+      fill_in :user_password, with: 'catch me if you can'
+      fill_in :user_password_confirmation, with: 'catch me if you can'
+      click_button 'Change my password'
+      expect(page).to have_content 'Your password has been changed successfully'
+      expect(user.reload.reset_password_token).to be_nil
+    end
+  end
+end