From b67d6139ac32dfd740ea01d3e90b6b41f83c7dfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 19 Feb 2023 15:50:19 +0800
Subject: [PATCH] Fix password validation during password reset

fixes #28
---
 app/models/user.rb                     | 10 ++++---
 spec/features/devise/password_reset.rb | 40 ++++++++++++++++++++------
 2 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 660d53c..a627661 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -33,10 +33,12 @@ class User < ApplicationRecord
   end
 
   def reset_password(new_password, new_password_confirmation)
-    if new_password == new_password_confirmation && ::Devise.ldap_update_password
-      Devise::LDAP::Adapter.update_password(login_with, new_password)
-    end
-    clear_reset_password_token if valid?
+    self.password = new_password
+    self.password_confirmation = new_password_confirmation
+    return false unless valid?
+
+    Devise::LDAP::Adapter.update_password(login_with, new_password)
+    clear_reset_password_token
     save
   end
 
diff --git a/spec/features/devise/password_reset.rb b/spec/features/devise/password_reset.rb
index d31bc80..c12396c 100644
--- a/spec/features/devise/password_reset.rb
+++ b/spec/features/devise/password_reset.rb
@@ -16,17 +16,39 @@ RSpec.describe 'Password reset', type: :feature do
     expect(user.reload.reset_password_token).to be_a(String)
   end
 
-  scenario "Reset password" do
+  describe "Password reset form" do
     # Generate a raw reset token, since the stored one is only a digest
-    token = user.send(:set_reset_password_token)
-    logout
-    visit edit_user_password_path(reset_password_token: token)
-    expect(page).to have_content 'Change your password'
+    let(:token) { user.send(:set_reset_password_token) }
 
-    fill_in :user_password, with: 'a new password'
-    fill_in :user_password_confirmation, with: 'a new password with a typo'
-    click_button 'Change my password'
+    before do
+      logout
+    end
 
-    expect(page).to have_content 'Confirmation does not match'
+    scenario "Submit with invalid passwords" do
+      expect(Devise::LDAP::Adapter).not_to receive(:update_password)
+
+      visit edit_user_password_path(reset_password_token: token)
+      fill_in :user_password, with: 'nice try'
+      fill_in :user_password_confirmation, with: 'nice try o'
+      click_button 'Change my password'
+      expect(page).to have_content 'Password is too short'
+
+      fill_in :user_password, with: 'a new password'
+      fill_in :user_password_confirmation, with: 'a new password with a typo'
+      click_button 'Change my password'
+      expect(page).to have_content 'Password confirmation doesn\'t match'
+    end
+
+    scenario "Submit with valid passwords" do
+      expect(Devise::LDAP::Adapter).to receive(:update_password)
+        .with(user.cn, 'catch me if you can').and_return(true)
+
+      visit edit_user_password_path(reset_password_token: token)
+      fill_in :user_password, with: 'catch me if you can'
+      fill_in :user_password_confirmation, with: 'catch me if you can'
+      click_button 'Change my password'
+      expect(page).to have_content 'Your password has been changed successfully'
+      expect(user.reload.reset_password_token).to be_nil
+    end
   end
 end