Fix password validation during password reset #83

Merged
raucao merged 4 commits from bugfix/28-password_reset into master 2023-02-19 14:01:25 +00:00
2 changed files with 37 additions and 13 deletions
Showing only changes of commit b67d6139ac - Show all commits


@@ -33,10 +33,12 @@ class User < ApplicationRecord
end end
def reset_password(new_password, new_password_confirmation) def reset_password(new_password, new_password_confirmation)
if new_password == new_password_confirmation && ::Devise.ldap_update_password self.password = new_password
self.password_confirmation = new_password_confirmation
return false unless valid?
Devise::LDAP::Adapter.update_password(login_with, new_password) Devise::LDAP::Adapter.update_password(login_with, new_password)
Review

can this fail somehow? do we need to catch some error here?

can this fail somehow? do we need to catch some error here?
Review

Hopefully never, but we have #14 and kosmos/chef#436 open to set up exception tracking.

Hopefully never, but we have #14 and kosmos/chef#436 open to set up exception tracking.
end clear_reset_password_token
clear_reset_password_token if valid?
save save
end end
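Review bot: The new body calls `Devise::LDAP::Adapter.update_password` unconditionally, while the removed condition also required `::Devise.ldap_update_password` to be set; if that setting is meant to gate directory writes (environments without LDAP, or where Devise should not push passwords), the guard belongs on the adapter call, `Devise::LDAP::Adapter.update_password(login_with, new_password) if ::Devise.ldap_update_password`. Whatever `update_password` returns is also discarded, so if the adapter reports failure through its return value rather than by raising, `clear_reset_password_token` and `save` still run and the user loses the token without the directory having been updated; either `return false unless Devise::LDAP::Adapter.update_password(login_with, new_password)` or a one-line comment stating that a false return is deliberately ignored would settle that. The `return false unless valid?` placed before the LDAP call is the right order, since it keeps an invalid password from ever reaching the directory.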


@@ -16,17 +16,39 @@ RSpec.describe 'Password reset', type: :feature do
expect(user.reload.reset_password_token).to be_a(String) expect(user.reload.reset_password_token).to be_a(String)
end end
scenario "Reset password" do describe "Password reset form" do
# Generate a raw reset token, since the stored one is only a digest # Generate a raw reset token, since the stored one is only a digest
token = user.send(:set_reset_password_token) let(:token) { user.send(:set_reset_password_token) }
before do
logout logout
end
scenario "Submit with invalid passwords" do
expect(Devise::LDAP::Adapter).not_to receive(:update_password)
visit edit_user_password_path(reset_password_token: token) visit edit_user_password_path(reset_password_token: token)
expect(page).to have_content 'Change your password' fill_in :user_password, with: 'nice try'
fill_in :user_password_confirmation, with: 'nice try o'
click_button 'Change my password'
expect(page).to have_content 'Password is too short'
fill_in :user_password, with: 'a new password' fill_in :user_password, with: 'a new password'
fill_in :user_password_confirmation, with: 'a new password with a typo' fill_in :user_password_confirmation, with: 'a new password with a typo'
click_button 'Change my password' click_button 'Change my password'
expect(page).to have_content 'Password confirmation doesn\'t match'
end
expect(page).to have_content 'Confirmation does not match' scenario "Submit with valid passwords" do
expect(Devise::LDAP::Adapter).to receive(:update_password)
.with(user.cn, 'catch me if you can').and_return(true)
visit edit_user_password_path(reset_password_token: token)
fill_in :user_password, with: 'catch me if you can'
fill_in :user_password_confirmation, with: 'catch me if you can'
click_button 'Change my password'
expect(page).to have_content 'Your password has been changed successfully'
expect(user.reload.reset_password_token).to be_nil
end
end end
end end
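Review bot: The "Submit with invalid passwords" scenario asserts the two validation messages and that the adapter is not called, but not that the reset token survives the failed attempt; because `reset_password` now returns before `clear_reset_password_token`, the token should still be present, and the scenario should pin that with `expect(user.reload.reset_password_token).to be_a(String)` after the last `have_content` expectation, mirroring the `be_nil` check in the valid scenario. Otherwise a regression that clears the token on a rejected submission, locking the user out of a retry, would pass this suite. The `let(:token)` is lazy, so `set_reset_password_token` runs on first reference inside each scenario, after the `before` block's `logout`; a short comment on the `let` line, `# lazy: each scenario generates its own fresh token on first use`, would make that ordering explicit for readers.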