# frozen_string_literal: true

require 'spec_helper'

# Specs for RecoverableByAnyEmail, the concern behind
# `User.send_reset_password_instructions(email:)` that resolves a user by more
# than just the primary email address.
#
# The property under test is *which addresses may trigger a reset email*.
# Reset instructions hand control of the account to whoever reads them, so the
# contexts below pin down, for each kind of input, both the lookup result and
# the mail queue: a reset goes out for a confirmed primary, an unconfirmed
# primary, or a confirmed secondary address, and for nothing else (unconfirmed
# secondary, unknown, malformed, nil, empty, or array input).
RSpec.describe RecoverableByAnyEmail, feature_category: :system_access do
  describe '.send_reset_password_instructions' do
    include EmailHelpers

    # `email` is defined per context via `let`. The subject is memoized, so the
    # examples that reference it several times invoke the lookup only once.
    subject(:send_reset_password_instructions) do
      User.send_reset_password_instructions(email: email)
    end

    # Fixtures: `user` has a confirmed primary email plus one confirmed and one
    # unconfirmed secondary email; a second user is created confirmed and
    # `another_user` is created with its primary email still unconfirmed.
    let_it_be(:user) { create(:user) }
    let_it_be(:user_confirmed_primary_email) { user.email }

    let_it_be(:user_confirmed_secondary_email) do
      create(:email, :confirmed, user: user, email: 'confirmed-secondary-email@example.com').email
    end

    let_it_be(:user_unconfirmed_secondary_email) do
      create(:email, user: user, email: 'unconfirmed-secondary-email@example.com').email
    end

    # Inputs that must never resolve to a user. The SQL-flavoured string is
    # expected to behave exactly like any other unknown address, i.e. the
    # lookup must treat the parameter as data, not as part of the query.
    let_it_be(:unknown_email) { 'attacker@example.com' }
    let_it_be(:invalid_email) { 'invalid_email' }
    let_it_be(:sql_injection_email) { 'sql-injection-email@example.com OR 1=1' }

    let_it_be(:another_user_confirmed_primary_email) { create(:user).email }

    let_it_be(:another_user) { create(:user, :unconfirmed) }
    let_it_be(:another_user_unconfirmed_primary_email) { another_user.email }

    # Positive case. Requires `expected_user` and `email` from the including
    # context. Beyond finding the user, it asserts that exactly one
    # 'Reset password instructions' email is delivered and that it is addressed
    # only to the `email` that was requested, not to the user's other addresses.
    shared_examples "sends 'Reset password instructions' email" do
      it 'finds the user' do
        expect(send_reset_password_instructions).to eq(expected_user)
      end

      it 'sends the email' do
        reset_delivered_emails!

        expect { send_reset_password_instructions }.to have_enqueued_mail(DeviseMailer, :reset_password_instructions)

        perform_enqueued_jobs

        expect_only_one_email_to_be_sent(subject: 'Reset password instructions', to: [email])
      end
    end

    # Negative case. Requires `email` from the including context. Both the
    # return value and the mail queue are checked independently: a lookup that
    # returned an unsaved user but still enqueued mail would be the worse bug.
    shared_examples "does not send 'Reset password instructions' email" do
      # If user is not found, returns a new user with errors.
      # See https://github.com/heartcombo/devise/blob/main/lib/devise/models/recoverable.rb
      it 'does not find the user' do
        expect(send_reset_password_instructions).to be_instance_of User
        expect(send_reset_password_instructions).to be_new_record
        expect(send_reset_password_instructions.errors).not_to be_empty
      end

      it 'does not send email to anyone' do
        reset_delivered_emails!

        expect { send_reset_password_instructions }
          .not_to have_enqueued_mail(DeviseMailer, :reset_password_instructions)

        perform_enqueued_jobs

        should_not_email_anyone
      end
    end

    context "when email param matches user's confirmed primary email" do
      let(:expected_user) { user }
      let(:email) { user_confirmed_primary_email }

      it_behaves_like "sends 'Reset password instructions' email"
    end

    # Note the asymmetry with the unconfirmed *secondary* email context below:
    # an unconfirmed primary address does receive reset instructions.
    context "when email param matches user's unconfirmed primary email" do
      let(:expected_user) { another_user }
      let(:email) { another_user_unconfirmed_primary_email }

      it_behaves_like "sends 'Reset password instructions' email"
    end

    context "when email param matches user's confirmed secondary email" do
      let(:expected_user) { user }
      let(:email) { user_confirmed_secondary_email }

      it_behaves_like "sends 'Reset password instructions' email"
    end

    # Security-relevant: a secondary address that has not been confirmed may
    # belong to someone other than the account owner, so it must neither
    # resolve the user nor receive reset instructions.
    context "when email param matches user's unconfirmed secondary email" do
      let(:email) { user_unconfirmed_secondary_email }

      it_behaves_like "does not send 'Reset password instructions' email"
    end

    context 'when email param is unknown email' do
      let(:email) { unknown_email }

      it_behaves_like "does not send 'Reset password instructions' email"
    end

    context 'when email param is invalid email' do
      let(:email) { invalid_email }

      it_behaves_like "does not send 'Reset password instructions' email"
    end

    context 'when email param with attempt to cause SQL injection' do
      let(:email) { sql_injection_email }

      it_behaves_like "does not send 'Reset password instructions' email"
    end

    context 'when email param is nil' do
      let(:email) { nil }

      it_behaves_like "does not send 'Reset password instructions' email"
    end

    context 'when email param is empty string' do
      let(:email) { '' }

      it_behaves_like "does not send 'Reset password instructions' email"
    end

    # See https://gitlab.com/gitlab-org/gitlab/-/issues/436084
    # An Array passed as the email param must not resolve a user and must not
    # enqueue mail to any of its elements. The list deliberately mixes
    # addresses that would each be accepted on their own with an unknown one,
    # so a lookup matching on "any element" would be caught by the shared
    # example's `should_not_email_anyone`.
    context 'when email param with multiple emails' do
      let(:email) do
        [
          user_confirmed_primary_email,
          user_confirmed_secondary_email,
          user_unconfirmed_secondary_email,
          unknown_email,
          another_user_confirmed_primary_email,
          another_user_unconfirmed_primary_email
        ]
      end

      it_behaves_like "does not send 'Reset password instructions' email"
    end
  end
end