demarches-normaliennes/spec/controllers/france_connect/particulier_controller_spec.rb

# frozen_string_literal: true

describe FranceConnect::ParticulierController, type: :controller do
  let(:birthdate) { '20150821' }
  let(:email) { 'EMAIL_from_fc@test.com' }

  let(:user_info) do
    {
      france_connect_particulier_id: 'blablabla',
      given_name: 'titi',
      family_name: 'toto',
      birthdate: birthdate,
      birthplace: '1234',
      gender: 'M',
      email_france_connect: email
    }
  end

  describe '#auth' do
    subject { get :login }

    it { is_expected.to have_http_status(:redirect) }
  end

  describe '#callback' do
    let(:code) { 'plop' }

    subject { get :callback, params: { code: code } }

    context 'when params are missing' do
      subject { get :callback }

      it { is_expected.to redirect_to(new_user_session_path) }
    end

    context 'when param code is missing' do
      let(:code) { nil }

      it { is_expected.to redirect_to(new_user_session_path) }
    end

    context 'when param code is empty' do
      let(:code) { '' }

      it { is_expected.to redirect_to(new_user_session_path) }
    end

    context 'when code is correct' do
      before do
        allow(FranceConnectService).to receive(:retrieve_user_informations_particulier)
          .and_return(FranceConnectInformation.new(user_info))
      end

      context 'when france_connect_particulier_id exists in database' do
        let!(:fci) { FranceConnectInformation.create!(user_info.merge(user_id: fc_user&.id)) }

        context 'and is linked to an user' do
          let(:fc_user) { create(:user, email: 'associated_user@a.com') }

          it { expect { subject }.not_to change { FranceConnectInformation.count } }
          it { expect { subject }.to change { fc_user.reload.last_sign_in_at } }

          it 'signs in with the fci associated user' do
            subject
            expect(controller.current_user).to eq(fc_user)
            expect(fc_user.reload.loged_in_with_france_connect).to eq(User.loged_in_with_france_connects.fetch(:particulier))
          end

          context 'and the user has a stored location' do
            let(:stored_location) { '/plip/plop' }
            before { controller.store_location_for(:user, stored_location) }

            it { is_expected.to redirect_to(stored_location) }
          end
        end

        context 'and is linked an instructeur' do
          let(:fc_user) { create(:instructeur, email: 'another_email@a.com').user }

          before { subject }

          it do
            expect(response).to redirect_to(new_user_session_path)
            expect(flash[:alert]).to be_present
          end
        end

        context 'and is not linked to an user' do
          let(:fc_user) { nil }

          context 'and no user with the same email exists' do
            it 'render the choose email template to select good email' do
              expect { subject }.to change { User.count }.by(0)
              expect(subject).to render_template(:choose_email)
            end
          end

          context 'and an user with the same email exists' do
            let!(:preexisting_user) { create(:user, email: email) }

            it 'renders the merge page' do
              expect { subject }.not_to change { User.count }

              expect(response).to render_template(:merge)
            end
          end
          context 'and an instructeur with the same email exists' do
            let!(:preexisting_user) { create(:instructeur, email: email) }

            it 'redirects to the login path' do
              expect { subject }.not_to change { User.count }

              expect(response).to redirect_to(new_user_session_path)
              expect(flash[:alert]).to eq(I18n.t('errors.messages.france_connect.forbidden_html', reset_link: new_user_password_path))
            end
          end
        end
      end

      context 'when france_connect_particulier_id does not exist in database' do
        it { expect { subject }.to change { FranceConnectInformation.count }.by(1) }

        it { is_expected.to render_template(:choose_email) }
      end
    end

    context 'when code is not correct' do
      before do
        allow(FranceConnectService).to receive(:retrieve_user_informations_particulier) { raise Rack::OAuth2::Client::Error.new(500, error: 'Unknown') }
        subject
      end

      it { expect(response).to redirect_to(new_user_session_path) }

      it { expect(flash[:alert]).to be_present }
    end
  end

  describe '#merge_using_fc_email' do
    subject { post :merge_using_fc_email, params: { merge_token: merge_token } }

    let!(:fci) { FranceConnectInformation.create!(user_info) }
    let(:merge_token) { fci.create_merge_token! }

    before do
      allow(UserMailer).to receive_message_chain(:custom_confirmation_instructions, :deliver_later)
    end

    context 'when the merge token is valid' do
      it do
        expect(User.last.email).not_to eq(email.downcase)

        subject

        user = User.last

        expect(user.email).to eq(email.downcase)
        expect(UserMailer).to have_received(:custom_confirmation_instructions).with(user, user.confirmation_token)
        expect(user.email_verified_at).to be_nil
        expect(fci.reload.merge_token).to be_nil
        expect(response).to render_template(:confirmation_sent)
      end
    end

    context 'when the merge token is invalid' do
      let(:merge_token) { 'invalid_token' }

      it 'redirects to root_path with an alert' do
        subject
        expect(response).to redirect_to(root_path)
        expect(flash[:alert]).to eq("Le délai pour fusionner les comptes FranceConnect et demarches-simplifiees.fr est expiré. Veuillez recommencer la procédure pour vous fusionner les comptes.")
      end
    end

    context 'when @fci is not valid for merge' do
      before do
        merge_token
        fci.update!(merge_token_created_at: 2.years.ago)
      end

      it 'redirects to root_path with an alert' do
        subject

        expect(response).to redirect_to(root_path)
        expect(flash[:alert]).to eq('Le délai pour fusionner les comptes FranceConnect et demarches-simplifiees.fr est expiré. Veuillez recommencer la procédure pour vous fusionner les comptes.')
      end
    end
  end

  describe '#confirm_email' do
    let!(:user) { create(:user) }
    let!(:fci) { create(:france_connect_information, user: user) }

    before { fci.send_custom_confirmation_instructions }

    context 'when the confirmation token is valid' do
      before do
        get :confirm_email, params: { token: user.confirmation_token }
        user.reload
      end

      it do
        expect(user.email_verified_at).to be_present
        expect(user.confirmation_token).to be_nil

        expect(response).to redirect_to(root_path(user))
        expect(flash[:notice]).to eq('Votre email est bien vérifié')
      end
    end

    context 'when invites are pending' do
      let!(:invite) { create(:invite, email: user.email, user: nil) }

      it 'links pending invites' do
        get :confirm_email, params: { token: user.confirmation_token }
        invite.reload
        expect(invite.user).to eq(user)
      end
    end

    context 'when the confirmation token is expired' do
      let!(:expired_user_confirmation) do
        create(:user, confirmation_token: 'expired_token', confirmation_sent_at: 3.days.ago)
      end

      it 'redirects to root path with an alert when FranceConnectInformation is not found' do
        get :confirm_email, params: { token: 'expired_token' }

        expect(response).to redirect_to(root_path)
        expect(flash[:alert]).to eq(I18n.t('france_connect.particulier.flash.confirmation_mail_resent_error'))
      end

      context 'when FranceConnectInformation exists' do
        let!(:france_connect_information) do
          create(:france_connect_information, user: expired_user_confirmation)
        end

        before do
          allow(UserMailer).to receive_message_chain(:custom_confirmation_instructions, :deliver_later)
        end

        it 'resends the confirmation email and redirects to root path with a notice' do
          get :confirm_email, params: { token: 'expired_token' }

          expect(UserMailer).to have_received(:custom_confirmation_instructions)
            .with(expired_user_confirmation, expired_user_confirmation.reload.confirmation_token)

          expect(response).to redirect_to(root_path)
          expect(flash[:notice]).to eq(I18n.t('france_connect.particulier.flash.confirmation_mail_resent'))
        end
      end
    end

    context 'when a different user is signed in' do
      let!(:expired_user_confirmation) do
        create(:user, confirmation_token: 'expired_token', confirmation_sent_at: 3.days.ago)
      end

      let(:another_user) { create(:user) }

      before { sign_in(another_user) }

      it 'signs out the current user and redirects to sign in path' do
        expect_any_instance_of(FranceConnectInformation).not_to receive(:send_custom_confirmation_instructions)
        expect(controller).to receive(:sign_out).with(:user)

        get :confirm_email, params: { token: 'expired_token' }

        expect(response).to redirect_to(new_user_session_path)
        expect(flash[:alert]).to eq(I18n.t('france_connect.particulier.flash.redirect_new_user_session'))
      end
    end
  end

  describe '#set_user_by_confirmation_token' do
    let(:current_user) { create(:user) }
    let!(:confirmation_user) { create(:user, confirmation_token: 'valid_token') }

    before { sign_in current_user }

    it 'signs out current user and redirects to new session path when users do not match' do
      expect(controller).to receive(:sign_out).with(:user)

      get :confirm_email, params: { token: 'valid_token' }

      expect(response).to redirect_to(new_user_session_path)
      expect(flash[:alert]).to eq(I18n.t('france_connect.particulier.flash.redirect_new_user_session'))
    end

    context 'when user is not found' do
      it 'redirects to root path with user not found alert' do
        get :confirm_email, params: { token: 'invalid_token' }

        expect(response).to redirect_to(root_path)
        expect(flash[:alert]).to eq(I18n.t('france_connect.particulier.flash.user_not_found'))
      end
    end
  end

  RSpec.shared_examples "a method that needs a valid merge token" do
    context 'when the merge token is invalid' do
      before do
        allow(Current).to receive(:application_name).and_return('demarches-simplifiees.fr')
        merge_token
        fci.update(merge_token_created_at: 2.years.ago)
      end

      it do
        if format == :js
          subject
          expect(response.body).to eq("window.location.href='/'")
        else
          expect(subject).to redirect_to root_path
        end
        expect(flash.alert).to eq('Le délai pour fusionner les comptes FranceConnect et demarches-simplifiees.fr est expiré. Veuillez recommencer la procédure pour vous fusionner les comptes.')
      end
    end
  end

  describe '#merge_using_password' do
    let(:fci) { FranceConnectInformation.create!(user_info) }
    let(:merge_token) { fci.create_merge_token! }
    let(:email) { 'EXISTING_account@a.com ' }
    let(:password) { SECURE_PASSWORD }
    let(:format) { :turbo_stream }

    subject { post :merge_using_password, params: { merge_token: merge_token, password: password }, format: format }

    it_behaves_like "a method that needs a valid merge token"

    context 'when the user is not found' do
      it 'does not log' do
        subject
        fci.reload

        expect(fci.user).to be_nil
        expect(fci.merge_token).not_to be_nil
        expect(controller.current_user).to be_nil
      end
    end

    context 'when the credentials are ok' do
      let!(:user) { create(:user, email: email, password: password) }

      it 'merges the account, signs in, and delete the merge token' do
        subject
        fci.reload

        expect(fci.user).to eq(user)
        expect(fci.merge_token).to be_nil
        expect(controller.current_user).to eq(user)
      end

      context 'but the targeted user is an instructeur' do
        let!(:user) { create(:instructeur, email: email, password: password).user }

        it 'redirects to the root page' do
          subject

          expect { fci.reload }.to raise_error(ActiveRecord::RecordNotFound)

          expect(fci.merge_token).not_to be_nil
          expect(controller.current_user).to be_nil
        end
      end
    end

    context 'when the credentials are not ok' do
      let!(:user) { create(:user, email: email, password: 'another password #$21$%%') }

      it 'increases the failed attempts counter' do
        subject
        fci.reload

        expect(fci.user).to be_nil
        expect(fci.merge_token).not_to be_nil
        expect(controller.current_user).to be_nil
        expect(user.reload.failed_attempts).to eq(1)
      end
    end
  end

  describe '#merge_using_email_link' do
    let(:fci) { FranceConnectInformation.create!(user_info) }
    let!(:email_merge_token) { fci.create_email_merge_token! }

    context 'when the merge_token is ok and the user is found' do
      subject do
        post :merge_using_email_link, params: { email_merge_token: }
      end

      before do
        allow(Current).to receive(:application_name).and_return('demarches-simplifiees.fr')
        fci.update!(requested_email: email.downcase)
      end

      let!(:user) { create(:user, email:, password: 'abcdefgh') }

      it 'merges the account, signs in, and delete the merge token' do
        subject
        fci.reload

        expect(fci.user).to eq(user)
        expect(fci.merge_token).to be_nil
        expect(fci.email_merge_token).to be_nil
        expect(controller.current_user).to eq(user)
        expect(flash[:notice]).to eq("Les comptes FranceConnect et #{Current.application_name} sont à présent fusionnés")
      end

      context 'but the targeted user is an instructeur' do
        let!(:user) { create(:instructeur, email: email, password: 'abcdefgh').user }

        it 'redirects to the new session' do
          subject
          expect(FranceConnectInformation.exists?(fci.id)).to be_falsey
          expect(controller.current_user).to be_nil
          expect(response).to redirect_to(new_user_session_path)
          expect(flash[:alert]).to eq(I18n.t('errors.messages.france_connect.forbidden_html', reset_link: new_user_password_path))
        end
      end
    end
  end

  describe '#send_email_merge_request' do
    let(:fci) { FranceConnectInformation.create!(user_info) }
    let(:merge_token) { fci.create_merge_token! }
    let(:email) { 'requested_email@.a.com' }

    subject { post :send_email_merge_request, params: { merge_token: merge_token, email: } }

    it 'renew token' do
      allow(UserMailer).to receive_message_chain(:france_connect_merge_confirmation, :deliver_later)
      subject

      fci.reload
      expect(fci.requested_email).to eq(email)
      expect(fci.email_merge_token).to be_present

      expect(UserMailer).to have_received(:france_connect_merge_confirmation).with(email, fci.email_merge_token, fci.email_merge_token_created_at)

      expect(response).to redirect_to(root_path)
    end
  end
end