DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Merge pull request #4239 from betagouv/fix_4238_bot_and_token

Browse source 
Modifie la connexion par jeton pour éviter l'envoi de mails intempestifs
This commit is contained in:
LeSim 2019-08-27 15:12:36 +02:00 committed by GitHub
commit 0c137cb082
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
app/controllers/users/sessions_controller.rb
View file

@ -51,7 +51,11 @@ class Users::SessionsController < Devise::SessionsController
.trusted_device_tokens
.find_by(token: params[:jeton])
if trusted_device_token&.token_valid?
if trusted_device_token.nil?
flash[:alert] = 'Votre lien est invalide.'
redirect_to root_path
elsif trusted_device_token.token_valid?
trust_device(trusted_device_token.created_at)
period = ((trusted_device_token.created_at + TRUSTED_DEVICE_PERIOD) - Time.zone.now).to_i / ActiveSupport::Duration::SECONDS_PER_DAY
@ -67,7 +71,7 @@ class Users::SessionsController < Devise::SessionsController
redirect_to new_user_session_path
end
else
flash[:alert] = 'Votre lien est invalide ou expiré, un nouveau vient de vous être envoyé.'
flash[:alert] = 'Votre lien est expiré, un nouveau vient de vous être envoyé.'
send_login_token_or_bufferize(instructeur)
redirect_to link_sent_path(email: instructeur.email)

21
spec/controllers/users/sessions_controller_spec.rb
View file

@ -136,7 +136,9 @@ describe Users::SessionsController, type: :controller do
context 'when the instructeur has non other account' do
let(:instructeur) { create(:instructeur) }
let!(:good_jeton) { instructeur.create_trusted_device_token }
let(:jeton) { good_jeton }
let(:logged) { false }
let(:valid_token) { true }
before do
if logged
@ -144,34 +146,41 @@ describe Users::SessionsController, type: :controller do
end
allow(controller).to receive(:trust_device)
allow(controller).to receive(:send_login_token_or_bufferize)
allow_any_instance_of(TrustedDeviceToken).to receive(:token_valid?).and_return(valid_token)
post :sign_in_by_link, params: { id: instructeur.id, jeton: jeton }
end
context 'when the instructeur is not logged in' do
context 'when the token is valid' do
let(:jeton) { good_jeton }
it { is_expected.to redirect_to new_user_session_path }
it { expect(controller.current_instructeur).to be_nil }
it { expect(controller).to have_received(:trust_device) }
end
context 'when the token is invalid' do
let(:jeton) { 'invalid_token' }
let(:valid_token) { false }
it { is_expected.to redirect_to link_sent_path(email: instructeur.email) }
it { expect(controller.current_instructeur).to be_nil }
it { expect(controller).not_to have_received(:trust_device) }
it { expect(controller).to have_received(:send_login_token_or_bufferize) }
end
context 'when the token does not exist' do
let(:jeton) { 'I do not exist' }
it { is_expected.to redirect_to root_path }
it { expect(controller.current_instructeur).to be_nil }
it { expect(controller).not_to have_received(:trust_device) }
it { expect(controller).not_to have_received(:send_login_token_or_bufferize) }
it { expect(flash.alert).to eq('Votre lien est invalide.') }
end
end
context 'when the instructeur is logged in' do
let(:logged) { true }
context 'when the token is valid' do
let(:jeton) { good_jeton }
# redirect to root_path, then redirect to instructeur_procedures_path (see root_controller)
it { is_expected.to redirect_to root_path }
it { expect(controller.current_instructeur).to eq(instructeur) }
@ -179,7 +188,7 @@ describe Users::SessionsController, type: :controller do
end
context 'when the token is invalid' do
let(:jeton) { 'invalid_token' }
let(:valid_token) { false }
it { is_expected.to redirect_to link_sent_path(email: instructeur.email) }
it { expect(controller.current_instructeur).to eq(instructeur) }