securely retrieve fci

2021-10-13 09:23:14 +02:00 · 2021-10-13 09:23:14 +02:00 · 218e4633a9
commit 218e4633a9
parent f7299da1e7
3 changed files with 54 additions and 0 deletions
--- a/app/controllers/france_connect/particulier_controller.rb
+++ b/app/controllers/france_connect/particulier_controller.rb
@ -1,5 +1,6 @@
 class FranceConnect::ParticulierController < ApplicationController
  before_action :redirect_to_login_if_fc_aborted, only: [:callback]
+  before_action :securely_retrieve_fci, only: [:merge]

  def login
    if FranceConnectService.enabled?
@ -42,6 +43,16 @@ class FranceConnect::ParticulierController < ApplicationController

  private

+  def securely_retrieve_fci
+    @fci = FranceConnectInformation.find_by(merge_token: merge_token_params)
+
+    if @fci.nil? || !@fci.valid_for_merge?
+      flash.alert = 'Votre compte FranceConnect a expiré, veuillez recommencer.'
+
+      redirect_to root_path
+    end
+  end
+
  def redirect_to_login_if_fc_aborted
    if params[:code].blank?
      redirect_to new_user_session_path
@ -64,4 +75,8 @@ class FranceConnect::ParticulierController < ApplicationController
    flash.alert = t('errors.messages.france_connect.connexion')
    redirect_to(new_user_session_path)
  end
+
+  def merge_token_params
+    params[:merge_token]
+  end
 end
--- a/app/views/france_connect/particulier/merge.html.haml
+++ b/app/views/france_connect/particulier/merge.html.haml
@ -3,3 +3,10 @@
 .container
  %h1.page-title Fusion des comptes FranceConnect et #{APPLICATION_NAME}

+  %p
+    Bonjour,
+    %br
+    %br
+    Votre compte FranceConnect utilise <b class='bold'>#{@fci.email_france_connect}</b> comme email de contact.
+    %br
+    Or il existe un compte sur #{APPLICATION_NAME} avec cet email.
--- a/spec/controllers/france_connect/particulier_controller_spec.rb
+++ b/spec/controllers/france_connect/particulier_controller_spec.rb
@ -135,4 +135,36 @@ describe FranceConnect::ParticulierController, type: :controller do
      it { expect(flash[:alert]).to be_present }
    end
  end
+
+  describe '#merge' do
+    let(:fci) { FranceConnectInformation.create!(user_info) }
+    let(:merge_token) { fci.create_merge_token! }
+
+    subject { get :merge, params: { merge_token: merge_token } }
+
+    context 'when the merge token is valid' do
+      it { expect(subject).to have_http_status(:ok) }
+    end
+
+    context 'when the merge token is invalid' do
+      before do
+        merge_token
+        fci.update(merge_token_created_at: 2.years.ago)
+      end
+
+      it do
+        expect(subject).to redirect_to root_path
+        expect(flash.alert).to eq('Votre compte FranceConnect a expiré, veuillez recommencer.')
+      end
+    end
+
+    context 'when the merge token does not exist' do
+      let(:merge_token) { 'i do not exist' }
+
+      it do
+        expect(subject).to redirect_to root_path
+        expect(flash.alert).to eq('Votre compte FranceConnect a expiré, veuillez recommencer.')
+      end
+    end
+  end
 end