securely retrieve fci

simon lehericey 2021-10-13 09:23:14 +02:00
parent f7299da1e7
commit 218e4633a9
3 changed files with 54 additions and 0 deletions


@ -1,5 +1,6 @@
class FranceConnect::ParticulierController < ApplicationController class FranceConnect::ParticulierController < ApplicationController
before_action :redirect_to_login_if_fc_aborted, only: [:callback] before_action :redirect_to_login_if_fc_aborted, only: [:callback]
before_action :securely_retrieve_fci, only: [:merge]
def login def login
if FranceConnectService.enabled? if FranceConnectService.enabled?
@ -42,6 +43,16 @@ class FranceConnect::ParticulierController < ApplicationController
private private
def securely_retrieve_fci
@fci = FranceConnectInformation.find_by(merge_token: merge_token_params)
if @fci.nil? || !@fci.valid_for_merge?
flash.alert = 'Votre compte FranceConnect a expiré, veuillez recommencer.'
redirect_to root_path
end
end
def redirect_to_login_if_fc_aborted def redirect_to_login_if_fc_aborted
if params[:code].blank? if params[:code].blank?
redirect_to new_user_session_path redirect_to new_user_session_path
@ -64,4 +75,8 @@ class FranceConnect::ParticulierController < ApplicationController
flash.alert = t('errors.messages.france_connect.connexion') flash.alert = t('errors.messages.france_connect.connexion')
redirect_to(new_user_session_path) redirect_to(new_user_session_path)
end end
def merge_token_params
params[:merge_token]
end
end end
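Review bot: `securely_retrieve_fci` hands `merge_token_params` to `find_by` without first checking that a token was supplied, so a request with no `merge_token` parameter becomes `find_by(merge_token: nil)` and will match any `FranceConnectInformation` row whose token column is NULL; whether `valid_for_merge?` (defined outside this hunk) rejects such a record cannot be seen here. Rejecting a blank token before the lookup keeps the guard independent of that model method, e.g. `@fci = merge_token_params.present? ? FranceConnectInformation.find_by(merge_token: merge_token_params) : nil`. Separately, the alert text on the `flash.alert = 'Votre compte FranceConnect a expiré, ...'` line is hard-coded while the sibling handler in the third hunk uses `t('errors.messages.france_connect.connexion')`; moving this message under the same locale namespace would keep the controller consistent (the spec in the third file asserts the literal string and would need the same change). The class body continues outside the visible hunks.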


@ -3,3 +3,10 @@
.container .container
%h1.page-title Fusion des comptes FranceConnect et #{APPLICATION_NAME} %h1.page-title Fusion des comptes FranceConnect et #{APPLICATION_NAME}
%p
Bonjour,
%br
%br
Votre compte FranceConnect utilise <b class='bold'>#{@fci.email_france_connect}</b> comme email de contact.
%br
Or il existe un compte sur #{APPLICATION_NAME} avec cet email.


@ -135,4 +135,36 @@ describe FranceConnect::ParticulierController, type: :controller do
it { expect(flash[:alert]).to be_present } it { expect(flash[:alert]).to be_present }
end end
end end
describe '#merge' do
let(:fci) { FranceConnectInformation.create!(user_info) }
let(:merge_token) { fci.create_merge_token! }
subject { get :merge, params: { merge_token: merge_token } }
context 'when the merge token is valid' do
it { expect(subject).to have_http_status(:ok) }
end
context 'when the merge token is invalid' do
before do
merge_token
fci.update(merge_token_created_at: 2.years.ago)
end
it do
expect(subject).to redirect_to root_path
expect(flash.alert).to eq('Votre compte FranceConnect a expiré, veuillez recommencer.')
end
end
context 'when the merge token does not exist' do
let(:merge_token) { 'i do not exist' }
it do
expect(subject).to redirect_to root_path
expect(flash.alert).to eq('Votre compte FranceConnect a expiré, veuillez recommencer.')
end
end
end
end end
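Review bot: The new `describe '#merge'` block covers a valid, an expired and a non-existent token but not a request where `merge_token` is absent, which is the case most likely to hit a NULL-token row through `find_by(merge_token: nil)` in the controller; a fourth context pinning the redirect for a missing token would close that gap. It can reuse the existing `subject` by overriding `merge_token`, as the "does not exist" context already does.
```ruby
context 'when the merge token is missing' do
  let(:merge_token) { nil }
  it { expect(subject).to redirect_to root_path }
end
```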