the merge_token issued for password check can be reused for the confirmation by email route

Thus bypassing either the password check or the email possession check.
simon lehericey 2024-01-10 21:09:57 +01:00
parent 4c7b494c9d
commit 65aa07ecbe


@ -340,6 +340,8 @@ describe FranceConnect::ParticulierController, type: :controller do
context 'when an account with the same email exists' do context 'when an account with the same email exists' do
let!(:user) { create(:user, email: email) } let!(:user) { create(:user, email: email) }
before { allow(controller).to receive(:sign_in).and_call_original }
render_views render_views
it 'asks for the corresponding password' do it 'asks for the corresponding password' do
@ -352,6 +354,15 @@ describe FranceConnect::ParticulierController, type: :controller do
expect(response.body).to include('entrez votre mot de passe') expect(response.body).to include('entrez votre mot de passe')
end end
it 'cannot use the merge token in the email confirmation route' do
subject
fci.reload
get :mail_merge_with_existing_account, params: { merge_token: fci.merge_token }
expect(controller).not_to have_received(:sign_in)
expect(flash[:alert]).to be_present
end
end end
end end
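Review bot: The new example ('cannot use the merge token in the email confirmation route') only asserts the negative outcome — `sign_in` not received and a flash alert present — so a request that falls through to a 200 render or redirects somewhere unintended would still pass; pin the response as well, e.g. `expect(response).to redirect_to(<expected path>)` with the route the controller actually uses. The reverse direction is not covered: a token issued for the email-possession route being presented to the password-check route. If the two tokens are distinguished server-side, a symmetric example in the sibling context would guard both ends of the fix rather than one. `fci` and the enclosing describe block are defined outside the hunk, and the added `before { allow(controller).to receive(:sign_in).and_call_original }` now applies to every example in the context — worth a short comment such as `# spy on sign_in so examples can assert it is never called`.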