fix: encode reset password email in param because it's rendered in view later

This commit is contained in:
Colin Darie 2024-02-27 18:46:06 +01:00
parent 01d6ef3f60
commit 9db7b5b864
No known key found for this signature in database
GPG key ID: 8C76CADD40253590
3 changed files with 20 additions and 3 deletions


@ -117,6 +117,10 @@ class ApplicationController < ActionController::Base
"window.location.href='#{path}'"
end
def message_verifier
@message_verifier ||= ActiveSupport::MessageVerifier.new(Rails.application.secret_key_base)
end
protected
def feature_enabled?(feature_name)
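Review bot: `message_verifier` is defined above the `protected` marker, so it becomes a public instance method of every controller and thus part of their action method set (reachable only if a route points at it, but still a wider surface than a helper needs); it appears to be public only so the spec can call `controller.message_verifier`. Prefer the framework's `Rails.application.message_verifier(:reset_password)`, which derives a purpose-specific key from `secret_key_base` via the key generator instead of handing the raw secret to `ActiveSupport::MessageVerifier.new`, is memoized by Rails, and can be called from the spec directly so the controller helper can sit below `protected`. ApplicationController continues outside the hunk.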


@ -26,7 +26,7 @@ class Users::PasswordsController < Devise::PasswordsController
# end
def reset_link_sent
@email = params[:email]
@email = message_verifier.verify(params[:email], purpose: :reset_password) rescue nil
end
protected
@ -37,7 +37,8 @@ class Users::PasswordsController < Devise::PasswordsController
def after_sending_reset_password_instructions_path_for(resource_name)
flash.discard(:notice)
users_password_reset_link_sent_path(email: resource.email)
signed_email = message_verifier.generate(resource.email, purpose: :reset_password, expires_in: 1.hour)
users_password_reset_link_sent_path(email: signed_email)
end
def try_to_authenticate_instructeur
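Review bot: The `rescue nil` modifier on `@email = message_verifier.verify(params[:email], purpose: :reset_password) rescue nil` swallows every StandardError, not only `ActiveSupport::MessageVerifier::InvalidSignature`, so an unrelated failure (a misconfigured secret, for instance) is silently rendered as a blank email instead of surfacing. `MessageVerifier#verified` already returns nil for a tampered, wrong-purpose or expired message: `@email = message_verifier.verified(params[:email], purpose: :reset_password)`. The `expires_in: 1.hour` set in the second hunk is honoured by either call. Both methods belong to a class that continues outside the hunks.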


@ -43,11 +43,23 @@ describe Users::PasswordsController, type: :controller do
let(:email) { 'test@example.com' }
it 'displays the page' do
get 'reset_link_sent', params: { email: email }
signed_email = controller.message_verifier.generate(email, purpose: :reset_password)
get 'reset_link_sent', params: { email: signed_email }
expect(response).to have_http_status(:ok)
expect(response).to render_template('reset_link_sent')
expect(assigns(:email)).to eq email
end
context 'when signed email is invalid' do
it "does not fail" do
get 'reset_link_sent', params: { email: "invalid.message" }
expect(response).to have_http_status(:ok)
expect(response).to render_template('reset_link_sent')
expect(assigns(:email)).to be_nil
end
end
end
end
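Review bot: The new examples cover a valid and a malformed token but not an expired one, although the controller now generates the parameter with `expires_in: 1.hour`; without that case the expiry path is unverified. A context that signs the email with `expires_at: 1.hour.ago` and expects `assigns(:email)` to be nil exercises it without time travel helpers. The `describe` block starts outside the hunk.
```ruby
context 'when signed email is expired' do
  it 'does not expose the email' do
    signed_email = controller.message_verifier.generate(email, purpose: :reset_password, expires_at: 1.hour.ago)
    get 'reset_link_sent', params: { email: signed_email }
    expect(response).to have_http_status(:ok)
    expect(assigns(:email)).to be_nil
  end
end
```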