fix: encode reset password email in param because it's rendered in view later

2024-02-27 18:46:06 +01:00 · 2024-02-27 18:46:06 +01:00 · 9db7b5b864
commit 9db7b5b864
parent 01d6ef3f60
3 changed files with 20 additions and 3 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -117,6 +117,10 @@ class ApplicationController < ActionController::Base
    "window.location.href='#{path}'"
  end

+  def message_verifier
+    @message_verifier ||= ActiveSupport::MessageVerifier.new(Rails.application.secret_key_base)
+  end
+
  protected

  def feature_enabled?(feature_name)
--- a/app/controllers/users/passwords_controller.rb
+++ b/app/controllers/users/passwords_controller.rb
@ -26,7 +26,7 @@ class Users::PasswordsController < Devise::PasswordsController
  # end

  def reset_link_sent
-    @email = params[:email]
+    @email = message_verifier.verify(params[:email], purpose: :reset_password) rescue nil
  end

  protected
@ -37,7 +37,8 @@ class Users::PasswordsController < Devise::PasswordsController

  def after_sending_reset_password_instructions_path_for(resource_name)
    flash.discard(:notice)
-    users_password_reset_link_sent_path(email: resource.email)
+    signed_email = message_verifier.generate(resource.email, purpose: :reset_password, expires_in: 1.hour)
+    users_password_reset_link_sent_path(email: signed_email)
  end

  def try_to_authenticate_instructeur
--- a/spec/controllers/users/passwords_controller_spec.rb
+++ b/spec/controllers/users/passwords_controller_spec.rb
@ -43,11 +43,23 @@ describe Users::PasswordsController, type: :controller do
    let(:email) { 'test@example.com' }

    it 'displays the page' do
-      get 'reset_link_sent', params: { email: email }
+      signed_email = controller.message_verifier.generate(email, purpose: :reset_password)
+
+      get 'reset_link_sent', params: { email: signed_email }

      expect(response).to have_http_status(:ok)
      expect(response).to render_template('reset_link_sent')
      expect(assigns(:email)).to eq email
    end
+
+    context 'when signed email is invalid' do
+      it "does not fail" do
+        get 'reset_link_sent', params: { email: "invalid.message" }
+
+        expect(response).to have_http_status(:ok)
+        expect(response).to render_template('reset_link_sent')
+        expect(assigns(:email)).to be_nil
+      end
+    end
  end
 end