fix(associate_user.with_existing_one): does not leak existing email when trying to choose an alternative email with france connect

2024-07-26 14:04:23 +02:00 · 2024-07-26 14:04:23 +02:00 · c0970693f3
commit c0970693f3
parent b6d0502f39
4 changed files with 13 additions and 20 deletions
--- a/app/controllers/france_connect/particulier_controller.rb
+++ b/app/controllers/france_connect/particulier_controller.rb
@ -61,7 +61,10 @@ class FranceConnect::ParticulierController < ApplicationController
    render :confirmation_sent, locals: { email:, destination_path: destination_path(user) }
  rescue ActiveRecord::RecordInvalid => e
    if e.record.errors.where(:email, :taken)
-      redirect_to new_user_session_path, alert: t('errors.messages.france_connect.email_taken', reset_link: new_user_password_path)
+      user = User.find_by(email: e.record.email)
+      @fci.send_custom_confirmation_instructions(user)
+      @fci.delete_merge_token!
+      render :confirmation_sent, locals: { email: user.email, destination_path: destination_path(user) }
    else
      redirect_to new_user_session_path, alert: t('errors.messages.france_connect.unknown_error')
    end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -752,7 +752,6 @@ en:
      france_connect:
        connexion: "Error trying to connect to France Connect."
        forbidden_html: "Only citizen can use FranceConnect. As an instructor or administrator, you should <a href='%{reset_link}'>reset your password</a>."
-        email_taken: "This email is already in use. You should <a href='%{reset_link}'>reset your password</a>."
        unknown_error: "An error occured, please retry."
      evil_regexp: The regular expression you have entered is potentially dangerous and could lead to performance issues.
      mismatch_regexp: The provided example must match the regular expression
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@ -757,7 +757,6 @@ fr:
      france_connect:
        connexion: "Erreur lors de la connexion à France Connect."
        forbidden_html: "Seul-e-s les usagers peuvent se connecter via France Connect. En tant qu’instructeur ou administrateur, nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>."
-        email_taken: "Cet email est déjà utilisé. Nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>."
        unknown_error: "Une erreure est survenue. Veuillez réessayer."
      evil_regexp: L'expression régulière que vous avez entrée est potentiellement dangereuse et pourrait entraîner des problèmes de performance
      mismatch_regexp: L'exemple doit correspondre à l'expression régulière fournie
--- a/spec/controllers/france_connect/particulier_controller_spec.rb
+++ b/spec/controllers/france_connect/particulier_controller_spec.rb
@ -187,19 +187,6 @@ describe FranceConnect::ParticulierController, type: :controller do
        end
      end

-      context 'when association fails due to taken email' do
-        before do
-          allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(User.new))
-          allow_any_instance_of(User).to receive_message_chain(:errors, :where).and_return(['Some error'])
-        end
-
-        it 'redirects to new user session path with taken email alert' do
-          subject
-          expect(response).to redirect_to(new_user_session_path)
-          expect(flash[:alert]).to eq(I18n.t('errors.messages.france_connect.email_taken', reset_link: new_user_password_path))
-        end
-      end
-
      context 'when association fails due to unknown error' do
        let(:user) { User.new }
        let(:error) { ActiveRecord::RecordInvalid.new(user) }
@ -297,14 +284,13 @@ describe FranceConnect::ParticulierController, type: :controller do
      end
    end

-    context 'when associating the user conflict with existing one' do
+    context 'when associate_user uses an email of an existing user' do
      let(:fci) { instance_double('FranceConnectInformation') }
      let(:email) { 'user@example.com' }
      let(:user) { instance_double('User', id: 1) }
      let(:destination_path) { '/' }
-
+      let(:existing_user) { create(:user, email:) }
      before do
-        create(:user, email:)
        invalid_user = build(:user, email:)
        allow(FranceConnectInformation).to receive(:find_by).with(merge_token: merge_token).and_return(fci)
        allow(fci).to receive(:valid_for_merge?).and_return(true)
@ -313,7 +299,13 @@ describe FranceConnect::ParticulierController, type: :controller do
        allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(invalid_user))
      end

-      it 'fails' do
+      it 'sends confirmation to existing user' do
+        expect(controller).to receive(:render).with(
+          :confirmation_sent,
+          locals: { email: email, destination_path: destination_path }
+        )
+        expect(fci).to receive(:send_custom_confirmation_instructions).with(existing_user)
+        expect(fci).to receive(:delete_merge_token!)
        subject
      end
    end