fix(associate_user.with_existing_one): does not leak existing email when trying to choose an alternative email with france connect
This commit is contained in:
parent
b6d0502f39
commit
c0970693f3
4 changed files with 13 additions and 20 deletions
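--- a/PATH-NOT-SHOWN-ON-PAGE/particulier_controller
+++ b/PATH-NOT-SHOWN-ON-PAGE/particulier_controller
@@ -61,7 +61,10 @@ class FranceConnect::ParticulierController < ApplicationController
 render :confirmation_sent, locals: { email:, destination_path: destination_path(user) }
 rescue ActiveRecord::RecordInvalid => e
 if e.record.errors.where(:email, :taken)
-redirect_to new_user_session_path, alert: t('errors.messages.france_connect.email_taken', reset_link: new_user_password_path)
+user = User.find_by(email: e.record.email)
+@fci.send_custom_confirmation_instructions(user)
+@fci.delete_merge_token!
+render :confirmation_sent, locals: { email: user.email, destination_path: destination_path(user) }
 else
 redirect_to new_user_session_path, alert: t('errors.messages.france_connect.unknown_error')
 end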
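Review bot: The retained condition `if e.record.errors.where(:email, :taken)` is always true, because `errors.where` returns an array and every array, including an empty one, is truthy in Ruby, so the `unknown_error` branch is unreachable and any other validation failure now enters the taken-email path, where `User.find_by` can return nil and `user.email` / `destination_path(user)` would raise. Change it to `if e.record.errors.where(:email, :taken).any?` (or `e.record.errors.added?(:email, :taken)`) and guard the lookup, e.g. `user = User.find_by(email: e.record.email)` followed by `if user` so a nil result still falls through to the unknown-error redirect. The new branch deserves a comment stating why it mirrors the success path, e.g. `# Respond exactly like the success path so the response does not reveal whether this email already has an account.`, since that is the invariant a future edit must not break. The same truthiness assumption is what lets the spec fixture in the last hunk of the spec file pass with an unvalidated `build(:user, email:)` whose errors are empty. The action containing this rescue begins outside the hunk.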
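--- a/PATH-NOT-SHOWN-ON-PAGE/en-locale
+++ b/PATH-NOT-SHOWN-ON-PAGE/en-locale
@@ -752,7 +752,6 @@ en:
 france_connect:
 connexion: "Error trying to connect to France Connect."
 forbidden_html: "Only citizen can use FranceConnect. As an instructor or administrator, you should <a href='%{reset_link}'>reset your password</a>."
-email_taken: "This email is already in use. You should <a href='%{reset_link}'>reset your password</a>."
 unknown_error: "An error occured, please retry."
 evil_regexp: The regular expression you have entered is potentially dangerous and could lead to performance issues.
 mismatch_regexp: The provided example must match the regular expression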
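--- a/PATH-NOT-SHOWN-ON-PAGE/fr-locale
+++ b/PATH-NOT-SHOWN-ON-PAGE/fr-locale
@@ -757,7 +757,6 @@ fr:
 france_connect:
 connexion: "Erreur lors de la connexion à France Connect."
 forbidden_html: "Seul-e-s les usagers peuvent se connecter via France Connect. En tant qu’instructeur ou administrateur, nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>."
-email_taken: "Cet email est déjà utilisé. Nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>."
 unknown_error: "Une erreure est survenue. Veuillez réessayer."
 evil_regexp: L'expression régulière que vous avez entrée est potentiellement dangereuse et pourrait entraîner des problèmes de performance
 mismatch_regexp: L'exemple doit correspondre à l'expression régulière fournie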
@ -187,19 +187,6 @@ describe FranceConnect::ParticulierController, type: :controller do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when association fails due to taken email' do
|
|
||||||
before do
|
|
||||||
allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(User.new))
|
|
||||||
allow_any_instance_of(User).to receive_message_chain(:errors, :where).and_return(['Some error'])
|
|
||||||
end
|
|
||||||
|
|
||||||
it 'redirects to new user session path with taken email alert' do
|
|
||||||
subject
|
|
||||||
expect(response).to redirect_to(new_user_session_path)
|
|
||||||
expect(flash[:alert]).to eq(I18n.t('errors.messages.france_connect.email_taken', reset_link: new_user_password_path))
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'when association fails due to unknown error' do
|
context 'when association fails due to unknown error' do
|
||||||
let(:user) { User.new }
|
let(:user) { User.new }
|
||||||
let(:error) { ActiveRecord::RecordInvalid.new(user) }
|
let(:error) { ActiveRecord::RecordInvalid.new(user) }
|
||||||
|
@ -297,14 +284,13 @@ describe FranceConnect::ParticulierController, type: :controller do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when associating the user conflict with existing one' do
|
context 'when associate_user uses an email of an existing user' do
|
||||||
let(:fci) { instance_double('FranceConnectInformation') }
|
let(:fci) { instance_double('FranceConnectInformation') }
|
||||||
let(:email) { 'user@example.com' }
|
let(:email) { 'user@example.com' }
|
||||||
let(:user) { instance_double('User', id: 1) }
|
let(:user) { instance_double('User', id: 1) }
|
||||||
let(:destination_path) { '/' }
|
let(:destination_path) { '/' }
|
||||||
|
let(:existing_user) { create(:user, email:) }
|
||||||
before do
|
before do
|
||||||
create(:user, email:)
|
|
||||||
invalid_user = build(:user, email:)
|
invalid_user = build(:user, email:)
|
||||||
allow(FranceConnectInformation).to receive(:find_by).with(merge_token: merge_token).and_return(fci)
|
allow(FranceConnectInformation).to receive(:find_by).with(merge_token: merge_token).and_return(fci)
|
||||||
allow(fci).to receive(:valid_for_merge?).and_return(true)
|
allow(fci).to receive(:valid_for_merge?).and_return(true)
|
||||||
|
@ -313,7 +299,13 @@ describe FranceConnect::ParticulierController, type: :controller do
|
||||||
allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(invalid_user))
|
allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(invalid_user))
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'fails' do
|
it 'sends confirmation to existing user' do
|
||||||
|
expect(controller).to receive(:render).with(
|
||||||
|
:confirmation_sent,
|
||||||
|
locals: { email: email, destination_path: destination_path }
|
||||||
|
)
|
||||||
|
expect(fci).to receive(:send_custom_confirmation_instructions).with(existing_user)
|
||||||
|
expect(fci).to receive(:delete_merge_token!)
|
||||||
subject
|
subject
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
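Review bot: The fixture in the last hunk raises `ActiveRecord::RecordInvalid.new(invalid_user)` with an unvalidated `build(:user, email:)`, so `invalid_user.errors` is empty and the controller's taken-email branch is reached only because an empty `errors.where` result is truthy; the example does not prove that a genuine `:taken` error is handled. Add `invalid_user.errors.add(:email, :taken)` in the `before` block ahead of the `and_raise` so the stub carries the condition the controller checks for. A companion example whose record carries a different error and expects the `unknown_error` redirect would pin the other branch; the retained 'when association fails due to unknown error' context may already do that, but its body lies outside the hunks so that cannot be confirmed here. The enclosing describe block starts outside these hunks.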