fix(associate_user.with_existing_one): does not leak existing email when trying to choose an alternative email with france connect

This commit is contained in:
mfo 2024-07-26 14:04:23 +02:00 committed by Kara Diaby
parent b6d0502f39
commit c0970693f3
No known key found for this signature in database
GPG key ID: C4D1B0CF9F24D759
4 changed files with 13 additions and 20 deletions

View file

@ -61,7 +61,10 @@ class FranceConnect::ParticulierController < ApplicationController
render :confirmation_sent, locals: { email:, destination_path: destination_path(user) } render :confirmation_sent, locals: { email:, destination_path: destination_path(user) }
rescue ActiveRecord::RecordInvalid => e rescue ActiveRecord::RecordInvalid => e
if e.record.errors.where(:email, :taken) if e.record.errors.where(:email, :taken)
redirect_to new_user_session_path, alert: t('errors.messages.france_connect.email_taken', reset_link: new_user_password_path) user = User.find_by(email: e.record.email)
@fci.send_custom_confirmation_instructions(user)
@fci.delete_merge_token!
render :confirmation_sent, locals: { email: user.email, destination_path: destination_path(user) }
else else
redirect_to new_user_session_path, alert: t('errors.messages.france_connect.unknown_error') redirect_to new_user_session_path, alert: t('errors.messages.france_connect.unknown_error')
end end

View file

@ -752,7 +752,6 @@ en:
france_connect: france_connect:
connexion: "Error trying to connect to France Connect." connexion: "Error trying to connect to France Connect."
forbidden_html: "Only citizen can use FranceConnect. As an instructor or administrator, you should <a href='%{reset_link}'>reset your password</a>." forbidden_html: "Only citizen can use FranceConnect. As an instructor or administrator, you should <a href='%{reset_link}'>reset your password</a>."
email_taken: "This email is already in use. You should <a href='%{reset_link}'>reset your password</a>."
unknown_error: "An error occured, please retry." unknown_error: "An error occured, please retry."
evil_regexp: The regular expression you have entered is potentially dangerous and could lead to performance issues. evil_regexp: The regular expression you have entered is potentially dangerous and could lead to performance issues.
mismatch_regexp: The provided example must match the regular expression mismatch_regexp: The provided example must match the regular expression

View file

@ -757,7 +757,6 @@ fr:
france_connect: france_connect:
connexion: "Erreur lors de la connexion à France Connect." connexion: "Erreur lors de la connexion à France Connect."
forbidden_html: "Seul-e-s les usagers peuvent se connecter via France Connect. En tant quinstructeur ou administrateur, nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>." forbidden_html: "Seul-e-s les usagers peuvent se connecter via France Connect. En tant quinstructeur ou administrateur, nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>."
email_taken: "Cet email est déjà utilisé. Nous vous invitons à <a href='%{reset_link}'>réininitialiser votre mot de passe</a>."
unknown_error: "Une erreure est survenue. Veuillez réessayer." unknown_error: "Une erreure est survenue. Veuillez réessayer."
evil_regexp: L'expression régulière que vous avez entrée est potentiellement dangereuse et pourrait entraîner des problèmes de performance evil_regexp: L'expression régulière que vous avez entrée est potentiellement dangereuse et pourrait entraîner des problèmes de performance
mismatch_regexp: L'exemple doit correspondre à l'expression régulière fournie mismatch_regexp: L'exemple doit correspondre à l'expression régulière fournie

View file

@ -187,19 +187,6 @@ describe FranceConnect::ParticulierController, type: :controller do
end end
end end
context 'when association fails due to taken email' do
before do
allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(User.new))
allow_any_instance_of(User).to receive_message_chain(:errors, :where).and_return(['Some error'])
end
it 'redirects to new user session path with taken email alert' do
subject
expect(response).to redirect_to(new_user_session_path)
expect(flash[:alert]).to eq(I18n.t('errors.messages.france_connect.email_taken', reset_link: new_user_password_path))
end
end
context 'when association fails due to unknown error' do context 'when association fails due to unknown error' do
let(:user) { User.new } let(:user) { User.new }
let(:error) { ActiveRecord::RecordInvalid.new(user) } let(:error) { ActiveRecord::RecordInvalid.new(user) }
@ -297,14 +284,13 @@ describe FranceConnect::ParticulierController, type: :controller do
end end
end end
context 'when associating the user conflict with existing one' do context 'when associate_user uses an email of an existing user' do
let(:fci) { instance_double('FranceConnectInformation') } let(:fci) { instance_double('FranceConnectInformation') }
let(:email) { 'user@example.com' } let(:email) { 'user@example.com' }
let(:user) { instance_double('User', id: 1) } let(:user) { instance_double('User', id: 1) }
let(:destination_path) { '/' } let(:destination_path) { '/' }
let(:existing_user) { create(:user, email:) }
before do before do
create(:user, email:)
invalid_user = build(:user, email:) invalid_user = build(:user, email:)
allow(FranceConnectInformation).to receive(:find_by).with(merge_token: merge_token).and_return(fci) allow(FranceConnectInformation).to receive(:find_by).with(merge_token: merge_token).and_return(fci)
allow(fci).to receive(:valid_for_merge?).and_return(true) allow(fci).to receive(:valid_for_merge?).and_return(true)
@ -313,7 +299,13 @@ describe FranceConnect::ParticulierController, type: :controller do
allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(invalid_user)) allow(fci).to receive(:associate_user!).and_raise(ActiveRecord::RecordInvalid.new(invalid_user))
end end
it 'fails' do it 'sends confirmation to existing user' do
expect(controller).to receive(:render).with(
:confirmation_sent,
locals: { email: email, destination_path: destination_path }
)
expect(fci).to receive(:send_custom_confirmation_instructions).with(existing_user)
expect(fci).to receive(:delete_merge_token!)
subject subject
end end
end end