avoid phishing

2021-12-15 13:44:12 +01:00 · 2021-12-15 13:44:12 +01:00 · c7f7855f14
commit c7f7855f14
parent 0e7a6f5acf
2 changed files with 23 additions and 1 deletions
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@ -19,7 +19,11 @@ class Users::SessionsController < Devise::SessionsController
  end

  def link_sent
-    @email = params[:email]
+    if Devise.email_regexp.match?(params[:email])
+      @email = params[:email]
+    else
+      redirect_to root_path
+    end
  end

  # DELETE /resource/sign_out
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
@ -221,4 +221,22 @@ describe Users::SessionsController, type: :controller do
      it { is_expected.to be true }
    end
  end
+
+  describe '#link_sent' do
+    render_views
+
+    before { get :link_sent, params: { email: link_email } }
+
+    context 'when the email is legit' do
+      let(:link_email) { 'a@a.com' }
+
+      it { expect(response.body).to include(link_email) }
+    end
+
+    context 'when the email is evil' do
+      let(:link_email) { 'Hello, I am an evil email' }
+
+      it { expect(response).to redirect_to(root_path) }
+    end
+  end
 end