Merge pull request #3270 from betagouv/fix_3269_multiple_login_emails

[fix #3269] bufferize login token email
2019-01-10 13:23:33 +01:00 · 2019-01-10 13:23:33 +01:00 · c8560d4c3d
commit c8560d4c3d
parent 3e149e7c8e e55fe2bb91
5 changed files with 81 additions and 19 deletions
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@ -30,8 +30,8 @@ class Users::SessionsController < Sessions::SessionsController
        redirect_to after_sign_in_path_for(:user)
      else
        gestionnaire = current_gestionnaire
-        login_token = gestionnaire.login_token!
-        GestionnaireMailer.send_login_token(gestionnaire, login_token).deliver_later
+
+        send_login_token_or_bufferize(gestionnaire)

        [:user, :gestionnaire, :administrateur].each { |role| sign_out(role) }

@ -103,6 +103,13 @@ class Users::SessionsController < Sessions::SessionsController

  private

+  def send_login_token_or_bufferize(gestionnaire)
+    if !gestionnaire.young_login_token?
+      login_token = gestionnaire.login_token!
+      GestionnaireMailer.send_login_token(gestionnaire, login_token).deliver_later
+    end
+  end
+
  def error_procedure
    session["user_return_to"] = nil
    flash.alert = t('errors.messages.procedure_not_found')
--- a/app/models/gestionnaire.rb
+++ b/app/models/gestionnaire.rb
@ -3,7 +3,8 @@ class Gestionnaire < ApplicationRecord
  include EmailSanitizableConcern
  include ActiveRecord::SecureToken

-  LOGIN_TOKEN_VALIDITY = 30.minutes
+  LOGIN_TOKEN_VALIDITY = 45.minutes
+  LOGIN_TOKEN_YOUTH = 15.minutes

  devise :database_authenticatable, :registerable, :async,
    :recoverable, :rememberable, :trackable, :validatable
@ -211,6 +212,11 @@ class Gestionnaire < ApplicationRecord
    save
  end

+  def young_login_token?
+    login_token_created_at.present? &&
+      LOGIN_TOKEN_YOUTH.ago < login_token_created_at
+  end
+
  private

  def annotations_hash(demande, annotations_privees, avis, messagerie)
--- a/app/views/users/sessions/link_sent.html.haml
+++ b/app/views/users/sessions/link_sent.html.haml
@ -9,6 +9,9 @@

  %p.mail
    Ouvrez votre boite email <b>#{@email}</b> puis cliquez sur le lien d'activation du message <b>Connexion sécurisée à demarches-simplifiees.fr</b>.
+    %br
+    %br
+    <b>Attention</b>, ce message peut mettre jusqu'à <b>15 minutes</b> pour arriver.

  %p.help
    En cas de difficultés, nous restons joignables sur #{link_to 'contact@demarches-simplifiees.fr', 'mailto:contact@demarches-simplifiees.fr'}.
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
@ -17,6 +17,10 @@ describe Users::SessionsController, type: :controller do

      before do
        allow(controller).to receive(:trusted_device?).and_return(trusted_device)
+        allow(GestionnaireMailer).to receive(:send_login_token).and_return(double(deliver_later: true))
+      end
+
+      subject do
        post :create, params: { user: { email: email, password: send_password } }
        user.reload
      end
@ -25,28 +29,47 @@ describe Users::SessionsController, type: :controller do
        let(:trusted_device) { false }

        it 'redirects to the confirmation link path' do
-          expect(subject).to redirect_to link_sent_path(email: email)
+          subject
+
+          expect(controller).to redirect_to link_sent_path(email: email)

          # do not know why, should be test related
-          expect(subject.current_user).to eq(user)
+          expect(controller.current_user).to eq(user)

-          expect(subject.current_gestionnaire).to be(nil)
-          expect(subject.current_administrateur).to be(nil)
-          expect(user.reload.loged_in_with_france_connect).to be(nil)
+          expect(controller.current_gestionnaire).to be(nil)
+          expect(controller.current_administrateur).to be(nil)
+          expect(user.loged_in_with_france_connect).to be(nil)
+          expect(GestionnaireMailer).to have_received(:send_login_token)
+        end
+
+        context 'and the user try to connect multiple times in a short period' do
+          before do
+            allow_any_instance_of(Gestionnaire).to receive(:young_login_token?).and_return(true)
+            allow(GestionnaireMailer).to receive(:send_login_token)
+          end
+
+          it 'does not renew nor send a new login token' do
+            subject
+
+            expect(GestionnaireMailer).not_to have_received(:send_login_token)
+          end
        end
      end

      context 'when the device is trusted' do
        it 'signs in as user, gestionnaire and adminstrateur' do
-          expect(@response.redirect?).to be(true)
-          expect(subject).not_to redirect_to link_sent_path(email: email)
-          # TODO when signing in as non-administrateur, and not starting a demarche, log in to gestionnaire path
-          # expect(subject).to redirect_to gestionnaire_procedures_path
+          subject

-          expect(subject.current_user).to eq(user)
-          expect(subject.current_gestionnaire).to eq(gestionnaire)
-          expect(subject.current_administrateur).to eq(administrateur)
+          expect(response.redirect?).to be(true)
+          expect(controller).not_to redirect_to link_sent_path(email: email)
+          # TODO when signing in as non-administrateur, and not starting a demarche, log in to gestionnaire path
+          # expect(controller).to redirect_to gestionnaire_procedures_path
+
+          expect(controller.current_user).to eq(user)
+          expect(controller.current_gestionnaire).to eq(gestionnaire)
+          expect(controller.current_administrateur).to eq(administrateur)
          expect(user.loged_in_with_france_connect).to be(nil)
+          expect(GestionnaireMailer).not_to have_received(:send_login_token)
        end
      end

@ -54,10 +77,12 @@ describe Users::SessionsController, type: :controller do
        let(:send_password) { 'wrong_password' }

        it 'fails to sign in with bad credentials' do
-          expect(@response.unauthorized?).to be(true)
-          expect(subject.current_user).to be(nil)
-          expect(subject.current_gestionnaire).to be(nil)
-          expect(subject.current_administrateur).to be(nil)
+          subject
+
+          expect(response.unauthorized?).to be(true)
+          expect(controller.current_user).to be(nil)
+          expect(controller.current_gestionnaire).to be(nil)
+          expect(controller.current_administrateur).to be(nil)
        end
      end
    end
--- a/spec/models/gestionnaire_spec.rb
+++ b/spec/models/gestionnaire_spec.rb
@ -412,6 +412,27 @@ describe Gestionnaire, type: :model do
    end
  end

+  describe '#young_login_token?' do
+    let!(:gestionnaire) { create(:gestionnaire) }
+
+    context 'when there is a token' do
+      let!(:good_token) { gestionnaire.login_token! }
+
+      context 'when the token has just been created' do
+        it { expect(gestionnaire.young_login_token?).to be true }
+      end
+
+      context 'when the token is a bit old' do
+        before { gestionnaire.update(login_token_created_at: (Gestionnaire::LOGIN_TOKEN_YOUTH + 1.minute).ago) }
+        it { expect(gestionnaire.young_login_token?).to be false }
+      end
+    end
+
+    context 'when there are no token' do
+      it { expect(gestionnaire.young_login_token?).to be false }
+    end
+  end
+
  private

  def assign(procedure_to_assign)