refactor(file retrieval): use ciphered query params instead of cookie to move email

This commit is contained in:
simon lehericey 2024-03-15 14:20:31 +01:00
parent 7e6792c616
commit ce3a156a46
3 changed files with 15 additions and 8 deletions

View file

@ -18,15 +18,17 @@ class RecoveriesController < ApplicationController
end
def post_identification
# cookies are used to avoid leaking
# email in url
cookies[:recover_previous_email] = previous_email
# cipher previous_user email
# to avoid leaks in the url
ciphered_email = cipher(previous_email)
redirect_to selection_recovery_path
redirect_to selection_recovery_path(ciphered_email:)
end
def selection
previous_user = User.find_by(email: cookies[:recover_previous_email])
@previous_email = uncipher(params[:ciphered_email])
previous_user = User.find_by(email: @previous_email)
@recoverables = RecoveryService
.recoverable_procedures(previous_user:, siret:)
@ -35,7 +37,7 @@ class RecoveriesController < ApplicationController
end
def post_selection
previous_user = User.find_by(email: cookies[:recover_previous_email])
previous_user = User.find_by(email: previous_email)
RecoveryService.recover_procedure!(previous_user:,
next_user: current_user,
@ -58,6 +60,9 @@ class RecoveriesController < ApplicationController
def previous_email = params[:previous_email]
def procedure_ids = params[:procedure_ids].map(&:to_i)
def cipher(email) = message_verifier.generate(email, purpose: :agent_files_recovery, expires_in: 1.hour)
def uncipher(email) = message_verifier.verified(email, purpose: :agent_files_recovery) rescue nil
def structure_name
# we know that the structure exists because
# of the ensure_collectivite_territoriale guard

View file

@ -16,4 +16,5 @@
= check_box_tag 'procedure_ids[]', procedure_id, false, class: 'fr-checkbox', id: procedure_id
= label_tag procedure_id, libelle, class: 'fr-label'
= hidden_field_tag 'previous_email', @previous_email
%button.fr-btn{ disabled: true, data: { 'enable-submit-if-checked-target': 'submit' } } Continuer

View file

@ -100,8 +100,9 @@ describe RecoveriesController, type: :controller do
subject { post :post_identification, params: { previous_email: 'email@a.com' } }
it do
is_expected.to redirect_to(selection_recovery_path)
expect(cookies[:recover_previous_email]).to eq('email@a.com')
response = subject
expect(response).to have_http_status(:redirect)
expect(response.location).to start_with(selection_recovery_url)
end
end