Merge pull request #3249 from betagouv/add_missing_login_test

Add missing login test
2019-01-07 08:52:38 +01:00 · 2019-01-07 08:52:38 +01:00 · fcc76c1d36
commit fcc76c1d36
parent 67e92ffa17 7b935a6486
3 changed files with 26 additions and 2 deletions
--- a/app/models/gestionnaire.rb
+++ b/app/models/gestionnaire.rb
@ -3,6 +3,8 @@ class Gestionnaire < ApplicationRecord
  include EmailSanitizableConcern
  include ActiveRecord::SecureToken

+  LOGIN_TOKEN_VALIDITY = 30.minutes
+
  devise :database_authenticatable, :registerable, :async,
    :recoverable, :rememberable, :trackable, :validatable

@ -141,7 +143,7 @@ class Gestionnaire < ApplicationRecord

  def login_token_valid?(login_token)
    BCrypt::Password.new(encrypted_login_token) == login_token &&
-      30.minutes.ago < login_token_created_at
+      LOGIN_TOKEN_VALIDITY.ago < login_token_created_at
  rescue BCrypt::Errors::InvalidHash
    false
  end
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
@ -253,13 +253,15 @@ describe Users::SessionsController, type: :controller do
  describe '#sign_in_by_link' do
    context 'when the gestionnaire has non other account' do
      let(:gestionnaire) { create(:gestionnaire) }
+      let!(:good_jeton) { gestionnaire.login_token! }
+
      before do
        allow(controller).to receive(:trust_device)
        post :sign_in_by_link, params: { id: gestionnaire.id, jeton: jeton }
      end

      context 'when the token is valid' do
-        let(:jeton) { gestionnaire.login_token! }
+        let(:jeton) { good_jeton }

        # TODO when the gestionnaire has no other account, and the token is valid, and the user signing in was not starting a demarche,
        # redirect to root_path, then redirect to gestionnaire_procedures_path (see root_controller)
--- a/spec/models/gestionnaire_spec.rb
+++ b/spec/models/gestionnaire_spec.rb
@ -393,6 +393,26 @@ describe Gestionnaire, type: :model do
    end
  end

+  describe '#login_token_valid?' do
+    let!(:gestionnaire) { create(:gestionnaire) }
+    let!(:good_token) { gestionnaire.login_token! }
+
+    it { expect(gestionnaire.login_token_valid?(good_token)).to be true }
+    it { expect(gestionnaire.login_token_valid?('bad_token')).to be false }
+
+    context 'when the token as expired' do
+      before { gestionnaire.update(login_token_created_at: (Gestionnaire::LOGIN_TOKEN_VALIDITY + 1.minute).ago) }
+
+      it { expect(gestionnaire.login_token_valid?(good_token)).to be false }
+    end
+
+    context 'when the gestionnaire does not have a token' do
+      before { gestionnaire.update(encrypted_login_token: nil) }
+
+      it { expect(gestionnaire.login_token_valid?(nil)).to be false }
+    end
+  end
+
  private

  def assign(procedure_to_assign)