QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-07 22:34:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c4824bf34dd2e5f9f7cd2ef22b857644c19b4121
sure/test/controllers/password_resets_controller_test.rb

91 lines
3.3 KiB
Ruby
Raw Blame History

require "test_helper"
class PasswordResetsControllerTest < ActionDispatch::IntegrationTest
setup do
@user = users(:family_admin)
end
test "new" do
get new_password_reset_path
assert_response :ok
end
test "create" do
assert_enqueued_emails 1 do
post password_reset_path, params: { email: @user.email }
assert_redirected_to new_password_reset_url(step: "pending")
end
end
test "edit" do
get edit_password_reset_path(token: @user.generate_token_for(:password_reset))
assert_response :ok
end
test "update" do
patch password_reset_path(token: @user.generate_token_for(:password_reset)),
params: { user: { password: "password", password_confirmation: "password" } }
assert_redirected_to new_session_url
end
test "all actions redirect when password features are disabled" do
AuthConfig.stubs(:password_features_enabled?).returns(false)
get new_password_reset_path
assert_redirected_to new_session_path
assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
post password_reset_path, params: { email: @user.email }
assert_redirected_to new_session_path
assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
get edit_password_reset_path(token: @user.generate_token_for(:password_reset))
assert_redirected_to new_session_path
assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
patch password_reset_path(token: @user.generate_token_for(:password_reset)),
params: { user: { password: "password", password_confirmation: "password" } }
assert_redirected_to new_session_path
assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
end
# Security: SSO-only users should not receive password reset emails
test "create does not send email for SSO-only user" do
sso_user = users(:sso_only)
assert sso_user.sso_only?, "Test user should be SSO-only"
assert_no_enqueued_emails do
post password_reset_path, params: { email: sso_user.email }
end
# Should still redirect to pending to prevent email enumeration
assert_redirected_to new_password_reset_url(step: "pending")
end
test "create sends email for user with local password" do
assert @user.has_local_password?, "Test user should have local password"
assert_enqueued_emails 1 do
post password_reset_path, params: { email: @user.email }
end
assert_redirected_to new_password_reset_url(step: "pending")
end
# Security: SSO-only users cannot set password via reset
test "update blocks password setting for SSO-only user" do
sso_user = users(:sso_only)
token = sso_user.generate_token_for(:password_reset)
patch password_reset_path(token: token),
params: { user: { password: "NewSecure1!", password_confirmation: "NewSecure1!" } }
assert_redirected_to new_session_path
assert_equal "Your account uses SSO for authentication. Please contact your administrator to manage your credentials.", flash[:alert]
# Verify password was not set
sso_user.reload
assert_nil sso_user.password_digest, "SSO-only user should still have nil password_digest"
end
end
Reference in New Issue View Git Blame Copy Permalink