feat: Improved password security policy (#2345)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
This commit is contained in:
Sojan Jose
2021-06-07 17:26:08 +05:30
committed by GitHub
parent d1b3c7b0c2
commit 467b45b427
36 changed files with 284 additions and 151 deletions


@@ -18,13 +18,13 @@ RSpec.describe 'Accounts API', type: :request do
it 'calls account builder' do
allow(account_builder).to receive(:perform).and_return([user, account])
params = { account_name: 'test', email: email, user: nil, user_full_name: user_full_name }
params = { account_name: 'test', email: email, user: nil, user_full_name: user_full_name, password: 'Password1!' }
post api_v1_accounts_url,
params: params,
as: :json
expect(AccountBuilder).to have_received(:new).with(params.merge(confirmed: false))
expect(AccountBuilder).to have_received(:new).with(params.except(:password).merge(user_password: params[:password]))
expect(account_builder).to have_received(:perform)
expect(response.headers.keys).to include('access-token', 'token-type', 'client', 'expiry', 'uid')
end
@@ -38,44 +38,11 @@ RSpec.describe 'Accounts API', type: :request do
params: params,
as: :json
expect(AccountBuilder).to have_received(:new).with(params.merge(confirmed: false))
expect(AccountBuilder).to have_received(:new).with(params.merge(user_password: params[:password]))
expect(account_builder).to have_received(:perform)
expect(response).to have_http_status(:forbidden)
expect(response.body).to eq({ message: I18n.t('errors.signup.failed') }.to_json)
end
it 'ignores confirmed param when called with out super admin token' do
allow(account_builder).to receive(:perform).and_return(nil)
params = { account_name: 'test', email: email, confirmed: true, user: nil, user_full_name: user_full_name }
post api_v1_accounts_url,
params: params,
as: :json
expect(AccountBuilder).to have_received(:new).with(params.merge(confirmed: false))
expect(account_builder).to have_received(:perform)
expect(response).to have_http_status(:forbidden)
expect(response.body).to eq({ message: I18n.t('errors.signup.failed') }.to_json)
end
end
context 'when called with super admin token' do
let(:super_admin) { create(:super_admin) }
it 'calls account builder with confirmed true when confirmed param is passed' do
params = { account_name: 'test', email: email, confirmed: true, user_full_name: user_full_name }
post api_v1_accounts_url,
params: params,
headers: { api_access_token: super_admin.access_token.token },
as: :json
created_user = User.find_by(email: email)
expect(created_user.confirmed?).to eq(true)
expect(response.headers.keys).to include('access-token', 'token-type', 'client', 'expiry', 'uid')
expect(response.body).to include(created_user.access_token.token)
end
end
context 'when ENABLE_ACCOUNT_SIGNUP env variable is set to false' do
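Review bot: The signup specs now send only a policy-compliant password (`password: 'Password1!'` in the first hunk) and no example asserts that a password failing the new policy is rejected, so the policy this commit introduces is not covered at the API boundary. A case such as `params = { account_name: 'test', email: email, user: nil, user_full_name: user_full_name, password: 'password' }` followed by an assertion on whichever error status the endpoint returns for validation failure would pin it. The second hunk's expectation `params.merge(user_password: params[:password])` keeps `:password` in the hash, while the first hunk's uses `params.except(:password).merge(user_password: params[:password])`; unless that example's `params` (defined above the hunk) omit `:password`, one of the two cannot match the builder's actual arguments. Both hunks sit inside describe/context blocks whose boundaries lie outside this section.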


@@ -44,7 +44,7 @@ RSpec.describe 'Profile API', type: :request do
it 'updates the name & email' do
new_email = Faker::Internet.email
put '/api/v1/profile',
params: { profile: { name: 'test', 'email': new_email } },
params: { profile: { name: 'test', email: new_email } },
headers: agent.create_new_auth_token,
as: :json


@@ -18,12 +18,8 @@ RSpec.describe 'Token Confirmation', type: :request do
expect(response.status).to eq 200
end
it 'returns message "Success"' do
expect(response_json[:message]).to eq 'Success'
end
it 'returns "redirect_url"' do
expect(response_json[:redirect_url]).to include '/app/auth/password/edit?config=default&redirect_url=&reset_password_token'
it 'returns "auth data"' do
expect(response.body).to include('john.doe@gmail.com')
end
end
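Review bot: `expect(response.body).to include('john.doe@gmail.com')` in the new 'returns "auth data"' example only proves the confirmed user's email is echoed somewhere in the body, not that auth data was issued, which is the security-relevant outcome of a token confirmation. The accounts spec on this page checks the session headers instead; `expect(response.headers.keys).to include('access-token', 'token-type', 'client', 'expiry', 'uid')` would confirm a session was actually established. The literal email presumably comes from a `let` defined above the hunk; referencing that variable would keep the two in sync. The enclosing describe block starts outside the hunk.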


@@ -17,10 +17,10 @@ RSpec.describe 'Session', type: :request do
end
context 'when it is valid credentials' do
let!(:user) { create(:user, password: 'test1234', account: account) }
let!(:user) { create(:user, password: 'Password1!', account: account) }
it 'returns successful auth response' do
params = { email: user.email, password: 'test1234' }
params = { email: user.email, password: 'Password1!' }
post new_user_session_url,
params: params,
@@ -32,7 +32,7 @@ RSpec.describe 'Session', type: :request do
end
context 'when it is invalid sso auth token' do
let!(:user) { create(:user, password: 'test1234', account: account) }
let!(:user) { create(:user, password: 'Password1!', account: account) }
it 'returns unauthorized' do
params = { email: user.email, sso_auth_token: SecureRandom.hex(32) }
@@ -46,7 +46,7 @@ RSpec.describe 'Session', type: :request do
end
context 'when with valid sso auth token' do
let!(:user) { create(:user, password: 'test1234', account: account) }
let!(:user) { create(:user, password: 'Password1!', account: account) }
it 'returns successful auth response' do
params = { email: user.email, sso_auth_token: user.generate_sso_auth_token }
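Review bot: The compliant password literal `'Password1!'` is now repeated in every `let!(:user)` and `params` line of this section's three hunks and again twice in the platform users spec, while the user factory in this same commit defaults `password { 'Password1!' }`. A single `let(:password) { 'Password1!' }` at the top of the describe, used as `create(:user, password: password, account: account)` and `params = { email: user.email, password: password }`, keeps the credential in one place so the next policy change does not require editing each spec. Whether the `let!(:user)` overrides are still needed at all now that the factory default satisfies the policy can only be judged from the factory's full definition, which is outside this hunk.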


@@ -94,7 +94,7 @@ RSpec.describe 'Platform Users API', type: :request do
let(:platform_app) { create(:platform_app) }
it 'creates a new user and permissible for the user' do
post '/platform/api/v1/users/', params: { name: 'test', email: 'test@test.com', password: 'password123' },
post '/platform/api/v1/users/', params: { name: 'test', email: 'test@test.com', password: 'Password1!' },
headers: { api_access_token: platform_app.access_token.token }, as: :json
expect(response).to have_http_status(:success)
@@ -105,7 +105,7 @@ RSpec.describe 'Platform Users API', type: :request do
it 'fetch existing user and creates permissible for the user' do
create(:user, name: 'old test', email: 'test@test.com')
post '/platform/api/v1/users/', params: { name: 'test', email: 'test@test.com', password: 'password123' },
post '/platform/api/v1/users/', params: { name: 'test', email: 'test@test.com', password: 'Password1!' },
headers: { api_access_token: platform_app.access_token.token }, as: :json
expect(response).to have_http_status(:success)


@@ -2,6 +2,7 @@ require 'rails_helper'
RSpec.describe 'Super Admin access tokens API', type: :request do
let(:super_admin) { create(:super_admin) }
let!(:platform_app) { create(:platform_app) }
describe 'GET /super_admin/access_tokens' do
context 'when it is an unauthenticated super admin' do
@@ -16,7 +17,7 @@ RSpec.describe 'Super Admin access tokens API', type: :request do
sign_in super_admin
get '/super_admin/access_tokens'
expect(response).to have_http_status(:success)
expect(response.body).to include(super_admin.access_token.token)
expect(response.body).to include(platform_app.access_token.token)
end
end
end


@@ -1,6 +1,6 @@
FactoryBot.define do
factory :super_admin do
email { "admin@#{SecureRandom.uuid}.com" }
password { 'password' }
password { 'Password1!' }
end
end


@@ -14,7 +14,7 @@ FactoryBot.define do
name { Faker::Name.name }
display_name { Faker::Name.first_name }
email { display_name + "@#{SecureRandom.uuid}.com" }
password { 'password' }
password { 'Password1!' }
after(:build) do |user, evaluator|
user.skip_confirmation! if evaluator.skip_confirmation


@@ -3,7 +3,7 @@ require 'rails_helper'
describe ChatwootHub do
it 'get latest version from chatwoot hub' do
version = '1.1.1'
allow(RestClient).to receive(:get).and_return({ 'version': version }.to_json)
allow(RestClient).to receive(:get).and_return({ version: version }.to_json)
expect(described_class.latest_version).to eq version
expect(RestClient).to have_received(:get).with(described_class::BASE_URL, { params: described_class.instance_config })
end