# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/ require 'rails_helper' RSpec.describe Gql::Mutations::User::Signup, type: :graphql do context 'when registering a new user' do let(:query) do <<~QUERY mutation userSignup($input: UserSignupInput!) { userSignup(input: $input) { success errors { message field } } } QUERY end let(:variables) do { input: { email: 'bender@futurama.fiction', firstname: 'Bender', lastname: 'Rodríguez', password: 'IloveBender1337' } } end context 'with disabled user signup' do before do Setting.set('user_create_account', false) end it 'raises an error' do gql.execute(query, variables: variables) expect(gql.result.error_message).to eq 'This feature is not enabled.' end end context 'with enabled user signup' do before do Setting.set('user_create_account', true) end it 'creates a new user', :aggregate_failures do message = nil allow(NotificationFactory::Mailer).to receive(:deliver) do |params| message = params[:body] end gql.execute(query, variables: variables) expect(gql.result.data).to eq({ 'success' => true, 'errors' => nil }) expect(User.find_by(email: 'bender@futurama.fiction')).to be_present expect(message).to include("") end context 'when the password is weak' do let(:variables) do { input: { email: 'bender@futurama.fiction', firstname: 'Bender', lastname: 'Rodríguez', password: 'idonotlovebenderandthisiswrong' } } end it 'raises an error', :aggregate_failures do gql.execute(query, variables: variables) errors = gql.result.data[:errors].first expect(errors.keys).to include('message', 'field') expect(errors['message']).to include('Invalid password') expect(errors['field']).to eq('password') end end context 'when the email is already taken' do before do create(:user, email: 'bender@futurama.fiction') end it 'returns a silent success', :aggregate_failures do message = nil allow(NotificationFactory::Mailer).to receive(:deliver) do |params| message = params[:body] end gql.execute(query, variables: variables) expect(gql.result.data).to eq({ 'success' => true, 'errors' => nil }) expect(message).to include('You or someone else tried to sign up with this email address.') expect(message).to include("") end end context 'when the request is made more times than throttle allows', :rack_attack do let(:static_ipv4) { Faker::Internet.unique.ip_v4_address } it 'blocks due to email address throttling (multiple IPs)' do 4.times do gql.execute(query, variables: variables, context: { REMOTE_IP: Faker::Internet.unique.ip_v4_address }) end expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.' end it 'blocks due to source IP address throttling (multiple email addresses)' do new_variables = { input: { email: Faker::Internet.unique.email, firstname: 'Bender', lastname: 'Rodríguez', password: 'IloveBender1337' } } 4.times do gql.execute(query, variables: new_variables, context: { REMOTE_IP: static_ipv4 }) end expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.' end end end end end