password_reset_verify_spec.rb 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'User password reset verify endpoint', authenticated_as: false, type: :request do
  4. let(:user) { create(:user) }
  5. let(:token) { User.password_reset_new_token(user.login)[:token].token }
  6. let(:send_request) do
  7. post api_v1_users_password_reset_verify_path, params: params
  8. end
  9. shared_examples 'returning unprocessable entity' do |message:|
  10. it 'returns unprocessable entity' do
  11. send_request
  12. expect(response).to have_http_status(:unprocessable_entity).and have_attributes(body: include(message))
  13. end
  14. end
  15. shared_examples 'returning success' do |with_password_change: false|
  16. it 'returns success' do
  17. send_request
  18. expect(json_response).to include({ 'message' => 'ok', 'user_login' => user.login })
  19. end
  20. it 'does not change user password', if: !with_password_change do
  21. expect { send_request }.to not_change { user.reload.password }
  22. end
  23. it 'changes user password', if: with_password_change do
  24. expect { send_request }.to change { user.reload.password }
  25. end
  26. it 'sends an email notification to the user', if: with_password_change do
  27. message = nil
  28. allow(NotificationFactory::Mailer).to receive(:deliver) do |params|
  29. message = params[:body]
  30. end
  31. send_request
  32. expect(message).to include('This activity is not known to you? If not, contact your system administrator.')
  33. end
  34. end
  35. shared_examples 'returning failure' do |notice: nil|
  36. it 'returns failure with notice', if: !notice do
  37. send_request
  38. expect(json_response).to include({ 'message' => 'failed' })
  39. end
  40. it 'returns failure with notice', if: notice do
  41. send_request
  42. expect(json_response).to include({ 'message' => 'failed', 'notice' => include(start_with(notice)) })
  43. end
  44. end
  45. context 'when user verifies with a token only' do
  46. let(:params) { { token: token } }
  47. context 'with disabled user signup' do
  48. before do
  49. Setting.set('user_lost_password', false)
  50. end
  51. it_behaves_like 'returning unprocessable entity', message: 'This feature is not enabled.'
  52. end
  53. context 'with a valid token' do
  54. it_behaves_like 'returning success'
  55. end
  56. context 'without a token parameter' do
  57. let(:params) { { foo: 'bar' } }
  58. it_behaves_like 'returning unprocessable entity', message: 'token param needed!'
  59. end
  60. context 'with an invalid token' do
  61. let(:token) { SecureRandom.urlsafe_base64(48) }
  62. it_behaves_like 'returning failure'
  63. end
  64. end
  65. context 'when user verifies with a token and a password' do
  66. let(:password) { 'cMeSMvAP2o' }
  67. let(:params) { { token: token, password: password } }
  68. context 'with disabled user signup' do
  69. before do
  70. Setting.set('user_lost_password', false)
  71. end
  72. it_behaves_like 'returning unprocessable entity', message: 'This feature is not enabled.'
  73. end
  74. context 'with a valid password' do
  75. it_behaves_like 'returning success', with_password_change: true
  76. end
  77. context 'with an invalid password' do
  78. let(:password) { 'foobar9' }
  79. it_behaves_like 'returning failure', notice: 'Invalid password'
  80. end
  81. end
  82. end