
  # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

  require 'rails_helper'

  # Spec for the first step of the self-service password reset over GraphQL:
  # the client submits a login name; when the feature is enabled a reset token
  # is stored and a link containing it is mailed out. The examples below also
  # pin the two security properties of the mutation that are visible here: the
  # response for an unknown login is indistinguishable from a known one, and
  # repeated requests are throttled both per username and per source IP.
  RSpec.describe Gql::Mutations::User::PasswordReset::Send, type: :graphql do
    context 'when resetting a password for a user' do
      let(:user) { create(:user) }

      let(:query) do
        <<~QUERY
          mutation userPasswordResetSend($username: String!) {
            userPasswordResetSend(username: $username) {
              success
              errors {
                message
              }
            }
          }
        QUERY
      end

      let(:variables) { { username: user.login } }

      context 'with disabled lost password feature' do
        before { Setting.set('user_lost_password', false) }

        it 'raises an error' do
          gql.execute(query, variables: variables)

          expect(gql.result.error_message).to eq 'This feature is not enabled.'
        end
      end

      context 'with existing user' do
        it 'sends a password reset link', :aggregate_failures do
          # Capture the outgoing mail body instead of delivering it, so the
          # reset link can be compared against the token persisted in the DB.
          mail_body = nil
          allow(NotificationFactory::Mailer).to receive(:deliver) { |params| mail_body = params[:body] }

          expect { gql.execute(query, variables: variables) }.to change(Token, :count)
          expect(gql.result.data).to eq({ 'success' => true, 'errors' => nil })
          expect(mail_body).to include(%(<a href="http://zammad.example.com/desktop/reset-password/verify/#{Token.last[:token]}">))
        end
      end

      context 'with an invalid user' do
        let(:variables) { { username: 'foobar' } }

        it 'returns success, but does nothing', :aggregate_failures do
          # Same response payload as for a known login, and no token is
          # created: the mutation must not disclose whether the login exists.
          expect { gql.execute(query, variables: variables) }.not_to change(Token, :count)
          expect(gql.result.data).to eq({ 'success' => true, 'errors' => nil })
        end
      end

      # Tagged :rack_attack, which presumably enables the throttle middleware
      # for these examples only. Two independent throttle keys are exercised:
      # one username from many source IPs, and many usernames from one source
      # IP. Either dimension on its own has to trip the limit.
      context 'when request is made more times than throttle allows', :rack_attack do
        let(:same_ip) { Faker::Internet.ip_v4_address }

        it 'blocks due to username throttling (multiple IPs)' do
          4.times do
            gql.execute(query, variables: variables, context: { REMOTE_IP: Faker::Internet.ip_v4_address })
          end

          expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
        end

        it 'blocks due to source IP address throttling (multiple usernames)' do
          4.times do
            gql.execute(query, variables: variables.merge(username: create(:user).login), context: { REMOTE_IP: same_ip })
          end

          expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
        end
      end
    end
  end