
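# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

RSpec.describe Gql::Mutations::User::Signup, type: :graphql do

  context 'when registering a new user' do
    let(:query) do
      <<~QUERY
        mutation userSignup($input: UserSignupInput!) {
          userSignup(input: $input) {
            success
            errors {
              message
              field
            }
          }
        }
      QUERY
    end

    # The signup payload is assembled from single fields so that nested
    # contexts can override one value (e.g. the password) instead of
    # repeating the whole input hash.
    let(:email)    { 'bender@futurama.fiction' }
    let(:password) { 'IloveBender1337' }
    let(:variables) do
      {
        input: {
          email:     email,
          firstname: 'Bender',
          lastname:  'Rodríguez',
          password:  password
        }
      }
    end

    # Stubs NotificationFactory::Mailer.deliver for the current example and
    # returns an array that collects the :body of every stubbed delivery, so
    # examples can assert on generated links without sending mail. The most
    # recent body is `.last` (nil when nothing was delivered).
    def capture_delivered_bodies
      [].tap do |bodies|
        allow(NotificationFactory::Mailer).to receive(:deliver) do |params|
          bodies << params[:body]
        end
      end
    end

    context 'with disabled user signup' do
      before do
        Setting.set('user_create_account', false)
      end

      it 'raises an error' do
        gql.execute(query, variables: variables)
        expect(gql.result.error_message).to eq 'This feature is not enabled.'
      end
    end

    context 'with enabled user signup' do
      before do
        Setting.set('user_create_account', true)
      end

      it 'creates a new user', :aggregate_failures do
        bodies = capture_delivered_bodies

        gql.execute(query, variables: variables)
        expect(gql.result.data).to eq({ 'success' => true, 'errors' => nil })
        expect(User.find_by(email: email)).to be_present
        # The verification mail must link to the token that was just issued.
        expect(bodies.last).to include("<a href=\"http://zammad.example.com/desktop/signup/verify/#{Token.last[:token]}\">")
      end

      context 'when the password is weak' do
        let(:password) { 'idonotlovebenderandthisiswrong' }

        it 'raises an error', :aggregate_failures do
          gql.execute(query, variables: variables)
          errors = gql.result.data[:errors].first
          expect(errors.keys).to include('message', 'field')
          expect(errors['message']).to include('Invalid password')
          expect(errors['field']).to eq('password')
        end
      end

      context 'when the email is already taken' do
        before do
          create(:user, email: email)
        end

        # The GraphQL response is identical to a successful signup, so the
        # mutation does not reveal whether an address is already registered.
        # The existing account owner is informed by mail instead and gets a
        # password reset link rather than a signup verification link.
        it 'returns a silent success', :aggregate_failures do
          bodies = capture_delivered_bodies

          gql.execute(query, variables: variables)
          expect(gql.result.data).to eq({ 'success' => true, 'errors' => nil })
          expect(bodies.last).to include('You or someone else tried to sign up with this email address.')
          expect(bodies.last).to include("<a href=\"http://zammad.example.com/desktop/reset-password/verify/#{Token.last[:token]}\">")
        end
      end

      # Signup attempts are throttled both per email address and per source
      # IP; each dimension is exercised on its own by varying the other one.
      context 'when the request is made more times than throttle allows', :rack_attack do
        let(:static_ipv4) { Faker::Internet.unique.ip_v4_address }

        it 'blocks due to email address throttling (multiple IPs)' do
          4.times do
            gql.execute(query, variables: variables, context: { REMOTE_IP: Faker::Internet.unique.ip_v4_address })
          end
          expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
        end

        it 'blocks due to source IP address throttling (multiple email addresses)' do
          # A fresh address keeps this example independent of the per-email
          # limit; all requests share one source IP, which is what gets blocked.
          new_variables = variables.deep_merge(input: { email: Faker::Internet.unique.email })
          4.times do
            gql.execute(query, variables: new_variables, context: { REMOTE_IP: static_ipv4 })
          end
          expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
        end
      end
    end
  end
end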