author | Robert Speicher <rspeicher@gmail.com> | 2015-09-30 15:38:21 -0400 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2015-09-30 15:38:21 -0400 |
commit | 292bca0546c59b9816c696371cd9bbf04ba19fb2 (patch) | |
tree | c9f3ed1df55ed2fee0dfef6ad685ea57b7aac932 /spec/features/password_reset_spec.rb | |
parent | 3a4274e19e1a1fbc23fb5fe0d6101ad62099aadb (diff) | |
Only allow password reset emails once per minute
Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611
Diffstat (limited to 'spec/features/password_reset_spec.rb')
-rw-r--r-- | spec/features/password_reset_spec.rb | 43 |
1 files changed, 36 insertions, 7 deletions
diff --git a/spec/features/password_reset_spec.rb b/spec/features/password_reset_spec.rb
index abf66f2356d..ce7a66a0da9 100644
--- a/spec/features/password_reset_spec.rb
+++ b/spec/features/password_reset_spec.rb
@@ -1,13 +1,44 @@
 require 'spec_helper'
 feature 'Password reset', feature: true do
- describe 'with two-factor authentication' do
- let(:user) { create(:user, :two_factor) }
+ describe 'throttling' do
+ it 'sends reset instructions when not previously sent' do
+ visit root_path
+ forgot_password(create(:user))
+
+ expect(page).to have_content(I18n.t('devise.passwords.send_instructions'))
+ expect(current_path).to eq new_user_session_path
+ end
+ it 'sends reset instructions when previously sent more than a minute ago' do
+ user = create(:user)
+ user.send_reset_password_instructions
+ user.update_attribute(:reset_password_sent_at, 5.minutes.ago)
+
+ visit root_path
+ forgot_password(user)
+
+ expect(page).to have_content(I18n.t('devise.passwords.send_instructions'))
+ expect(current_path).to eq new_user_session_path
+ end
+
+ it "throttles multiple resets in a short timespan" do
+ user = create(:user)
+ user.send_reset_password_instructions
+
+ visit root_path
+ forgot_password(user)
+
+ expect(page).to have_content("Instructions about how to reset your password have already been sent recently. Please wait a few minutes to try again.")
+ expect(current_path).to eq new_user_password_path
+ end
+ end
+
+ describe 'with two-factor authentication' do
 it 'requires login after password reset' do
 visit root_path
- forgot_password
+ forgot_password(create(:user, :two_factor))
 reset_password
 expect(page).to have_content("Your password was changed successfully.")
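Review bot: The throttled example at the end of the `describe 'throttling'` block asserts a response that differs from the unthrottled one (`new_user_password_path` with the "already been sent recently" text, versus `new_user_session_path` with `I18n.t('devise.passwords.send_instructions')`), and no example in the hunk submits an email that has no account, so if the controller only renders the throttle message when a matching account exists — which the set-up via `reset_password_sent_at` implies — the rate limit becomes an account-enumeration oracle this spec would not catch. An example such as `forgot_password(build(:user))` followed by `expect(page).to have_content(I18n.t('devise.passwords.send_instructions'))` would pin that an unknown address gets the same generic response as the first example; whether the controller actually behaves that way is not visible here. The second example relies on `5.minutes.ago`, which proves the window is shorter than five minutes but not that it is the one minute the commit title promises; `user.update_attribute(:reset_password_sent_at, 61.seconds.ago)` would pin the boundary, and the user-facing text "wait a few minutes" does not match a one-minute window either. Minor: there is no blank line between the first two `it` blocks, unlike the rest of the file.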
@@ -17,12 +48,10 @@ feature 'Password reset', feature: true do
 end
 describe 'without two-factor authentication' do
- let(:user) { create(:user) }
-
 it 'requires login after password reset' do
 visit root_path
- forgot_password
+ forgot_password(create(:user))
 reset_password
 expect(page).to have_content("Your password was changed successfully.")
@@ -30,7 +59,7 @@ feature 'Password reset', feature: true do
 end
 end
- def forgot_password
+ def forgot_password(user)
 click_on 'Forgot your password?'
 fill_in 'Email', with: user.email
 click_button 'Reset password' |
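Review bot: `forgot_password(user)` now drives the form for an arbitrary account but carries no comment saying what it assumes, and the throttling examples earlier in the diff depend on the caller having set `reset_password_sent_at` first, which is easy to miss when reading the helper on its own. A one-line comment above `def forgot_password(user)` such as `# Submits the 'Forgot your password?' form with user.email; any throttle state (reset_password_sent_at) must be set up by the caller` would make that explicit. The helper's `end` and the enclosing `feature` block close outside the hunk, and `reset_password`, which both login examples call, is defined elsewhere in the file.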