diff options
| author | Robert Speicher <robert@gitlab.com> | 2015-12-10 01:58:11 +0000 |
|---|---|---|
| committer | Robert Speicher <robert@gitlab.com> | 2015-12-10 01:58:11 +0000 |
| commit | ba79d1e5b8e169b680f128539ade3b6786f4ebd0 (patch) | |
| tree | fe24b9fb492572633267bb0eae745a35baabc0ab /spec | |
| parent | 19837682e0e2d8394dedb6432e004cb853d73cb1 (diff) | |
| parent | f4ec906e90b2f8dbf18b359b773e3b31f5da89ff (diff) | |
| download | gitlab-ce-ba79d1e5b8e169b680f128539ade3b6786f4ebd0.tar.gz | |
Merge branch 'devise_paranoid_mode' into 'master'
Enable Devise paranoid mode and ensure the returned message is the same
every time. This will prevent user enumeration (low impact).
Prior to this change a user could type an email in the password reset
field and if the email didn't exist it returned an error. If the email
was valid it returned a message saying the forgot password link had been
emailed. After this change the user will receive a message that if the
email is in our database the reset link will be emailed.
I also changed the throttle mechanism so it still works the same but
now returns the exact same message as above. Previously it would say
'You've already sent a request. Wait a few minutes'. This also allows
user enumeration, although it requires a double-check.
Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624
See merge request !2044
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/features/password_reset_spec.rb | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/spec/features/password_reset_spec.rb b/spec/features/password_reset_spec.rb index 85e70b4d47f..257d363438c 100644 --- a/spec/features/password_reset_spec.rb +++ b/spec/features/password_reset_spec.rb @@ -3,11 +3,12 @@ require 'spec_helper' feature 'Password reset', feature: true do describe 'throttling' do it 'sends reset instructions when not previously sent' do - visit root_path - forgot_password(create(:user)) + user = create(:user) + forgot_password(user) - expect(page).to have_content(I18n.t('devise.passwords.send_instructions')) + expect(page).to have_content(I18n.t('devise.passwords.send_paranoid_instructions')) expect(current_path).to eq new_user_session_path + expect(user.recently_sent_password_reset?).to be_truthy end it 'sends reset instructions when previously sent more than a minute ago' do @@ -15,26 +16,25 @@ feature 'Password reset', feature: true do user.send_reset_password_instructions user.update_attribute(:reset_password_sent_at, 5.minutes.ago) - visit root_path - forgot_password(user) - - expect(page).to have_content(I18n.t('devise.passwords.send_instructions')) + expect{ forgot_password(user) }.to change{ user.reset_password_sent_at } + expect(page).to have_content(I18n.t('devise.passwords.send_paranoid_instructions')) expect(current_path).to eq new_user_session_path end - it "throttles multiple resets in a short timespan" do + it 'throttles multiple resets in a short timespan' do user = create(:user) user.send_reset_password_instructions + # Reload because PG handles datetime less precisely than Ruby/Rails + user.reload - visit root_path - forgot_password(user) - - expect(page).to have_content(I18n.t('devise.passwords.recently_reset')) - expect(current_path).to eq new_user_password_path + expect{ forgot_password(user) }.not_to change{ user.reset_password_sent_at } + expect(page).to have_content(I18n.t('devise.passwords.send_paranoid_instructions')) + expect(current_path).to eq new_user_session_path end end def forgot_password(user) + visit root_path click_on 'Forgot your password?' fill_in 'Email', with: user.email click_button 'Reset password' |