1 files changed, 36 insertions, 7 deletions

diff --git a/spec/features/password_reset_spec.rb b/spec/features/password_reset_spec.rb
index abf66f2356d..ce7a66a0da9 100644
--- a/spec/features/password_reset_spec.rb
+++ b/spec/features/password_reset_spec.rb
@@ -1,13 +1,44 @@
 require 'spec_helper'
 
 feature 'Password reset', feature: true do
-  describe 'with two-factor authentication' do
-    let(:user) { create(:user, :two_factor) }
+  describe 'throttling' do
+    it 'sends reset instructions when not previously sent' do
+      visit root_path
+      forgot_password(create(:user))
+
+      expect(page).to have_content(I18n.t('devise.passwords.send_instructions'))
+      expect(current_path).to eq new_user_session_path
+    end
 
+    it 'sends reset instructions when previously sent more than a minute ago' do
+      user = create(:user)
+      user.send_reset_password_instructions
+      user.update_attribute(:reset_password_sent_at, 5.minutes.ago)
+
+      visit root_path
+      forgot_password(user)
+
+      expect(page).to have_content(I18n.t('devise.passwords.send_instructions'))
+      expect(current_path).to eq new_user_session_path
+    end
+
+    it "throttles multiple resets in a short timespan" do
+      user = create(:user)
+      user.send_reset_password_instructions
+
+      visit root_path
+      forgot_password(user)
+
+      expect(page).to have_content("Instructions about how to reset your password have already been sent recently. Please wait a few minutes to try again.")
+      expect(current_path).to eq new_user_password_path
+    end
+  end
+
+  describe 'with two-factor authentication' do
     it 'requires login after password reset' do
       visit root_path
 
-      forgot_password
+      forgot_password(create(:user, :two_factor))
       reset_password
 
       expect(page).to have_content("Your password was changed successfully.")
@@ -17,12 +48,10 @@ feature 'Password reset', feature: true do
   end
 
   describe 'without two-factor authentication' do
-    let(:user) { create(:user) }
-
     it 'requires login after password reset' do
       visit root_path
 
-      forgot_password
+      forgot_password(create(:user))
       reset_password
 
       expect(page).to have_content("Your password was changed successfully.")
@@ -30,7 +59,7 @@ feature 'Password reset', feature: true do
     end
   end
 
-  def forgot_password
+  def forgot_password(user)
     click_on 'Forgot your password?'
     fill_in 'Email', with: user.email
     click_button 'Reset password'