FIX: only invalidate password reset links using javascript

2025-09-08 12:06:51 +08:00 · 2016-01-04 11:48:54 -05:00 · 2016-01-04 11:48:54 -05:00 · c7df6783a9
commit c7df6783a9
parent 0ba1e8a76f
5 changed files with 54 additions and 2 deletions
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -326,6 +326,16 @@ describe UsersController do
        expect(user.auth_token).to_not eq old_token
        expect(user.auth_token.length).to eq 32
      end
+
+      it "doesn't invalidate the token when loading the page" do
+        user = Fabricate(:user, auth_token: SecureRandom.hex(16))
+        email_token = user.email_tokens.create(email: user.email)
+
+        get :password_reset, token: email_token.token
+
+        email_token.reload
+        expect(email_token.confirmed).to eq(false)
+      end
    end

    context 'submit change' do
@ -361,6 +371,24 @@ describe UsersController do
    end
  end

+  describe '.confirm_email_token' do
+    let(:user) { Fabricate(:user) }
+
+    it "token doesn't match any records" do
+      email_token = user.email_tokens.create(email: user.email)
+      get :confirm_email_token, token: SecureRandom.hex, format: :json
+      expect(response).to be_success
+      expect(email_token.reload.confirmed).to eq(false)
+    end
+
+    it "token matches" do
+      email_token = user.email_tokens.create(email: user.email)
+      get :confirm_email_token, token: email_token.token, format: :json
+      expect(response).to be_success
+      expect(email_token.reload.confirmed).to eq(true)
+    end
+  end
+
  describe '.admin_login' do
    let(:admin) { Fabricate(:admin) }
    let(:user) { Fabricate(:user) }