submit-social-housing-letti.../spec/features/auth/user_lockout_spec.rb

require "rails_helper"

RSpec.describe "User Lockout" do
  let(:user) { FactoryBot.create(:user) }
  let(:admin) { FactoryBot.create(:admin_user) }
  let(:max_login_attempts) { Devise.maximum_attempts }
  let(:max_2fa_attempts) { Devise.max_login_attempts }
  let(:notify_client) { instance_double(Notifications::Client) }

  context "when login-in with the wrong user password up to a maximum number of attempts" do
    before do
      visit("/users/sign-in")
      max_login_attempts.times do
        fill_in("user[email]", with: user.email)
        fill_in("user[password]", with: "wrong_password")
        click_button("Sign in")
      end
    end

    it "locks the user account" do
      visit("/users/sign-in")
      fill_in("user[email]", with: user.email)
      fill_in("user[password]", with: user.password)
      click_button("Sign in")
      expect(page).to have_http_status(:unprocessable_entity)
      expect(page).to have_content("Your account is locked.")
    end
  end

  context "when login-in with the wrong admin password up to a maximum number of attempts" do
    before do
      visit("/admin/sign-in")
      max_login_attempts.times do
        fill_in("admin_user[email]", with: admin.email)
        fill_in("admin_user[password]", with: "wrong_password")
        click_button("Sign in")
      end
    end

    it "locks the admin account" do
      visit("/admin/sign-in")
      fill_in("admin_user[email]", with: admin.email)
      fill_in("admin_user[password]", with: admin.password)
      click_button("Sign in")
      expect(page).to have_http_status(:unprocessable_entity)
      expect(page).to have_content("Your account is locked.")
    end
  end

  context "when login-in with the right admin password and incorrect 2FA token up to a maximum number of attempts" do
    before do
      allow(Sms).to receive(:notify_client).and_return(notify_client)
      allow(notify_client).to receive(:send_sms).and_return(true)

      visit("/admin/sign-in")
      fill_in("admin_user[email]", with: admin.email)
      fill_in("admin_user[password]", with: admin.password)
      click_button("Sign in")

      max_2fa_attempts.times do
        fill_in("code", with: "random")
        click_button("Submit")
      end
    end

    it "locks the admin account" do
      visit("/admin/sign-in")
      fill_in("admin_user[email]", with: admin.email)
      fill_in("admin_user[password]", with: admin.password)
      click_button("Sign in")
      expect(page).to have_http_status(:unprocessable_entity)
      expect(page).to have_content(I18n.t("devise.two_factor_authentication.account_locked"))
    end
  end
end
CLDC-996 Login lockout (#377) 3 years ago			`require "rails_helper"`

			`RSpec.describe "User Lockout" do`
			`let(:user) { FactoryBot.create(:user) }`
			`let(:admin) { FactoryBot.create(:admin_user) }`
			`let(:max_login_attempts) { Devise.maximum_attempts }`
			`let(:max_2fa_attempts) { Devise.max_login_attempts }`
			`let(:notify_client) { instance_double(Notifications::Client) }`

			`context "when login-in with the wrong user password up to a maximum number of attempts" do`
			`before do`
			`visit("/users/sign-in")`
			`max_login_attempts.times do`
			`fill_in("user[email]", with: user.email)`
			`fill_in("user[password]", with: "wrong_password")`
			`click_button("Sign in")`
			`end`
			`end`

			`it "locks the user account" do`
			`visit("/users/sign-in")`
			`fill_in("user[email]", with: user.email)`
			`fill_in("user[password]", with: user.password)`
			`click_button("Sign in")`
			`expect(page).to have_http_status(:unprocessable_entity)`
			`expect(page).to have_content("Your account is locked.")`
			`end`
			`end`

			`context "when login-in with the wrong admin password up to a maximum number of attempts" do`
			`before do`
			`visit("/admin/sign-in")`
			`max_login_attempts.times do`
			`fill_in("admin_user[email]", with: admin.email)`
			`fill_in("admin_user[password]", with: "wrong_password")`
			`click_button("Sign in")`
			`end`
			`end`

			`it "locks the admin account" do`
			`visit("/admin/sign-in")`
			`fill_in("admin_user[email]", with: admin.email)`
			`fill_in("admin_user[password]", with: admin.password)`
			`click_button("Sign in")`
			`expect(page).to have_http_status(:unprocessable_entity)`
			`expect(page).to have_content("Your account is locked.")`
			`end`
			`end`

			`context "when login-in with the right admin password and incorrect 2FA token up to a maximum number of attempts" do`
			`before do`
			`allow(Sms).to receive(:notify_client).and_return(notify_client)`
			`allow(notify_client).to receive(:send_sms).and_return(true)`

			`visit("/admin/sign-in")`
			`fill_in("admin_user[email]", with: admin.email)`
			`fill_in("admin_user[password]", with: admin.password)`
			`click_button("Sign in")`

			`max_2fa_attempts.times do`
			`fill_in("code", with: "random")`
			`click_button("Submit")`
			`end`
			`end`

			`it "locks the admin account" do`
			`visit("/admin/sign-in")`
			`fill_in("admin_user[email]", with: admin.email)`
			`fill_in("admin_user[password]", with: admin.password)`
			`click_button("Sign in")`
			`expect(page).to have_http_status(:unprocessable_entity)`
			`expect(page).to have_content(I18n.t("devise.two_factor_authentication.account_locked"))`
			`end`
			`end`
			`end`