baarkerlounger
/
submit-social-housing-lettings-and-sales-data
mirror of https://github.com/communitiesuk/submit-social-housing-lettings-and-sales-data.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fix sending reset email for admins

pull/313/head
baarkerlounger 3 years ago
parent
070405eba0
commit
24a369a2c4
11 changed files with 228 additions and 16 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 13
      app/mailers/devise_notify_mailer.rb
  2. 9
      app/models/admin_user.rb
  3. 7
      app/models/user.rb
  4. 33
      app/views/admin_users/reset_password.html.erb
  5. 13
      db/migrate/20220216163601_add_trackable_to_admin_user.rb
  6. 6
      db/schema.rb
  7. 55
      spec/features/admin_user_spec.rb
  8. 5
      spec/features/organisation_spec.rb
  9. 33
      spec/features/reset_password.html.erb
  10. 5
      spec/features/user_spec.rb
  11. 65
      spec/requests/active_admin/devise/passwords_controller_spec.rb

13
app/mailers/devise_notify_mailer.rb
Unescape View File

@ -1,9 +1,6 @@
class DeviseNotifyMailer < Devise::Mailer class DeviseNotifyMailer < Devise::Mailer
require "notifications/client" require "notifications/client"
RESET_PASSWORD_TEMPLATE_ID = "2c410c19-80a7-481c-a531-2bcb3264f8e6".freeze
SET_PASSWORD_TEMPLATE_ID = "257460a6-6616-4640-a3f9-17c3d73d9e91".freeze
def notify_client def notify_client
@notify_client ||= ::Notifications::Client.new(ENV["GOVUK_NOTIFY_API_KEY"]) @notify_client ||= ::Notifications::Client.new(ENV["GOVUK_NOTIFY_API_KEY"])
end end
@ -21,14 +18,14 @@ class DeviseNotifyMailer < Devise::Mailer
end end
def reset_password_instructions(record, token, _opts = {}) def reset_password_instructions(record, token, _opts = {})
template_id = record.last_sign_in_at ? RESET_PASSWORD_TEMPLATE_ID : SET_PASSWORD_TEMPLATE_ID url = public_send("edit_#{record.class.name.underscore}_password_url")
personalisation = { personalisation = {
name: record.name, name: record.name || record.email,
email: record.email, email: record.email,
organisation: record.organisation.name, organisation: record.respond_to?(:organisation) ? record.organisation.name : "",
link: "https://#{host}/users/password/edit?reset_password_token=#{token}", link: "#{url}?reset_password_token=#{token}",
} }
send_email(record.email, template_id, personalisation) send_email(record.email, record.reset_password_notify_template, personalisation)
end end
# def confirmation_instructions(record, token, _opts = {}) # def confirmation_instructions(record, token, _opts = {})

9
app/models/admin_user.rb
Unescape View File

@ -1,8 +1,8 @@
class AdminUser < ApplicationRecord class AdminUser < ApplicationRecord
# Include default devise modules. Others available are: # Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable # :confirmable, :lockable, :timeoutable, :omniauthable
devise :two_factor_authenticatable, :database_authenticatable, :recoverable, devise :two_factor_authenticatable, :database_authenticatable, :recoverable,
:rememberable, :validatable :rememberable, :validatable, :trackable
has_one_time_password(encrypted: true) has_one_time_password(encrypted: true)
@ -11,10 +11,15 @@ class AdminUser < ApplicationRecord
validates :phone, presence: true, numericality: true validates :phone, presence: true, numericality: true
MFA_SMS_TEMPLATE_ID = "bf309d93-804e-4f95-b1f4-bd513c48ecb0".freeze MFA_SMS_TEMPLATE_ID = "bf309d93-804e-4f95-b1f4-bd513c48ecb0".freeze
RESET_PASSWORD_TEMPLATE_ID = "fbb2d415-b9b1-4507-ba0a-6e542fa3504d".freeze
def send_two_factor_authentication_code(code) def send_two_factor_authentication_code(code)
template_id = MFA_SMS_TEMPLATE_ID template_id = MFA_SMS_TEMPLATE_ID
personalisation = { otp: code } personalisation = { otp: code }
Sms.send(phone, template_id, personalisation) Sms.send(phone, template_id, personalisation)
end end
def reset_password_notify_template
RESET_PASSWORD_TEMPLATE_ID
end
end end

7
app/models/user.rb
Unescape View File

@ -25,4 +25,11 @@ class User < ApplicationRecord
def not_completed_case_logs def not_completed_case_logs
case_logs.not_completed case_logs.not_completed
end end
RESET_PASSWORD_TEMPLATE_ID = "2c410c19-80a7-481c-a531-2bcb3264f8e6".freeze
SET_PASSWORD_TEMPLATE_ID = "257460a6-6616-4640-a3f9-17c3d73d9e91".freeze
def reset_password_notify_template
last_sign_in_at ? RESET_PASSWORD_TEMPLATE_ID : SET_PASSWORD_TEMPLATE_ID
end
end end

33
app/views/admin_users/reset_password.html.erb
Unescape View File

@ -0,0 +1,33 @@
<% content_for :title, "Reset your password" %>
<% content_for :before_content do %>
<%= govuk_back_link(
text: 'Back',
href: :back,
) %>
<% end %>
<%= form_for(@admin_user, as: :admin_user, url: password_path(AdminUser), html: { method: :put }) do |f| %>
<%= f.hidden_field :reset_password_token %>
<div class="govuk-grid-row">
<div class="govuk-grid-column-two-thirds">
<%= f.govuk_error_summary %>
<h1 class="govuk-heading-l">
<%= content_for(:title) %>
</h1>
<%= f.govuk_password_field :password,
label: { text: "New password" },
hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
autocomplete: "new-password"
%>
<%= f.govuk_password_field :password_confirmation,
label: { text: "Confirm new password" }
%>
<%= f.govuk_submit "Update" %>
</div>
</div>
<% end %>

13
db/migrate/20220216163601_add_trackable_to_admin_user.rb
Unescape View File

@ -0,0 +1,13 @@
class AddTrackableToAdminUser < ActiveRecord::Migration[7.0]
def change
change_table :admin_users, bulk: true do |t|
t.string :name
## Trackable
t.integer :sign_in_count, default: 0, null: false
t.datetime :current_sign_in_at
t.datetime :last_sign_in_at
t.string :current_sign_in_ip
t.string :last_sign_in_ip
end
end
end

6
db/schema.rb
Unescape View File

@ -30,6 +30,12 @@ ActiveRecord::Schema[7.0].define(version: 202202071123100) do
t.datetime "direct_otp_sent_at", precision: nil t.datetime "direct_otp_sent_at", precision: nil
t.datetime "totp_timestamp", precision: nil t.datetime "totp_timestamp", precision: nil
t.string "phone" t.string "phone"
t.string "name"
t.integer "sign_in_count", default: 0, null: false
t.datetime "current_sign_in_at", precision: nil
t.datetime "last_sign_in_at", precision: nil
t.string "current_sign_in_ip"
t.string "last_sign_in_ip"
t.index ["encrypted_otp_secret_key"], name: "index_admin_users_on_encrypted_otp_secret_key", unique: true t.index ["encrypted_otp_secret_key"], name: "index_admin_users_on_encrypted_otp_secret_key", unique: true
end end

55
spec/features/admin_user_spec.rb
Unescape View File

@ -0,0 +1,55 @@
require "rails_helper"
RSpec.describe "Admin Features" do
let!(:admin_user) { FactoryBot.create(:admin_user, last_sign_in_at: Time.zone.now) }
let(:notify_client) { instance_double(Notifications::Client) }
let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" }
let(:devise_notify_mailer) { DeviseNotifyMailer.new }
before do
allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
allow(notify_client).to receive(:send_email).and_return(true)
allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token)
end
context "when the admin has forgotten their password" do
it " is redirected to the reset password page when they click the reset password link" do
visit("/admin")
click_link("Forgot your password?")
expect(page).to have_current_path("/admin/password/new")
end
it " is shown an error message if they submit without entering an email address" do
visit("/admin/password/new")
click_button("Reset My Password")
expect(page).to have_selector("#error_explanation")
expect(page).to have_content("can't be blank")
end
it " is redirected to admin login page after reset email is sent" do
visit("/admin/password/new")
fill_in("admin_user[email]", with: admin_user.email)
click_button("Reset My Password")
expect(page).to have_current_path("/admin/login")
end
it " is sent a reset password email via Notify" do
expect(notify_client).to receive(:send_email).with(
{
email_address: admin_user.email,
template_id: admin_user.reset_password_notify_template,
personalisation: {
name: admin_user.email,
email: admin_user.email,
organisation: "",
link: "http://localhost:3000/admin/password/edit?reset_password_token=#{reset_password_token}",
},
},
)
visit("/admin/password/new")
fill_in("admin_user[email]", with: admin_user.email)
click_button("Reset My Password")
end
end
end

5
spec/features/organisation_spec.rb
Unescape View File

@ -5,7 +5,7 @@ RSpec.describe "User Features" do
include Helpers include Helpers
let(:organisation) { user.organisation } let(:organisation) { user.organisation }
let(:org_id) { organisation.id } let(:org_id) { organisation.id }
let(:set_password_template_id) { DeviseNotifyMailer::SET_PASSWORD_TEMPLATE_ID } let(:set_password_template_id) { User::SET_PASSWORD_TEMPLATE_ID }
let(:notify_client) { instance_double(Notifications::Client) } let(:notify_client) { instance_double(Notifications::Client) }
let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" } let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" }
let(:devise_notify_mailer) { DeviseNotifyMailer.new } let(:devise_notify_mailer) { DeviseNotifyMailer.new }
@ -13,7 +13,6 @@ RSpec.describe "User Features" do
before do before do
allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer) allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client) allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
allow(devise_notify_mailer).to receive(:host).and_return("test.com")
allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token) allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token)
allow(notify_client).to receive(:send_email).and_return(true) allow(notify_client).to receive(:send_email).and_return(true)
sign_in user sign_in user
@ -56,7 +55,7 @@ RSpec.describe "User Features" do
name: "New User", name: "New User",
email: "new_user@example.com", email: "new_user@example.com",
organisation: organisation.name, organisation: organisation.name,
link: "https://test.com/users/password/edit?reset_password_token=#{reset_password_token}", link: "http://localhost:3000/users/password/edit?reset_password_token=#{reset_password_token}",
}, },
}, },
) )

33
spec/features/reset_password.html.erb
Unescape View File

@ -0,0 +1,33 @@
<% content_for :title, "Reset your password" %>
<% content_for :before_content do %>
<%= govuk_back_link(
text: 'Back',
href: :back,
) %>
<% end %>
<%= form_for(@user, as: :user, url: password_path(User), html: { method: :put }) do |f| %>
<%= f.hidden_field :reset_password_token %>
<div class="govuk-grid-row">
<div class="govuk-grid-column-two-thirds">
<%= f.govuk_error_summary %>
<h1 class="govuk-heading-l">
<%= content_for(:title) %>
</h1>
<%= f.govuk_password_field :password,
label: { text: "New password" },
hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
autocomplete: "new-password"
%>
<%= f.govuk_password_field :password_confirmation,
label: { text: "Confirm new password" }
%>
<%= f.govuk_submit "Update" %>
</div>
</div>
<% end %>

5
spec/features/user_spec.rb
Unescape View File

@ -2,7 +2,7 @@ require "rails_helper"
RSpec.describe "User Features" do RSpec.describe "User Features" do
let!(:user) { FactoryBot.create(:user, last_sign_in_at: Time.zone.now) } let!(:user) { FactoryBot.create(:user, last_sign_in_at: Time.zone.now) }
let(:reset_password_template_id) { DeviseNotifyMailer::RESET_PASSWORD_TEMPLATE_ID } let(:reset_password_template_id) { User::RESET_PASSWORD_TEMPLATE_ID }
let(:notify_client) { instance_double(Notifications::Client) } let(:notify_client) { instance_double(Notifications::Client) }
let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" } let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" }
let(:devise_notify_mailer) { DeviseNotifyMailer.new } let(:devise_notify_mailer) { DeviseNotifyMailer.new }
@ -10,7 +10,6 @@ RSpec.describe "User Features" do
before do before do
allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer) allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client) allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
allow(devise_notify_mailer).to receive(:host).and_return("test.com")
allow(notify_client).to receive(:send_email).and_return(true) allow(notify_client).to receive(:send_email).and_return(true)
allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token) allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token)
end end
@ -109,7 +108,7 @@ RSpec.describe "User Features" do
name: user.name, name: user.name,
email: user.email, email: user.email,
organisation: user.organisation.name, organisation: user.organisation.name,
link: "https://test.com/users/password/edit?reset_password_token=#{reset_password_token}", link: "http://localhost:3000/users/password/edit?reset_password_token=#{reset_password_token}",
}, },
}, },
) )

65
spec/requests/active_admin/devise/passwords_controller_spec.rb
Unescape View File

@ -0,0 +1,65 @@
require "rails_helper"
RSpec.describe ActiveAdmin::Devise::PasswordsController, type: :request do
let(:admin_user) { FactoryBot.create(:admin_user) }
let(:headers) { { "Accept" => "text/html" } }
let(:page) { Capybara::Node::Simple.new(response.body) }
let(:new_value) { "new-password" }
let(:notify_client) { instance_double(Notifications::Client) }
let(:devise_notify_mailer) { DeviseNotifyMailer.new }
before do
allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
allow(notify_client).to receive(:send_email).and_return(true)
end
describe "reset password" do
it "renders the user edit password view" do
_raw, enc = Devise.token_generator.generate(AdminUser, :reset_password_token)
get "/admin/password/edit?reset_password_token=#{enc}"
expect(page).to have_css("h2", text: "DLUHC CORE Change your password")
end
context "when passwords entered don't match" do
let(:raw) { admin_user.send_reset_password_instructions }
let(:params) do
{
id: admin_user.id,
admin_user: {
password: new_value,
password_confirmation: "something_else",
reset_password_token: raw,
},
}
end
it "shows an error" do
put "/admin/password", headers: headers, params: params
expect(response).to have_http_status(:unprocessable_entity)
expect(page).to have_content("doesn't match Password")
end
end
context "when passwords is reset" do
let(:raw) { admin_user.send_reset_password_instructions }
let(:params) do
{
id: admin_user.id,
admin_user: {
password: new_value,
password_confirmation: new_value,
reset_password_token: raw,
},
}
end
it "updates the password" do
expect {
put "/admin/password", headers: headers, params: params
admin_user.reload
}.to change(admin_user, :encrypted_password)
end
end
end
end
Write Preview
Loading…
Cancel
Save