Fix sending reset email for admins

app/mailers/devise_notify_mailer.rb

@@ -1,9 +1,6 @@
 class DeviseNotifyMailer < Devise::Mailer
   require "notifications/client"
 
-  RESET_PASSWORD_TEMPLATE_ID = "2c410c19-80a7-481c-a531-2bcb3264f8e6".freeze
-  SET_PASSWORD_TEMPLATE_ID   = "257460a6-6616-4640-a3f9-17c3d73d9e91".freeze
-
   def notify_client
     @notify_client ||= ::Notifications::Client.new(ENV["GOVUK_NOTIFY_API_KEY"])
   end
@@ -21,14 +18,14 @@ class DeviseNotifyMailer < Devise::Mailer
   end
 
   def reset_password_instructions(record, token, _opts = {})
-    template_id = record.last_sign_in_at ? RESET_PASSWORD_TEMPLATE_ID : SET_PASSWORD_TEMPLATE_ID
+    url = public_send("edit_#{record.class.name.underscore}_password_url")
     personalisation = {
-      name: record.name,
+      name: record.name || record.email,
       email: record.email,
-      organisation: record.organisation.name,
-      link: "https://#{host}/users/password/edit?reset_password_token=#{token}",
+      organisation: record.respond_to?(:organisation) ? record.organisation.name : "",
+      link: "#{url}?reset_password_token=#{token}",
     }
-    send_email(record.email, template_id, personalisation)
+    send_email(record.email, record.reset_password_notify_template, personalisation)
   end
 
   # def confirmation_instructions(record, token, _opts = {})

app/models/admin_user.rb

@@ -1,8 +1,8 @@
 class AdminUser < ApplicationRecord
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :omniauthable
   devise :two_factor_authenticatable, :database_authenticatable, :recoverable,
-         :rememberable, :validatable
+         :rememberable, :validatable, :trackable
 
   has_one_time_password(encrypted: true)
 
@@ -11,10 +11,15 @@ class AdminUser < ApplicationRecord
   validates :phone, presence: true, numericality: true
 
   MFA_SMS_TEMPLATE_ID = "bf309d93-804e-4f95-b1f4-bd513c48ecb0".freeze
+  RESET_PASSWORD_TEMPLATE_ID = "fbb2d415-b9b1-4507-ba0a-6e542fa3504d".freeze
 
   def send_two_factor_authentication_code(code)
     template_id = MFA_SMS_TEMPLATE_ID
     personalisation = { otp: code }
     Sms.send(phone, template_id, personalisation)
   end
+
+  def reset_password_notify_template
+    RESET_PASSWORD_TEMPLATE_ID
+  end
 end

app/models/user.rb

@@ -25,4 +25,11 @@ class User < ApplicationRecord
   def not_completed_case_logs
     case_logs.not_completed
   end
+
+  RESET_PASSWORD_TEMPLATE_ID = "2c410c19-80a7-481c-a531-2bcb3264f8e6".freeze
+  SET_PASSWORD_TEMPLATE_ID   = "257460a6-6616-4640-a3f9-17c3d73d9e91".freeze
+
+  def reset_password_notify_template
+    last_sign_in_at ? RESET_PASSWORD_TEMPLATE_ID : SET_PASSWORD_TEMPLATE_ID
+  end
 end

app/views/admin_users/reset_password.html.erb

@@ -0,0 +1,33 @@
+<% content_for :title, "Reset your password" %>
+
+<% content_for :before_content do %>
+  <%= govuk_back_link(
+    text: 'Back',
+    href: :back,
+  ) %>
+<% end %>
+
+<%= form_for(@admin_user, as: :admin_user, url: password_path(AdminUser), html: { method: :put }) do |f| %>
+  <%= f.hidden_field :reset_password_token %>
+  <div class="govuk-grid-row">
+    <div class="govuk-grid-column-two-thirds">
+      <%= f.govuk_error_summary %>
+
+      <h1 class="govuk-heading-l">
+        <%= content_for(:title) %>
+      </h1>
+
+      <%= f.govuk_password_field :password,
+        label: { text: "New password" },
+        hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
+        autocomplete: "new-password"
+      %>
+
+      <%= f.govuk_password_field :password_confirmation,
+        label: { text: "Confirm new password" }
+      %>
+
+      <%= f.govuk_submit "Update" %>
+    </div>
+  </div>
+<% end %>

db/migrate/20220216163601_add_trackable_to_admin_user.rb

@@ -0,0 +1,13 @@
+class AddTrackableToAdminUser < ActiveRecord::Migration[7.0]
+  def change
+    change_table :admin_users, bulk: true do |t|
+      t.string :name
+      ## Trackable
+      t.integer  :sign_in_count, default: 0, null: false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+    end
+  end
+end

db/schema.rb

@@ -30,6 +30,12 @@ ActiveRecord::Schema[7.0].define(version: 202202071123100) do
     t.datetime "direct_otp_sent_at", precision: nil
     t.datetime "totp_timestamp", precision: nil
     t.string "phone"
+    t.string "name"
+    t.integer "sign_in_count", default: 0, null: false
+    t.datetime "current_sign_in_at", precision: nil
+    t.datetime "last_sign_in_at", precision: nil
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
     t.index ["encrypted_otp_secret_key"], name: "index_admin_users_on_encrypted_otp_secret_key", unique: true
   end
 

spec/features/admin_user_spec.rb

@@ -0,0 +1,55 @@
+require "rails_helper"
+
+RSpec.describe "Admin Features" do
+  let!(:admin_user) { FactoryBot.create(:admin_user, last_sign_in_at: Time.zone.now) }
+  let(:notify_client) { instance_double(Notifications::Client) }
+  let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" }
+  let(:devise_notify_mailer) { DeviseNotifyMailer.new }
+
+  before do
+    allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
+    allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
+    allow(notify_client).to receive(:send_email).and_return(true)
+    allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token)
+  end
+
+  context "when the admin has forgotten their password" do
+    it " is redirected to the reset password page when they click the reset password link" do
+      visit("/admin")
+      click_link("Forgot your password?")
+      expect(page).to have_current_path("/admin/password/new")
+    end
+
+    it " is shown an error message if they submit without entering an email address" do
+      visit("/admin/password/new")
+      click_button("Reset My Password")
+      expect(page).to have_selector("#error_explanation")
+      expect(page).to have_content("can't be blank")
+    end
+
+    it " is redirected to admin login page after reset email is sent" do
+      visit("/admin/password/new")
+      fill_in("admin_user[email]", with: admin_user.email)
+      click_button("Reset My Password")
+      expect(page).to have_current_path("/admin/login")
+    end
+
+    it " is sent a reset password email via Notify" do
+      expect(notify_client).to receive(:send_email).with(
+        {
+          email_address: admin_user.email,
+          template_id: admin_user.reset_password_notify_template,
+          personalisation: {
+            name: admin_user.email,
+            email: admin_user.email,
+            organisation: "",
+            link: "http://localhost:3000/admin/password/edit?reset_password_token=#{reset_password_token}",
+          },
+        },
+      )
+      visit("/admin/password/new")
+      fill_in("admin_user[email]", with: admin_user.email)
+      click_button("Reset My Password")
+    end
+  end
+end

spec/features/organisation_spec.rb

@@ -5,7 +5,7 @@ RSpec.describe "User Features" do
   include Helpers
   let(:organisation) { user.organisation }
   let(:org_id) { organisation.id }
-  let(:set_password_template_id) { DeviseNotifyMailer::SET_PASSWORD_TEMPLATE_ID }
+  let(:set_password_template_id) { User::SET_PASSWORD_TEMPLATE_ID }
   let(:notify_client) { instance_double(Notifications::Client) }
   let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" }
   let(:devise_notify_mailer) { DeviseNotifyMailer.new }
@@ -13,7 +13,6 @@ RSpec.describe "User Features" do
   before do
     allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
     allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
-    allow(devise_notify_mailer).to receive(:host).and_return("test.com")
     allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token)
     allow(notify_client).to receive(:send_email).and_return(true)
     sign_in user
@@ -56,7 +55,7 @@ RSpec.describe "User Features" do
               name: "New User",
               email: "new_user@example.com",
               organisation: organisation.name,
-              link: "https://test.com/users/password/edit?reset_password_token=#{reset_password_token}",
+              link: "http://localhost:3000/users/password/edit?reset_password_token=#{reset_password_token}",
             },
           },
         )

spec/features/reset_password.html.erb

@@ -0,0 +1,33 @@
+<% content_for :title, "Reset your password" %>
+
+<% content_for :before_content do %>
+  <%= govuk_back_link(
+    text: 'Back',
+    href: :back,
+  ) %>
+<% end %>
+
+<%= form_for(@user, as: :user, url: password_path(User), html: { method: :put }) do |f| %>
+  <%= f.hidden_field :reset_password_token %>
+  <div class="govuk-grid-row">
+    <div class="govuk-grid-column-two-thirds">
+      <%= f.govuk_error_summary %>
+
+      <h1 class="govuk-heading-l">
+        <%= content_for(:title) %>
+      </h1>
+
+      <%= f.govuk_password_field :password,
+        label: { text: "New password" },
+        hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil,
+        autocomplete: "new-password"
+      %>
+
+      <%= f.govuk_password_field :password_confirmation,
+        label: { text: "Confirm new password" }
+      %>
+
+      <%= f.govuk_submit "Update" %>
+    </div>
+  </div>
+<% end %>

spec/features/user_spec.rb

@@ -2,7 +2,7 @@ require "rails_helper"
 
 RSpec.describe "User Features" do
   let!(:user) { FactoryBot.create(:user, last_sign_in_at: Time.zone.now) }
-  let(:reset_password_template_id) { DeviseNotifyMailer::RESET_PASSWORD_TEMPLATE_ID }
+  let(:reset_password_template_id) { User::RESET_PASSWORD_TEMPLATE_ID }
   let(:notify_client) { instance_double(Notifications::Client) }
   let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" }
   let(:devise_notify_mailer) { DeviseNotifyMailer.new }
@@ -10,7 +10,6 @@ RSpec.describe "User Features" do
   before do
     allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
     allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
-    allow(devise_notify_mailer).to receive(:host).and_return("test.com")
     allow(notify_client).to receive(:send_email).and_return(true)
     allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token)
   end
@@ -109,7 +108,7 @@ RSpec.describe "User Features" do
             name: user.name,
             email: user.email,
             organisation: user.organisation.name,
-            link: "https://test.com/users/password/edit?reset_password_token=#{reset_password_token}",
+            link: "http://localhost:3000/users/password/edit?reset_password_token=#{reset_password_token}",
           },
         },
       )

spec/requests/active_admin/devise/passwords_controller_spec.rb

@@ -0,0 +1,65 @@
+require "rails_helper"
+
+RSpec.describe ActiveAdmin::Devise::PasswordsController, type: :request do
+  let(:admin_user) { FactoryBot.create(:admin_user) }
+  let(:headers) { { "Accept" => "text/html" } }
+  let(:page) { Capybara::Node::Simple.new(response.body) }
+  let(:new_value) { "new-password" }
+  let(:notify_client) { instance_double(Notifications::Client) }
+  let(:devise_notify_mailer) { DeviseNotifyMailer.new }
+
+  before do
+    allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
+    allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
+    allow(notify_client).to receive(:send_email).and_return(true)
+  end
+
+  describe "reset password" do
+    it "renders the user edit password view" do
+      _raw, enc = Devise.token_generator.generate(AdminUser, :reset_password_token)
+      get "/admin/password/edit?reset_password_token=#{enc}"
+      expect(page).to have_css("h2", text: "DLUHC CORE Change your password")
+    end
+
+    context "when passwords entered don't match" do
+      let(:raw) { admin_user.send_reset_password_instructions }
+      let(:params) do
+        {
+          id: admin_user.id,
+          admin_user: {
+            password: new_value,
+            password_confirmation: "something_else",
+            reset_password_token: raw,
+          },
+        }
+      end
+
+      it "shows an error" do
+        put "/admin/password", headers: headers, params: params
+        expect(response).to have_http_status(:unprocessable_entity)
+        expect(page).to have_content("doesn't match Password")
+      end
+    end
+
+    context "when passwords is reset" do
+      let(:raw) { admin_user.send_reset_password_instructions }
+      let(:params) do
+        {
+          id: admin_user.id,
+          admin_user: {
+            password: new_value,
+            password_confirmation: new_value,
+            reset_password_token: raw,
+          },
+        }
+      end
+
+      it "updates the password" do
+        expect {
+          put "/admin/password", headers: headers, params: params
+          admin_user.reload
+        }.to change(admin_user, :encrypted_password)
+      end
+    end
+  end
+end