CLDC-3838: Unlock users on password reset (#2898)

* CLDC-3838: Update devise settings to allow email unlock strategy * Try just explicitly doing the unlock on password reset * Add test for user being unlocked
5 days ago · fec5b77b2a
2 changed files with 14 additions and 1 deletions
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@ -35,7 +35,7 @@ class Auth::PasswordsController < Devise::PasswordsController
    yield resource if block_given?

    if resource.errors.empty?
-      resource.unlock_access! if unlockable?(resource)
+      resource.unlock_access! if resource.respond_to?(:unlock_access!)
      if Devise.sign_in_after_reset_password
        set_flash_message!(:notice, password_update_flash_message)
        resource.after_database_authentication
--- a/spec/requests/auth/passwords_controller_spec.rb
+++ b/spec/requests/auth/passwords_controller_spec.rb
@ -72,6 +72,19 @@ RSpec.describe Auth::PasswordsController, type: :request do
        follow_redirect!
        expect(page).to have_css("p", class: "govuk-notification-banner__heading", text: message)
      end
+
+      context "when the user had been locked out" do
+        let(:user) { create(:user, locked_at: Time.zone.now, failed_attempts: 5) }
+
+        it "after password change, unlocks the user account and signs them in" do
+          put "/account/password", params: update_password_params
+          follow_redirect!
+          user.reload
+          expect(user.locked_at).to be_nil
+          expect(user.failed_attempts).to be 0
+          expect(page).to have_content("Welcome back, #{user.name}")
+        end
+      end
    end
  end