From fec5b77b2a78d5d14e822c23b2d32f3d3e7abe75 Mon Sep 17 00:00:00 2001
From: Rachael Booth <Rachael.Booth@softwire.com>
Date: Tue, 21 Jan 2025 17:40:14 +0000
Subject: [PATCH] CLDC-3838: Unlock users on password reset (#2898)

* CLDC-3838: Update devise settings to allow email unlock strategy

* Try just explicitly doing the unlock on password reset

* Add test for user being unlocked
---
 app/controllers/auth/passwords_controller.rb    |  2 +-
 spec/requests/auth/passwords_controller_spec.rb | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb
index a990325f9..9a281df16 100644
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -35,7 +35,7 @@ class Auth::PasswordsController < Devise::PasswordsController
     yield resource if block_given?
 
     if resource.errors.empty?
-      resource.unlock_access! if unlockable?(resource)
+      resource.unlock_access! if resource.respond_to?(:unlock_access!)
       if Devise.sign_in_after_reset_password
         set_flash_message!(:notice, password_update_flash_message)
         resource.after_database_authentication
diff --git a/spec/requests/auth/passwords_controller_spec.rb b/spec/requests/auth/passwords_controller_spec.rb
index 2685e19ab..3c0788cd5 100644
--- a/spec/requests/auth/passwords_controller_spec.rb
+++ b/spec/requests/auth/passwords_controller_spec.rb
@@ -72,6 +72,19 @@ RSpec.describe Auth::PasswordsController, type: :request do
         follow_redirect!
         expect(page).to have_css("p", class: "govuk-notification-banner__heading", text: message)
       end
+
+      context "when the user had been locked out" do
+        let(:user) { create(:user, locked_at: Time.zone.now, failed_attempts: 5) }
+
+        it "after password change, unlocks the user account and signs them in" do
+          put "/account/password", params: update_password_params
+          follow_redirect!
+          user.reload
+          expect(user.locked_at).to be_nil
+          expect(user.failed_attempts).to be 0
+          expect(page).to have_content("Welcome back, #{user.name}")
+        end
+      end
     end
   end