Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code

Render a friendly error message when using an invalid email change token
This commit is contained in:
Stanko Krtalić
2025-12-03 20:06:24 +01:00
committed by GitHub
8 changed files with 48 additions and 32 deletions
@@ -3,6 +3,7 @@ require "test_helper"
class Users::EmailAddresses::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
setup do
@user = users(:david)
@old_email = @user.identity.email_address
@new_email = "newemail@example.com"
@token = @user.send(:generate_email_address_change_token, to: @new_email)
end
@@ -13,8 +14,6 @@ class Users::EmailAddresses::ConfirmationsControllerTest < ActionDispatch::Integ
end
test "create" do
old_email = @user.identity.email_address
post user_email_address_confirmation_path(user_id: @user.id, email_address_token: @token, script_name: @user.account.slug)
assert_equal @new_email, @user.reload.identity.email_address
@@ -22,8 +21,10 @@ class Users::EmailAddresses::ConfirmationsControllerTest < ActionDispatch::Integ
end
test "create with invalid token" do
assert_raises(ArgumentError) do
post user_email_address_confirmation_path(user_id: @user.id, email_address_token: "invalid", script_name: @user.account.slug)
end
post user_email_address_confirmation_path(user_id: @user.id, email_address_token: "invalid", script_name: @user.account.slug)
assert_equal @user.identity.email_address, @old_email
assert_response :unprocessable_entity
assert_match /Link expired/, response.body
end
end
@@ -7,6 +7,7 @@ class User::EmailAddressChangeableTest < ActiveSupport::TestCase
@identity = identities(:kevin)
@user = @identity.users.find_by!(account: accounts("37s"))
@new_email = "newart@example.com"
@old_email = @identity.email_address
end
test "send_email_address_change_confirmation" do
@@ -42,15 +43,15 @@ class User::EmailAddressChangeableTest < ActiveSupport::TestCase
end
test "change_email_address_using_token with invalid token" do
assert_raises(ArgumentError, match: /invalid/) do
@user.change_email_address_using_token("invalid_token")
end
assert_not @user.change_email_address_using_token("invalid_token")
assert_equal @old_email, @user.reload.identity.email_address
token = @user.send(:generate_email_address_change_token, to: @new_email)
@identity.update!(email_address: "different@example.com")
old_email = "#{SecureRandom.hex(16)}@example.com"
@identity.update!(email_address: old_email)
@user.reload
assert_raises(ArgumentError, match: /different email address/) do
@user.change_email_address_using_token(token)
end
assert_not @user.change_email_address_using_token(token)
assert_equal old_email, @user.reload.identity.email_address
end
end