Update to always return a pending auth token for JSON responses.
This commit is contained in:
committed by
Stanko K.R.
parent
fbf829b346
commit
6e8d6a3df0
@@ -125,12 +125,13 @@ class ApiTest < ActionDispatch::IntegrationTest
|
||||
end
|
||||
end
|
||||
|
||||
test "create session with invalid email via JSON" do
|
||||
test "create session with invalid email via JSON still returns token to prevent enumeration" do
|
||||
untenanted do
|
||||
assert_no_difference -> { Identity.count } do
|
||||
post session_path(format: :json), params: { email_address: "not-a-valid-email" }
|
||||
end
|
||||
assert_response :unprocessable_entity
|
||||
assert_response :created
|
||||
assert @response.parsed_body["pending_authentication_token"].present?
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
@@ -55,23 +55,18 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
|
||||
end
|
||||
end
|
||||
|
||||
assert_response :unprocessable_entity
|
||||
assert_redirected_to session_magic_link_path
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
test "create with invalid email address" do
|
||||
# Avoid Sentry exceptions when attackers try to stuff invalid emails. The browser performs form
|
||||
# field validation that should normally prevent this from occurring, so I'm not worried about
|
||||
# returning proper validation errors.
|
||||
without_action_dispatch_exception_handling do
|
||||
untenanted do
|
||||
assert_no_difference -> { Identity.count } do
|
||||
post session_path, params: { email_address: "not-a-valid-email" }
|
||||
end
|
||||
|
||||
assert_response :unprocessable_entity
|
||||
test "create with invalid email address still redirects to prevent enumeration" do
|
||||
untenanted do
|
||||
assert_no_difference -> { Identity.count } do
|
||||
post session_path, params: { email_address: "not-a-valid-email" }
|
||||
end
|
||||
|
||||
assert_redirected_to session_magic_link_path
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
Reference in New Issue
Block a user