Files
fizzy/test/models/identity_test.rb
T
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00

50 lines
1.4 KiB
Ruby

require "test_helper"
class IdentityTest < ActiveSupport::TestCase
include ActionMailer::TestHelper
test "send_magic_link" do
identity = identities(:david)
assert_emails 1 do
magic_link = identity.send_magic_link
assert_not_nil magic_link
assert_equal identity, magic_link.identity
end
end
test "email address format validation" do
invalid_emails = [
"sam smith@example.com", # space in local part
"@example.com", # missing local part
"test@", # missing domain
"test", # missing @ and domain
"<script>@example.com", # angle brackets
"test@example.com\nX-Inject:" # newline (header injection attempt)
]
invalid_emails.each do |email|
identity = Identity.new(email_address: email)
assert_not identity.valid?, "expected #{email.inspect} to be invalid"
assert identity.errors[:email_address].any?, "expected error on email_address for #{email.inspect}"
end
end
test "join" do
identity = identities(:david)
account = accounts(:initech)
Current.without_account do
assert_difference "User.count", 1 do
identity.join(account)
end
user = account.users.find_by!(identity: identity)
assert_not_nil user
assert_equal identity, user.identity
assert_equal identity.email_address, user.name
end
end
end