00eee29837
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form field will validate this in the browser, but if bots are creating identities, they can put whatever they want in here. So let's add some protection against that. The HtmlHelper regex was renamed here to avoid confusing Brakeman, which does imprecise constant lookup and was confusing the two constants, one of which uses `\A` and `\z` and the other does not (intentionally). ref: https://app.fizzy.do/5986089/cards/3276
50 lines
1.4 KiB
Ruby
50 lines
1.4 KiB
Ruby
require "test_helper"
|
|
|
|
class IdentityTest < ActiveSupport::TestCase
|
|
include ActionMailer::TestHelper
|
|
|
|
test "send_magic_link" do
|
|
identity = identities(:david)
|
|
|
|
assert_emails 1 do
|
|
magic_link = identity.send_magic_link
|
|
assert_not_nil magic_link
|
|
assert_equal identity, magic_link.identity
|
|
end
|
|
end
|
|
|
|
test "email address format validation" do
|
|
invalid_emails = [
|
|
"sam smith@example.com", # space in local part
|
|
"@example.com", # missing local part
|
|
"test@", # missing domain
|
|
"test", # missing @ and domain
|
|
"<script>@example.com", # angle brackets
|
|
"test@example.com\nX-Inject:" # newline (header injection attempt)
|
|
]
|
|
|
|
invalid_emails.each do |email|
|
|
identity = Identity.new(email_address: email)
|
|
assert_not identity.valid?, "expected #{email.inspect} to be invalid"
|
|
assert identity.errors[:email_address].any?, "expected error on email_address for #{email.inspect}"
|
|
end
|
|
end
|
|
|
|
test "join" do
|
|
identity = identities(:david)
|
|
account = accounts(:initech)
|
|
|
|
Current.without_account do
|
|
assert_difference "User.count", 1 do
|
|
identity.join(account)
|
|
end
|
|
|
|
user = account.users.find_by!(identity: identity)
|
|
|
|
assert_not_nil user
|
|
assert_equal identity, user.identity
|
|
assert_equal identity.email_address, user.name
|
|
end
|
|
end
|
|
end
|