Files
fizzy/test/controllers/join_codes_controller_test.rb
T
Mike Dalessio 661a7e5e2d Validate email before creating identity during join code redemption
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

See similar change in #1996 for sign-in and sign-up
2025-12-07 13:26:34 -05:00

98 lines
3.3 KiB
Ruby

require "test_helper"
class JoinCodesControllerTest < ActionDispatch::IntegrationTest
setup do
@account = accounts("37s")
@join_code = account_join_codes(:"37s")
end
test "new" do
get join_path(code: @join_code.code, script_name: @account.slug)
assert_response :success
assert_in_body "37signals"
end
test "new with an invalid code" do
get join_path(code: "INVALID-CODE", script_name: @account.slug)
assert_response :not_found
end
test "new with an inactive code" do
@join_code.update!(usage_count: @join_code.usage_limit)
get join_path(code: @join_code.code, script_name: @account.slug)
assert_response :gone
assert_in_body "That code is all used up"
end
test "create" do
assert_difference -> { Identity.count }, 1 do
assert_difference -> { User.count }, 1 do
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "new_user@example.com" }
end
end
assert_redirected_to session_magic_link_url(script_name: nil)
assert_equal new_users_verification_url(script_name: @account.slug), session[:return_to_after_authenticating]
end
test "create for existing identity" do
identity = identities(:jz)
sign_in_as :jz
assert identity.users.exists?(account: @account), "JZ should be a member of 37s for this test"
assert identity.users.find_by!(account: @account).setup?, "JZ's user should be setup for this test"
assert_no_difference -> { Identity.count } do
assert_no_difference -> { User.count } do
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: identity.email_address }
end
end
assert_redirected_to landing_url(script_name: @account.slug)
end
test "create for signed-in identity without a user in the account redirects to verification" do
identity = identities(:mike)
sign_in_as :mike
assert_not identity.users.exists?(account: @account), "Mike should not be a member of 37s for this test"
assert_no_difference -> { Identity.count } do
assert_difference -> { User.count }, 1 do
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: identity.email_address }
end
end
assert_redirected_to new_users_verification_url(script_name: @account.slug)
end
test "create for different identity terminates existing session" do
sign_in_as :kevin
assert_difference -> { Identity.count }, 1 do
assert_difference -> { User.count }, 1 do
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "new_user@example.com" }
end
end
assert_redirected_to session_magic_link_url(script_name: nil)
assert_not_predicate cookies[:session_token], :present?
end
test "create with invalid email address" do
# Avoid Sentry exceptions when attackers try to stuff invalid emails into the system
without_action_dispatch_exception_handling do
assert_no_difference -> { Identity.count } do
assert_no_difference -> { User.count } do
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "not-a-valid-email" }
end
end
assert_response :unprocessable_entity
end
end
end