Merge pull request #614 from kmycode/upstream-20240227

Upstream 20240227
2024-02-27 10:15:06 +09:00 · 2024-02-27 10:15:06 +09:00 · 04b3f9fc4f
commit 04b3f9fc4f
parent 252ea948d5 78446fead4
120 changed files with 499 additions and 373 deletions
--- a/spec/controllers/auth/registrations_controller_spec.rb
+++ b/spec/controllers/auth/registrations_controller_spec.rb
@ -44,27 +44,93 @@ RSpec.describe Auth::RegistrationsController do
    end
  end

-  describe 'GET #update' do
-    let(:user) { Fabricate(:user) }
+  describe 'PUT #update' do
+    let(:current_password) { 'current password' }
+    let(:user) { Fabricate(:user, password: current_password) }

    before do
      request.env['devise.mapping'] = Devise.mappings[:user]
      sign_in(user, scope: :user)
-      post :update
    end

    it 'returns http success' do
+      put :update
      expect(response).to have_http_status(200)
    end

    it 'returns private cache control headers' do
+      put :update
      expect(response.headers['Cache-Control']).to include('private, no-store')
    end

+    it 'can update the user email' do
+      expect do
+        put :update, params: {
+          user: {
+            email: 'newemail@example.com',
+            current_password: current_password,
+          },
+        }
+        expect(response).to redirect_to(edit_user_registration_path)
+      end.to change { user.reload.unconfirmed_email }.to('newemail@example.com')
+    end
+
+    it 'requires the current password to update the email' do
+      expect do
+        put :update, params: {
+          user: {
+            email: 'newemail@example.com',
+            current_password: 'something',
+          },
+        }
+        expect(response).to have_http_status(200)
+      end.to_not(change { user.reload.unconfirmed_email })
+    end
+
+    it 'can update the user password' do
+      expect do
+        put :update, params: {
+          user: {
+            password: 'new password',
+            password_confirmation: 'new password',
+            current_password: current_password,
+          },
+        }
+        expect(response).to redirect_to(edit_user_registration_path)
+      end.to(change { user.reload.encrypted_password })
+    end
+
+    it 'requires the password confirmation' do
+      expect do
+        put :update, params: {
+          user: {
+            password: 'new password',
+            password_confirmation: 'something else',
+            current_password: current_password,
+          },
+        }
+        expect(response).to have_http_status(200)
+      end.to_not(change { user.reload.encrypted_password })
+    end
+
+    it 'requires the current password to update the password' do
+      expect do
+        put :update, params: {
+          user: {
+            password: 'new password',
+            password_confirmation: 'new password',
+            current_password: 'something',
+          },
+        }
+        expect(response).to have_http_status(200)
+      end.to_not(change { user.reload.encrypted_password })
+    end
+
    context 'when suspended' do
      let(:user) { Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }) }

      it 'returns http forbidden' do
+        put :update
        expect(response).to have_http_status(403)
      end
    end
--- a/spec/controllers/auth/sessions_controller_spec.rb
+++ b/spec/controllers/auth/sessions_controller_spec.rb
@ -414,15 +414,17 @@ RSpec.describe Auth::SessionsController do
  end

  describe 'GET #webauthn_options' do
+    subject { get :webauthn_options, session: { attempt_user_id: user.id } }
+
+    let!(:user) do
+      Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
+    end
+
    context 'with WebAuthn and OTP enabled as second factor' do
      let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http'}://#{Rails.configuration.x.web_domain}" }

      let(:fake_client) { WebAuthn::FakeClient.new(domain) }

-      let!(:user) do
-        Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
-      end
-
      before do
        user.update(webauthn_id: WebAuthn.generate_user_id)
        public_key_credential = WebAuthn::Credential.from_create(fake_client.create)
@ -436,9 +438,18 @@ RSpec.describe Auth::SessionsController do
      end

      it 'returns http success' do
-        get :webauthn_options
+        subject
+
        expect(response).to have_http_status 200
      end
    end
+
+    context 'when WebAuthn not enabled' do
+      it 'returns http unauthorized' do
+        subject
+
+        expect(response).to have_http_status 401
+      end
+    end
  end
 end
--- a/spec/requests/cache_spec.rb
+++ b/spec/requests/cache_spec.rb
@ -184,7 +184,7 @@ describe 'Caching behavior' do
        get '/users/alice'

        expect(response).to redirect_to('/@alice')
-        expect(response.headers['Vary']&.split(',')&.map { |x| x.strip.downcase }).to include('accept')
+        expect(response_vary_headers).to include('accept')
      end
    end