Git-3086 Tests (#3645)

* GIT-3086: Fixed the sessions persistent active state after a password update. + TODO: Tests. * GIT-3086: Fixed the sessions persistent active state after a password update (Fixes #3086). Co-authored-by: Ahmad Farhat <ahmad.af.farhat@gmail.com>

Git-3086 Tests (#3645)
931df614 · Khemissi Amir · GitHub · e22d0476 · 931df614 · 931df614
Unverified Commit 931df614 authored Aug 9, 2022 by Khemissi Amir Committed by GitHub Aug 9, 2022
--- a/spec/controllers/main_controller_spec.rb
+++ b/spec/controllers/main_controller_spec.rb
@@ -20,18 +20,78 @@ require "rails_helper"
 describe MainController, type: :controller do
  describe "GET #index" do
-    it "returns success" do
+    it "should have a  successful response for unauthenticated users" do
+      expect(session[:user_id]).to be_nil
      get :index
      expect(response).to be_successful
    end
-    it "redirects signed in user to their home page" do
+    context "redirects signed in user" do
-      user = create(:user)
+      before do
-      @request.session[:user_id] = user.id
+        @user = create(:user)
+        session[:user_id] = @user.id
+        freeze_time
+      end
+      context "to main room for valid sessions" do
+        def expectations(expected_activated_at: Time.zone.now)
+          expect(session[:user_id]).to eql(@user.id)
+          yield
          get :index
+          expect(session[:activated_at]).to eql(expected_activated_at.to_i)
+          expect(response).to redirect_to(@user.main_room)
+        end
+        context "for accounts with no password updates" do
+          it "and with nil activated_at" do
+              expectations {
+                expect(session[:activated_at].nil? && @user.last_pwd_update.nil?).to be
+              }
+          end
+          it "and with alerady updated activated_at" do
+            before_one_hour_stamp = (Time.zone.now - 1.hour).to_i
+            expectations(expected_activated_at: before_one_hour_stamp) {
+              session[:activated_at] = before_one_hour_stamp
+              expect(session[:activated_at].present? && @user.last_pwd_update.nil?).to be
+            }
+          end
+        end
+        it "after a password update" do
+          expectations {
+            @user.update last_pwd_update: Time.zone.now
+            session[:activated_at] = @user.last_pwd_update.to_i
+            expect(session[:activated_at].present? && @user.last_pwd_update.present?).to be
+          }
+        end
+      end
-      expect(response).to redirect_to(user.main_room)
+      context "to root path for invalid sessions" do
+        def expectations
+          expect(session[:user_id]).to eql(@user.id)
+          yield
+          get :index
+          expect(session[:user_id].nil? && session[:activated_at].nil?).to be
+          expect(flash[:alert]).to be_present
+          expect(response).to redirect_to(root_path)
+        end
+        before do
+          @user.update last_pwd_update: Time.zone.now
+        end
+        it "with nil activated_at" do
+          expectations {
+            expect(session[:activated_at].nil? && @user.last_pwd_update.present?).to be
+          }
+        end
+        it "with active sessions before latest password update" do
+          expectations {
+            session[:activated_at] = @user.last_pwd_update.to_i - 1
+            expect(session[:activated_at].present? && @user.last_pwd_update.present?).to be
+          }
+        end
+      end
    end
  end
 end
--- a/spec/controllers/password_resets_controller_spec.rb
+++ b/spec/controllers/password_resets_controller_spec.rb
@@ -33,14 +33,18 @@ end
 describe PasswordResetsController, type: :controller do
  def by_pass_terms_acceptance
+    old_terms = Rails.configuration.terms
    allow(Rails.configuration).to receive(:terms).and_return false
    res = yield
-    allow(Rails.configuration).to receive(:terms).and_return "This is a dummy text!"
+    allow(Rails.configuration).to receive(:terms).and_return(old_terms)
    res
  end
  before {
+    allow(Rails.configuration).to receive(:terms).and_return('This is a dummy text!!')
    @user = by_pass_terms_acceptance { create(:user, accepted_terms: false) }
  }
  describe "POST #create" do
    context "allow mail notifications" do
      before {
@@ -111,47 +115,46 @@ describe PasswordResetsController, type: :controller do
  describe "PATCH #update" do
    before do
      allow(Rails.configuration).to receive(:enable_email_verification).and_return(true)
-      by_pass_terms_acceptance { @user.update provider: "greenlight" }
+      @user = by_pass_terms_acceptance { create(:user, provider: "greenlight", accepted_terms: false) }
+      @user1 = by_pass_terms_acceptance { create(:user, provider: "greenlight", accepted_terms: false) }
    end
    context "valid user" do
-      it "reloads page with notice if password is empty" do
+      before do
-        token = @user.create_reset_digest
+        freeze_time
        allow(controller).to receive(:check_expiration).and_return(nil)
+        @before_one_sec_stamp = (Time.zone.now - 1.second).to_i
-        params = {
+        session[:activated_at] = @before_one_sec_stamp
-          id: token,
-          user: {
-            password: nil,
-          },
-        }
-        patch :update, params: params
-        expect(response).to render_template(:edit)
      end
-      it "reloads page with notice if password is confirmation doesn't match" do
+      context "if the password update is NOT a success it" do
-        token = @user.create_reset_digest
+        def expectations(password:, password_confirmation:)
-        allow(controller).to receive(:check_expiration).and_return(nil)
          params = {
-          id: token,
+            id: @user.create_reset_digest,
            user: {
-            password: :password,
+              password: password,
-            password_confirmation: nil,
+              password_confirmation: password_confirmation,
            },
          }
          patch :update, params: params
+          expect(session[:activated_at]).to eql(@before_one_sec_stamp)
+          expect(flash[:alert]).to be_present
          expect(response).to render_template(:edit)
        end
-      it "updates attributes if the password update is a success" do
+        it "renders :edit page with notice when password is empty" do
-        old_digest = @user.password_digest
+          expectations(password: '', password_confirmation: '')
+        end
-        allow(controller).to receive(:check_expiration).and_return(nil)
+        it "renders :edit page with notice when password confirmation mismatches" do
+          expectations(password: 'Example1!', password_confirmation: 'NotAnExample1!')
+        end
+      end
+      context "if the password update is a success" do
+        def expectations(user_id: nil)
+          session[:user_id] = user_id
          params = {
            id: @user.create_reset_digest,
            user: {
@@ -161,11 +164,27 @@ describe PasswordResetsController, type: :controller do
          }
          patch :update, params: params
          @user.reload
-        expect(old_digest.eql?(@user.password_digest)).to be false
+          expect(@user.last_pwd_update.to_i).to eql(Time.zone.now.to_i)
          expect(@user.reset_digest.nil? && @user.reset_sent_at.nil?).to be
+          expect(@user.authenticate('Example1!')).to be_truthy
+          expect(flash[:success]).to be_present
          expect(response).to redirect_to(root_path)
+          yield
+        end
+        it "does NOT update :activated_at for unauthenticated reset requests" do
+          expectations { expect(session[:activated_at]).to eql(@before_one_sec_stamp) }
+        end
+        context "for authenticated requests it" do
+          it "update :activated_at when reset for the same authenticated user" do
+            expectations(user_id: @user.id) { expect(session[:activated_at]).to eql(@user.last_pwd_update.to_i) }
+          end
+        end
+        it "does not update :activated_at when reset from another user" do
+          expectations(user_id: @user1.id) { expect(session[:activated_at]).to eql(@before_one_sec_stamp) }
+        end
      end
    end
  end

--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -96,9 +96,11 @@ describe SessionsController, type: :controller do
    before(:each) do
      @user1 = create(:user, provider: 'greenlight', password: 'Example1!', password_confirmation: 'example')
      @user2 = create(:user, password: 'Example1!', password_confirmation: "example")
+      session[:activated_at] = 1_626_184_775
    end
    it "should login user in if credentials valid" do
+      expect(session[:activated_at]).not_to eql(@user1.last_login.to_i)
      post :create, params: {
        session: {
          email: @user1.email,
@@ -106,7 +108,8 @@ describe SessionsController, type: :controller do
        },
      }
-      expect(@request.session[:user_id]).to eql(@user1.id)
+      expect(session[:user_id]).to eql(@user1.id)
+      expect(session[:activated_at]).to eql(@user1.reload.last_login.to_i)
    end
    it "should not login user in if credentials invalid" do
@@ -117,7 +120,8 @@ describe SessionsController, type: :controller do
        },
      }
-      expect(@request.session[:user_id]).to be_nil
+      expect(session[:user_id]).to be_nil
+      expect(session[:activated_at]).to eql(1_626_184_775)
    end
    it "should not login user in if account mismatch" do
@@ -129,6 +133,7 @@ describe SessionsController, type: :controller do
      }
      expect(@request.session[:user_id]).to be_nil
+      expect(session[:activated_at]).to eql(1_626_184_775)
    end
    it "should not login user if account is not verified" do
@@ -143,6 +148,7 @@ describe SessionsController, type: :controller do
      }
      expect(@request.session[:user_id]).to be_nil
+      expect(session[:activated_at]).to eql(1_626_184_775)
      # Expect to redirect to activation path since token is not known here
      expect(response.location.start_with?(account_activation_url(digest: @user3.activation_digest))).to be true
    end
@@ -150,7 +156,6 @@ describe SessionsController, type: :controller do
    it "should not login user if account is deleted" do
      user = create(:user, provider: "greenlight",
        password: "Example1!", password_confirmation: 'example')
      user.delete
      user.reload
      expect(user.deleted?).to be true
@@ -174,7 +179,7 @@ describe SessionsController, type: :controller do
      url = "http://test.host/test"
      @request.cookies[:return_to] = url
+      expect(@request.session[:activated_at]).not_to eql(user.last_login.to_i)
      post :create, params: {
        session: {
          email: user.email,
@@ -183,6 +188,7 @@ describe SessionsController, type: :controller do
      }
      expect(@request.session[:user_id]).to eql(user.id)
+      expect(@request.session[:activated_at]).to eql(user.reload.last_login.to_i)
      expect(response).to redirect_to(url)
    end
@@ -191,7 +197,7 @@ describe SessionsController, type: :controller do
        password: "Example1!", password_confirmation: 'example')
      @request.cookies[:return_to] = root_url
+      expect(@request.session[:activated_at]).not_to eql(user.last_login.to_i)
      post :create, params: {
        session: {
          email: user.email,
@@ -200,13 +206,14 @@ describe SessionsController, type: :controller do
      }
      expect(@request.session[:user_id]).to eql(user.id)
+      expect(@request.session[:activated_at]).to eql(user.reload.last_login.to_i)
      expect(response).to redirect_to(user.main_room)
    end
    it "redirects the user to their home room if return_to cookie doesn't exist" do
      user = create(:user, provider: "greenlight",
        password: "Example1!", password_confirmation: 'Example1!')
+      expect(@request.session[:activated_at]).not_to eql(user.last_login.to_i)
      post :create, params: {
        session: {
          email: user.email,
@@ -215,6 +222,7 @@ describe SessionsController, type: :controller do
      }
      expect(@request.session[:user_id]).to eql(user.id)
+      expect(@request.session[:activated_at]).to eql(user.reload.last_login.to_i)
      expect(response).to redirect_to(user.main_room)
    end
@@ -222,7 +230,7 @@ describe SessionsController, type: :controller do
      user = create(:user, provider: "greenlight",
        password: "Example1!", password_confirmation: 'example')
      user.set_role :super_admin
+      expect(@request.session[:activated_at]).not_to eql(user.last_login.to_i)
      post :create, params: {
        session: {
          email: user.email,
@@ -231,6 +239,7 @@ describe SessionsController, type: :controller do
      }
      expect(@request.session[:user_id]).to eql(user.id)
+      expect(@request.session[:activated_at]).to eql(user.reload.last_login.to_i)
      expect(response).to redirect_to(admins_path)
    end

--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -444,42 +444,60 @@ describe UsersController, type: :controller do
  end
  describe "POST #update_password" do
-    def params(mode = 0)
-      {
-        user: {
-          old_password: mode == 0 ? @user.password : "incorrect_password",
-          password: @password,
-          password_confirmation: mode == 2 ? "#{@password}_random_string" : @password,
-        }
-      }
-    end
    context "with 'terms and conditions' exist and without acceptance." do
      before do
        @user = create(:user, accepted_terms: false)
+        @password = "#{Faker::Internet.password(min_length: 8, mix_case: true, special_characters: true)}1aB+"
+        @datetime = Time.zone.now - 1.hours
        @request.session[:user_id] = @user.id
+        @request.session[:activated_at] = @datetime.to_i
        allow(Rails.configuration).to receive(:terms).and_return "This is a dummy text!"
-        @password = "#{Faker::Internet.password(min_length: 8, mix_case: true, special_characters: true)}1aB"
+        freeze_time
      end
-      it "properly updates users password" do
-        post :update_password, params: params.merge!(user_uid: @user)
+      def expectations(data = {})
+        params = {
+          user: {
+            old_password: data[:pwd] || "incorrect_password",
+            password: @password,
+            password_confirmation: data[:new_pwd_conf] || @password,
+          }
+        }
+        post :update_password, params: params.merge!(user_uid: @user.uid)
        @user.reload
+        yield
+      end
+      it "properly updates users password" do
+        expect(@user.last_pwd_update).to be_nil
+        expectations(pwd: @user.password) {
+          expect(@user.last_pwd_update.to_i).to eql(Time.zone.now.to_i)
+          expect(@request.session[:activated_at]).to eql(@user.last_pwd_update.to_i)
          expect(@user.authenticate(@password)).not_to be false
          expect(@user.errors).to be_empty
          expect(flash[:success]).to be_present
          expect(response).to redirect_to(change_password_path(@user))
+        }
      end
      it "doesn't update the users password if initial password is incorrect" do
-        post :update_password, params: params(1).merge!(user_uid: @user)
+        last_pwd_update_before = @user.last_pwd_update
-        @user.reload
+        expectations {
+          expect(@user.last_pwd_update.to_i).to eql(last_pwd_update_before.to_i)
+          expect(@request.session[:activated_at]).to eql(@datetime.to_i)
          expect(@user.authenticate(@password)).to be false
          expect(response).to render_template(:change_password)
+        }
      end
      it "doesn't update the users password if new passwords don't match" do
-        post :update_password, params: params(2).merge!(user_uid: @user)
+        last_pwd_update_before = @user.last_pwd_update
-        @user.reload
+        expectations(new_pwd_conf: "#{@password}_random_string") {
+          expect(@user.last_pwd_update.to_i).to eql(last_pwd_update_before.to_i)
+          expect(@request.session[:activated_at]).to eql(@datetime.to_i)
          expect(@user.authenticate(@password)).to be false
          expect(response).to render_template(:change_password)
+        }
      end
    end
  end