Commit Graph

87 Commits (82161d8ae54b94be701cba600536d87957361cea)

Author SHA1 Message Date
Matt Jankowski 6b6a80b407
Remove `body_as_json` in favor of built-in `response.parsed_body` for JSON response specs (#31749) 2024-09-06 09:58:46 +00:00
Matt Jankowski e1b5f3fc6f
Use `response.parsed_body` for html response checks (#31750) 2024-09-04 17:29:05 +00:00
Matt Jankowski f1003b2560
Enable "zero monkey patching" mode in RSpec (#31614) 2024-09-04 05:12:25 +00:00
Matt Jankowski f1300ad284
Rename jobs/attachments rspec tag names (#29762) 2024-07-08 16:01:08 +00:00
Damien Mathieu 1540f42522
Better tests for auth/registrations#update (#29303) 2024-02-26 16:09:56 +00:00
Wolfgang Fournès d51c3ac087
Add a missing spec to `SessionsController#webauthn_options` (#29277) 2024-02-26 16:09:40 +00:00
Matt Jankowski 64f9939e39
Use `capture_emails` helper to improve email assertions in specs (#29245) 2024-02-19 15:57:47 +00:00
Matt Jankowski 3454fcbd71
Reduce round trips in auth/sessions spec (#29233) 2024-02-16 13:38:49 +00:00
Claire e2d9635074
Add notification email on invalid second authenticator (#28822) 2024-01-22 13:55:43 +00:00
Claire 3593ee2e36
Add rate-limit of TOTP authentication attempts at controller level (#28801) 2024-01-19 12:19:49 +00:00
Claire e621c1c44c
Fix registrations not checking MX records for email domain blocks requiring approval (#28608) 2024-01-15 17:10:57 +00:00
Matt Jankowski 00341c70ff
Use Sidekiq `fake!` instead of `inline!` in specs (#25369) 2024-01-10 11:06:58 +00:00
Claire dfdadb92e8
Add ability to require approval when users sign up using specific email domains (#28468) 2024-01-04 09:07:05 +00:00
Matt Jankowski 513d35969e
Fix `RSpec/LetSetup` cop in auth controller specs (#28464) 2023-12-22 08:03:59 +00:00
Claire 6fed0fcbaa
Remove unneeded settings cleanup from specs (#28425) 2023-12-19 15:17:22 +00:00
Matt Jankowski b2c5b20ef2
Fix `RSpec/AnyInstance` cop (#27810) 2023-11-14 14:52:59 +00:00
Matt Jankowski 69d00e2721
Fix `RSpec/InstanceVariable` cop (#27766) 2023-11-08 15:42:30 +00:00
Matt Jankowski e545978076
Use framework helpers instead of i-vars in controller specs (#27767) 2023-11-08 08:17:43 +00:00
Matt Jankowski 2e6bf60f15
Use `deliveries.size` in mailer-related examples in controller specs (#27589) 2023-10-27 15:33:52 +00:00
Matt Jankowski 6c5a2233a8
Fix `RSpec/StubbedMock` cop (#25552)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-07-12 10:20:10 +02:00
Matt Jankowski 05f9e39b32
Fix `RSpec/VerifiedDoubles` cop (#25469) 2023-06-22 14:55:22 +02:00
Matt Jankowski 6c0e3f490a
Fix RSpec/MissingExampleGroupArgument cop (#25310) 2023-06-06 15:51:42 +02:00
Matt Jankowski 0f2c16ac4b
Fix RSpec/NoExpectationExample cop (#25103) 2023-05-26 09:41:12 +02:00
Matt Jankowski 604e1c2b11
Remove usage of random sample values in specs (#24869) 2023-05-15 20:20:13 +02:00
Matt Jankowski a610a02d4f
Fix RSpec/ScatteredSetup cop (#24848) 2023-05-11 10:32:09 +02:00
Matt Jankowski c97b611b6b
Fix RSpec/InferredSpecType cop (#24736) 2023-05-04 05:49:53 +02:00
Matt Jankowski 710745e16b
Fix RSpec/ContextWording cop (#24739) 2023-05-04 05:49:08 +02:00
Matt Jankowski d00e45a7d3
Fix Rails/I18nLocaleAssignment cop (#24693) 2023-04-30 14:07:03 +02:00
Eugen Rochko e98c86050a
Refactor `Cache-Control` and `Vary` definitions (#24347) 2023-04-19 16:07:29 +02:00
Matt Jankowski 688287c59d
Coverage improvement round-out following up previous work (#23987) 2023-03-10 13:33:30 +01:00
Nick Schonning 84cc805cae
Enable Style/FrozenStringLiteralComment for specs (#23790) 2023-02-22 09:55:31 +09:00
Nick Schonning 5116347eb7
Autofix Rubocop RSpec/BeEq (#23740) 2023-02-20 06:14:50 +01:00
Nick Schonning 4552685f6b
Autofix Rubocop RSpec/LeadingSubject (#23670) 2023-02-20 13:24:14 +09:00
Nick Schonning aef0051fd0
Enable Rubocop HTTP status rules (#23717) 2023-02-20 11:16:40 +09:00
Nick Schonning 81ad6c2e39
Autofix Rubocop Style/StringLiterals (#23695) 2023-02-19 07:38:14 +09:00
Nick Schonning 634368c491
Autofix Rubocop Lint/SymbolConversion (#23683) 2023-02-18 03:23:49 +01:00
Nick Schonning 669f6d2c0a
Run rubocop formatting except line length (#23632) 2023-02-18 06:56:20 +09:00
Francis Murillo 5fb1c3e934
Revoke all authorized applications on password reset (#21325)
* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset paassword controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15 15:47:06 +01:00
Claire 327eed0076
Fix suspicious sign-in mails never being sent (#18599)
* Add tests

* Fix suspicious sign-in mails never being sent
2022-06-21 15:16:22 +02:00
Eugen Rochko 6221b36b27
Remove sign-in token authentication, instead send e-mail about new sign-in (#17970) 2022-04-06 20:58:12 +02:00
Claire e38fc319dc
Refactor and improve tests (#17386)
* Change account and user fabricators to simplify and improve tests

- `Fabricate(:account)` implicitly fabricates an associated `user` if
  no `domain` attribute is given (an account with `domain: nil` is
  considered a local account, but no user record was created), unless
  `user: nil` is passed
- `Fabricate(:account, user: Fabricate(:user))` should still be possible
  but is discouraged.

* Fix and refactor tests

- avoid passing unneeded attributes to `Fabricate(:user)` or
  `Fabricate(:account)`
- avoid embedding `Fabricate(:user)` into a `Fabricate(:account)` or the other
  way around
- prefer `Fabricate(:user, account_attributes: …)` to
  `Fabricate(:user, account: Fabricate(:account, …)`
- also, some tests were using remote accounts with local user records, which is
  not representative of production code.
2022-01-28 00:46:42 +01:00
Eugen Rochko 8e84ebf0cb
Remove IP tracking columns from users table (#16409) 2022-01-16 13:23:50 +01:00
Claire 24f9ea7818
Fix webauthn secure key authentication (#16792)
* Add tests

* Fix webauthn secure key authentication

Fixes #16769
2021-09-30 05:26:29 +02:00
Claire 94bcf45321
Fix authentication failures after going halfway through a sign-in attempt (#16607)
* Add tests

* Add security-related tests

My first (unpublished) attempt at fixing the issues introduced (extremely
hard-to-exploit) security vulnerabilities, addressing them in a test.

* Fix authentication failures after going halfway through a sign-in attempt

* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
2021-08-25 22:52:41 +02:00
Claire 8c44b723bb
Change confirmations controller to redirect to / for approved users (#16151)
Clicking the confirmation link multiple times currently leads to entering
account settings, which can be confusing. This commit changes that so that
it redirects to the root path, so it behaves the same way as clicking only
once in most cases.
2021-05-03 15:45:19 +02:00
Eugen Rochko 9aa37b32c3
Add `details` to error response for `POST /api/v1/accounts` in REST API (#15803) 2021-03-01 04:59:13 +01:00
ThibG 1cf2c3a810
Fix external user creation failing when invite request text is required (#15405)
* Fix external user creation failing when invite request text is required

Also fixes tootctl-based user creation.

* Add test about invites when invite request text is otherwise required

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-22 17:14:32 +01:00
ThibG 49eb4d4ddf
Add honeypot fields and minimum fill-out time for sign-up form (#15276)
* Add honeypot fields to limit non-specialized spam

Add two honeypot fields: a fake website input and a fake password confirmation
one. The label/placeholder/aria-label tells not to fill them, and they are
hidden in CSS, so legitimate users should not fall into these.

This should cut down on some non-Mastodon-specific spambots.

* Require a 3 seconds delay before submitting the registration form

* Fix tests

* Move registration form time check to model validation

* Give people a chance to clear the honeypot fields

* Refactor honeypot translation strings

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10 06:27:26 +01:00
Eugen Rochko 8532429af7
Fix 2FA/sign-in token sessions being valid after password change (#14802)
If someone tries logging in to an account and is prompted for a 2FA
code or sign-in token, even if the account's password or e-mail is
updated in the meantime, the session will show the prompt and allow
the login process to complete with a valid 2FA code or sign-in token
2020-11-12 23:05:01 +01:00
Eugen Rochko ed099d8bdc
Change account suspensions to be reversible by default (#14726) 2020-09-15 14:37:58 +02:00