From d0ece49c24432e54159c73303f1ef57ba3edab5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?=
Date: Wed, 15 Feb 2023 18:17:46 +0100
Subject: [PATCH 1/6] Fix spam protection for the reset password screen
---
 .../buyer_password_reset.feature | 14 +++++++++++++
 features/step_definitions/password_steps.rb | 20 +++++++++++++++++++
 .../admin/account/passwords_controller.rb | 8 +++++++-
 3 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 features/developer_portal/buyer_password_reset.feature
diff --git a/features/developer_portal/buyer_password_reset.feature b/features/developer_portal/buyer_password_reset.feature
new file mode 100644
index 0000000000..566060e0b3
--- /dev/null
+++ b/features/developer_portal/buyer_password_reset.feature
@@ -0,0 +1,14 @@
+Feature: Buyer signup
+  I want to reset my password as a buyer
+
+  Background:
+    Given a provider exists
+    And master has a application plan "enterprise"
+    And the provider account allows signups
+
+  @recaptcha
+  Scenario: Spam protection detects suspicious behavior
+    Given the provider has spam protection set to suspicious only
+    When the buyer wants to reset their password
+    Then the buyer doesn't need to pass the captcha after reset password form is filled wrong
+    But the buyer will need to pass the captcha after reset password form is filled in too quickly
\ No newline at end of file
diff --git a/features/step_definitions/password_steps.rb b/features/step_definitions/password_steps.rb
index 065a23d7d1..f4c1ed28ce 100644
--- a/features/step_definitions/password_steps.rb
+++ b/features/step_definitions/password_steps.rb
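Review bot: The title `Feature: Buyer signup` does not describe this file; its only scenario exercises password reset, so `Feature: Buyer password reset` would keep the report and the filename in agreement. In the Background, `a application plan` should read `an application plan` if that step text is free-form rather than matched verbatim by an existing step definition.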
@@ -37,3 +37,23 @@ def visit_url_in_email(email, subject)
 Then 'I should see the password confirmation error' do
 %q{I should see error "doesn't match Password" for field "Password confirmation"}
 end
+
+When "the buyer wants to reset their password" do
+  step 'the current domain is foo.3scale.localhost'
+  step 'I go to the login page'
+  step 'I follow "Forgot password?"'
+end
+
+Then "the buyer doesn't need to pass the captcha after reset password form is filled wrong" do
+  step %(15 seconds pass)
+  step %(I fill in "Email" with "invalid email")
+  step %(I press "Send instructions")
+  step %(I should not see the captcha)
+end
+
+Then "the buyer will need to pass the captcha after reset password form is filled in too quickly" do
+  find('ol').find('#account_confirmation').set(1)
+  step %(I fill in "Email" with "zed@3scale.localhost")
+  step %(I press "Send instructions")
+  step %(I should see the captcha)
+end
diff --git a/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb b/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
index e8e8d2679b..5b210c17f7 100644
--- a/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
+++ b/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
@@ -46,13 +46,19 @@ def redirect_to_request_password(error_message)
 end
 def buyer
-    @buyer ||= @provider.buyers.build
+    @buyer ||= @provider.buyers.build.tap do |account|
+      account.unflattened_attributes = spam_protection_params
+    end
 end
 def password_params
 params.require(:user).permit(:password, :password_confirmation)
 end
+
+    def spam_protection_params
+      params.fetch(:account, {})
+    end
+
 def find_user
 @token = params[:password_reset_token]
 @user = @provider.buyer_users.find_with_valid_password_token(@token)
From 4695436fd4bb321f0751b6b73f591709463ec760 Mon Sep 17 00:00:00 2001
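Review bot: The step named `…filled in too quickly` does not by itself do anything quickly; what distinguishes it from the step above is `find('ol').find('#account_confirmation').set(1)`, which looks like a hidden honeypot input being filled rather than a timing signal. A one-line comment stating which spam-protection signal the step relies on would save the next reader a trip into the spam check, e.g. `# fills the hidden honeypot field; a real visitor never sees it, so the check must flag this as suspicious — confirm field name`. If the immediate second submission is also part of what "too quickly" means, say so in the same comment.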
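Review bot: `spam_protection_params` returns `params.fetch(:account, {})` with no `permit`, and `buyer` assigns that whole hash to the new record through `unflattened_attributes=`, so anything the client sends under `account[...]` reaches the model. I cannot see `unflattened_attributes=` from here; if it only reads the spam-protection inputs this is harmless, but a permit list naming exactly the fields the spam check consumes would make that explicit and would keep an unpermitted `ActionController::Parameters` away from `assign_attributes`, which raises `ActiveModel::ForbiddenAttributesError`. As far as this hunk shows the built buyer is never saved, which limits the impact, and a comment recording that would help, e.g. `# built, never persisted: only exists to run the spam check on the reset form`. The same lines are reworked by the PATCH 5/6 hunks below (`account_params`, `build do … end`) and the remark carries over to them.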
From: =?UTF-8?q?Joan=20Lled=C3=B3?=
Date: Thu, 16 Feb 2023 14:02:26 +0100
Subject: [PATCH 2/6] Fix captcha steps: assertions were wrong
---
 features/step_definitions/capcha_steps.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/features/step_definitions/capcha_steps.rb b/features/step_definitions/capcha_steps.rb
index 1a1a89c06a..2a0cb1daf4 100644
--- a/features/step_definitions/capcha_steps.rb
+++ b/features/step_definitions/capcha_steps.rb
@@ -3,7 +3,7 @@
 RECAPTCHA_SCRIPT = 'script[src^="https://www.google.com/recaptcha/api.js"]'
 Then /^I should not see the captcha$/ do
-  page.should_not have_selector(RECAPTCHA_SCRIPT)
+  page.should_not have_selector(RECAPTCHA_SCRIPT, visible: false)
 end
 Then /^I should see the captcha$/ do
From 2eaeb1dd7f370f1d332a8a1db7082ae9392aa3ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?=
Date: Thu, 16 Feb 2023 14:11:28 +0100
Subject: [PATCH 3/6] Cukes: Password: avoid calling steps from steps
---
 .../developer_portal/buyer_password_reset.feature | 1 +
 features/step_definitions/password_steps.rb | 13 ++++++-------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/features/developer_portal/buyer_password_reset.feature b/features/developer_portal/buyer_password_reset.feature
index 566060e0b3..ec5874bc29 100644
--- a/features/developer_portal/buyer_password_reset.feature
+++ b/features/developer_portal/buyer_password_reset.feature
@@ -10,5 +10,6 @@ Feature: Buyer signup
 Scenario: Spam protection detects suspicious behavior
 Given the provider has spam protection set to suspicious only
 When the buyer wants to reset their password
+    Then 15 seconds pass
 Then the buyer doesn't need to pass the captcha after reset password form is filled wrong
 But the buyer will need to pass the captcha after reset password form is filled in too quickly
\ No newline at end of file
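Review bot: The reason for `visible: false` deserves a comment, because the next reader will see a `<script>` selector checked for visibility and wonder; Capybara never treats `<script>` elements as visible, so the old negative assertion passed vacuously and the new one is the first that actually inspects the DOM, e.g. `# <script> is never "visible" to Capybara; without visible: false this passes even when the widget is present`. The positive step `I should see the captcha` starts on the last line of this hunk and its body is outside it; it needs the same option, since `should have_selector(RECAPTCHA_SCRIPT)` without it cannot match a script element.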
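Review bot: `Then 15 seconds pass` is a setup action rather than an expected outcome, so after the `When` above it reads better as `And 15 seconds pass`. A short comment above the scenario saying why the pause precedes the first submission and what "too quickly" refers to in the last step would spare readers a look at the step definitions.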
diff --git a/features/step_definitions/password_steps.rb b/features/step_definitions/password_steps.rb
index f4c1ed28ce..90deae8297 100644
--- a/features/step_definitions/password_steps.rb
+++ b/features/step_definitions/password_steps.rb
@@ -45,15 +45,14 @@ def visit_url_in_email(email, subject)
 end
 Then "the buyer doesn't need to pass the captcha after reset password form is filled wrong" do
-  step %(15 seconds pass)
-  step %(I fill in "Email" with "invalid email")
-  step %(I press "Send instructions")
-  step %(I should not see the captcha)
+  fill_in("Email", with: "Invalid email")
+  click_on "Send instructions"
+  page.should_not have_selector(RECAPTCHA_SCRIPT, visible: false)
 end
 Then "the buyer will need to pass the captcha after reset password form is filled in too quickly" do
 find('ol').find('#account_confirmation').set(1)
-  step %(I fill in "Email" with "zed@3scale.localhost")
-  step %(I press "Send instructions")
-  step %(I should see the captcha)
+  fill_in("Email", with: "zed@3scale.localhost")
+  click_on "Send instructions"
+  page.should have_selector(RECAPTCHA_SCRIPT, visible: false)
 end
From 8beac624d12c1f3cc3cb288e42919bae3c114052 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?=
Date: Mon, 20 Feb 2023 09:53:35 +0100
Subject: [PATCH 4/6] Add new line at the end: care about coworkers mental health.
---
 features/developer_portal/buyer_password_reset.feature | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/features/developer_portal/buyer_password_reset.feature b/features/developer_portal/buyer_password_reset.feature
index ec5874bc29..2d454f3032 100644
--- a/features/developer_portal/buyer_password_reset.feature
+++ b/features/developer_portal/buyer_password_reset.feature
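Review bot: Both steps now assert on `RECAPTCHA_SCRIPT` directly, which duplicates what `I should (not) see the captcha` in capcha_steps.rb already checks and ties this file to a constant defined over there; a small shared helper in capcha_steps.rb would keep a single definition of what "seeing the captcha" means. The assertions also use the legacy `should`/`should_not` syntax, where `expect(page).not_to have_selector(RECAPTCHA_SCRIPT, visible: false)` and `expect(page).to have_selector(RECAPTCHA_SCRIPT, visible: false)` is the current form. The `When "the buyer wants to reset their password"` step above this hunk still drives the page through `step` calls, which is what the commit title sets out to remove.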
@@ -12,4 +12,4 @@ Feature: Buyer signup
 When the buyer wants to reset their password
 Then 15 seconds pass
 Then the buyer doesn't need to pass the captcha after reset password form is filled wrong
-    But the buyer will need to pass the captcha after reset password form is filled in too quickly
\ No newline at end of file
+    But the buyer will need to pass the captcha after reset password form is filled in too quickly
From 4a9639ff8013fcdd5714493321fd52cf0653d1b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?=
Date: Mon, 20 Feb 2023 10:05:26 +0100
Subject: [PATCH 5/6] Dev. port. Forgot password screen: rename account params sanitizer
---
 .../developer_portal/admin/account/passwords_controller.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb b/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
index 5b210c17f7..6cda92a18f 100644
--- a/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
+++ b/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
@@ -47,7 +47,8 @@ def redirect_to_request_password(error_message)
 def buyer
 @buyer ||= @provider.buyers.build.tap do |account|
-      account.unflattened_attributes = spam_protection_params
+      # We need to get all the account params to run the spam check
+      account.unflattened_attributes = account_params
 end
 end
@@ -55,7 +56,7 @@ def password_params
 params.require(:user).permit(:password, :password_confirmation)
 end
-    def spam_protection_params
+    def account_params
 params.fetch(:account, {})
 end
From 3b787766b2c3fd4f98ff5bed219ea33ddc446507 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?=
Date: Mon, 20 Feb 2023 10:08:49 +0100
Subject: [PATCH 6/6] Dev. Port. Forgot password: Remove superfluous tap
---
 .../developer_portal/admin/account/passwords_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb b/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
index 6cda92a18f..0c23f609b2 100644
--- a/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
+++ b/lib/developer_portal/app/controllers/developer_portal/admin/account/passwords_controller.rb
@@ -46,7 +46,7 @@ def redirect_to_request_password(error_message)
 end
 def buyer
-    @buyer ||= @provider.buyers.build.tap do |account|
+    @buyer ||= @provider.buyers.build do |account|
 # We need to get all the account params to run the spam check
 account.unflattened_attributes = account_params
 end
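Review bot: Passing the block to `build` is not quite a drop-in for `.tap`: ActiveRecord yields the new record from `initialize`, before `after_initialize` callbacks run, whereas `tap` ran after construction had finished. That is probably fine here, but if `Account` has an `after_initialize` that reads the attributes assigned in the block, their order relative to it just changed; a one-line comment would record the intent, e.g. `# block runs inside initialize, before after_initialize callbacks`. The last line of the hunk is the block's `end`; the closing `end` of `buyer` itself is outside it.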