features/developer_portal/buyer_password_reset.feature

-Original file line number
+Diff line change
@@ -0,0 +1,15 @@
+    Feature: Buyer signup
+      I want to reset my password as a buyer
+      Background:
+        Given a provider exists
+        And master has a application plan "enterprise"
+        And the provider account allows signups
+      @recaptcha
+      Scenario: Spam protection detects suspicious behavior
+        Given the provider has spam protection set to suspicious only
+        When the buyer wants to reset their password
+        Then 15 seconds pass
+        Then the buyer doesn't need to pass the captcha after reset password form is filled wrong
+        But the buyer will need to pass the captcha after reset password form is filled in too quickly

features/step_definitions/capcha_steps.rb

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,7 +3,7 @@ @@
     RECAPTCHA_SCRIPT = 'script[src^="https://www.google.com/recaptcha/api.js"]'
     Then /^I should not see the captcha$/ do
-      page.should_not have_selector(RECAPTCHA_SCRIPT)
+      page.should_not have_selector(RECAPTCHA_SCRIPT, visible: false)
     end
     Then /^I should see the captcha$/ do
@@ Expand Down @@

features/step_definitions/password_steps.rb

-Original file line number
+Diff line change
@@ Expand Up / @@ -37,3 +37,22 @@ def visit_url_in_email(email, subject) @@
     Then 'I should see the password confirmation error' do
       %q{I should see error "doesn't match Password" for field "Password confirmation"}
     end
+    When "the buyer wants to reset their password" do
+      step 'the current domain is foo.3scale.localhost'
+      step 'I go to the login page'
+      step 'I follow "Forgot password?"'
+    end
+    Then "the buyer doesn't need to pass the captcha after reset password form is filled wrong" do
+      fill_in("Email", with: "Invalid email")
+      click_on "Send instructions"
+      page.should_not have_selector(RECAPTCHA_SCRIPT, visible: false)
+    end
+    Then "the buyer will need to pass the captcha after reset password form is filled in too quickly" do
+      find('ol').find('#account_confirmation').set(1)
+      fill_in("Email", with: "zed@3scale.localhost")
+      click_on "Send instructions"
+      page.should have_selector(RECAPTCHA_SCRIPT, visible: false)
+    end

-Original file line number
+Diff line change
@@ Expand Up / @@ -46,13 +46,20 @@ def redirect_to_request_password(error_message) @@
       end
       def buyer
-        @buyer ||= @provider.buyers.build
+        @buyer ||= @provider.buyers.build do |account|
+          # We need to get all the account params to run the spam check
+          account.unflattened_attributes = account_params
+        end
       end
       def password_params
         params.require(:user).permit(:password, :password_confirmation)
       end
+      def account_params
+        params.fetch(:account, {})
+      end
       def find_user
         @token = params[:password_reset_token]
         @user = @provider.buyer_users.find_with_valid_password_token(@token)
@@ Expand Down @@

Fix spam protection in the reset password screen #3215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Feb 21, 2023

-Original file line number
+Diff line change
@@ -0,0 +1,15 @@
+    Feature: Buyer signup
+      I want to reset my password as a buyer
+      Background:
+        Given a provider exists
+        And master has a application plan "enterprise"
+        And the provider account allows signups
+      @recaptcha
+      Scenario: Spam protection detects suspicious behavior
+        Given the provider has spam protection set to suspicious only
+        When the buyer wants to reset their password
+        Then 15 seconds pass
+        Then the buyer doesn't need to pass the captcha after reset password form is filled wrong
+        But the buyer will need to pass the captcha after reset password form is filled in too quickly

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,7 +3,7 @@ @@
     RECAPTCHA_SCRIPT = 'script[src^="https://www.google.com/recaptcha/api.js"]'
     Then /^I should not see the captcha$/ do
-      page.should_not have_selector(RECAPTCHA_SCRIPT)
+      page.should_not have_selector(RECAPTCHA_SCRIPT, visible: false)
     end
     Then /^I should see the captcha$/ do
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -37,3 +37,22 @@ def visit_url_in_email(email, subject) @@
     Then 'I should see the password confirmation error' do
       %q{I should see error "doesn't match Password" for field "Password confirmation"}
     end
+    When "the buyer wants to reset their password" do
+      step 'the current domain is foo.3scale.localhost'
+      step 'I go to the login page'
+      step 'I follow "Forgot password?"'
+    end
+    Then "the buyer doesn't need to pass the captcha after reset password form is filled wrong" do
+      fill_in("Email", with: "Invalid email")
+      click_on "Send instructions"
+      page.should_not have_selector(RECAPTCHA_SCRIPT, visible: false)
+    end
+    Then "the buyer will need to pass the captcha after reset password form is filled in too quickly" do
+      find('ol').find('#account_confirmation').set(1)
+      fill_in("Email", with: "zed@3scale.localhost")
+      click_on "Send instructions"
+      page.should have_selector(RECAPTCHA_SCRIPT, visible: false)
+    end

-Original file line number
+Diff line change
@@ Expand Up / @@ -46,13 +46,20 @@ def redirect_to_request_password(error_message) @@
       end
       def buyer
-        @buyer ||= @provider.buyers.build
+        @buyer ||= @provider.buyers.build do |account|
+          # We need to get all the account params to run the spam check
+          account.unflattened_attributes = account_params
+        end
       end
       def password_params
         params.require(:user).permit(:password, :password_confirmation)
       end
+      def account_params
+        params.fetch(:account, {})
+      end
       def find_user
         @token = params[:password_reset_token]
         @user = @provider.buyer_users.find_with_valid_password_token(@token)
@@ Expand Down @@

Provide feedback