Mark user as recently authenticated upon signin

thewca · Feb 10, 2020 · 48c8c6d · 48c8c6d
1 parent 016d37b
commit 48c8c6d
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/WcaOnRails/app/controllers/sessions_controller.rb b/WcaOnRails/app/controllers/sessions_controller.rb
@@ -23,6 +23,15 @@ def generate_email_otp
     render json: { status: "ok" }
   end
 
+  def create
+    # Overrides Devise's create sign in method and pass it a block executed
+    # after sign in, to mark use as recently authenticated upon sign in.
+    # See https://www.rubydoc.info/github/plataformatec/devise/Devise/SessionsController#create-instance_method
+    super do |resource|
+      session[:last_authenticated_at] = Time.now
+    end
+  end
+
   private
 
   def two_factor_enabled?

diff --git a/WcaOnRails/spec/models/user_spec.rb b/WcaOnRails/spec/models/user_spec.rb
@@ -586,7 +586,7 @@
     let(:user) { FactoryBot.create(:user, password: "wca") }
 
     context "when the password is not given in the params" do
-      it "updates the attributes if the current_password matches" do
+      it "updates the unconfirmed email" do
         user.update(email: "new@email.com")
         expect(user.reload.unconfirmed_email).to eq "new@email.com"
       end

diff --git a/WcaOnRails/spec/requests/users_spec.rb b/WcaOnRails/spec/requests/users_spec.rb
@@ -26,10 +26,9 @@
   it 'cannot change password when not recently authenticated' do
     user = FactoryBot.create :user
 
-    # sign in
-    post user_session_path, params: { 'user[login]' => user.email, 'user[password]' => user.password }
-    follow_redirect!
-    expect(response).to be_successful
+    # Using sign_in here instead of the post action, as it does *not* trigger setting the
+    # recently_authenticated_at session variable.
+    sign_in user
     get profile_edit_path
     expect(response).to be_successful