From e5139749546d8b6531aea3f7aa797288fc68a652 Mon Sep 17 00:00:00 2001
From: Philippe Virouleau
Date: Mon, 10 Feb 2020 17:58:42 +0100
Subject: [PATCH] Mark user as recently authenticated upon signin

---
 WcaOnRails/app/controllers/sessions_controller.rb | 9 +++++++++
 WcaOnRails/spec/models/user_spec.rb | 2 +-
 WcaOnRails/spec/requests/users_spec.rb | 7 +++----
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/WcaOnRails/app/controllers/sessions_controller.rb b/WcaOnRails/app/controllers/sessions_controller.rb
index 765c5bf038..598d7469fd 100644
--- a/WcaOnRails/app/controllers/sessions_controller.rb
+++ b/WcaOnRails/app/controllers/sessions_controller.rb
@@ -23,6 +23,15 @@ def generate_email_otp
 render json: { status: "ok" }
 end
 
+ def create
+ # Overrides Devise's create sign in method and pass it a block executed
+ # after sign in, to mark use as recently authenticated upon sign in.
+ # See https://www.rubydoc.info/github/plataformatec/devise/Devise/SessionsController#create-instance_method
+ super do |resource|
+ session[:last_authenticated_at] = Time.now
+ end
+ end
+
 private
 
 def two_factor_enabled?
diff --git a/WcaOnRails/spec/models/user_spec.rb b/WcaOnRails/spec/models/user_spec.rb
index b6ff3c810c..d5bfdaf6aa 100644
--- a/WcaOnRails/spec/models/user_spec.rb
+++ b/WcaOnRails/spec/models/user_spec.rb
@@ -586,7 +586,7 @@
 let(:user) { FactoryBot.create(:user, password: "wca") }
 
 context "when the password is not given in the params" do
- it "updates the attributes if the current_password matches" do
+ it "updates the unconfirmed email" do
 user.update(email: "new@email.com")
 expect(user.reload.unconfirmed_email).to eq "new@email.com"
 end
diff --git a/WcaOnRails/spec/requests/users_spec.rb b/WcaOnRails/spec/requests/users_spec.rb
index 25932bb97a..f21f77da7a 100644
--- a/WcaOnRails/spec/requests/users_spec.rb
+++ b/WcaOnRails/spec/requests/users_spec.rb
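Review bot: The `create` override stores a `Time` object in `session[:last_authenticated_at]`; if the app uses Rails' default JSON cookie serializer, that value comes back as an ISO-8601 String on the next request, so whatever reads it to decide "recently authenticated" (outside this hunk) must parse it, or the controller should store an integer such as `session[:last_authenticated_at] = Time.now.to_i`. Since this same file defines `two_factor_enabled?`, it is also worth confirming that Devise only yields this block once the second factor has been satisfied, otherwise the password-only step would already count as a full recent authentication. Smaller points: the comment has a typo (`mark use as` should read `mark user as`), the block parameter is unused so `super do |_resource|` reads better, and Rails convention favours `Time.current` over `Time.now`. The spec comment in users_spec.rb calls the key `recently_authenticated_at` while this hunk sets `last_authenticated_at`; one of the two should be corrected so the names agree.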
@@ -26,10 +26,9 @@ it 'cannot change password when not recently authenticated' do
 user = FactoryBot.create :user
- # sign in
- post user_session_path, params: { 'user[login]' => user.email, 'user[password]' => user.password }
- follow_redirect!
- expect(response).to be_successful
+ # Using sign_in here instead of the post action, as it does *not* trigger setting the
+ # recently_authenticated_at session variable.
+ sign_in user
 get profile_edit_path
 expect(response).to be_successful