Add reset api option on change password

ref rubygems#1951
spk · Jun 10, 2019 · d0d7d80 · d0d7d80
1 parent c50c5d1
commit d0d7d80
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 0 deletions.
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
@@ -9,6 +9,20 @@ def edit
     end
   end
 
+  def update
+    @user = find_user_for_update
+
+    if @user.update_password password_reset_params
+      @user.reset_api_key! if params[:password_reset] && params[:password_reset][:reset_api_key].in?([true, '1', 1])
+      sign_in @user
+      redirect_to url_after_update
+      session[:password_reset_token] = nil
+    else
+      flash_failure_after_update
+      render template: "passwords/edit"
+    end
+  end
+
   def mfa_edit
     if @user.mfa_enabled? && @user.otp_verified?(params[:otp])
       render template: 'passwords/edit'

diff --git a/app/views/passwords/edit.html.erb b/app/views/passwords/edit.html.erb
@@ -8,6 +8,10 @@
     <%= form.label :password, "Password", :class => 'form__label' %>
     <%= form.password_field :password, :class => 'form__input' %>
   </div>
+  <div class="form__checkbox">
+    <%= form.check_box :reset_api_key, :class => 'form__checkbox__input' %>
+    <%= form.label :reset_api_key, t('profiles.edit.api_access.reset'), :class => 'form__checkbox__label' %>
+  </div>
 
   <div class="form_bottom">
     <%= form.submit t('.submit'), :data => {:disable_with => t('form_disable_with')}, :class => 'form__submit' %>

diff --git a/test/functional/passwords_controller_test.rb b/test/functional/passwords_controller_test.rb
@@ -96,4 +96,66 @@ class PasswordsControllerTest < ActionController::TestCase
       end
     end
   end
+
+  context 'on PUT to update' do
+    setup do
+      @user = create(:user)
+      @api_key = @user.api_key
+      @old_encrypted_password = @user.encrypted_password
+    end
+
+    context "with reset_api_key and invalid password" do
+      setup do
+        put :update, params: {
+          user_id: @user.id,
+          token: @user.confirmation_token,
+          password_reset: { reset_api_key: '1', password: 'pass' }
+        }
+      end
+
+      should respond_with :success
+      should "not change api_key" do
+        assert(@user.reload.api_key == @api_key)
+      end
+      should "not change password" do
+        assert(@user.reload.encrypted_password == @old_encrypted_password)
+      end
+    end
+
+    context "without reset_api_key and valid password" do
+      setup do
+        put :update, params: {
+          user_id: @user.id,
+          token: @user.confirmation_token,
+          password_reset: { password: 'password1234' }
+        }
+      end
+
+      should respond_with :found
+      should "not change api_key" do
+        assert(@user.reload.api_key == @api_key)
+      end
+      should "change password" do
+        assert(@user.reload.encrypted_password != @old_encrypted_password)
+      end
+    end
+
+    context "with reset_api_key and valid password" do
+      setup do
+        put :update, params: {
+          user_id: @user.id,
+          token: @user.confirmation_token,
+          password_reset: { reset_api_key: '1', password: 'password1234' }
+        }
+      end
+
+      should respond_with :found
+      should "change api_key" do
+        assert(@user.reload.api_key != @api_key)
+      end
+      should "change password" do
+        assert(@user.reload.encrypted_password != @old_encrypted_password)
+      end
+    end
+  end
 end