Added recaptcha to reset password if enabled (#2475)

2021-01-26 19:44:23 -05:00 · 2021-01-26 19:44:23 -05:00 · 6ee92c839b
parent b8575bd512
commit 6ee92c839b
4 changed files with 60 additions and 10 deletions
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@ -23,13 +23,14 @@ class PasswordResetsController < ApplicationController
  before_action :find_user, only: [:edit, :update]
  before_action :check_expiration, only: [:edit, :update]

-  # POST /password_resets/new
+  # GET /password_resets/new
  def new
  end

  # POST /password_resets
  def create
-    begin
+    return redirect_to new_password_reset_path, flash: { alert: I18n.t("reset_password.captcha") } unless valid_captcha
+
    # Check if user exists and throw an error if he doesn't
    @user = User.find_by!(email: params[:password_reset][:email].downcase, provider: @user_domain)

@ -39,7 +40,6 @@ class PasswordResetsController < ApplicationController
    # User doesn't exist
    redirect_to root_path, flash: { success: I18n.t("email_sent", email_type: t("reset_password.subtitle")) }
  end
-  end

  # GET /password_resets/:id/edit
  def edit
@ -84,4 +84,10 @@ class PasswordResetsController < ApplicationController
  def disable_password_reset
    redirect_to '/404'
  end
+
+  # Checks that the captcha passed is valid
+  def valid_captcha
+    return true unless Rails.configuration.recaptcha_enabled
+    verify_recaptcha
+  end
 end
--- a/app/views/password_resets/new.html.erb
+++ b/app/views/password_resets/new.html.erb
@ -26,6 +26,12 @@
            <%= f.email_field :email, class: "form-control" %>
            <br>

+            <% if recaptcha_enabled? %>
+              <div class="form-group">
+                <%= recaptcha_tags %>
+              </div>
+            <% end %>
+      
            <%= f.submit t("forgot_password.submit"), class: "btn btn-primary" %>
          <% end %>
        </div>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -526,6 +526,7 @@ en:
  remove: Remove
  rename: Rename
  reset_password:
+    captcha: reCAPTCHA verification failed, please try again.
    invalid_token: Password reset token is invalid. Please try resetting your password again.
    subtitle: Reset Password
    password: New Password
--- a/spec/controllers/password_resets_controller_spec.rb
+++ b/spec/controllers/password_resets_controller_spec.rb
@ -71,6 +71,43 @@ describe PasswordResetsController, type: :controller do
        expect(response).to redirect_to("/404")
      end
    end
+
+    context "reCAPTCHA enabled" do
+      before do
+        allow(Rails.configuration).to receive(:enable_email_verification).and_return(true)
+        allow(Rails.configuration).to receive(:recaptcha_enabled).and_return(true)
+      end
+
+      it "sends a reset email if the recaptcha was passed" do
+        allow(controller).to receive(:valid_captcha).and_return(true)
+
+        user = create(:user, provider: "greenlight")
+
+        params = {
+          password_reset: {
+            email: user.email,
+          },
+        }
+
+        expect { post :create, params: params }.to change { ActionMailer::Base.deliveries.count }.by(1)
+      end
+
+      it "doesn't send an email if the recaptcha was failed" do
+        allow(controller).to receive(:valid_captcha).and_return(false)
+
+        user = create(:user)
+
+        params = {
+          password_reset: {
+            email: user.email,
+          },
+        }
+
+        post :create, params: params
+        expect(response).to redirect_to(new_password_reset_path)
+        expect(flash[:alert]).to be_present
+      end
+    end
  end

  describe "PATCH #update" do