From 7738499978130994263a516f87c33c186009b9d9 Mon Sep 17 00:00:00 2001
From: Ahmad Farhat
Date: Thu, 16 Apr 2020 12:42:27 -0400
Subject: [PATCH] Add check to make sure ldap username isn't blank (#1252)
Co-authored-by: Jesus Federico
---
 app/controllers/sessions_controller.rb | 4 +++-
 spec/controllers/sessions_controller_spec.rb | 24 ++++++++++++++++----
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index e7eee46b..ef263232 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -139,7 +139,9 @@ class SessionsController < ApplicationController
 ldap_config[:base] = ENV['LDAP_BASE']
 ldap_config[:uid] = ENV['LDAP_UID']
- return redirect_to(ldap_signin_path, alert: I18n.t("invalid_credentials")) unless session_params[:password].present?
+ if params[:session][:username].blank? || session_params[:password].blank?
+ return redirect_to(ldap_signin_path, alert: I18n.t("invalid_credentials"))
+ end
 result = send_ldap_request(params[:session], ldap_config)
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index abf0cdfc..4e93c185 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -522,7 +522,7 @@ describe SessionsController, type: :controller do
 post :ldap, params: {
 session: {
- user: "test",
+ username: "test",
 password: 'password',
 },
 }
@@ -544,7 +544,7 @@ describe SessionsController, type: :controller do
 post :ldap, params: {
 session: {
- user: "test",
+ username: "test",
 password: 'password',
 },
 }
@@ -567,7 +567,7 @@ describe SessionsController, type: :controller do
 post :ldap, params: {
 session: {
- user: "test",
+ username: "test",
 password: 'password',
 },
 }
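Review bot: The new guard reads `params[:session][:username]` directly while the password check goes through `session_params`, so a POST that omits the `session` key raises NoMethodError on nil before the guard is evaluated, whereas `session_params` (presumably built on `params.require(:session)`) would produce a 400 instead of a 500. Use one accessor for both: `if params.dig(:session, :username).blank? || session_params[:password].blank?`, or `session_params[:username]` if that key is already permitted. Otherwise the check is a sound fix: rejecting an empty password before `send_ldap_request` avoids the case where an LDAP server treats an empty-password bind as an unauthenticated bind that "succeeds", and `blank?` also rejects whitespace-only input. The enclosing action starts and ends outside the hunk.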
@@ -583,7 +583,7 @@ describe SessionsController, type: :controller do
 post :ldap, params: {
 session: {
- user: "test",
+ username: "test",
 password: 'passwor',
 },
 }
@@ -597,7 +597,7 @@ describe SessionsController, type: :controller do
 post :ldap, params: {
 session: {
- user: "test",
+ username: "test",
 password: '',
 },
 }
@@ -605,5 +605,19 @@ describe SessionsController, type: :controller do
 expect(response).to redirect_to(ldap_signin_path)
 expect(flash[:alert]).to eq(I18n.t("invalid_credentials"))
 end
+
+ it "redirects to signin if no username provided" do
+ allow_any_instance_of(Net::LDAP).to receive(:bind_as).and_return(false)
+
+ post :ldap, params: {
+ session: {
+ username: "",
+ password: 'test',
+ },
+ }
+
+ expect(response).to redirect_to(ldap_signin_path)
+ expect(flash[:alert]).to eq(I18n.t("invalid_credentials"))
+ end
 end
 end
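Review bot: The new example added at the end of the last hunk stubs `bind_as` to return false, so it passes whether or not the username guard exists — a blank username that reached `send_ldap_request` would presumably end in the same redirect and alert, which is what the failed-bind examples above appear to assert. To pin the guard's behaviour, assert that no LDAP request is made: replace the stub with `expect_any_instance_of(Net::LDAP).not_to receive(:bind_as)` (or add `expect(controller).not_to receive(:send_ldap_request)` before the `post`). The same weakness applies to the existing blank-password example at `@@ -597`, whose expectations lie outside that hunk.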