Use `expect` params wrapper for more "auth" and "2FA" "controllers" (#33717)
							parent
							
								
									e44b78413a
								
							
						
					
					
						commit
						a1d9c3fb99
					
					@ -73,7 +73,7 @@ class Auth::SessionsController < Devise::SessionsController
 | 
				
			||||||
  end
 | 
					  end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  def user_params
 | 
					  def user_params
 | 
				
			||||||
    params.require(:user).permit(:email, :password, :otp_attempt, credential: {})
 | 
					    params.expect(user: [:email, :password, :otp_attempt, credential: {}])
 | 
				
			||||||
  end
 | 
					  end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  def after_sign_in_path_for(resource)
 | 
					  def after_sign_in_path_for(resource)
 | 
				
			||||||
					@ -60,16 +60,12 @@ class Settings::ApplicationsController < Settings::BaseController
 | 
				
			||||||
  end
 | 
					  end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  def application_params
 | 
					  def application_params
 | 
				
			||||||
    params.require(:doorkeeper_application).permit(
 | 
					    params
 | 
				
			||||||
      :name,
 | 
					      .expect(doorkeeper_application: [:name, :redirect_uri, :scopes, :website])
 | 
				
			||||||
      :redirect_uri,
 | 
					 | 
				
			||||||
      :scopes,
 | 
					 | 
				
			||||||
      :website
 | 
					 | 
				
			||||||
    )
 | 
					 | 
				
			||||||
  end
 | 
					  end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  def prepare_scopes
 | 
					  def prepare_scopes
 | 
				
			||||||
    scopes = params.fetch(:doorkeeper_application, {}).fetch(:scopes, nil)
 | 
					    scopes = application_params.fetch(:doorkeeper_application, {}).fetch(:scopes, nil)
 | 
				
			||||||
    params[:doorkeeper_application][:scopes] = scopes.join(' ') if scopes.is_a? Array
 | 
					    params[:doorkeeper_application][:scopes] = scopes.join(' ') if scopes.is_a? Array
 | 
				
			||||||
  end
 | 
					  end
 | 
				
			||||||
end
 | 
					end
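Review bot: The rewritten `prepare_scopes` never sees an array at the `scopes =` line: `params.expect(doorkeeper_application: [...])` in `application_params` returns the nested permitted parameters for `doorkeeper_application`, so `.fetch(:doorkeeper_application, {})` on that result always takes the default and `scopes` is `nil`, and even a direct `[:scopes]` lookup would be empty because the scalar filter `:scopes` drops array values. The join that turned checkbox-style `scopes[]` into the single string the original code wrote back into `params` therefore no longer runs, so applications submitted with an array of scopes would be saved without them or fail validation — a silent loss rather than an escalation, but a regression the new 400 specs do not catch. To keep the 400-on-non-hash behaviour while restoring the join, read the array through a permit that accepts both shapes: `scopes = params.expect(doorkeeper_application: [:scopes, { scopes: [] }])[:scopes]`, leaving the following `params[:doorkeeper_application][:scopes] = scopes.join(' ') if scopes.is_a? Array` unchanged. Whether `prepare_scopes` is wired as a `before_action` is outside the hunk; if it is, `expect` raising `ParameterMissing` there is presumably what yields the 400 in the new request specs, and the proposed line preserves that.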
 | 
				
			||||||
					@ -38,7 +38,7 @@ module Settings
 | 
				
			||||||
      private
 | 
					      private
 | 
				
			||||||
 | 
					
 | 
				
			||||||
      def confirmation_params
 | 
					      def confirmation_params
 | 
				
			||||||
        params.require(:form_two_factor_confirmation).permit(:otp_attempt)
 | 
					        params.expect(form_two_factor_confirmation: [:otp_attempt])
 | 
				
			||||||
      end
 | 
					      end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
      def prepare_two_factor_form
 | 
					      def prepare_two_factor_form
 | 
				
			||||||
					@ -18,7 +18,7 @@ class Settings::VerificationsController < Settings::BaseController
 | 
				
			||||||
  private
 | 
					  private
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  def account_params
 | 
					  def account_params
 | 
				
			||||||
    params.require(:account).permit(:attribution_domains).tap do |params|
 | 
					    params.expect(account: [:attribution_domains]).tap do |params|
 | 
				
			||||||
      params[:attribution_domains] = params[:attribution_domains].split if params[:attribution_domains]
 | 
					      params[:attribution_domains] = params[:attribution_domains].split if params[:attribution_domains]
 | 
				
			||||||
    end
 | 
					    end
 | 
				
			||||||
  end
 | 
					  end
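Review bot: The `.tap do |params|` block in `account_params` names its block parameter `params`, shadowing the controller's `params` method for the two lines inside it; it is correct because only the permitted hash is touched there, but it reads as if the raw request parameters were being mutated. Renaming the block variable makes the intent explicit: `params.expect(account: [:attribution_domains]).tap do |permitted|` with `permitted[:attribution_domains] = permitted[:attribution_domains].split if permitted[:attribution_domains]`. Note that `split` on a non-string permitted scalar (a JSON number, if this endpoint ever accepts JSON) would raise instead of producing a 400, but that is pre-existing and form-encoded input always arrives as a string.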
 | 
				
			||||||
					@ -0,0 +1,18 @@
 | 
				
			||||||
 | 
					# frozen_string_literal: true
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					require 'rails_helper'
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					RSpec.describe 'Auth Sessions' do
 | 
				
			||||||
 | 
					  describe 'POST /auth/sign_in' do
 | 
				
			||||||
 | 
					    # The rack-attack check has issues with the non-nested invalid param used here
 | 
				
			||||||
 | 
					    before { Rack::Attack.enabled = false }
 | 
				
			||||||
 | 
					    after { Rack::Attack.enabled = true }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    it 'gracefully handles invalid nested params' do
 | 
				
			||||||
 | 
					      post user_session_path(user: 'invalid')
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      expect(response)
 | 
				
			||||||
 | 
					        .to have_http_status(400)
 | 
				
			||||||
 | 
					    end
 | 
				
			||||||
 | 
					  end
 | 
				
			||||||
 | 
					end
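Review bot: The `before { Rack::Attack.enabled = false }` at the top of the describe block switches off the sign-in throttle instead of asserting what it does with a non-hash `user` param, and the comment above it says the throttle "has issues" with exactly that input — so the spec records a defect in the rate limiter's parameter handling and then hides it. If the throttle's key extraction raises on a scalar `user`, malformed sign-in requests would fail with a 500 before the controller's new 400 path is reached, or be exempt from throttling if the error is swallowed; the rack-attack configuration is not in this diff, so this needs confirming, but the throttle should tolerate non-hash params (for example by checking `is_a?(Hash)` before reading the email) and this example should then run with it enabled. As a smaller point, `after { Rack::Attack.enabled = true }` restores a hard-coded value rather than the previous one; an `around` hook that saves `Rack::Attack.enabled`, sets it to `false`, runs the example and restores the saved value leaves the suite's global state as it found it.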
 | 
				
			||||||
					@ -40,5 +40,23 @@ RSpec.describe 'Settings / Exports' do
 | 
				
			||||||
      expect(response)
 | 
					      expect(response)
 | 
				
			||||||
        .to redirect_to(settings_applications_path)
 | 
					        .to redirect_to(settings_applications_path)
 | 
				
			||||||
    end
 | 
					    end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    it 'gracefully handles invalid nested params' do
 | 
				
			||||||
 | 
					      post settings_applications_path(doorkeeper_application: 'invalid')
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      expect(response)
 | 
				
			||||||
 | 
					        .to have_http_status(400)
 | 
				
			||||||
 | 
					    end
 | 
				
			||||||
 | 
					  end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					  describe 'PUT /settings/applications/:id' do
 | 
				
			||||||
 | 
					    let(:application) { Fabricate :application, owner: user }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    it 'gracefully handles invalid nested params' do
 | 
				
			||||||
 | 
					      put settings_application_path(application.id, doorkeeper_application: 'invalid')
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      expect(response)
 | 
				
			||||||
 | 
					        .to have_http_status(400)
 | 
				
			||||||
 | 
					    end
 | 
				
			||||||
  end
 | 
					  end
 | 
				
			||||||
end
 | 
					end
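Review bot: The new examples only check that a scalar `doorkeeper_application` yields a 400, which the controller produces by raising `ParameterMissing` from `params.expect`; none of them sends the array-valued `scopes` that `prepare_scopes` exists to normalise, so the change in this same commit that reads scopes from the already-permitted `application_params` (where an array value is filtered out) passes this file unnoticed. Add an example that posts `doorkeeper_application` with a valid `name` and `redirect_uri` plus `scopes: %w(read write)` and asserts the created application's scopes equal `'read write'`, so the scope-normalisation path is pinned. The hunk header shows the enclosing `describe` labelled 'Settings / Exports' while every request here targets `settings_applications_path`; that label is outside the hunk but worth renaming. The enclosing `describe` and the `user` referenced by `let(:application)` start outside the hunk.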
 | 
				
			||||||
					@ -0,0 +1,19 @@
 | 
				
			||||||
 | 
					# frozen_string_literal: true
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					require 'rails_helper'
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					RSpec.describe 'Settings 2FA Confirmations' do
 | 
				
			||||||
 | 
					  describe 'POST /settings/two_factor_authentication/confirmations' do
 | 
				
			||||||
 | 
					    before do
 | 
				
			||||||
 | 
					      sign_in Fabricate(:user, encrypted_password: '') # Empty encrypted password avoids challengable flow
 | 
				
			||||||
 | 
					      post settings_otp_authentication_path # Sets `session[:new_otp_secret]` which is needed for next step
 | 
				
			||||||
 | 
					    end
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    it 'gracefully handles invalid nested params' do
 | 
				
			||||||
 | 
					      post settings_two_factor_authentication_confirmation_path(form_two_factor_confirmation: 'invalid')
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      expect(response)
 | 
				
			||||||
 | 
					        .to have_http_status(400)
 | 
				
			||||||
 | 
					    end
 | 
				
			||||||
 | 
					  end
 | 
				
			||||||
 | 
					end
 | 
				
			||||||
					@ -0,0 +1,16 @@
 | 
				
			||||||
 | 
					# frozen_string_literal: true
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					require 'rails_helper'
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					RSpec.describe 'Settings Verifications' do
 | 
				
			||||||
 | 
					  describe 'PUT /settings/verification' do
 | 
				
			||||||
 | 
					    before { sign_in Fabricate(:user) }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    it 'gracefully handles invalid nested params' do
 | 
				
			||||||
 | 
					      put settings_verification_path(account: 'invalid')
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      expect(response)
 | 
				
			||||||
 | 
					        .to have_http_status(400)
 | 
				
			||||||
 | 
					    end
 | 
				
			||||||
 | 
					  end
 | 
				
			||||||
 | 
					end
 | 
				
			||||||