Merge branch 'password-reset' into 'develop'

Restore POST /auth/password, fixes #2789 Closes #2789 See merge request pleroma/pleroma!3550
2021-12-03 15:13:10 +00:00 · 2021-12-03 15:13:10 +00:00 · 5c573a8a28
commit 5c573a8a28
parent 235c4139d7 ba2ed3c255
4 changed files with 115 additions and 0 deletions
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -736,6 +736,12 @@ defmodule Pleroma.Web.Router do
    get("/:version", Nodeinfo.NodeinfoController, :nodeinfo)
  end

+  scope "/", Pleroma.Web do
+    pipe_through(:pleroma_html)
+
+    post("/auth/password", TwitterAPI.PasswordController, :request)
+  end
+
  scope "/proxy/", Pleroma.Web do
    get("/preview/:sig/:url", MediaProxy.MediaProxyController, :preview)
    get("/preview/:sig/:url/:filename", MediaProxy.MediaProxyController, :preview)
--- a/lib/pleroma/web/twitter_api/controllers/password_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/password_controller.ex
@ -11,9 +11,23 @@ defmodule Pleroma.Web.TwitterAPI.PasswordController do

  require Logger

+  import Pleroma.Web.ControllerHelper, only: [json_response: 3]
+
  alias Pleroma.PasswordResetToken
  alias Pleroma.Repo
  alias Pleroma.User
+  alias Pleroma.Web.TwitterAPI.TwitterAPI
+
+  plug(Pleroma.Web.Plugs.RateLimiter, [name: :request] when action == :request)
+
+  @doc "POST /auth/password"
+  def request(conn, params) do
+    nickname_or_email = params["email"] || params["nickname"]
+
+    TwitterAPI.password_reset(nickname_or_email)
+
+    json_response(conn, :no_content, "")
+  end

  def reset(conn, %{"token" => token}) do
    with %{used: false} = token <- Repo.get_by(PasswordResetToken, %{token: token}),
--- a/test/pleroma/web/plugs/frontend_static_plug_test.exs
+++ b/test/pleroma/web/plugs/frontend_static_plug_test.exs
@ -94,6 +94,7 @@ test "api routes are detected correctly" do
      "internal",
      ".well-known",
      "nodeinfo",
+      "auth",
      "proxy",
      "test",
      "user_exists",
--- a/test/pleroma/web/twitter_api/password_controller_test.exs
+++ b/test/pleroma/web/twitter_api/password_controller_test.exs
@ -5,10 +5,14 @@
 defmodule Pleroma.Web.TwitterAPI.PasswordControllerTest do
  use Pleroma.Web.ConnCase

+  alias Pleroma.Config
  alias Pleroma.PasswordResetToken
+  alias Pleroma.Repo
+  alias Pleroma.Tests.ObanHelpers
  alias Pleroma.User
  alias Pleroma.Web.OAuth.Token
  import Pleroma.Factory
+  import Swoosh.TestAssertions

  describe "GET /api/pleroma/password_reset/token" do
    test "it returns error when token invalid", %{conn: conn} do
@ -116,4 +120,94 @@ test "it sets password_reset_pending to false", %{conn: conn} do
      assert User.get_by_id(user.id).password_reset_pending == false
    end
  end
+
+  describe "POST /auth/password, with valid parameters" do
+    setup %{conn: conn} do
+      user = insert(:user)
+      conn = post(conn, "/auth/password?email=#{user.email}")
+      %{conn: conn, user: user}
+    end
+
+    test "it returns 204", %{conn: conn} do
+      assert empty_json_response(conn)
+    end
+
+    test "it creates a PasswordResetToken record for user", %{user: user} do
+      token_record = Repo.get_by(Pleroma.PasswordResetToken, user_id: user.id)
+      assert token_record
+    end
+
+    test "it sends an email to user", %{user: user} do
+      ObanHelpers.perform_all()
+      token_record = Repo.get_by(Pleroma.PasswordResetToken, user_id: user.id)
+
+      email = Pleroma.Emails.UserEmail.password_reset_email(user, token_record.token)
+      notify_email = Config.get([:instance, :notify_email])
+      instance_name = Config.get([:instance, :name])
+
+      assert_email_sent(
+        from: {instance_name, notify_email},
+        to: {user.name, user.email},
+        html_body: email.html_body
+      )
+    end
+  end
+
+  describe "POST /auth/password, with nickname" do
+    test "it returns 204", %{conn: conn} do
+      user = insert(:user)
+
+      assert conn
+             |> post("/auth/password?nickname=#{user.nickname}")
+             |> empty_json_response()
+
+      ObanHelpers.perform_all()
+      token_record = Repo.get_by(Pleroma.PasswordResetToken, user_id: user.id)
+
+      email = Pleroma.Emails.UserEmail.password_reset_email(user, token_record.token)
+      notify_email = Config.get([:instance, :notify_email])
+      instance_name = Config.get([:instance, :name])
+
+      assert_email_sent(
+        from: {instance_name, notify_email},
+        to: {user.name, user.email},
+        html_body: email.html_body
+      )
+    end
+
+    test "it doesn't fail when a user has no email", %{conn: conn} do
+      user = insert(:user, %{email: nil})
+
+      assert conn
+             |> post("/auth/password?nickname=#{user.nickname}")
+             |> empty_json_response()
+    end
+  end
+
+  describe "POST /auth/password, with invalid parameters" do
+    setup do
+      user = insert(:user)
+      {:ok, user: user}
+    end
+
+    test "it returns 204 when user is not found", %{conn: conn, user: user} do
+      conn = post(conn, "/auth/password?email=nonexisting_#{user.email}")
+
+      assert empty_json_response(conn)
+    end
+
+    test "it returns 204 when user is not local", %{conn: conn, user: user} do
+      {:ok, user} = Repo.update(Ecto.Changeset.change(user, local: false))
+      conn = post(conn, "/auth/password?email=#{user.email}")
+
+      assert empty_json_response(conn)
+    end
+
+    test "it returns 204 when user is deactivated", %{conn: conn, user: user} do
+      {:ok, user} = Repo.update(Ecto.Changeset.change(user, is_active: false, local: true))
+      conn = post(conn, "/auth/password?email=#{user.email}")
+
+      assert empty_json_response(conn)
+    end
+  end
 end