GRN2-233: Made account activation & password reset links based on tokens only (#959)

* GRN2-233: Hiding email in verification link and password reset link

* updating tests

* removing uid from email verificaiton link

* GRN2-233: modifying test cases

* GRN2-233: Removing uid from password reset link

* GRN2-233: Removed email_params and fixed "authenticated?" method

* GRN2-233: Fixed error when trying to sign in unverified

* GRN2-233: Changed how activation tokens are generated

spec/controllers/account_activations_controller_spec.rb

@@ -27,7 +27,7 @@ describe AccountActivationsController, type: :controller do
       user = create(:user, provider: "greenlight")
       @request.session[:user_id] = user.id
 
-      get :show, params: { email: user.email }
+      get :show, params: { uid: user.uid }
 
       expect(response).to redirect_to(user.main_room)
     end
@@ -35,7 +35,8 @@ describe AccountActivationsController, type: :controller do
     it "renders the verify view if the user is not signed in and is not verified" do
       user = create(:user, email_verified: false,  provider: "greenlight")
 
-      get :show, params: { email: user.email }
+      user.create_activation_token
+      get :show, params: { token: user.activation_token }
 
       expect(response).to render_template(:show)
     end
@@ -45,7 +46,8 @@ describe AccountActivationsController, type: :controller do
     it "activates a user if they have the correct activation token" do
       @user = create(:user, email_verified: false, provider: "greenlight")
 
-      get :edit, params: { email: @user.email, token: @user.activation_token }
+      @user.create_activation_token
+      get :edit, params: { token: @user.activation_token }
       @user.reload
 
       expect(@user.email_verified).to eq(true)
@@ -53,22 +55,17 @@ describe AccountActivationsController, type: :controller do
       expect(response).to redirect_to(signin_path)
     end
 
-    it "does not activate a user if they have the correct activation token" do
+    it "should not find user when given fake activation token" do
       @user = create(:user, email_verified: false, provider: "greenlight")
 
-      get :edit, params: { email: @user.email, token: "fake_token" }
-      @user.reload
-
-      expect(@user.email_verified).to eq(false)
-      expect(flash[:alert]).to be_present
-      expect(response).to redirect_to(root_path)
+      expect { get :edit, params: { token: "fake_token" } }.to raise_error(ActiveRecord::RecordNotFound)
     end
 
     it "does not allow the user to click the verify link again" do
       @user = create(:user, provider: "greenlight")
 
-      get :edit, params: { email: @user.email, token: @user.activation_token }
-
+      @user.create_activation_token
+      get :edit, params: { token: @user.activation_token }
       expect(flash[:alert]).to be_present
       expect(response).to redirect_to(root_path)
     end
@@ -78,7 +75,8 @@ describe AccountActivationsController, type: :controller do
 
       @user.add_role :pending
 
-      get :edit, params: { email: @user.email, token: @user.activation_token }
+      @user.create_activation_token
+      get :edit, params: { token: @user.activation_token }
 
       expect(flash[:success]).to be_present
       expect(response).to redirect_to(root_path)
@@ -89,7 +87,8 @@ describe AccountActivationsController, type: :controller do
     it "resends the email to the current user if the resend button is clicked" do
       user = create(:user, email_verified: false, provider: "greenlight")
 
-      expect { get :resend, params: { email: user.email } }.to change { ActionMailer::Base.deliveries.count }.by(1)
+      user.create_activation_token
+      expect { get :resend, params: { token: user.activation_token } }.to change { ActionMailer::Base.deliveries.count }.by(1)
       expect(flash[:success]).to be_present
       expect(response).to redirect_to(root_path)
     end
@@ -97,7 +96,8 @@ describe AccountActivationsController, type: :controller do
     it "redirects a verified user to the root path" do
       user = create(:user, provider: "greenlight")
 
-      get :resend, params: { email: user.email }
+      user.create_activation_token
+      get :resend, params: { token: user.activation_token }
 
       expect(flash[:alert]).to be_present
       expect(response).to redirect_to(root_path)

spec/controllers/password_resets_controller_spec.rb

@@ -116,18 +116,14 @@ describe PasswordResetsController, type: :controller do
 
       it "updates attributes if the password update is a success" do
         user = create(:user, provider: "greenlight")
-        token = "reset_token"
-
-        cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST : BCrypt::Engine.cost
-        user.reset_digest = BCrypt::Password.create(token, cost: cost)
+        user.create_reset_digest
+        old_digest = user.password_digest
 
         allow(controller).to receive(:valid_user).and_return(nil)
         allow(controller).to receive(:check_expiration).and_return(nil)
-        controller.instance_variable_set(:@user, user)
 
         params = {
-          id: token,
-          email: user.email,
+          id: user.reset_token,
           user: {
             password: :password,
             password_confirmation: :password,
@@ -135,6 +131,10 @@ describe PasswordResetsController, type: :controller do
         }
 
         patch :update, params: params
+
+        user.reload
+
+        expect(old_digest.eql?(user.password_digest)).to be false
         expect(response).to redirect_to(root_path)
       end
     end

spec/controllers/sessions_controller_spec.rb

@@ -143,7 +143,8 @@ describe SessionsController, type: :controller do
       }
 
       expect(@request.session[:user_id]).to be_nil
-      expect(response).to redirect_to(account_activation_path(email: @user3.email))
+      # Expect to redirect to activation path since token is not known here
+      expect(response.location.start_with?(account_activation_url(token: ""))).to be true
     end
 
     it "should not login user if account is deleted" do