diff --git a/app/assets/javascripts/discourse/controllers/forgot-password.js.es6 b/app/assets/javascripts/discourse/controllers/forgot-password.js.es6 index 4311368186c..7e385fb3022 100644 --- a/app/assets/javascripts/discourse/controllers/forgot-password.js.es6 +++ b/app/assets/javascripts/discourse/controllers/forgot-password.js.es6 @@ -20,48 +20,54 @@ export default Ember.Controller.extend(ModalFunctionality, { }, actions: { - submit() { - if (this.get('submitDisabled')) return false; - - this.set('disabled', true); - - ajax('/session/forgot_password', { - data: { login: this.get('accountEmailOrUsername').trim() }, - type: 'POST' - }).then(data => { - const escaped = escapeExpression(this.get('accountEmailOrUsername')); - const isEmail = this.get('accountEmailOrUsername').match(/@/); - let key = 'forgot_password.complete_' + (isEmail ? 'email' : 'username'); - let extraClass; - - if (data.user_found === true) { - key += '_found'; - this.set('accountEmailOrUsername', ''); - this.set('offerHelp', I18n.t(key, {email: escaped, username: escaped})); - } else { - if (data.user_found === false) { - key += '_not_found'; - extraClass = 'error'; - } - - this.flash(I18n.t(key, {email: escaped, username: escaped}), extraClass); - } - }).catch(e => { - this.flash(extractError(e), 'error'); - }).finally(() => { - setTimeout(() => this.set('disabled', false), 1000); - }); - - return false; - }, - ok() { this.send('closeModal'); }, help() { this.setProperties({ offerHelp: I18n.t('forgot_password.help'), helpSeen: true }); - } - } + }, + resetPassword() { + return this._submit('/session/forgot_password', 'forgot_password.complete'); + }, + + emailLogin() { + return this._submit('/u/email-login', 'email_login.complete'); + } + }, + + _submit(route, translationKey) { + if (this.get('submitDisabled')) return false; + this.set('disabled', true); + + ajax(route, { + data: { login: this.get('accountEmailOrUsername').trim() }, + type: 'POST' + }).then(data => { + const escaped = escapeExpression(this.get('accountEmailOrUsername')); + const isEmail = this.get('accountEmailOrUsername').match(/@/); + let key = `${translationKey}_${isEmail ? 'email' : 'username'}`; + let extraClass; + + if (data.user_found === true) { + key += '_found'; + this.set('accountEmailOrUsername', ''); + this.set('offerHelp', I18n.t(key, { email: escaped, username: escaped })); + } else { + if (data.user_found === false) { + key += '_not_found'; + extraClass = 'error'; + } + + this.flash(I18n.t(key, { email: escaped, username: escaped }), extraClass); + } + }).catch(e => { + this.flash(extractError(e), 'error'); + }).finally(() => { + this.set('disabled', false); + }); + + return false; + }, }); diff --git a/app/assets/javascripts/discourse/templates/modal/forgot-password.hbs b/app/assets/javascripts/discourse/templates/modal/forgot-password.hbs index c739f771979..8b42f88739d 100644 --- a/app/assets/javascripts/discourse/templates/modal/forgot-password.hbs +++ b/app/assets/javascripts/discourse/templates/modal/forgot-password.hbs @@ -9,10 +9,16 @@ {{/d-modal-body}}
{{#unless offerHelp}} - {{d-button action="submit" - label="forgot_password.reset" - disabled=submitDisabled - class="btn-primary"}} + {{d-button action="resetPassword" + label="forgot_password.reset" + disabled=submitDisabled + class="btn-primary"}} + {{#if siteSettings.enable_local_logins_via_email}} + {{d-button action="emailLogin" + label="email_login.label" + disabled=submitDisabled + class="email-login"}} + {{/if}} {{else}} {{d-button class="btn-large btn-primary" label="forgot_password.button_ok" diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb index e96566fd25c..079ba724efb 100644 --- a/app/controllers/session_controller.rb +++ b/app/controllers/session_controller.rb @@ -7,9 +7,10 @@ class SessionController < ApplicationController render body: nil, status: 500 end - before_action :check_local_login_allowed, only: %i(create forgot_password) + before_action :check_local_login_allowed, only: %i(create forgot_password email_login) + before_action :rate_limit_login, only: %i(create email_login) skip_before_action :redirect_to_login_if_required - skip_before_action :preload_json, :check_xhr, only: ['sso', 'sso_login', 'become', 'sso_provider', 'destroy'] + skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login become sso_provider destroy email_login) ACTIVATE_USER_KEY = "activate_user" @@ -187,9 +188,6 @@ class SessionController < ApplicationController end def create - RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed! - RateLimiter.new(nil, "login-min-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_minute, 1.minute).performed! - params.require(:login) params.require(:password) @@ -208,7 +206,7 @@ class SessionController < ApplicationController # If the site requires user approval and the user is not approved yet if login_not_approved_for?(user) - login_not_approved + render json: login_not_approved return end @@ -220,20 +218,31 @@ class SessionController < ApplicationController return end - if user.suspended? - failed_to_login(user) - return + if payload = login_error_check(user) + render json: payload + else + (user.active && user.email_confirmed?) ? login(user) : not_activated(user) end + end - if ScreenedIpAddress.should_block?(request.remote_ip) - return not_allowed_from_ip_address(user) + def email_login + raise Discourse::NotFound if !SiteSetting.enable_local_logins_via_email + + if EmailToken.valid_token_format?(params[:token]) && (user = EmailToken.confirm(params[:token])) + if login_not_approved_for?(user) + @error = login_not_approved[:error] + return render layout: 'no_ember' + elsif payload = login_error_check(user) + @error = payload[:error] + return render layout: 'no_ember' + else + log_on_user(user) + redirect_to path("/") + end + else + @error = I18n.t('email_login.invalid_token') + return render layout: 'no_ember' end - - if ScreenedIpAddress.block_admin_login?(user, request.remote_ip) - return admin_not_allowed_from_ip_address(user) - end - - (user.active && user.email_confirmed?) ? login(user) : not_activated(user) end def forgot_password @@ -291,6 +300,18 @@ class SessionController < ApplicationController private + def login_error_check(user) + return failed_to_login(user) if user.suspended? + + if ScreenedIpAddress.should_block?(request.remote_ip) + return not_allowed_from_ip_address(user) + end + + if ScreenedIpAddress.block_admin_login?(user, request.remote_ip) + return admin_not_allowed_from_ip_address(user) + end + end + def login_not_approved_for?(user) SiteSetting.must_approve_users? && !user.approved? && !user.admin? end @@ -300,7 +321,7 @@ class SessionController < ApplicationController end def login_not_approved - render json: { error: I18n.t("login.not_approved") } + { error: I18n.t("login.not_approved") } end def not_activated(user) @@ -314,19 +335,21 @@ class SessionController < ApplicationController end def not_allowed_from_ip_address(user) - render json: { error: I18n.t("login.not_allowed_from_ip_address", username: user.username) } + { error: I18n.t("login.not_allowed_from_ip_address", username: user.username) } end def admin_not_allowed_from_ip_address(user) - render json: { error: I18n.t("login.admin_not_allowed_from_ip_address", username: user.username) } + { error: I18n.t("login.admin_not_allowed_from_ip_address", username: user.username) } end def failed_to_login(user) message = user.suspend_reason ? "login.suspended_with_reason" : "login.suspended" - render json: { - error: I18n.t(message, date: I18n.l(user.suspended_till, format: :date_only), - reason: Rack::Utils.escape_html(user.suspend_reason)), + { + error: I18n.t(message, + date: I18n.l(user.suspended_till, format: :date_only), + reason: Rack::Utils.escape_html(user.suspend_reason) + ), reason: 'suspended' } end @@ -342,6 +365,22 @@ class SessionController < ApplicationController end end + def rate_limit_login + RateLimiter.new( + nil, + "login-hr-#{request.remote_ip}", + SiteSetting.max_logins_per_ip_per_hour, + 1.hour + ).performed! + + RateLimiter.new( + nil, + "login-min-#{request.remote_ip}", + SiteSetting.max_logins_per_ip_per_minute, + 1.minute + ).performed! + end + def render_sso_error(status:, text:) @sso_error = text render status: status, layout: 'no_ember' diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index b26f1a5312d..613215df520 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -18,7 +18,7 @@ class UsersController < ApplicationController skip_before_action :check_xhr, only: [ :show, :badges, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, - :my_redirect, :toggle_anon, :admin_login, :confirm_admin + :my_redirect, :toggle_anon, :admin_login, :confirm_admin, :email_login ] before_action :respond_to_suspicious_request, only: [:create] @@ -37,6 +37,7 @@ class UsersController < ApplicationController :update_activation_email, :password_reset, :confirm_email_token, + :email_login, :admin_login, :confirm_admin] @@ -563,6 +564,7 @@ class UsersController < ApplicationController elsif params[:token].present? if EmailToken.valid_token_format?(params[:token]) @user = EmailToken.confirm(params[:token]) + if @user&.admin? log_on_user(@user) return redirect_to path("/") @@ -580,6 +582,40 @@ class UsersController < ApplicationController render layout: false end + def email_login + raise Discourse::NotFound if !SiteSetting.enable_local_logins_via_email + return redirect_to path("/") if current_user + + expires_now + params.require(:login) + + RateLimiter.new(nil, "email-login-hour-#{request.remote_ip}", 6, 1.hour).performed! + RateLimiter.new(nil, "email-login-min-#{request.remote_ip}", 3, 1.minute).performed! + user = User.human_users.find_by_username_or_email(params[:login]) + user_presence = user.present? && !user.staged + + if user + RateLimiter.new(nil, "email-login-hour-#{user.id}", 6, 1.hour).performed! + RateLimiter.new(nil, "email-login-min-#{user.id}", 3, 1.minute).performed! + + if user_presence + email_token = user.email_tokens.create!(email: user.email) + + Jobs.enqueue(:critical_user_email, + type: :email_login, + user_id: user.id, + email_token: email_token.token + ) + end + end + + json = { result: "ok" } + json[:user_found] = user_presence unless SiteSetting.hide_email_address_taken + render json: json + rescue RateLimiter::LimitExceeded + render_json_error(I18n.t("rate_limiter.slow_down")) + end + def toggle_anon user = AnonymousShadowCreator.get_master(current_user) || AnonymousShadowCreator.get(current_user) diff --git a/app/mailers/user_notifications.rb b/app/mailers/user_notifications.rb index 17260a5d8e1..f5d8e537ecb 100644 --- a/app/mailers/user_notifications.rb +++ b/app/mailers/user_notifications.rb @@ -12,10 +12,11 @@ class UserNotifications < ActionMailer::Base include Email::BuildEmailHelper def signup(user, opts = {}) - build_email(user.email, - template: "user_notifications.signup", - locale: user_locale(user), - email_token: opts[:email_token]) + build_user_email_token_by_template( + "user_notifications.signup", + user, + opts[:email_token] + ) end def signup_after_approval(user, opts = {}) @@ -33,38 +34,51 @@ class UserNotifications < ActionMailer::Base end def confirm_old_email(user, opts = {}) - build_email(user.email, - template: "user_notifications.confirm_old_email", - locale: user_locale(user), - email_token: opts[:email_token]) + build_user_email_token_by_template( + "user_notifications.confirm_old_email", + user, + opts[:email_token] + ) end def confirm_new_email(user, opts = {}) - build_email(user.email, - template: "user_notifications.confirm_new_email", - locale: user_locale(user), - email_token: opts[:email_token]) + build_user_email_token_by_template( + "user_notifications.confirm_new_email", + user, + opts[:email_token] + ) end def forgot_password(user, opts = {}) - build_email(user.email, - template: user.has_password? ? "user_notifications.forgot_password" : "user_notifications.set_password", - locale: user_locale(user), - email_token: opts[:email_token]) + build_user_email_token_by_template( + user.has_password? ? "user_notifications.forgot_password" : "user_notifications.set_password", + user, + opts[:email_token] + ) + end + + def email_login(user, opts = {}) + build_user_email_token_by_template( + "user_notifications.email_login", + user, + opts[:email_token] + ) end def admin_login(user, opts = {}) - build_email(user.email, - template: "user_notifications.admin_login", - locale: user_locale(user), - email_token: opts[:email_token]) + build_user_email_token_by_template( + "user_notifications.admin_login", + user, + opts[:email_token] + ) end def account_created(user, opts = {}) - build_email(user.email, - template: "user_notifications.account_created", - locale: user_locale(user), - email_token: opts[:email_token]) + build_user_email_token_by_template( + "user_notifications.account_created", + user, + opts[:email_token] + ) end def account_silenced(user, opts = nil) @@ -532,6 +546,15 @@ class UserNotifications < ActionMailer::Base private + def build_user_email_token_by_template(template, user, email_token) + build_email( + user.email, + template: template, + locale: user_locale(user), + email_token: email_token + ) + end + def build_summary_for(user) @site_name = SiteSetting.email_prefix.presence || SiteSetting.title # used by I18n @user = user diff --git a/app/views/session/email_login.html.erb b/app/views/session/email_login.html.erb new file mode 100644 index 00000000000..7bd6cf03fd9 --- /dev/null +++ b/app/views/session/email_login.html.erb @@ -0,0 +1,17 @@ +<%if @error%> +
+ <%= @error %> +
+<%end%> + +<% content_for :title do %><%=t "email_login.title" %><% end %> + +<%- content_for(:no_ember_head) do %> + + <%= preload_script "ember_jquery" %> + <%= render_google_universal_analytics_code %> +<%- end %> + +<%- content_for(:head) do %> + +<%- end %> diff --git a/config/locales/client.en.yml b/config/locales/client.en.yml index 46f59e97716..49d0be51dc3 100644 --- a/config/locales/client.en.yml +++ b/config/locales/client.en.yml @@ -1083,6 +1083,16 @@ en: help: "Email not arriving? Be sure to check your spam folder first.

Not sure which email address you used? Enter an email address and we’ll let you know if it exists here.

If you no longer have access to the email address on your account, please contact our helpful staff.

" button_ok: "OK" button_help: "Help" + + email_login: + label: "Login With Email" + complete_username: "If an account matches the username %{username}, you should receive an email with a magic login link shortly." + complete_email: "If an account matches %{email}, you should receive an email with a magic login link shortly." + complete_username_found: "We found an account that matches the username %{username}, you should receive an email with a magic login link shortly." + complete_email_found: "We found an account that matches %{email}, you should receive an email with a magic login link shortly." + complete_username_not_found: "No account matches the username %{username}" + complete_email_not_found: "No account matches %{email}" + login: title: "Log In" username: "User" diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 4e2b817c0f8..d5ef33a877f 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml @@ -648,6 +648,10 @@ en: success: "You successfully changed your password and are now logged in." success_unapproved: "You successfully changed your password." + email_login: + invalid_token: "Sorry, that email login link is too old. Select the Log In button and use 'I forgot my password' to get a new link." + title: "Email login" + change_email: confirmed: "Your email has been updated." please_continue: "Continue to %{site_name}" @@ -1149,6 +1153,7 @@ en: sso_allows_all_return_paths: "Do not restrict the domain for return_paths provided by SSO (by default return path must be on current site)" enable_local_logins: "Enable local username and password login based accounts. (Note: this must be enabled for invites to work)" + enable_local_logins_via_email: "Email user logins via email." allow_new_registrations: "Allow new user registrations. Uncheck this to prevent anyone from creating a new account." enable_signup_cta: "Show a notice to returning anonymous users prompting them to sign up for an account." enable_yahoo_logins: "Enable Yahoo authentication" @@ -1640,6 +1645,7 @@ en: staged_users_disabled: "You must first enable 'staged users' before enabling this setting." reply_by_email_disabled: "You must first enable 'reply by email' before enabling this setting." sso_url_is_empty: "You must set a 'sso url' before enabling this setting." + enable_local_logins_disabled: "You must first enable 'enable local logins' before enabling this setting." search: within_post: "#%{post_number} by %{username}" @@ -2772,6 +2778,17 @@ en: Click the following link to choose a new password: %{base_url}/u/password-reset/%{email_token} + email_login: + title: "Email login link" + subject_template: "[%{email_prefix}] Email login link" + text_body_template: | + Somebody asked to login your account on [%{site_name}](%{base_url}). + + If it was not you, you can safely ignore this email. + + Click the following link to login: + %{base_url}/session/email-login/%{email_token} + set_password: title: "Set Password" subject_template: "[%{email_prefix}] Set Password" diff --git a/config/routes.rb b/config/routes.rb index 0f51c44a175..11edecf0f9c 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -301,6 +301,7 @@ Discourse::Application.routes.draw do get "session/sso_provider" => "session#sso_provider" get "session/current" => "session#current" get "session/csrf" => "session#csrf" + get "session/email-login/:token" => "session#email_login" get "composer_messages" => "composer_messages#index" post "composer/parse_html" => "composer#parse_html" @@ -330,6 +331,7 @@ Discourse::Application.routes.draw do put "#{root_path}/update-activation-email" => "users#update_activation_email" get "#{root_path}/hp" => "users#get_honeypot_value" + post "#{root_path}/email-login" => "users#email_login" get "#{root_path}/admin-login" => "users#admin_login" put "#{root_path}/admin-login" => "users#admin_login" get "#{root_path}/admin-login/:token" => "users#admin_login" diff --git a/config/site_settings.yml b/config/site_settings.yml index 64b71a2b344..55163cd323b 100644 --- a/config/site_settings.yml +++ b/config/site_settings.yml @@ -240,6 +240,10 @@ login: enable_local_logins: client: true default: true + enable_local_logins_via_email: + client: true + default: false + validator: "EnableLocalLoginsViaEmailValidator" allow_new_registrations: client: true default: true @@ -331,7 +335,6 @@ login: default: 1440 min: 1 max: 175200 - users: min_username_length: client: true diff --git a/lib/validators/enable_local_logins_via_email_validator.rb b/lib/validators/enable_local_logins_via_email_validator.rb new file mode 100644 index 00000000000..0537f3697e7 --- /dev/null +++ b/lib/validators/enable_local_logins_via_email_validator.rb @@ -0,0 +1,14 @@ +class EnableLocalLoginsViaEmailValidator + def initialize(opts = {}) + @opts = opts + end + + def valid_value?(val) + return true if val == 'f' + SiteSetting.enable_local_logins + end + + def error_message + I18n.t('site_settings.errors.enable_local_logins_disabled') + end +end diff --git a/spec/components/validators/enable_local_logins_via_email_validator_spec.rb b/spec/components/validators/enable_local_logins_via_email_validator_spec.rb new file mode 100644 index 00000000000..289ce4911d0 --- /dev/null +++ b/spec/components/validators/enable_local_logins_via_email_validator_spec.rb @@ -0,0 +1,47 @@ +require 'rails_helper' + +RSpec.describe EnableLocalLoginsViaEmailValidator do + subject { described_class.new } + + describe '#valid_value?' do + describe "when 'enable_local_logins' is false" do + before do + SiteSetting.enable_local_logins = false + end + + describe 'when val is false' do + it 'should be valid' do + expect(subject.valid_value?('f')).to eq(true) + end + end + + describe 'when value is true' do + it 'should not be valid' do + expect(subject.valid_value?('t')).to eq(false) + + expect(subject.error_message).to eq(I18n.t( + 'site_settings.errors.enable_local_logins_disabled' + )) + end + end + end + + describe "when 'enable_local_logins' is true" do + before do + SiteSetting.enable_local_logins = true + end + + describe 'when val is false' do + it 'should be valid' do + expect(subject.valid_value?('f')).to eq(true) + end + end + + describe 'when value is true' do + it 'should be valid' do + expect(subject.valid_value?('t')).to eq(true) + end + end + end + end +end diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb index cc535e72223..96b58c5483d 100644 --- a/spec/controllers/session_controller_spec.rb +++ b/spec/controllers/session_controller_spec.rb @@ -8,7 +8,7 @@ describe SessionController do end end - describe 'become' do + describe '#become' do let!(:user) { Fabricate(:user) } it "does not work when not in development mode" do @@ -26,7 +26,7 @@ describe SessionController do end end - describe '.sso_login' do + describe '#sso_login' do before do @sso_url = "http://somesite.com/discourse_sso" @@ -410,7 +410,7 @@ describe SessionController do end end - describe '.sso_provider' do + describe '#sso_provider' do before do SiteSetting.enable_sso_provider = true SiteSetting.enable_sso = false @@ -470,7 +470,7 @@ describe SessionController do end end - describe '.create' do + describe '#create' do let(:user) { Fabricate(:user) } @@ -515,7 +515,9 @@ describe SessionController do login: user.username, password: 'sssss' }, format: :json - expect(::JSON.parse(response.body)['error']).to be_present + expect(::JSON.parse(response.body)['error']).to eq( + I18n.t("login.incorrect_username_email_or_password") + ) end end @@ -526,7 +528,9 @@ describe SessionController do login: user.username, password: ('s' * (User.max_password_length + 1)) }, format: :json - expect(::JSON.parse(response.body)['error']).to be_present + expect(::JSON.parse(response.body)['error']).to eq( + I18n.t("login.incorrect_username_email_or_password") + ) end end @@ -536,14 +540,15 @@ describe SessionController do user.suspended_at = Time.now user.save! StaffActionLogger.new(user).log_user_suspend(user, "banned") + post :create, params: { login: user.username, password: 'myawesomepassword' }, format: :json - error = ::JSON.parse(response.body)['error'] - expect(error).to be_present - expect(error).to match(/banned/) - expect(error).not_to match(//) + expect(JSON.parse(response.body)['error']).to eq(I18n.t('login.suspended_with_reason', + date: I18n.l(user.suspended_till, format: :date_only), + reason: Rack::Utils.escape_html(user.suspend_reason) + )) end end @@ -881,7 +886,7 @@ describe SessionController do end end - describe '.current' do + describe '#current' do context "when not logged in" do it "retuns 404" do get :current, format: :json diff --git a/spec/mailers/user_notifications_spec.rb b/spec/mailers/user_notifications_spec.rb index 9e3327aa927..81cca747984 100644 --- a/spec/mailers/user_notifications_spec.rb +++ b/spec/mailers/user_notifications_spec.rb @@ -79,6 +79,28 @@ describe UserNotifications do end + describe '.email_login' do + let(:email_token) { user.email_tokens.create!(email: user.email).token } + subject { UserNotifications.email_login(user, email_token: email_token) } + + it "generates the right email" do + expect(subject.to).to eq([user.email]) + expect(subject.from).to eq([SiteSetting.notification_email]) + + expect(subject.subject).to eq(I18n.t( + 'user_notifications.email_login.subject_template', + email_prefix: SiteSetting.title + )) + + expect(subject.body.to_s).to match(I18n.t( + 'user_notifications.email_login.text_body_template', + site_name: SiteSetting.title, + base_url: Discourse.base_url, + email_token: email_token + )) + end + end + describe '.digest' do subject { UserNotifications.digest(user) } diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb new file mode 100644 index 00000000000..951968984f2 --- /dev/null +++ b/spec/requests/session_controller_spec.rb @@ -0,0 +1,141 @@ +require 'rails_helper' + +RSpec.describe SessionController do + let(:email_token) { Fabricate(:email_token) } + let(:user) { email_token.user } + + describe '#email_login' do + before do + SiteSetting.enable_local_logins_via_email = true + end + + context 'missing token' do + it 'returns the right response' do + get "/session/email-login" + expect(response.status).to eq(404) + end + end + + context 'invalid token' do + it 'returns the right response' do + get "/session/email-login/adasdad" + + expect(response).to be_success + + expect(CGI.unescapeHTML(response.body)).to match( + I18n.t('email_login.invalid_token') + ) + end + + context 'when token has expired' do + it 'should return the right response' do + email_token.update!(created_at: 999.years.ago) + + get "/session/email-login/#{email_token.token}" + + expect(response).to be_success + + expect(CGI.unescapeHTML(response.body)).to match( + I18n.t('email_login.invalid_token') + ) + end + end + end + + context 'valid token' do + it 'returns success' do + get "/session/email-login/#{email_token.token}" + + expect(response).to redirect_to("/") + end + + it 'fails when local logins via email is disabled' do + SiteSetting.enable_local_logins_via_email = false + + get "/session/email-login/#{email_token.token}" + + expect(response.status).to eq(404) + end + + it 'fails when local logins is disabled' do + SiteSetting.enable_local_logins = false + + get "/session/email-login/#{email_token.token}" + + expect(response.status).to eq(500) + end + + it "doesn't log in the user when not approved" do + SiteSetting.must_approve_users = true + + get "/session/email-login/#{email_token.token}" + + expect(response.status).to eq(200) + + expect(CGI.unescapeHTML(response.body)).to include( + I18n.t("login.not_approved") + ) + end + + context "when admin IP address is not valid" do + before do + Fabricate(:screened_ip_address, + ip_address: "111.111.11.11", + action_type: ScreenedIpAddress.actions[:allow_admin] + ) + + SiteSetting.use_admin_ip_whitelist = true + user.update!(admin: true) + end + + it 'returns the right response' do + get "/session/email-login/#{email_token.token}" + + expect(response.status).to eq(200) + + expect(CGI.unescapeHTML(response.body)).to include( + I18n.t("login.admin_not_allowed_from_ip_address", username: user.username) + ) + end + end + + context "when IP address is blocked" do + let(:permitted_ip_address) { '111.234.23.11' } + + before do + Fabricate(:screened_ip_address, + ip_address: permitted_ip_address, + action_type: ScreenedIpAddress.actions[:block] + ) + end + + it 'returns the right response' do + ActionDispatch::Request.any_instance.stubs(:remote_ip).returns(permitted_ip_address) + + get "/session/email-login/#{email_token.token}" + + expect(response.status).to eq(200) + + expect(CGI.unescapeHTML(response.body)).to include( + I18n.t("login.not_allowed_from_ip_address", username: user.username) + ) + end + end + + it "fails when user is suspended" do + user.update!( + suspended_till: 2.days.from_now, + suspended_at: Time.zone.now + ) + + get "/session/email-login/#{email_token.token}" + + expect(response.status).to eq(200) + + expect(CGI.unescapeHTML(response.body)).to include(I18n.t("login.suspended", + date: I18n.l(user.suspended_till, format: :date_only) + )) + end + end + end +end diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb index d3351e59e1d..ba41c482ecd 100644 --- a/spec/requests/users_controller_spec.rb +++ b/spec/requests/users_controller_spec.rb @@ -340,4 +340,65 @@ RSpec.describe UsersController do expect(response).to redirect_to("/u/#{user.username_lower}/preferences") end end + + describe '#email_login' do + before do + SiteSetting.queue_jobs = true + SiteSetting.enable_local_logins_via_email = true + end + + it "enqueues the right email" do + post "/u/email-login.json", params: { login: user.email } + + expect(response).to be_success + expect(JSON.parse(response.body)['user_found']).to eq(true) + + job_args = Jobs::CriticalUserEmail.jobs.last["args"].first + + expect(job_args["user_id"]).to eq(user.id) + expect(job_args["type"]).to eq("email_login") + expect(job_args["email_token"]).to eq(user.email_tokens.last.token) + end + + describe 'when enable_local_logins_via_email is disabled' do + before do + SiteSetting.enable_local_logins_via_email = false + end + + it 'should return the right response' do + post "/u/email-login.json", params: { login: user.email } + + expect(response.status).to eq(404) + end + end + + describe 'when username or email is not valid' do + it 'should not enqueue the email to login' do + post "/u/email-login.json", params: { login: '@random' } + + expect(response).to be_success + expect(JSON.parse(response.body)['user_found']).to eq(false) + expect(Jobs::CriticalUserEmail.jobs).to eq([]) + end + end + + describe 'when hide_email_address_taken is true' do + it 'should return the right response' do + SiteSetting.hide_email_address_taken = true + post "/u/email-login.json", params: { login: user.email } + + expect(response).to be_success + expect(JSON.parse(response.body).has_key?('user_found')).to eq(false) + end + end + + describe "when user is already logged in" do + it 'should redirect to the root path' do + sign_in(user) + post "/u/email-login.json", params: { login: user.email } + + expect(response).to redirect_to("/") + end + end + end end diff --git a/test/javascripts/acceptance/forgot-password-test.js.es6 b/test/javascripts/acceptance/forgot-password-test.js.es6 new file mode 100644 index 00000000000..d3a868cb1f2 --- /dev/null +++ b/test/javascripts/acceptance/forgot-password-test.js.es6 @@ -0,0 +1,90 @@ +import { acceptance } from "helpers/qunit-helpers"; + +let userFound = false; + +acceptance("Forgot password", { + settings: { + enable_local_logins_via_email: true + }, + beforeEach() { + const response = object => { + return [ + 200, + { "Content-Type": "application/json" }, + object + ]; + }; + + server.post('/u/email-login', () => { // eslint-disable-line no-undef + return response({ "user_found": userFound }); + }); + } +}); + +QUnit.test("logging in via email", assert => { + visit("/"); + click("header .login-button"); + + andThen(() => { + assert.ok(exists('.login-modal'), "it shows the login modal"); + }); + + click('#forgot-password-link'); + + fillIn("#username-or-email", 'someuser'); + click('.email-login'); + + andThen(() => { + assert.equal( + find(".alert-error").html(), + I18n.t('email_login.complete_username_not_found', { username: 'someuser' }), + 'it should display the right error message' + ); + }); + + fillIn("#username-or-email", 'someuser@gmail.com'); + click('.email-login'); + + andThen(() => { + assert.equal( + find(".alert-error").html(), + I18n.t('email_login.complete_email_not_found', { email: 'someuser@gmail.com' }), + 'it should display the right error message' + ); + }); + + fillIn("#username-or-email", 'someuser'); + + andThen(() => { + userFound = true; + }); + + click('.email-login'); + + andThen(() => { + assert.equal( + find(".modal-body").html().trim(), + I18n.t('email_login.complete_username_found', { username: 'someuser' }), + 'it should display the right message' + ); + }); + + visit("/"); + click("header .login-button"); + + andThen(() => { + assert.ok(exists('.login-modal'), "it shows the login modal"); + }); + + click('#forgot-password-link'); + fillIn("#username-or-email", 'someuser@gmail.com'); + click('.email-login'); + + andThen(() => { + assert.equal( + find(".modal-body").html().trim(), + I18n.t('email_login.complete_email_found', { email: 'someuser@gmail.com' }), + 'it should display the right message' + ); + }); +});