Commit Graph

9 Commits

Author SHA1 Message Date
Ted Johansson c1c7ea8959
DEV: Change hide_email_address_taken default to true (#30293)
We're changing the default of hide_email_address_taken to true. This is a trade-off we want to make, as it prevents account enumeration with minimal impact on legitimate users. If you forget you have an account and try to sign up again with the same e-mail you'll receive an e-mail letting you know.
2024-12-17 10:46:04 +08:00
Alan Guo Xiang Tan 952f69ce60
FIX: User can't reset password with backup codes when only security key is enabled (#27368)
This commit fixes a problem where the user will not be able to reset
their password when they only have security keys and backup codes
configured.

This commit also makes the following changes/fixes:

1. Splits password reset system tests to
   `spec/system/forgot_password_spec.rb` instead of missing the system
   tests in `spec/system/login_spec.rb` which is mainly used to test
   the login flow.

2. Fixes a UX issue where the `Use backup codes` or `Use authenticator
   app` text is shown on the reset password form when the user does
   not have either backup codes or an authenticator app configured.
2024-06-06 14:30:42 +08:00
Alan Guo Xiang Tan 4d8eca91ef
Revert "DEV: Use `127.0.0.1` instead of `localhost` as Capybara's server host (#27215)" (#27218)
This reverts commit 998b50fdf4.

Ended up making system tests even more unstable
2024-05-28 11:32:22 +08:00
Alan Guo Xiang Tan 998b50fdf4
DEV: Use `127.0.0.1` instead of `localhost` as Capybara's server host (#27215)
We are seeing a weird resolution error on Github actions with the
following backtrace:

```
Failure/Error:
  visit File.join(
          GlobalSetting.relative_url_root || "",
          "/session/#{user.encoded_username}/become.json?redirect=false",
        )

Socket::ResolutionError:
  getaddrinfo: Temporary failure in name resolution

```

Switch to use `127.0.0.1` instead of forcing a name resolution.
2024-05-28 09:47:22 +08:00
Alan Guo Xiang Tan 31e44cfa82
DEV: Fix flaky "Changing email" system tests (#25805)
Why this change?

`current_url` does not rely on Capybara waiters so opt to use
`have_current_path` matcher instead. Also assert for email against
element displayed on the page instead of querying the database for it
which isn't really what system tests are meant for.
2024-02-22 10:46:37 +08:00
Penar Musaraj 974b3a2a6f
DEV: Do not require session confirmation for new users (#24799)
When making sensitive changes to an account (adding 2FA or passkeys), we
require users to confirm their password. This is to prevent an attacker
from adding 2FA to an account they have access to.

However, on newly created accounts, we should not require this, it's an
extra step and it doesn't provide extra security (since the account was
just created). This commit makes it so that we don't require session
confirmation for accounts created less than 5 minutes ago.
2024-02-15 12:29:16 -05:00
David Taylor 9bd6523581
DEV: Update email_change_spec to increase wait time in CI (#25522)
CI runs on slower machines, so we need to use longer wait times. `Capybara.default_max_wait_time` is automatically reconfigured based on the environment.
2024-02-01 14:11:37 +00:00
David Taylor 02953ec5fa
DEV: Clean up authenticator in email_change_spec (#25521) 2024-02-01 14:11:18 +00:00
David Taylor 283fe48243
DEV: Update confirm-email flows to use central 2fa and ember rendering (#25404)
These routes were previously rendered using Rails, and had a fairly fragile 2fa implementation in vanilla-js. This commit refactors the routes to be handled in the Ember app, removes the custom vanilla-js bundles, and leans on our centralized 2fa implementation. It also introduces a set of system specs for the behavior.
2024-01-30 10:32:42 +00:00