mastodon/spec/system/auth/passwords_spec.rb

# frozen_string_literal: true

require 'rails_helper'

RSpec.describe 'Auth Passwords' do
  let(:user) { Fabricate :user }
  let!(:session_activation) { Fabricate(:session_activation, user: user) }
  let!(:access_token) { Fabricate(:access_token, resource_owner_id: user.id) }
  let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }

  describe 'Resetting a password', :inline_jobs do
    let(:new_password) { 'New.Pass.123' }

    before { allow(Devise).to receive(:pam_authentication).and_return(false) } # Avoid the "seamless external" path

    it 'initiates reset, sends link, resets password from form, clears data' do
      visit new_user_password_path
      expect(page)
        .to have_title(I18n.t('auth.reset_password'))

      submit_email_reset
      expect(page)
        .to have_title(I18n.t('auth.set_new_password'))

      set_new_password
      expect(page)
        .to have_title(I18n.t('auth.login'))

      # Change password
      expect(User.find(user.id))
        .to be_present
        .and be_valid_password(new_password)

      # Deactivate session
      expect(user_session_count)
        .to eq(0)
      expect { session_activation.reload }
        .to raise_error(ActiveRecord::RecordNotFound)

      # Revoke tokens
      expect(user_token_count)
        .to eq(0)

      # Remove push subs
      expect(push_subs_count)
        .to eq(0)
      expect { web_push_subscription.reload }
        .to raise_error(ActiveRecord::RecordNotFound)
    end

    def submit_email_reset
      fill_in 'user_email', with: user.email
      click_on I18n.t('auth.reset_password')
      open_last_email
      visit_in_email(I18n.t('devise.mailer.reset_password_instructions.action'))
    end

    def set_new_password
      fill_in 'user_password', with: new_password
      fill_in 'user_password_confirmation', with: new_password
      click_on I18n.t('auth.set_new_password')
    end

    def user_session_count
      user
        .session_activations
        .count
    end

    def user_token_count
      Doorkeeper::AccessToken
        .active_for(user)
        .count
    end

    def push_subs_count
      Web::PushSubscription
        .where(user: user)
        .or(Web::PushSubscription.where(access_token: access_token))
        .count
    end
  end
end