From 9e8bd76e5982be5f6ebc5f6d3f86f7432347f552 Mon Sep 17 00:00:00 2001
From: Luke Crouch
Date: Thu, 9 May 2019 15:00:01 -0500
Subject: [PATCH] fix user controller tests
---
 controllers/user.js | 5 ++++
 tests/controllers/user.test.js | 43 +++++++++++++++++++++++++++-------
 2 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/controllers/user.js b/controllers/user.js
index 5dd360552..389051a16 100644
--- a/controllers/user.js
+++ b/controllers/user.js
@@ -172,6 +172,11 @@ async function verify(req, res) {
 if (!existingEmail) {
 throw new FluentError("error-not-subscribed");
 }
+
+ if (existingEmail.subscriber_id !== req.session.user.id) {
+ throw new FluentError("user-verify-token-error");
+ }
+
 if (!existingEmail.verified) {
 await _verify(req);
 }
diff --git a/tests/controllers/user.test.js b/tests/controllers/user.test.js
index 442e1c6f3..4c02b1d73 100644
--- a/tests/controllers/user.test.js
+++ b/tests/controllers/user.test.js
@@ -9,7 +9,7 @@ const getSha1 = require("../../sha1-utils"); const user = require("../../controllers/user"); const { testBreaches } = require ("../test-breaches"); -const { TEST_SUBSCRIBERS } = require("../../db/seeds/test_subscribers"); +const { TEST_SUBSCRIBERS, TEST_EMAIL_ADDRESSES } = require("../../db/seeds/test_subscribers"); require("../resetDB");
@@ -40,7 +40,7 @@ test("user add POST with email adds unverified subscriber and sends verification await user.add(req, resp); // Check expectations - expect(resp.statusCode).toEqual(200); + expect(resp.statusCode).toEqual(302); expect(testSubscriber.primary_email).toEqual(testSubscriberEmail); 
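Review bot: The ownership check added at `existingEmail.subscriber_id !== req.session.user.id` dereferences `req.session.user` unconditionally, so a request that reaches this point without a signed-in session (a verification link opened from an email in a browser with no session) fails with a TypeError rather than the intended `user-verify-token-error`. Unless a check earlier in verify already guarantees a session user, guard the lookup first: `const sessionUser = req.session && req.session.user;` and `if (!sessionUser || existingEmail.subscriber_id !== sessionUser.id) {`. The strict `!==` also assumes `subscriber_id` and `session.user.id` share a type; if either comes back as a string, every legitimate verification would be rejected, so this deserves a short comment on the comparison and a test whose session fixture is loaded the same way the real login path loads it. verify starts before this hunk and continues after it.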
@@ -81,7 +81,7 @@ test("user add request with invalid email throws error", async () => { test("user verify request with valid token verifies user", async () => { - const validToken = TEST_SUBSCRIBERS.unverified_email.primary_verification_token; + const validToken = TEST_EMAIL_ADDRESSES.unverified_email_on_firefox_account.verification_token; const testSubscriberEmail = "firefoxaccount@test.com"; const testSubscriber = await DB.getSubscriberByEmail(testSubscriberEmail); @@ -90,6 +90,7 @@ test("user verify request with valid token verifies user", async () => { url: `/user/verify?token=${validToken}`, session: { user: testSubscriber }, fluentFormat: jest.fn(), + app: { locals: { breaches: testBreaches } }, }); const resp = httpMocks.createResponse(); 
@@ -97,15 +98,41 @@ test("user verify request with valid token verifies user", async () => { await user.verify(req, resp); expect(resp.statusCode).toEqual(200); - const subscriber = await DB.getSubscriberByToken(validToken); - expect(subscriber.verified).toBeTruthy(); + const emailAddress = await DB.getEmailByToken(validToken); + expect(emailAddress.verified).toBeTruthy(); +}); + + +test("user verify request with valid token but wrong user session does NOT verify email address", async () => { + const validToken = TEST_EMAIL_ADDRESSES.unverified_email_on_firefox_account.verification_token; + const testSubscriberEmail = "verifiedemail@test.com"; + const testSubscriber = await DB.getSubscriberByEmail(testSubscriberEmail); + + const req = httpMocks.createRequest({ + method: "GET", + url: `/user/verify?token=${validToken}`, + session: { user: testSubscriber }, + fluentFormat: jest.fn(), + app: { locals: { breaches: testBreaches } }, + }); + const resp = httpMocks.createResponse(); + + // Call code-under-test + await expect(user.verify(req, resp)).rejects.toThrow("user-verify-token-error"); + + const emailAddress = await DB.getEmailByToken(validToken); + expect(emailAddress.verified).toBeFalsy(); }); test("user verify request for already verified user doesn't send extra email", async () => { - const alreadyVerifiedToken = TEST_SUBSCRIBERS.verified_email.primary_verification_token; + const alreadyVerifiedToken = TEST_EMAIL_ADDRESSES.firefox_account.verification_token; + const testSubscriberEmail = "firefoxaccount@test.com"; + const testSubscriber = await DB.getSubscriberByEmail(testSubscriberEmail); + // Set up mocks EmailUtils.sendEmail = jest.fn(); + mockRequest.session = { user: testSubscriber }; mockRequest.query = { token: alreadyVerifiedToken }; mockRequest.app = { locals: { breaches: testBreaches } }; const resp = httpMocks.createResponse(); 
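Review bot: The already-verified test now mutates a shared `mockRequest` object (`mockRequest.session = …`, `mockRequest.query = …`, `mockRequest.app = …`), which presumably is a module-level fixture defined outside this hunk, so the session it assigns leaks into any later test that reuses the same object; the two verify tests just above build a fresh request with `httpMocks.createRequest({ … })` instead. Constructing the request the same way here, with `session: { user: testSubscriber }` and `url: "/user/verify?token=" + alreadyVerifiedToken`, keeps each test self-contained. The new negative test (valid token, wrong session user) is a good regression guard for the ownership check; it could also stub `EmailUtils.sendEmail = jest.fn();` and assert it was not called, so a future change cannot send mail on the rejected path. The already-verified test function continues past this hunk.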
@@ -114,8 +141,8 @@ test("user verify request for already verified user doesn't send extra email", a await user.verify(mockRequest, resp); expect(resp.statusCode).toEqual(200); - const subscriber = await DB.getSubscriberByToken(alreadyVerifiedToken); - expect(subscriber.verified).toBeTruthy(); + const emailAddress = await DB.getEmailByToken(alreadyVerifiedToken); + expect(emailAddress.verified).toBeTruthy(); expect(EmailUtils.sendEmail).not.toHaveBeenCalled(); });