Use expect params wrapper for more "auth" and "2FA" "controllers" (#33717)

2025-01-24 09:40:20 -05:00 · 2025-01-24 09:40:20 -05:00 · a1d9c3fb99
commit a1d9c3fb99
parent e44b78413a
8 changed files with 77 additions and 10 deletions
--- a/spec/requests/auth/sessions_spec.rb
+++ b/spec/requests/auth/sessions_spec.rb
@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Auth Sessions' do
+  describe 'POST /auth/sign_in' do
+    # The rack-attack check has issues with the non-nested invalid param used here
+    before { Rack::Attack.enabled = false }
+    after { Rack::Attack.enabled = true }
+
+    it 'gracefully handles invalid nested params' do
+      post user_session_path(user: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
--- a/spec/requests/settings/applications_spec.rb
+++ b/spec/requests/settings/applications_spec.rb
@ -40,5 +40,23 @@ RSpec.describe 'Settings / Exports' do
      expect(response)
        .to redirect_to(settings_applications_path)
    end
+
+    it 'gracefully handles invalid nested params' do
+      post settings_applications_path(doorkeeper_application: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+
+  describe 'PUT /settings/applications/:id' do
+    let(:application) { Fabricate :application, owner: user }
+
+    it 'gracefully handles invalid nested params' do
+      put settings_application_path(application.id, doorkeeper_application: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
  end
 end
--- a/spec/requests/settings/two_factor_authentication/confirmations_spec.rb
+++ b/spec/requests/settings/two_factor_authentication/confirmations_spec.rb
@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings 2FA Confirmations' do
+  describe 'POST /settings/two_factor_authentication/confirmations' do
+    before do
+      sign_in Fabricate(:user, encrypted_password: '') # Empty encrypted password avoids challengable flow
+      post settings_otp_authentication_path # Sets `session[:new_otp_secret]` which is needed for next step
+    end
+
+    it 'gracefully handles invalid nested params' do
+      post settings_two_factor_authentication_confirmation_path(form_two_factor_confirmation: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end
--- a/spec/requests/settings/verifications_spec.rb
+++ b/spec/requests/settings/verifications_spec.rb
@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Verifications' do
+  describe 'PUT /settings/verification' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      put settings_verification_path(account: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end