1
0
mirror of https://github.com/mastodon/mastodon synced 2024-12-16 23:58:23 +09:00
Commit Graph

88 Commits

Author SHA1 Message Date
Matt Jankowski
bf8eaaa9a5
Convert controller spec for security_key_options endpoint to request spec (#31938) 2024-09-18 09:42:36 +00:00
Matt Jankowski
6b6a80b407
Remove body_as_json in favor of built-in response.parsed_body for JSON response specs (#31749) 2024-09-06 09:58:46 +00:00
Matt Jankowski
e1b5f3fc6f
Use response.parsed_body for html response checks (#31750) 2024-09-04 17:29:05 +00:00
Matt Jankowski
f1003b2560
Enable "zero monkey patching" mode in RSpec (#31614) 2024-09-04 05:12:25 +00:00
Matt Jankowski
f1300ad284
Rename jobs/attachments rspec tag names (#29762) 2024-07-08 16:01:08 +00:00
Damien Mathieu
1540f42522
Better tests for auth/registrations#update (#29303) 2024-02-26 16:09:56 +00:00
Wolfgang Fournès
d51c3ac087
Add a missing spec to SessionsController#webauthn_options (#29277) 2024-02-26 16:09:40 +00:00
Matt Jankowski
64f9939e39
Use capture_emails helper to improve email assertions in specs (#29245) 2024-02-19 15:57:47 +00:00
Matt Jankowski
3454fcbd71
Reduce round trips in auth/sessions spec (#29233) 2024-02-16 13:38:49 +00:00
Claire
e2d9635074
Add notification email on invalid second authenticator (#28822) 2024-01-22 13:55:43 +00:00
Claire
3593ee2e36
Add rate-limit of TOTP authentication attempts at controller level (#28801) 2024-01-19 12:19:49 +00:00
Claire
e621c1c44c
Fix registrations not checking MX records for email domain blocks requiring approval (#28608) 2024-01-15 17:10:57 +00:00
Matt Jankowski
00341c70ff
Use Sidekiq fake! instead of inline! in specs (#25369) 2024-01-10 11:06:58 +00:00
Claire
dfdadb92e8
Add ability to require approval when users sign up using specific email domains (#28468) 2024-01-04 09:07:05 +00:00
Matt Jankowski
513d35969e
Fix RSpec/LetSetup cop in auth controller specs (#28464) 2023-12-22 08:03:59 +00:00
Claire
6fed0fcbaa
Remove unneeded settings cleanup from specs (#28425) 2023-12-19 15:17:22 +00:00
Matt Jankowski
b2c5b20ef2
Fix RSpec/AnyInstance cop (#27810) 2023-11-14 14:52:59 +00:00
Matt Jankowski
69d00e2721
Fix RSpec/InstanceVariable cop (#27766) 2023-11-08 15:42:30 +00:00
Matt Jankowski
e545978076
Use framework helpers instead of i-vars in controller specs (#27767) 2023-11-08 08:17:43 +00:00
Matt Jankowski
2e6bf60f15
Use deliveries.size in mailer-related examples in controller specs (#27589) 2023-10-27 15:33:52 +00:00
Matt Jankowski
6c5a2233a8
Fix RSpec/StubbedMock cop (#25552)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-07-12 10:20:10 +02:00
Matt Jankowski
05f9e39b32
Fix RSpec/VerifiedDoubles cop (#25469) 2023-06-22 14:55:22 +02:00
Matt Jankowski
6c0e3f490a
Fix RSpec/MissingExampleGroupArgument cop (#25310) 2023-06-06 15:51:42 +02:00
Matt Jankowski
0f2c16ac4b
Fix RSpec/NoExpectationExample cop (#25103) 2023-05-26 09:41:12 +02:00
Matt Jankowski
604e1c2b11
Remove usage of random sample values in specs (#24869) 2023-05-15 20:20:13 +02:00
Matt Jankowski
a610a02d4f
Fix RSpec/ScatteredSetup cop (#24848) 2023-05-11 10:32:09 +02:00
Matt Jankowski
c97b611b6b
Fix RSpec/InferredSpecType cop (#24736) 2023-05-04 05:49:53 +02:00
Matt Jankowski
710745e16b
Fix RSpec/ContextWording cop (#24739) 2023-05-04 05:49:08 +02:00
Matt Jankowski
d00e45a7d3
Fix Rails/I18nLocaleAssignment cop (#24693) 2023-04-30 14:07:03 +02:00
Eugen Rochko
e98c86050a
Refactor Cache-Control and Vary definitions (#24347) 2023-04-19 16:07:29 +02:00
Matt Jankowski
688287c59d
Coverage improvement round-out following up previous work (#23987) 2023-03-10 13:33:30 +01:00
Nick Schonning
84cc805cae
Enable Style/FrozenStringLiteralComment for specs (#23790) 2023-02-22 09:55:31 +09:00
Nick Schonning
5116347eb7
Autofix Rubocop RSpec/BeEq (#23740) 2023-02-20 06:14:50 +01:00
Nick Schonning
4552685f6b
Autofix Rubocop RSpec/LeadingSubject (#23670) 2023-02-20 13:24:14 +09:00
Nick Schonning
aef0051fd0
Enable Rubocop HTTP status rules (#23717) 2023-02-20 11:16:40 +09:00
Nick Schonning
81ad6c2e39
Autofix Rubocop Style/StringLiterals (#23695) 2023-02-19 07:38:14 +09:00
Nick Schonning
634368c491
Autofix Rubocop Lint/SymbolConversion (#23683) 2023-02-18 03:23:49 +01:00
Nick Schonning
669f6d2c0a
Run rubocop formatting except line length (#23632) 2023-02-18 06:56:20 +09:00
Francis Murillo
5fb1c3e934
Revoke all authorized applications on password reset (#21325)
* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset paassword controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15 15:47:06 +01:00
Claire
327eed0076
Fix suspicious sign-in mails never being sent (#18599)
* Add tests

* Fix suspicious sign-in mails never being sent
2022-06-21 15:16:22 +02:00
Eugen Rochko
6221b36b27
Remove sign-in token authentication, instead send e-mail about new sign-in (#17970) 2022-04-06 20:58:12 +02:00
Claire
e38fc319dc
Refactor and improve tests (#17386)
* Change account and user fabricators to simplify and improve tests

- `Fabricate(:account)` implicitly fabricates an associated `user` if
  no `domain` attribute is given (an account with `domain: nil` is
  considered a local account, but no user record was created), unless
  `user: nil` is passed
- `Fabricate(:account, user: Fabricate(:user))` should still be possible
  but is discouraged.

* Fix and refactor tests

- avoid passing unneeded attributes to `Fabricate(:user)` or
  `Fabricate(:account)`
- avoid embedding `Fabricate(:user)` into a `Fabricate(:account)` or the other
  way around
- prefer `Fabricate(:user, account_attributes: …)` to
  `Fabricate(:user, account: Fabricate(:account, …)`
- also, some tests were using remote accounts with local user records, which is
  not representative of production code.
2022-01-28 00:46:42 +01:00
Eugen Rochko
8e84ebf0cb
Remove IP tracking columns from users table (#16409) 2022-01-16 13:23:50 +01:00
Claire
24f9ea7818
Fix webauthn secure key authentication (#16792)
* Add tests

* Fix webauthn secure key authentication

Fixes #16769
2021-09-30 05:26:29 +02:00
Claire
94bcf45321
Fix authentication failures after going halfway through a sign-in attempt (#16607)
* Add tests

* Add security-related tests

My first (unpublished) attempt at fixing the issues introduced (extremely
hard-to-exploit) security vulnerabilities, addressing them in a test.

* Fix authentication failures after going halfway through a sign-in attempt

* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
2021-08-25 22:52:41 +02:00
Claire
8c44b723bb
Change confirmations controller to redirect to / for approved users (#16151)
Clicking the confirmation link multiple times currently leads to entering
account settings, which can be confusing. This commit changes that so that
it redirects to the root path, so it behaves the same way as clicking only
once in most cases.
2021-05-03 15:45:19 +02:00
Eugen Rochko
9aa37b32c3
Add details to error response for POST /api/v1/accounts in REST API (#15803) 2021-03-01 04:59:13 +01:00
ThibG
1cf2c3a810
Fix external user creation failing when invite request text is required (#15405)
* Fix external user creation failing when invite request text is required

Also fixes tootctl-based user creation.

* Add test about invites when invite request text is otherwise required

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-22 17:14:32 +01:00
ThibG
49eb4d4ddf
Add honeypot fields and minimum fill-out time for sign-up form (#15276)
* Add honeypot fields to limit non-specialized spam

Add two honeypot fields: a fake website input and a fake password confirmation
one. The label/placeholder/aria-label tells not to fill them, and they are
hidden in CSS, so legitimate users should not fall into these.

This should cut down on some non-Mastodon-specific spambots.

* Require a 3 seconds delay before submitting the registration form

* Fix tests

* Move registration form time check to model validation

* Give people a chance to clear the honeypot fields

* Refactor honeypot translation strings

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10 06:27:26 +01:00
Eugen Rochko
8532429af7
Fix 2FA/sign-in token sessions being valid after password change (#14802)
If someone tries logging in to an account and is prompted for a 2FA
code or sign-in token, even if the account's password or e-mail is
updated in the meantime, the session will show the prompt and allow
the login process to complete with a valid 2FA code or sign-in token
2020-11-12 23:05:01 +01:00