user_spec.rb 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551
  1. require 'rails_helper'
  2. require 'devise_two_factor/spec_helpers'
  3. RSpec.describe User, type: :model do
  4. it_behaves_like 'two_factor_backupable'
  5. describe 'otp_secret' do
  6. it 'is encrypted with OTP_SECRET environment variable' do
  7. user = Fabricate(:user,
  8. encrypted_otp_secret: "Fttsy7QAa0edaDfdfSz094rRLAxc8cJweDQ4BsWH/zozcdVA8o9GLqcKhn2b\nGi/V\n",
  9. encrypted_otp_secret_iv: 'rys3THICkr60BoWC',
  10. encrypted_otp_secret_salt: '_LMkAGvdg7a+sDIKjI3mR2Q==')
  11. expect(user.otp_secret).to eq 'anotpsecretthatshouldbeencrypted'
  12. end
  13. end
  14. describe 'validations' do
  15. it 'is invalid without an account' do
  16. user = Fabricate.build(:user, account: nil)
  17. user.valid?
  18. expect(user).to model_have_error_on_field(:account)
  19. end
  20. it 'is invalid without a valid locale' do
  21. user = Fabricate.build(:user, locale: 'toto')
  22. user.valid?
  23. expect(user).to model_have_error_on_field(:locale)
  24. end
  25. it 'is invalid without a valid email' do
  26. user = Fabricate.build(:user, email: 'john@')
  27. user.valid?
  28. expect(user).to model_have_error_on_field(:email)
  29. end
  30. it 'is valid with an invalid e-mail that has already been saved' do
  31. user = Fabricate.build(:user, email: 'invalid-email')
  32. user.save(validate: false)
  33. expect(user.valid?).to be true
  34. end
  35. it 'is valid with a localhost e-mail address' do
  36. user = Fabricate.build(:user, email: 'admin@localhost')
  37. user.valid?
  38. expect(user.valid?).to be true
  39. end
  40. it 'cleans out empty string from languages' do
  41. user = Fabricate.build(:user, chosen_languages: [''])
  42. user.valid?
  43. expect(user.chosen_languages).to eq nil
  44. end
  45. end
  46. describe 'scopes' do
  47. describe 'recent' do
  48. it 'returns an array of recent users ordered by id' do
  49. user_1 = Fabricate(:user)
  50. user_2 = Fabricate(:user)
  51. expect(User.recent).to eq [user_2, user_1]
  52. end
  53. end
  54. describe 'confirmed' do
  55. it 'returns an array of users who are confirmed' do
  56. user_1 = Fabricate(:user, confirmed_at: nil)
  57. user_2 = Fabricate(:user, confirmed_at: Time.zone.now)
  58. expect(User.confirmed).to match_array([user_2])
  59. end
  60. end
  61. describe 'inactive' do
  62. it 'returns a relation of inactive users' do
  63. specified = Fabricate(:user, current_sign_in_at: 15.days.ago)
  64. Fabricate(:user, current_sign_in_at: 6.days.ago)
  65. expect(User.inactive).to match_array([specified])
  66. end
  67. end
  68. describe 'matches_email' do
  69. it 'returns a relation of users whose email starts with the given string' do
  70. specified = Fabricate(:user, email: 'specified@spec')
  71. Fabricate(:user, email: 'unspecified@spec')
  72. expect(User.matches_email('specified')).to match_array([specified])
  73. end
  74. end
  75. describe 'matches_ip' do
  76. it 'returns a relation of users whose ip address is matching with the given CIDR' do
  77. user1 = Fabricate(:user)
  78. user2 = Fabricate(:user)
  79. Fabricate(:session_activation, user: user1, ip: '2160:2160::22', session_id: '1')
  80. Fabricate(:session_activation, user: user1, ip: '2160:2160::23', session_id: '2')
  81. Fabricate(:session_activation, user: user2, ip: '2160:8888::24', session_id: '3')
  82. Fabricate(:session_activation, user: user2, ip: '2160:8888::25', session_id: '4')
  83. expect(User.matches_ip('2160:2160::/32')).to match_array([user1])
  84. end
  85. end
  86. end
  87. let(:account) { Fabricate(:account, username: 'alice') }
  88. let(:password) { 'abcd1234' }
  89. describe 'blacklist' do
  90. around(:each) do |example|
  91. old_blacklist = Rails.configuration.x.email_blacklist
  92. Rails.configuration.x.email_domains_blacklist = 'mvrht.com'
  93. example.run
  94. Rails.configuration.x.email_domains_blacklist = old_blacklist
  95. end
  96. it 'should allow a non-blacklisted user to be created' do
  97. user = User.new(email: 'foo@example.com', account: account, password: password, agreement: true)
  98. expect(user.valid?).to be_truthy
  99. end
  100. it 'should not allow a blacklisted user to be created' do
  101. user = User.new(email: 'foo@mvrht.com', account: account, password: password, agreement: true)
  102. expect(user.valid?).to be_falsey
  103. end
  104. it 'should not allow a subdomain blacklisted user to be created' do
  105. user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password, agreement: true)
  106. expect(user.valid?).to be_falsey
  107. end
  108. end
  109. describe '#confirmed?' do
  110. it 'returns true when a confirmed_at is set' do
  111. user = Fabricate.build(:user, confirmed_at: Time.now.utc)
  112. expect(user.confirmed?).to be true
  113. end
  114. it 'returns false if a confirmed_at is nil' do
  115. user = Fabricate.build(:user, confirmed_at: nil)
  116. expect(user.confirmed?).to be false
  117. end
  118. end
  119. describe '#confirm' do
  120. let(:new_email) { 'new-email@example.com' }
  121. subject { user.confirm }
  122. before do
  123. allow(TriggerWebhookWorker).to receive(:perform_async)
  124. end
  125. context 'when the user is already confirmed' do
  126. let!(:user) { Fabricate(:user, confirmed_at: Time.now.utc, approved: true, unconfirmed_email: new_email) }
  127. it 'sets email to unconfirmed_email' do
  128. expect { subject }.to change { user.reload.email }.to(new_email)
  129. end
  130. it 'does not trigger the account.approved Web Hook' do
  131. subject
  132. expect(TriggerWebhookWorker).not_to have_received(:perform_async).with('account.approved', 'Account', user.account_id)
  133. end
  134. end
  135. context 'when the user is a new user' do
  136. let(:user) { Fabricate(:user, confirmed_at: nil, unconfirmed_email: new_email) }
  137. context 'when the user is already approved' do
  138. around(:example) do |example|
  139. registrations_mode = Setting.registrations_mode
  140. Setting.registrations_mode = 'approved'
  141. example.run
  142. Setting.registrations_mode = registrations_mode
  143. end
  144. before do
  145. user.approve!
  146. end
  147. it 'sets email to unconfirmed_email' do
  148. expect { subject }.to change { user.reload.email }.to(new_email)
  149. end
  150. it 'triggers the account.approved Web Hook' do
  151. user.confirm
  152. expect(TriggerWebhookWorker).to have_received(:perform_async).with('account.approved', 'Account', user.account_id).once
  153. end
  154. end
  155. context 'when the user does not require explicit approval' do
  156. around(:example) do |example|
  157. registrations_mode = Setting.registrations_mode
  158. Setting.registrations_mode = 'open'
  159. example.run
  160. Setting.registrations_mode = registrations_mode
  161. end
  162. it 'sets email to unconfirmed_email' do
  163. expect { subject }.to change { user.reload.email }.to(new_email)
  164. end
  165. it 'triggers the account.approved Web Hook' do
  166. user.confirm
  167. expect(TriggerWebhookWorker).to have_received(:perform_async).with('account.approved', 'Account', user.account_id).once
  168. end
  169. end
  170. context 'when the user requires explicit approval but is not approved' do
  171. around(:example) do |example|
  172. registrations_mode = Setting.registrations_mode
  173. Setting.registrations_mode = 'approved'
  174. example.run
  175. Setting.registrations_mode = registrations_mode
  176. end
  177. it 'sets email to unconfirmed_email' do
  178. expect { subject }.to change { user.reload.email }.to(new_email)
  179. end
  180. it 'does not trigger the account.approved Web Hook' do
  181. subject
  182. expect(TriggerWebhookWorker).to_not have_received(:perform_async).with('account.approved', 'Account', user.account_id)
  183. end
  184. end
  185. end
  186. end
  187. describe '#approve!' do
  188. subject { user.approve! }
  189. around(:example) do |example|
  190. registrations_mode = Setting.registrations_mode
  191. Setting.registrations_mode = 'approved'
  192. example.run
  193. Setting.registrations_mode = registrations_mode
  194. end
  195. before do
  196. allow(TriggerWebhookWorker).to receive(:perform_async)
  197. end
  198. context 'when the user is already confirmed' do
  199. let(:user) { Fabricate(:user, confirmed_at: Time.now.utc, approved: false) }
  200. it 'sets the approved flag' do
  201. expect { subject }.to change { user.reload.approved? }.to(true)
  202. end
  203. it 'triggers the account.approved Web Hook' do
  204. subject
  205. expect(TriggerWebhookWorker).to have_received(:perform_async).with('account.approved', 'Account', user.account_id).once
  206. end
  207. end
  208. context 'when the user is not confirmed' do
  209. let(:user) { Fabricate(:user, confirmed_at: nil, approved: false) }
  210. it 'sets the approved flag' do
  211. expect { subject }.to change { user.reload.approved? }.to(true)
  212. end
  213. it 'does not trigger the account.approved Web Hook' do
  214. subject
  215. expect(TriggerWebhookWorker).not_to have_received(:perform_async).with('account.approved', 'Account', user.account_id)
  216. end
  217. end
  218. end
  219. describe '#disable_two_factor!' do
  220. it 'saves false for otp_required_for_login' do
  221. user = Fabricate.build(:user, otp_required_for_login: true)
  222. user.disable_two_factor!
  223. expect(user.reload.otp_required_for_login).to be false
  224. end
  225. it 'saves nil for otp_secret' do
  226. user = Fabricate.build(:user, otp_secret: 'oldotpcode')
  227. user.disable_two_factor!
  228. expect(user.reload.otp_secret).to be nil
  229. end
  230. it 'saves cleared otp_backup_codes' do
  231. user = Fabricate.build(:user, otp_backup_codes: %w(dummy dummy))
  232. user.disable_two_factor!
  233. expect(user.reload.otp_backup_codes.empty?).to be true
  234. end
  235. end
  236. describe '#send_confirmation_instructions' do
  237. around do |example|
  238. queue_adapter = ActiveJob::Base.queue_adapter
  239. example.run
  240. ActiveJob::Base.queue_adapter = queue_adapter
  241. end
  242. it 'delivers confirmation instructions later' do
  243. user = Fabricate(:user)
  244. ActiveJob::Base.queue_adapter = :test
  245. expect { user.send_confirmation_instructions }.to have_enqueued_job(ActionMailer::MailDeliveryJob)
  246. end
  247. end
  248. describe 'settings' do
  249. it 'is instance of Settings::ScopedSettings' do
  250. user = Fabricate(:user)
  251. expect(user.settings).to be_kind_of Settings::ScopedSettings
  252. end
  253. end
  254. describe '#setting_default_privacy' do
  255. it 'returns default privacy setting if user has configured' do
  256. user = Fabricate(:user)
  257. user.settings[:default_privacy] = 'unlisted'
  258. expect(user.setting_default_privacy).to eq 'unlisted'
  259. end
  260. it "returns 'private' if user has not configured default privacy setting and account is locked" do
  261. user = Fabricate(:account, locked: true).user
  262. expect(user.setting_default_privacy).to eq 'private'
  263. end
  264. it "returns 'public' if user has not configured default privacy setting and account is not locked" do
  265. user = Fabricate(:account, locked: false).user
  266. expect(user.setting_default_privacy).to eq 'public'
  267. end
  268. end
  269. describe 'whitelist' do
  270. around(:each) do |example|
  271. old_whitelist = Rails.configuration.x.email_domains_whitelist
  272. Rails.configuration.x.email_domains_whitelist = 'mastodon.space'
  273. example.run
  274. Rails.configuration.x.email_domains_whitelist = old_whitelist
  275. end
  276. it 'should not allow a user to be created unless they are whitelisted' do
  277. user = User.new(email: 'foo@example.com', account: account, password: password, agreement: true)
  278. expect(user.valid?).to be_falsey
  279. end
  280. it 'should allow a user to be created if they are whitelisted' do
  281. user = User.new(email: 'foo@mastodon.space', account: account, password: password, agreement: true)
  282. expect(user.valid?).to be_truthy
  283. end
  284. it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do
  285. user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password, agreement: true)
  286. expect(user.valid?).to be_falsey
  287. end
  288. context do
  289. around do |example|
  290. old_blacklist = Rails.configuration.x.email_blacklist
  291. example.run
  292. Rails.configuration.x.email_domains_blacklist = old_blacklist
  293. end
  294. it 'should not allow a user to be created with a specific blacklisted subdomain even if the top domain is whitelisted' do
  295. Rails.configuration.x.email_domains_blacklist = 'blacklisted.mastodon.space'
  296. user = User.new(email: 'foo@blacklisted.mastodon.space', account: account, password: password)
  297. expect(user.valid?).to be_falsey
  298. end
  299. end
  300. end
  301. it_behaves_like 'Settings-extended' do
  302. def create!
  303. User.create!(account: Fabricate(:account, user: nil), email: 'foo@mastodon.space', password: 'abcd1234', agreement: true)
  304. end
  305. def fabricate
  306. Fabricate(:user)
  307. end
  308. end
  309. describe 'token_for_app' do
  310. let(:user) { Fabricate(:user) }
  311. let(:app) { Fabricate(:application, owner: user) }
  312. it 'returns a token' do
  313. expect(user.token_for_app(app)).to be_a(Doorkeeper::AccessToken)
  314. end
  315. it 'persists a token' do
  316. t = user.token_for_app(app)
  317. expect(user.token_for_app(app)).to eql(t)
  318. end
  319. it 'is nil if user does not own app' do
  320. app.update!(owner: nil)
  321. expect(user.token_for_app(app)).to be_nil
  322. end
  323. end
  324. describe '#disable!' do
  325. subject(:user) { Fabricate(:user, disabled: false, current_sign_in_at: current_sign_in_at, last_sign_in_at: nil) }
  326. let(:current_sign_in_at) { Time.zone.now }
  327. before do
  328. user.disable!
  329. end
  330. it 'disables user' do
  331. expect(user).to have_attributes(disabled: true)
  332. end
  333. end
  334. describe '#enable!' do
  335. subject(:user) { Fabricate(:user, disabled: true) }
  336. before do
  337. user.enable!
  338. end
  339. it 'enables user' do
  340. expect(user).to have_attributes(disabled: false)
  341. end
  342. end
  343. describe '#reset_password!' do
  344. subject(:user) { Fabricate(:user, password: 'foobar12345') }
  345. let!(:session_activation) { Fabricate(:session_activation, user: user) }
  346. let!(:access_token) { Fabricate(:access_token, resource_owner_id: user.id) }
  347. let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
  348. let(:redis_pipeline_stub) { instance_double(Redis::Namespace, publish: nil) }
  349. before do
  350. allow(redis).to receive(:pipelined).and_yield(redis_pipeline_stub)
  351. user.reset_password!
  352. end
  353. it 'changes the password immediately' do
  354. expect(user.external_or_valid_password?('foobar12345')).to be false
  355. end
  356. it 'deactivates all sessions' do
  357. expect(user.session_activations.count).to eq 0
  358. end
  359. it 'revokes all access tokens' do
  360. expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
  361. end
  362. it 'revokes streaming access for all access tokens' do
  363. expect(redis_pipeline_stub).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
  364. end
  365. it 'removes push subscriptions' do
  366. expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
  367. end
  368. end
  369. describe '#confirm!' do
  370. subject(:user) { Fabricate(:user, confirmed_at: confirmed_at) }
  371. before do
  372. ActionMailer::Base.deliveries.clear
  373. user.confirm!
  374. end
  375. after { ActionMailer::Base.deliveries.clear }
  376. context 'when user is new' do
  377. let(:confirmed_at) { nil }
  378. it 'confirms user' do
  379. expect(user.confirmed_at).to be_present
  380. end
  381. it 'delivers mails' do
  382. expect(ActionMailer::Base.deliveries.count).to eq 2
  383. end
  384. end
  385. context 'when user is not new' do
  386. let(:confirmed_at) { Time.zone.now }
  387. it 'confirms user' do
  388. expect(user.confirmed_at).to be_present
  389. end
  390. it 'does not deliver mail' do
  391. expect(ActionMailer::Base.deliveries.count).to eq 0
  392. end
  393. end
  394. end
  395. describe '#active_for_authentication?' do
  396. subject { user.active_for_authentication? }
  397. let(:user) { Fabricate(:user, disabled: disabled, confirmed_at: confirmed_at) }
  398. context 'when user is disabled' do
  399. let(:disabled) { true }
  400. context 'when user is confirmed' do
  401. let(:confirmed_at) { Time.zone.now }
  402. it { is_expected.to be true }
  403. end
  404. context 'when user is not confirmed' do
  405. let(:confirmed_at) { nil }
  406. it { is_expected.to be true }
  407. end
  408. end
  409. context 'when user is not disabled' do
  410. let(:disabled) { false }
  411. context 'when user is confirmed' do
  412. let(:confirmed_at) { Time.zone.now }
  413. it { is_expected.to be true }
  414. end
  415. context 'when user is not confirmed' do
  416. let(:confirmed_at) { nil }
  417. it { is_expected.to be true }
  418. end
  419. end
  420. end
  421. describe '.those_who_can' do
  422. pending
  423. end
  424. end