1
0

user_spec.rb 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. require 'devise_two_factor/spec_helpers'
  4. RSpec.describe User do
  5. subject { described_class.new(account: account) }
  6. let(:password) { 'abcd1234' }
  7. let(:account) { Fabricate(:account, username: 'alice') }
  8. it_behaves_like 'two_factor_backupable'
  9. describe 'legacy_otp_secret' do
  10. it 'is encrypted with OTP_SECRET environment variable' do
  11. user = Fabricate(:user,
  12. encrypted_otp_secret: "Fttsy7QAa0edaDfdfSz094rRLAxc8cJweDQ4BsWH/zozcdVA8o9GLqcKhn2b\nGi/V\n",
  13. encrypted_otp_secret_iv: 'rys3THICkr60BoWC',
  14. encrypted_otp_secret_salt: '_LMkAGvdg7a+sDIKjI3mR2Q==')
  15. expect(user.send(:legacy_otp_secret)).to eq 'anotpsecretthatshouldbeencrypted'
  16. end
  17. end
  18. describe 'otp_secret' do
  19. it 'encrypts the saved value' do
  20. user = Fabricate(:user, otp_secret: '123123123')
  21. user.reload
  22. expect(user.otp_secret).to eq '123123123'
  23. expect(user.attributes_before_type_cast[:otp_secret]).to_not eq '123123123'
  24. end
  25. end
  26. describe 'validations' do
  27. it { is_expected.to belong_to(:account).required }
  28. it 'is invalid without a valid email' do
  29. user = Fabricate.build(:user, email: 'john@')
  30. user.valid?
  31. expect(user).to model_have_error_on_field(:email)
  32. end
  33. it 'is valid with an invalid e-mail that has already been saved' do
  34. user = Fabricate.build(:user, email: 'invalid-email')
  35. user.save(validate: false)
  36. expect(user.valid?).to be true
  37. end
  38. it 'is valid with a localhost e-mail address' do
  39. user = Fabricate.build(:user, email: 'admin@localhost')
  40. user.valid?
  41. expect(user.valid?).to be true
  42. end
  43. end
  44. describe 'Normalizations' do
  45. describe 'locale' do
  46. it { is_expected.to_not normalize(:locale).from('en') }
  47. it { is_expected.to normalize(:locale).from('toto').to(nil) }
  48. end
  49. describe 'time_zone' do
  50. it { is_expected.to_not normalize(:time_zone).from('UTC') }
  51. it { is_expected.to normalize(:time_zone).from('toto').to(nil) }
  52. end
  53. describe 'chosen_languages' do
  54. it { is_expected.to normalize(:chosen_languages).from(['en', 'fr', '']).to(%w(en fr)) }
  55. it { is_expected.to normalize(:chosen_languages).from(['']).to(nil) }
  56. end
  57. end
  58. describe 'scopes', :inline_jobs do
  59. describe 'recent' do
  60. it 'returns an array of recent users ordered by id' do
  61. first_user = Fabricate(:user)
  62. second_user = Fabricate(:user)
  63. expect(described_class.recent).to eq [second_user, first_user]
  64. end
  65. end
  66. describe 'confirmed' do
  67. it 'returns an array of users who are confirmed' do
  68. Fabricate(:user, confirmed_at: nil)
  69. confirmed_user = Fabricate(:user, confirmed_at: Time.zone.now)
  70. expect(described_class.confirmed).to contain_exactly(confirmed_user)
  71. end
  72. end
  73. describe 'signed_in_recently' do
  74. it 'returns a relation of users who have signed in during the recent period' do
  75. recent_sign_in_user = Fabricate(:user, current_sign_in_at: within_duration_window_days.ago)
  76. Fabricate(:user, current_sign_in_at: exceed_duration_window_days.ago)
  77. expect(described_class.signed_in_recently)
  78. .to contain_exactly(recent_sign_in_user)
  79. end
  80. end
  81. describe 'not_signed_in_recently' do
  82. it 'returns a relation of users who have not signed in during the recent period' do
  83. no_recent_sign_in_user = Fabricate(:user, current_sign_in_at: exceed_duration_window_days.ago)
  84. Fabricate(:user, current_sign_in_at: within_duration_window_days.ago)
  85. expect(described_class.not_signed_in_recently)
  86. .to contain_exactly(no_recent_sign_in_user)
  87. end
  88. end
  89. describe 'account_not_suspended' do
  90. it 'returns with linked accounts that are not suspended' do
  91. suspended_account = Fabricate(:account, suspended_at: 10.days.ago)
  92. non_suspended_account = Fabricate(:account, suspended_at: nil)
  93. suspended_user = Fabricate(:user, account: suspended_account)
  94. non_suspended_user = Fabricate(:user, account: non_suspended_account)
  95. expect(described_class.account_not_suspended)
  96. .to include(non_suspended_user)
  97. .and not_include(suspended_user)
  98. end
  99. end
  100. describe 'matches_email' do
  101. it 'returns a relation of users whose email starts with the given string' do
  102. specified = Fabricate(:user, email: 'specified@spec')
  103. Fabricate(:user, email: 'unspecified@spec')
  104. expect(described_class.matches_email('specified')).to contain_exactly(specified)
  105. end
  106. end
  107. describe 'matches_ip' do
  108. it 'returns a relation of users whose ip address is matching with the given CIDR' do
  109. user1 = Fabricate(:user)
  110. user2 = Fabricate(:user)
  111. Fabricate(:session_activation, user: user1, ip: '2160:2160::22', session_id: '1')
  112. Fabricate(:session_activation, user: user1, ip: '2160:2160::23', session_id: '2')
  113. Fabricate(:session_activation, user: user2, ip: '2160:8888::24', session_id: '3')
  114. Fabricate(:session_activation, user: user2, ip: '2160:8888::25', session_id: '4')
  115. expect(described_class.matches_ip('2160:2160::/32')).to contain_exactly(user1)
  116. end
  117. end
  118. def exceed_duration_window_days
  119. described_class::ACTIVE_DURATION + 2.days
  120. end
  121. def within_duration_window_days
  122. described_class::ACTIVE_DURATION - 2.days
  123. end
  124. end
  125. describe 'email domains denylist integration' do
  126. around do |example|
  127. original = Rails.configuration.x.email_domains_denylist
  128. Rails.configuration.x.email_domains_denylist = 'mvrht.com'
  129. example.run
  130. Rails.configuration.x.email_domains_denylist = original
  131. end
  132. it 'allows a user with an email domain that is not on the denylist to be created' do
  133. user = described_class.new(email: 'foo@example.com', account: account, password: password, agreement: true)
  134. expect(user).to be_valid
  135. end
  136. it 'does not allow a user with an email domain on the deylist to be created' do
  137. user = described_class.new(email: 'foo@mvrht.com', account: account, password: password, agreement: true)
  138. expect(user).to_not be_valid
  139. end
  140. it 'does not allow a user with an email where the subdomain is on the denylist to be created' do
  141. user = described_class.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password, agreement: true)
  142. expect(user).to_not be_valid
  143. end
  144. end
  145. describe '#confirmed?' do
  146. it 'returns true when a confirmed_at is set' do
  147. user = Fabricate.build(:user, confirmed_at: Time.now.utc)
  148. expect(user.confirmed?).to be true
  149. end
  150. it 'returns false if a confirmed_at is nil' do
  151. user = Fabricate.build(:user, confirmed_at: nil)
  152. expect(user.confirmed?).to be false
  153. end
  154. end
  155. describe '#confirm' do
  156. subject { user.confirm }
  157. let(:new_email) { 'new-email@example.com' }
  158. before do
  159. allow(TriggerWebhookWorker).to receive(:perform_async)
  160. end
  161. context 'when the user is already confirmed' do
  162. let!(:user) { Fabricate(:user, confirmed_at: Time.now.utc, approved: true, unconfirmed_email: new_email) }
  163. it 'sets email to unconfirmed_email and does not trigger web hook' do
  164. expect { subject }.to change { user.reload.email }.to(new_email)
  165. expect(TriggerWebhookWorker).to_not have_received(:perform_async).with('account.approved', 'Account', user.account_id)
  166. end
  167. end
  168. context 'when the user is a new user' do
  169. let(:user) { Fabricate(:user, confirmed_at: nil, unconfirmed_email: new_email) }
  170. context 'when the user is already approved' do
  171. before do
  172. Setting.registrations_mode = 'approved'
  173. user.approve!
  174. end
  175. it 'sets email to unconfirmed_email and triggers `account.approved` web hook' do
  176. expect { subject }.to change { user.reload.email }.to(new_email)
  177. expect(TriggerWebhookWorker).to have_received(:perform_async).with('account.approved', 'Account', user.account_id).once
  178. end
  179. end
  180. context 'when the user does not require explicit approval' do
  181. before do
  182. Setting.registrations_mode = 'open'
  183. end
  184. it 'sets email to unconfirmed_email and triggers `account.approved` web hook' do
  185. expect { subject }.to change { user.reload.email }.to(new_email)
  186. expect(TriggerWebhookWorker).to have_received(:perform_async).with('account.approved', 'Account', user.account_id).once
  187. end
  188. end
  189. context 'when the user requires explicit approval but is not approved' do
  190. before do
  191. Setting.registrations_mode = 'approved'
  192. end
  193. it 'sets email to unconfirmed_email and does not trigger web hook' do
  194. expect { subject }.to change { user.reload.email }.to(new_email)
  195. expect(TriggerWebhookWorker).to_not have_received(:perform_async).with('account.approved', 'Account', user.account_id)
  196. end
  197. end
  198. end
  199. end
  200. describe '#approve!' do
  201. subject { user.approve! }
  202. before do
  203. Setting.registrations_mode = 'approved'
  204. allow(TriggerWebhookWorker).to receive(:perform_async)
  205. end
  206. context 'when the user is already confirmed' do
  207. let(:user) { Fabricate(:user, confirmed_at: Time.now.utc, approved: false) }
  208. it 'sets the approved flag and triggers `account.approved` web hook' do
  209. expect { subject }.to change { user.reload.approved? }.to(true)
  210. expect(TriggerWebhookWorker).to have_received(:perform_async).with('account.approved', 'Account', user.account_id).once
  211. end
  212. end
  213. context 'when the user is not confirmed' do
  214. let(:user) { Fabricate(:user, confirmed_at: nil, approved: false) }
  215. it 'sets the approved flag and does not trigger web hook' do
  216. expect { subject }.to change { user.reload.approved? }.to(true)
  217. expect(TriggerWebhookWorker).to_not have_received(:perform_async).with('account.approved', 'Account', user.account_id)
  218. end
  219. end
  220. end
  221. describe '#disable_two_factor!' do
  222. it 'saves false for otp_required_for_login' do
  223. user = Fabricate.build(:user, otp_required_for_login: true)
  224. user.disable_two_factor!
  225. expect(user.reload.otp_required_for_login).to be false
  226. end
  227. it 'saves nil for otp_secret' do
  228. user = Fabricate.build(:user, otp_secret: 'oldotpcode')
  229. user.disable_two_factor!
  230. expect(user.reload.otp_secret).to be_nil
  231. end
  232. it 'saves cleared otp_backup_codes' do
  233. user = Fabricate.build(:user, otp_backup_codes: %w(dummy dummy))
  234. user.disable_two_factor!
  235. expect(user.reload.otp_backup_codes.empty?).to be true
  236. end
  237. end
  238. describe '#send_confirmation_instructions' do
  239. around do |example|
  240. queue_adapter = ActiveJob::Base.queue_adapter
  241. example.run
  242. ActiveJob::Base.queue_adapter = queue_adapter
  243. end
  244. it 'delivers confirmation instructions later' do
  245. user = Fabricate(:user)
  246. ActiveJob::Base.queue_adapter = :test
  247. expect { user.send_confirmation_instructions }.to have_enqueued_job(ActionMailer::MailDeliveryJob)
  248. end
  249. end
  250. describe 'settings' do
  251. it 'is instance of UserSettings' do
  252. user = Fabricate(:user)
  253. expect(user.settings).to be_a UserSettings
  254. end
  255. end
  256. describe '#setting_default_privacy' do
  257. it 'returns default privacy setting if user has configured' do
  258. user = Fabricate(:user)
  259. user.settings[:default_privacy] = 'unlisted'
  260. expect(user.setting_default_privacy).to eq 'unlisted'
  261. end
  262. it "returns 'private' if user has not configured default privacy setting and account is locked" do
  263. user = Fabricate(:account, locked: true).user
  264. expect(user.setting_default_privacy).to eq 'private'
  265. end
  266. it "returns 'public' if user has not configured default privacy setting and account is not locked" do
  267. user = Fabricate(:account, locked: false).user
  268. expect(user.setting_default_privacy).to eq 'public'
  269. end
  270. end
  271. describe 'allowlist integration' do
  272. around do |example|
  273. original = Rails.configuration.x.email_domains_allowlist
  274. Rails.configuration.x.email_domains_allowlist = 'mastodon.space'
  275. example.run
  276. Rails.configuration.x.email_domains_allowlist = original
  277. end
  278. it 'does not allow a user to be created when their email is not on the allowlist' do
  279. user = described_class.new(email: 'foo@example.com', account: account, password: password, agreement: true)
  280. expect(user).to_not be_valid
  281. end
  282. it 'allows a user to be created when their email is on the allowlist' do
  283. user = described_class.new(email: 'foo@mastodon.space', account: account, password: password, agreement: true)
  284. expect(user).to be_valid
  285. end
  286. it 'does not allow a user with an email subdomain included on the top level domain allowlist to be created' do
  287. user = described_class.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password, agreement: true)
  288. expect(user).to_not be_valid
  289. end
  290. context 'with a subdomain on the denylist' do
  291. around do |example|
  292. original = Rails.configuration.x.email_domains_denylist
  293. example.run
  294. Rails.configuration.x.email_domains_denylist = original
  295. end
  296. it 'does not allow a user to be created with an email subdomain on the denylist even if the top domain is on the allowlist' do
  297. Rails.configuration.x.email_domains_denylist = 'denylisted.mastodon.space'
  298. user = described_class.new(email: 'foo@denylisted.mastodon.space', account: account, password: password)
  299. expect(user).to_not be_valid
  300. end
  301. end
  302. end
  303. describe '#token_for_app' do
  304. let(:user) { Fabricate(:user) }
  305. context 'when user owns app but does not have tokens' do
  306. let(:app) { Fabricate(:application, owner: user) }
  307. it 'creates and returns a persisted token' do
  308. expect { user.token_for_app(app) }
  309. .to change(Doorkeeper::AccessToken.where(resource_owner_id: user.id, application: app), :count).by(1)
  310. end
  311. end
  312. context 'when user owns app and already has tokens' do
  313. let(:app) { Fabricate(:application, owner: user) }
  314. let!(:token) { Fabricate :access_token, application: app, resource_owner_id: user.id }
  315. it 'returns a persisted token' do
  316. expect(user.token_for_app(app))
  317. .to be_a(Doorkeeper::AccessToken)
  318. .and eq(token)
  319. end
  320. end
  321. context 'when user does not own app' do
  322. let(:app) { Fabricate(:application) }
  323. it 'returns nil' do
  324. expect(user.token_for_app(app))
  325. .to be_nil
  326. end
  327. end
  328. context 'when app is nil' do
  329. it 'returns nil' do
  330. expect(user.token_for_app(nil))
  331. .to be_nil
  332. end
  333. end
  334. end
  335. describe '#disable!' do
  336. subject(:user) { Fabricate(:user, disabled: false, current_sign_in_at: current_sign_in_at, last_sign_in_at: nil) }
  337. let(:current_sign_in_at) { Time.zone.now }
  338. before do
  339. user.disable!
  340. end
  341. it 'disables user' do
  342. expect(user).to have_attributes(disabled: true)
  343. end
  344. end
  345. describe '#enable!' do
  346. subject(:user) { Fabricate(:user, disabled: true) }
  347. before do
  348. user.enable!
  349. end
  350. it 'enables user' do
  351. expect(user).to have_attributes(disabled: false)
  352. end
  353. end
  354. describe '#reset_password!' do
  355. subject(:user) { Fabricate(:user, password: original_password) }
  356. let(:original_password) { 'foobar12345' }
  357. let!(:session_activation) { Fabricate(:session_activation, user: user) }
  358. let!(:access_token) { Fabricate(:access_token, resource_owner_id: user.id) }
  359. let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
  360. let(:redis_pipeline_stub) { instance_double(Redis::Namespace, publish: nil) }
  361. before { stub_redis }
  362. it 'changes the password immediately and revokes related access' do
  363. expect { user.reset_password! }
  364. .to remove_activated_sessions
  365. .and remove_active_user_tokens
  366. .and remove_user_web_subscriptions
  367. expect(user)
  368. .to_not be_external_or_valid_password(original_password)
  369. expect { session_activation.reload }
  370. .to raise_error(ActiveRecord::RecordNotFound)
  371. expect { web_push_subscription.reload }
  372. .to raise_error(ActiveRecord::RecordNotFound)
  373. expect(redis_pipeline_stub)
  374. .to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
  375. end
  376. def remove_activated_sessions
  377. change(user.session_activations, :count).to(0)
  378. end
  379. def remove_active_user_tokens
  380. change { Doorkeeper::AccessToken.active_for(user).count }.to(0)
  381. end
  382. def remove_user_web_subscriptions
  383. change { Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count }.to(0)
  384. end
  385. def stub_redis
  386. allow(redis)
  387. .to receive(:pipelined)
  388. .and_yield(redis_pipeline_stub)
  389. end
  390. end
  391. describe '#mark_email_as_confirmed!' do
  392. subject { user.mark_email_as_confirmed! }
  393. let!(:user) { Fabricate(:user, confirmed_at: confirmed_at) }
  394. context 'when user is new' do
  395. let(:confirmed_at) { nil }
  396. it 'confirms user and delivers welcome email', :inline_jobs do
  397. emails = capture_emails { subject }
  398. expect(user.confirmed_at).to be_present
  399. expect(emails.size)
  400. .to eq(1)
  401. expect(emails.first)
  402. .to have_attributes(
  403. to: contain_exactly(user.email),
  404. subject: eq(I18n.t('user_mailer.welcome.subject'))
  405. )
  406. end
  407. end
  408. context 'when user is not new' do
  409. let(:confirmed_at) { Time.zone.now }
  410. it 'confirms user but does not deliver welcome email' do
  411. emails = capture_emails { subject }
  412. expect(user.confirmed_at).to be_present
  413. expect(emails).to be_empty
  414. end
  415. end
  416. end
  417. describe '#active_for_authentication?' do
  418. subject { user.active_for_authentication? }
  419. let(:user) { Fabricate(:user, disabled: disabled, confirmed_at: confirmed_at) }
  420. context 'when user is disabled' do
  421. let(:disabled) { true }
  422. context 'when user is confirmed' do
  423. let(:confirmed_at) { Time.zone.now }
  424. it { is_expected.to be true }
  425. end
  426. context 'when user is not confirmed' do
  427. let(:confirmed_at) { nil }
  428. it { is_expected.to be true }
  429. end
  430. end
  431. context 'when user is not disabled' do
  432. let(:disabled) { false }
  433. context 'when user is confirmed' do
  434. let(:confirmed_at) { Time.zone.now }
  435. it { is_expected.to be true }
  436. end
  437. context 'when user is not confirmed' do
  438. let(:confirmed_at) { nil }
  439. it { is_expected.to be true }
  440. end
  441. end
  442. end
  443. describe '.those_who_can' do
  444. before { Fabricate(:user, role: UserRole.find_by(name: 'Moderator')) }
  445. context 'when there are not any user roles' do
  446. before { UserRole.destroy_all }
  447. it 'returns an empty list' do
  448. expect(described_class.those_who_can(:manage_blocks)).to eq([])
  449. end
  450. end
  451. context 'when there are not users with the needed role' do
  452. it 'returns an empty list' do
  453. expect(described_class.those_who_can(:manage_blocks)).to eq([])
  454. end
  455. end
  456. context 'when there are users with roles' do
  457. let!(:admin_user) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')) }
  458. it 'returns the users with the role' do
  459. expect(described_class.those_who_can(:manage_blocks)).to eq([admin_user])
  460. end
  461. end
  462. end
  463. describe '#applications_last_used' do
  464. let!(:user) { Fabricate(:user) }
  465. let!(:never_used_application) { Fabricate :application, owner: user }
  466. let!(:application_one) { Fabricate :application, owner: user }
  467. let!(:application_two) { Fabricate :application, owner: user }
  468. before do
  469. _other_user_token = Fabricate :access_token, last_used_at: 3.days.ago
  470. _never_used_token = Fabricate :access_token, application: never_used_application, resource_owner_id: user.id, last_used_at: nil
  471. _app_one_old_token = Fabricate :access_token, application: application_one, resource_owner_id: user.id, last_used_at: 5.days.ago
  472. _app_one_new_token = Fabricate :access_token, application: application_one, resource_owner_id: user.id, last_used_at: 1.day.ago
  473. _never_used_token = Fabricate :access_token, application: application_two, resource_owner_id: user.id, last_used_at: 5.days.ago
  474. end
  475. it 'returns a hash of unique applications with last used values' do
  476. expect(user.applications_last_used)
  477. .to include(application_one.id => be_within(1.0).of(1.day.ago))
  478. .and include(application_two.id => be_within(1.0).of(5.days.ago))
  479. .and not_include(never_used_application.id)
  480. end
  481. end
  482. end