Always lowercase the emails before trying to reset password

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2022-10-18 16:19:41 +02:00
parent cb083ab2f8
commit c9fffca046
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773
2 changed files with 27 additions and 6 deletions

View file

@ -222,7 +222,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
# Domains should always be lower-case, so let's force that # Domains should always be lower-case, so let's force that
@spec lowercase_domain(String.t()) :: {:ok, String.t()} | {:error, :invalid_email} @spec lowercase_domain(String.t()) :: {:ok, String.t()} | {:error, :invalid_email}
defp lowercase_domain(email) do defp lowercase_domain(email) when is_binary(email) do
case split_email(email) do case split_email(email) do
[user_part, domain_part] -> [user_part, domain_part] ->
{:ok, "#{user_part}@#{String.downcase(domain_part)}"} {:ok, "#{user_part}@#{String.downcase(domain_part)}"}
@ -232,6 +232,8 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
end end
end end
defp lowercase_domain(_), do: {:error, :invalid_email}
@spec split_email(String.t()) :: list(String.t()) @spec split_email(String.t()) :: list(String.t())
defp split_email(email), do: String.split(email, "@", parts: 2, trim: true) defp split_email(email), do: String.split(email, "@", parts: 2, trim: true)
@ -270,8 +272,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
We only do this to accounts not activated We only do this to accounts not activated
""" """
def resend_confirmation_email(_parent, args, _resolution) do def resend_confirmation_email(_parent, args, _resolution) do
with {:ok, %User{locale: locale} = user} <- with {:ok, email} <- lowercase_domain(Map.get(args, :email)),
Users.get_user_by_email(Map.get(args, :email), activated: false, unconfirmed: false), {:ok, %User{locale: locale} = user} <-
Users.get_user_by_email(email, activated: false, unconfirmed: false),
{:ok, email} <- {:ok, email} <-
Email.User.resend_confirmation_email(user, Map.get(args, :locale, locale)) do Email.User.resend_confirmation_email(user, Map.get(args, :locale, locale)) do
{:ok, email} {:ok, email}
@ -279,6 +282,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
{:error, :user_not_found} -> {:error, :user_not_found} ->
{:error, dgettext("errors", "No user to validate with this email was found")} {:error, dgettext("errors", "No user to validate with this email was found")}
{:error, :invalid_email} ->
{:error, dgettext("errors", "This email doesn't seem to be valid")}
{:error, :email_too_soon} -> {:error, :email_too_soon} ->
{:error, dgettext("errors", "You requested again a confirmation email too soon")} {:error, dgettext("errors", "You requested again a confirmation email too soon")}
end end
@ -288,7 +294,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
Send an email to reset the password from an user Send an email to reset the password from an user
""" """
def send_reset_password(_parent, args, _resolution) do def send_reset_password(_parent, args, _resolution) do
with email <- Map.get(args, :email), with {:ok, email} <- lowercase_domain(Map.get(args, :email)),
{:ok, %User{locale: locale} = user} <- {:ok, %User{locale: locale} = user} <-
Users.get_user_by_email(email, activated: true, unconfirmed: false), Users.get_user_by_email(email, activated: true, unconfirmed: false),
{:can_reset_password, true} <- {:can_reset_password, true} <-
@ -299,6 +305,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
{:can_reset_password, false} -> {:can_reset_password, false} ->
{:error, dgettext("errors", "This user can't reset their password")} {:error, dgettext("errors", "This user can't reset their password")}
{:error, :invalid_email} ->
{:error, dgettext("errors", "This email doesn't seem to be valid")}
{:error, :user_not_found} -> {:error, :user_not_found} ->
# TODO : implement rate limits for this endpoint # TODO : implement rate limits for this endpoint
{:error, dgettext("errors", "No user with this email was found")} {:error, dgettext("errors", "No user with this email was found")}

View file

@ -713,7 +713,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
mutation = """ mutation = """
mutation { mutation {
resendConfirmationEmail( resendConfirmationEmail(
email: "oh no" email: "oh@no.com"
) )
} }
""" """
@ -741,6 +741,18 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
assert res["data"]["sendResetPassword"] == email assert res["data"]["sendResetPassword"] == email
end end
test "test send_reset_password/3 with an email with no account", %{conn: conn} do
res =
conn
|> AbsintheHelpers.graphql_query(
query: @send_reset_password_mutation,
variables: %{email: "noone@nowhere.com"}
)
assert hd(res["errors"])["message"] ==
"No user with this email was found"
end
test "test send_reset_password/3 with invalid email", %{conn: conn} do test "test send_reset_password/3 with invalid email", %{conn: conn} do
res = res =
conn conn
@ -750,7 +762,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
) )
assert hd(res["errors"])["message"] == assert hd(res["errors"])["message"] ==
"No user with this email was found" "This email doesn't seem to be valid"
end end
test "test send_reset_password/3 for an LDAP user", %{conn: conn} do test "test send_reset_password/3 for an LDAP user", %{conn: conn} do