From c9fffca0464e695650f666b3ef1784808a5ac9bc Mon Sep 17 00:00:00 2001 From: Thomas Citharel Date: Tue, 18 Oct 2022 16:19:41 +0200 Subject: [PATCH] Always lowercase the emails before trying to reset password Signed-off-by: Thomas Citharel --- lib/graphql/resolvers/user.ex | 17 +++++++++++++---- test/graphql/resolvers/user_test.exs | 16 ++++++++++++++-- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/lib/graphql/resolvers/user.ex b/lib/graphql/resolvers/user.ex index a555037b9..ca9fdf7c3 100644 --- a/lib/graphql/resolvers/user.ex +++ b/lib/graphql/resolvers/user.ex @@ -222,7 +222,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do # Domains should always be lower-case, so let's force that @spec lowercase_domain(String.t()) :: {:ok, String.t()} | {:error, :invalid_email} - defp lowercase_domain(email) do + defp lowercase_domain(email) when is_binary(email) do case split_email(email) do [user_part, domain_part] -> {:ok, "#{user_part}@#{String.downcase(domain_part)}"} @@ -232,6 +232,8 @@ defmodule Mobilizon.GraphQL.Resolvers.User do end end + defp lowercase_domain(_), do: {:error, :invalid_email} + @spec split_email(String.t()) :: list(String.t()) defp split_email(email), do: String.split(email, "@", parts: 2, trim: true) @@ -270,8 +272,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do We only do this to accounts not activated """ def resend_confirmation_email(_parent, args, _resolution) do - with {:ok, %User{locale: locale} = user} <- - Users.get_user_by_email(Map.get(args, :email), activated: false, unconfirmed: false), + with {:ok, email} <- lowercase_domain(Map.get(args, :email)), + {:ok, %User{locale: locale} = user} <- + Users.get_user_by_email(email, activated: false, unconfirmed: false), {:ok, email} <- Email.User.resend_confirmation_email(user, Map.get(args, :locale, locale)) do {:ok, email} @@ -279,6 +282,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do {:error, :user_not_found} -> {:error, dgettext("errors", "No user to validate with this email was found")} + {:error, :invalid_email} -> + {:error, dgettext("errors", "This email doesn't seem to be valid")} + {:error, :email_too_soon} -> {:error, dgettext("errors", "You requested again a confirmation email too soon")} end @@ -288,7 +294,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do Send an email to reset the password from an user """ def send_reset_password(_parent, args, _resolution) do - with email <- Map.get(args, :email), + with {:ok, email} <- lowercase_domain(Map.get(args, :email)), {:ok, %User{locale: locale} = user} <- Users.get_user_by_email(email, activated: true, unconfirmed: false), {:can_reset_password, true} <- @@ -299,6 +305,9 @@ defmodule Mobilizon.GraphQL.Resolvers.User do {:can_reset_password, false} -> {:error, dgettext("errors", "This user can't reset their password")} + {:error, :invalid_email} -> + {:error, dgettext("errors", "This email doesn't seem to be valid")} + {:error, :user_not_found} -> # TODO : implement rate limits for this endpoint {:error, dgettext("errors", "No user with this email was found")} diff --git a/test/graphql/resolvers/user_test.exs b/test/graphql/resolvers/user_test.exs index cee7e898e..00f61ee19 100644 --- a/test/graphql/resolvers/user_test.exs +++ b/test/graphql/resolvers/user_test.exs @@ -713,7 +713,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do mutation = """ mutation { resendConfirmationEmail( - email: "oh no" + email: "oh@no.com" ) } """ @@ -741,6 +741,18 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do assert res["data"]["sendResetPassword"] == email end + test "test send_reset_password/3 with an email with no account", %{conn: conn} do + res = + conn + |> AbsintheHelpers.graphql_query( + query: @send_reset_password_mutation, + variables: %{email: "noone@nowhere.com"} + ) + + assert hd(res["errors"])["message"] == + "No user with this email was found" + end + test "test send_reset_password/3 with invalid email", %{conn: conn} do res = conn @@ -750,7 +762,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do ) assert hd(res["errors"])["message"] == - "No user with this email was found" + "This email doesn't seem to be valid" end test "test send_reset_password/3 for an LDAP user", %{conn: conn} do