Use redirect url to edit from initializer as well (#1228)

lynndylanhurley · Dec 3, 2018 · 2e9f001 · 2e9f001
1 parent 44b4a18
commit 2e9f001
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 23 deletions.
diff --git a/.codeclimate.yml b/.codeclimate.yml
@@ -0,0 +1,6 @@
+plugins:
+  duplication:
+    enabled: true
+  method-count:
+    config:
+      threshold: 30
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -3,22 +3,14 @@
 module DeviseTokenAuth
   class PasswordsController < DeviseTokenAuth::ApplicationController
     before_action :set_user_by_token, only: [:update]
+    before_action :validate_redirect_url_param, only: [:create, :edit]
     skip_after_action :update_auth_header, only: [:create, :edit]
 
     # this action is responsible for generating password reset tokens and
     # sending emails
     def create
       return render_create_error_missing_email unless resource_params[:email]
 
-      # give redirect value from params priority
-      @redirect_url = params.fetch(
-        :redirect_url,
-        DeviseTokenAuth.default_password_reset_url
-      )
-
-      return render_create_error_missing_redirect_url unless @redirect_url
-      return render_create_error_not_allowed_redirect_url if blacklisted_redirect_url?
-
       @email = get_case_insensitive_field_from_resource_params(:email)
       @resource = find_resource(:uid, @email)
 
@@ -63,7 +55,7 @@ def edit
         redirect_headers = build_redirect_headers(token,
                                                   client_id,
                                                   redirect_header_options)
-        redirect_to(@resource.build_auth_url(params[:redirect_url],
+        redirect_to(@resource.build_auth_url(@redirect_url,
                                              redirect_headers))
       else
         render_edit_error
@@ -114,7 +106,7 @@ def render_create_error_missing_redirect_url
       render_error(401, I18n.t('devise_token_auth.passwords.missing_redirect_url'))
     end
 
-    def render_create_error_not_allowed_redirect_url
+    def render_error_not_allowed_redirect_url
       response = {
         status: 'error',
         data:   resource_data
@@ -181,5 +173,16 @@ def password_resource_params
     def render_not_found_error
       render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
     end
+
+    def validate_redirect_url_param
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_password_reset_url
+      )
+
+      return render_create_error_missing_redirect_url unless @redirect_url
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
+    end
   end
 end
diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb
@@ -41,22 +41,49 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         before do
           @auth_headers = @resource.create_new_auth_token
           @new_password = Faker::Internet.password
-
-          post :create,
-               params: { email: 'chester@cheet.ah' }
-          @data = JSON.parse(response.body)
         end
 
-        test 'response should fail' do
-          assert_equal 401, response.status
+        describe 'for create' do
+          before do
+            post :create,
+                 params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+
+          test 'response should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'error message should be returned' do
+            assert @data['errors']
+            assert_equal(
+              @data['errors'],
+              [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
+            )
+          end
         end
 
-        test 'error message should be returned' do
-          assert @data['errors']
-          assert_equal(
-            @data['errors'],
-            [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
-          )
+        describe 'for edit' do
+          before do
+            @auth_headers = @resource.create_new_auth_token
+            @new_password = Faker::Internet.password
+
+            put :edit,
+                 params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+
+          test 'response should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'error message should be returned' do
+            assert @data['errors']
+            assert_equal(
+              @data['errors'],
+              [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
+            )
+          end
         end
       end