Ensure users can’t be spammed with password resets
This commit is contained in:
parent
651813066e
commit
72f2894b06
|
@ -20,6 +20,9 @@ class UserMailer < ApplicationMailer
|
||||||
@user = params[:user]
|
@user = params[:user]
|
||||||
@token = params[:token]
|
@token = params[:token]
|
||||||
|
|
||||||
|
return if @user.password_reset_last_sent_at&.after?(10.minutes.ago)
|
||||||
|
|
||||||
|
@user.update(password_reset_last_sent_at: Time.zone.now)
|
||||||
mail(to: @user.email, subject: t(".password_reset.subject"))
|
mail(to: @user.email, subject: t(".password_reset.subject"))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class AddPasswordResetLastSentAtToUser < ActiveRecord::Migration[7.1]
|
||||||
|
def change
|
||||||
|
add_column :users, :password_reset_last_sent_at, :datetime
|
||||||
|
end
|
||||||
|
end
|
|
@ -10,7 +10,7 @@
|
||||||
#
|
#
|
||||||
# It's strongly recommended that you check this file into your version control system.
|
# It's strongly recommended that you check this file into your version control system.
|
||||||
|
|
||||||
ActiveRecord::Schema[7.1].define(version: 2024_05_30_073852) do
|
ActiveRecord::Schema[7.1].define(version: 2024_06_05_132327) do
|
||||||
# These are extensions that must be enabled in order to support this database
|
# These are extensions that must be enabled in order to support this database
|
||||||
enable_extension "plpgsql"
|
enable_extension "plpgsql"
|
||||||
|
|
||||||
|
@ -221,6 +221,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_05_30_073852) do
|
||||||
t.datetime "created_at", null: false
|
t.datetime "created_at", null: false
|
||||||
t.datetime "updated_at", null: false
|
t.datetime "updated_at", null: false
|
||||||
t.boolean "verified", default: false, null: false
|
t.boolean "verified", default: false, null: false
|
||||||
|
t.datetime "password_reset_last_sent_at"
|
||||||
t.index ["email"], name: "index_users_on_email", unique: true
|
t.index ["email"], name: "index_users_on_email", unique: true
|
||||||
t.index ["username"], name: "index_users_on_username", unique: true
|
t.index ["username"], name: "index_users_on_username", unique: true
|
||||||
t.index ["verified"], name: "index_users_on_verified"
|
t.index ["verified"], name: "index_users_on_verified"
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class UserMailerTest < ActionMailer::TestCase
|
||||||
|
test "password resets can’t be resent within 10 minutes" do
|
||||||
|
user = users(:trevor)
|
||||||
|
assert_emails(+1) do
|
||||||
|
UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
|
||||||
|
end
|
||||||
|
assert_emails(0) do
|
||||||
|
UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
|
||||||
|
end
|
||||||
|
travel 11.minutes
|
||||||
|
assert_emails(+1) do
|
||||||
|
UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue