Merge branch 'rs-throttle-reset' into 'master'

Throttle "Forgot your password?" emails

Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611

See merge request !1476

2 files changed, 23 insertions, 33 deletions

diff --git a/spec/features/login_spec.rb b/spec/features/login_spec.rb
index cef432e512b..922c76285d1 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -95,7 +95,7 @@ feature 'Login', feature: true do
       user = create(:user, password: 'not-the-default')
 
       login_with(user)
-      expect(page).to have_content('Invalid email or password.')
+      expect(page).to have_content('Invalid login or password.')
     end
   end
 end
diff --git a/spec/features/password_reset_spec.rb b/spec/features/password_reset_spec.rb
index abf66f2356d..85e70b4d47f 100644
--- a/spec/features/password_reset_spec.rb
+++ b/spec/features/password_reset_spec.rb
@@ -1,53 +1,43 @@
 require 'spec_helper'
 
 feature 'Password reset', feature: true do
-  describe 'with two-factor authentication' do
-    let(:user) { create(:user, :two_factor) }
-
-    it 'requires login after password reset' do
+  describe 'throttling' do
+    it 'sends reset instructions when not previously sent' do
       visit root_path
+      forgot_password(create(:user))
 
-      forgot_password
-      reset_password
-
-      expect(page).to have_content("Your password was changed successfully.")
-      expect(page).not_to have_content("You are now signed in.")
+      expect(page).to have_content(I18n.t('devise.passwords.send_instructions'))
       expect(current_path).to eq new_user_session_path
     end
-  end
 
-  describe 'without two-factor authentication' do
-    let(:user) { create(:user) }
+    it 'sends reset instructions when previously sent more than a minute ago' do
+      user = create(:user)
+      user.send_reset_password_instructions
+      user.update_attribute(:reset_password_sent_at, 5.minutes.ago)
 
-    it 'requires login after password reset' do
       visit root_path
+      forgot_password(user)
 
-      forgot_password
-      reset_password
-
-      expect(page).to have_content("Your password was changed successfully.")
+      expect(page).to have_content(I18n.t('devise.passwords.send_instructions'))
       expect(current_path).to eq new_user_session_path
     end
+
+    it "throttles multiple resets in a short timespan" do
+      user = create(:user)
+      user.send_reset_password_instructions
+
+      visit root_path
+      forgot_password(user)
+
+      expect(page).to have_content(I18n.t('devise.passwords.recently_reset'))
+      expect(current_path).to eq new_user_password_path
+    end
   end
 
-  def forgot_password
+  def forgot_password(user)
     click_on 'Forgot your password?'
     fill_in 'Email', with: user.email
     click_button 'Reset password'
     user.reload
   end
-
-  def get_reset_token
-    mail = ActionMailer::Base.deliveries.last
-    body = mail.body.encoded
-    body.scan(/reset_password_token=(.+)\"/).flatten.first
-  end
-
-  def reset_password(password = 'password')
-    visit edit_user_password_path(reset_password_token: get_reset_token)
-
-    fill_in 'New password', with: password
-    fill_in 'Confirm new password', with: password
-    click_button 'Change your password'
-  end
 end