feat: Improved password security policy (#2345)

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2025-11-01 19:48:08 +00:00 · 2021-06-07 17:26:08 +05:30
parent d1b3c7b0c2
commit 467b45b427
36 changed files with 284 additions and 151 deletions
--- a/spec/controllers/api/v1/accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts_controller_spec.rb
@@ -18,13 +18,13 @@ RSpec.describe 'Accounts API', type: :request do
      it 'calls account builder' do
        allow(account_builder).to receive(:perform).and_return([user, account])

-        params = { account_name: 'test', email: email, user: nil, user_full_name: user_full_name }
+        params = { account_name: 'test', email: email, user: nil, user_full_name: user_full_name, password: 'Password1!' }

        post api_v1_accounts_url,
             params: params,
             as: :json

-        expect(AccountBuilder).to have_received(:new).with(params.merge(confirmed: false))
+        expect(AccountBuilder).to have_received(:new).with(params.except(:password).merge(user_password: params[:password]))
        expect(account_builder).to have_received(:perform)
        expect(response.headers.keys).to include('access-token', 'token-type', 'client', 'expiry', 'uid')
      end
@@ -38,44 +38,11 @@ RSpec.describe 'Accounts API', type: :request do
             params: params,
             as: :json

-        expect(AccountBuilder).to have_received(:new).with(params.merge(confirmed: false))
+        expect(AccountBuilder).to have_received(:new).with(params.merge(user_password: params[:password]))
        expect(account_builder).to have_received(:perform)
        expect(response).to have_http_status(:forbidden)
        expect(response.body).to eq({ message: I18n.t('errors.signup.failed') }.to_json)
      end
-
-      it 'ignores confirmed param when called with out super admin token' do
-        allow(account_builder).to receive(:perform).and_return(nil)
-
-        params = { account_name: 'test', email: email, confirmed: true, user: nil, user_full_name: user_full_name }
-
-        post api_v1_accounts_url,
-             params: params,
-             as: :json
-
-        expect(AccountBuilder).to have_received(:new).with(params.merge(confirmed: false))
-        expect(account_builder).to have_received(:perform)
-        expect(response).to have_http_status(:forbidden)
-        expect(response.body).to eq({ message: I18n.t('errors.signup.failed') }.to_json)
-      end
-    end
-
-    context 'when called with super admin token' do
-      let(:super_admin) { create(:super_admin) }
-
-      it 'calls account builder with confirmed true when confirmed param is passed' do
-        params = { account_name: 'test', email: email, confirmed: true, user_full_name: user_full_name }
-
-        post api_v1_accounts_url,
-             params: params,
-             headers: { api_access_token: super_admin.access_token.token },
-             as: :json
-
-        created_user = User.find_by(email: email)
-        expect(created_user.confirmed?).to eq(true)
-        expect(response.headers.keys).to include('access-token', 'token-type', 'client', 'expiry', 'uid')
-        expect(response.body).to include(created_user.access_token.token)
-      end
    end

    context 'when ENABLE_ACCOUNT_SIGNUP env variable is set to false' do
--- a/spec/controllers/api/v1/profiles_controller_spec.rb
+++ b/spec/controllers/api/v1/profiles_controller_spec.rb
@@ -44,7 +44,7 @@ RSpec.describe 'Profile API', type: :request do
      it 'updates the name & email' do
        new_email = Faker::Internet.email
        put '/api/v1/profile',
-            params: { profile: { name: 'test', 'email': new_email } },
+            params: { profile: { name: 'test', email: new_email } },
            headers: agent.create_new_auth_token,
            as: :json