Merge pull request #2330 from alphagov/require-signin-after-accepting…

…-invitation Require user to sign in after accepting invitation
alphagov · Aug 30, 2023 · b6f5962 · b6f5962
2 parents 3df4a3b + db825dc
commit b6f5962
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 5 deletions.
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -116,6 +116,11 @@
   # Default: false
   config.validate_on_invite = true
 
+  # Auto-login after the user accepts the invite. If this is false,
+  # the user will need to manually log in after accepting the invite.
+  # Default: true
+  config.allow_insecure_sign_in_after_accept = false
+
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be

diff --git a/test/integration/email_change_test.rb b/test/integration/email_change_test.rb
@@ -1,8 +1,6 @@
 require "test_helper"
-require "support/user_account_helpers"
 
 class EmailChangeTest < ActionDispatch::IntegrationTest
-  include UserAccountHelpers
   include ActiveJob::TestHelper
 
   context "by an admin" do

diff --git a/test/integration/inviting_users_test.rb b/test/integration/inviting_users_test.rb
@@ -1,18 +1,34 @@
 require "test_helper"
 
 class InvitingUsersTest < ActionDispatch::IntegrationTest
-  include EmailHelpers
   include ActiveJob::TestHelper
 
-  should "send the user an invitation token" do
+  should "ask the invited user to set a password" do
     user = User.invite!(name: "Jim", email: "jim@web.com")
     visit accept_user_invitation_path(invitation_token: user.raw_invitation_token)
 
     fill_in "New password", with: "this 1s 4 v3333ry s3cur3 p4ssw0rd.!Z"
     fill_in "Confirm new password", with: "this 1s 4 v3333ry s3cur3 p4ssw0rd.!Z"
     click_button "Save password"
 
-    assert_response_contains("You are now signed in")
+    assert_response_contains("Your password was set successfully.")
+  end
+
+  should "require the invited user to sign in after setting their password" do
+    user = User.invite!(name: "Neptuno Keighley", email: "neptuno.keighley@office.gov.uk")
+
+    accept_invitation(
+      invitation_token: user.raw_invitation_token,
+      password: "pretext annoying headpiece waviness header slinky",
+    )
+
+    assert_response_contains("Sign in to GOV.UK")
+
+    fill_in "Email", with: "neptuno.keighley@office.gov.uk"
+    fill_in "Password", with: "pretext annoying headpiece waviness header slinky"
+    click_button "Sign in"
+
+    assert_response_contains("Make your account more secure by setting up 2‑step verification.")
   end
 
   should "not send invitation token to Google Analytics" do

diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -73,6 +73,7 @@ def sign_out(_user)
 require "support/managing_two_sv_helpers"
 require "support/analytics_helpers"
 require "support/html_table_helpers"
+require "support/user_account_helpers"
 
 class ActiveRecord::Base
   mattr_accessor :shared_connection
@@ -94,6 +95,7 @@ class ActionDispatch::IntegrationTest
   include EmailHelpers
   include ConfirmationTokenHelpers
   include AnalyticsHelpers
+  include UserAccountHelpers
 
   def assert_response_contains(content)
     assert page.has_content?(content), "Expected to find '#{content}' in:\n#{page.text}"