File: controllers_spec.rb

# frozen_string_literal: true

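RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
  # Exercises the three spam checks the controller extension applies to a
  # submission: the timestamp ("submitted too fast") check, the honeypot field
  # check and the spinner (session-bound token) check. Each context sets up only
  # the session state its check needs. The TopicsController actions and the
  # per-action InvisibleCaptcha options they declare live outside this file.
  render_views

  before(:each) do
    @controller = TopicsController.new
    # The default timestamp-spam handler redirects back to the referer, so the
    # redirect expectations below need one.
    request.env['HTTP_REFERER'] = 'http://test.host/topics'

    # Re-initialise the gem configuration before every example; presumably this
    # is what keeps settings changed inside an example (e.g. timestamp_enabled
    # = false below) from leaking into the next one.
    InvisibleCaptcha.init!
    InvisibleCaptcha.timestamp_threshold = 1
    InvisibleCaptcha.spinner_enabled = false
  end

  context 'without invisible_captcha_timestamp in session' do
    # A missing session timestamp is treated exactly like a too-fast submission:
    # the check fails closed instead of letting a request with no form history
    # through.
    it 'fails like if it was submitted too fast' do
      post :create, params: { topic: { title: 'foo' } }

      expect(response).to redirect_to 'http://test.host/topics'
      expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)
    end

    # `copy` is expected to opt out of the timestamp check on the controller side.
    it 'passes if disabled at action level' do
      post :copy, params: { topic: { title: 'foo' } }

      expect(flash[:error]).not_to be_present
      expect(response.body).to be_present
    end

    it 'passes if disabled at app level' do
      InvisibleCaptcha.timestamp_enabled = false

      post :create, params: { topic: { title: 'foo' } }

      expect(flash[:error]).not_to be_present
      expect(response.body).to be_present
    end
  end

  context 'submission timestamp_threshold' do
    before(:each) do
      # Stored in the same ISO-8601 form the form helper is expected to write.
      session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
    end

    it 'fails if submission before timestamp_threshold' do
      post :create, params: { topic: { title: 'foo' } }

      expect(response).to redirect_to 'http://test.host/topics'
      expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)

      # Make sure session is cleared: a rejected submission must not be able to
      # reuse the old timestamp on its next attempt.
      expect(session[:invisible_captcha_timestamp]).to be_nil
    end

    # `update` is expected to declare its own on_timestamp_spam callback that
    # answers 204 instead of redirecting.
    it 'allows a custom on_timestamp_spam callback' do
      put :update, params: { id: 1, topic: { title: 'bar' } }

      expect(response.status).to eq(204)
    end

    it 'allows a new timestamp to be set in the on_timestamp_spam callback' do
      # Override the callback on this controller instance only (singleton class),
      # so other examples keep the original definition.
      @controller.singleton_class.class_eval do
        def custom_timestamp_callback
          session[:invisible_captcha_timestamp] = 2.seconds.from_now(Time.zone.now).iso8601
          head(204)
        end
      end

      expect { put :update, params: { id: 1, topic: { title: 'bar' } } }
        .to change { session[:invisible_captcha_timestamp] }
        .to be_present
    end

    # The timestamp check fires first; if its callback does not render, the
    # honeypot check (here `subtitle`) still runs and its on_spam callback wins.
    it 'runs on_spam callback if on_timestamp_spam callback is defined but passes' do
      put :test_passthrough, params: { id: 1, topic: { title: 'bar', subtitle: 'foo' } }

      expect(response.status).to eq(204)
    end

    context 'successful submissions' do
      it 'passes if submission on or after timestamp_threshold' do
        # Waits out the real 1-second threshold set in the outer before hook.
        # NOTE(review): a frozen/travelled clock could likely replace the sleep
        # if the extension reads Time.zone.now — confirm before changing.
        sleep InvisibleCaptcha.timestamp_threshold

        post :create, params: {
          topic: {
            title: 'foobar',
            author: 'author',
            body: 'body that passes validation'
          }
        }

        expect(flash[:error]).not_to be_present
        expect(response).to redirect_to(new_topic_path)

        # Make sure session is cleared: the timestamp is single-use even on success.
        expect(session[:invisible_captcha_timestamp]).to be_nil
      end

      it 'allow to set a custom timestamp_threshold per action' do
        sleep 2 # custom threshold declared on `publish`, outside this file

        post :publish, params: { id: 1 }

        expect(flash[:error]).not_to be_present
        expect(response).to redirect_to(new_topic_path)
      end

      it 'passes if on_timestamp_spam doesn\'t perform' do
        put :test_passthrough, params: { id: 1, topic: { title: 'bar' } }

        expect(response).to redirect_to(new_topic_path)
      end
    end
  end

  context 'honeypot attribute' do
    before(:each) do
      session[:invisible_captcha_timestamp] = Time.zone.now.iso8601

      # Wait for valid submission so only the honeypot check can reject the request
      sleep InvisibleCaptcha.timestamp_threshold
    end

    # `subtitle` is the custom honeypot for `create`; a filled-in honeypot is
    # spam and the default on_spam handler answers with an empty body.
    it 'fails with spam' do
      post :create, params: { topic: { subtitle: 'foo' } }

      expect(response.body).to be_blank
    end

    it 'passes with no spam' do
      post :create, params: { topic: { title: 'foo' } }

      expect(response.body).to be_present
    end

    context 'with random honeypot' do
      # `InvisibleCaptcha.honeypots.sample` picks one of the configured honeypot
      # names at random, so each run exercises a different name; a regression
      # that affects only one name is caught only probabilistically.
      context 'auto-scoped' do
        it 'passes with no spam' do
          post :categorize, params: { topic: { title: 'foo' } }

          expect(response).to redirect_to(new_topic_path)
        end

        it 'fails with spam' do
          post :categorize, params: { topic: { "#{InvisibleCaptcha.honeypots.sample}": 'foo' } }

          expect(response).not_to redirect_to(new_topic_path)
        end
      end

      context 'with no scope' do
        it 'passes with no spam' do
          post :categorize

          expect(response).to redirect_to(new_topic_path)
        end

        # The honeypot is also looked up at the top level of params, not only
        # under the resource key.
        it 'fails with spam' do
          post :categorize, params: { "#{InvisibleCaptcha.honeypots.sample}": 'foo' }

          expect(response).not_to redirect_to(new_topic_path)
        end
      end

      context 'with scope' do
        it 'fails with spam' do
          post :rename, params: { topic: { "#{InvisibleCaptcha.honeypots.sample}": 'foo' } }

          expect(response.body).to be_blank
        end

        # `rename` apparently responds with an empty body either way, so this
        # example only proves the request is not rejected with an error.
        it 'passes with no spam' do
          post :rename, params: { topic: { title: 'foo' } }

          expect(response.body).to be_blank
        end
      end
    end

    it 'allow a custom on_spam callback' do
      put :update, params: { id: 1, topic: { subtitle: 'foo' } }

      expect(response).to redirect_to(new_topic_path)
    end

    # An empty honeypot is what a real browser submits for the hidden field, so
    # it is not spam; the key is stripped from params so it does not reach
    # whatever consumes them downstream.
    it 'honeypot is removed from params if you use a custom honeypot' do
      post :create, params: { topic: { title: 'foo', subtitle: '' } }

      expect(flash[:error]).not_to be_present
      expect(@controller.params[:topic].key?(:subtitle)).to eq(false)
    end

    describe 'ActiveSupport::Notifications' do
      # The event payload carries the client IP, user agent, URL and the full
      # request params (including the honeypot value). Anything subscribing to it
      # — log shippers in particular — receives user-supplied data verbatim.
      let(:dummy_handler) { double(handle_event: nil) }

      let!(:subscriber) do
        subscriber = ActiveSupport::Notifications.subscribe('invisible_captcha.spam_detected') do |*args, data|
          dummy_handler.handle_event(data)
        end

        subscriber
      end

      # Unsubscribe so the double does not receive events from later examples.
      after { ActiveSupport::Notifications.unsubscribe(subscriber) }

      it 'dispatches an `invisible_captcha.spam_detected` event' do
        expect(dummy_handler).to receive(:handle_event).once.with({
          message: "[Invisible Captcha] Potential spam detected for IP 0.0.0.0. Honeypot param 'subtitle' was present.",
          remote_ip: '0.0.0.0',
          user_agent: 'Rails Testing',
          controller: 'topics',
          action: 'create',
          url: 'http://test.host/topics',
          params: {
            topic: { subtitle: "foo"},
            controller: 'topics',
            action: 'create'
          }
        })

        post :create, params: { topic: { subtitle: 'foo' } }
      end
    end
  end

  context 'spinner attribute' do
    before(:each) do
      InvisibleCaptcha.spinner_enabled = true
      # Fixture secret and a pre-computed spinner value. These examples only pin
      # that the submitted `spinner` param is compared against the copy held in
      # the session, not how that value is derived from the secret.
      InvisibleCaptcha.secret = 'secret'
      session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
      session[:invisible_captcha_spinner] = '32ab649161f9f6faeeb323746de1a25d'

      # Wait for valid submission so only the spinner check can reject the request
      sleep InvisibleCaptcha.timestamp_threshold
    end

    it 'fails with no spam, but mismatch of spinner' do
      post :create, params: { topic: { title: 'foo' }, spinner: 'mismatch' }

      expect(response.body).to be_blank
    end

    # NOTE(review): there is no example for a request that omits the `spinner`
    # param entirely (the path a bot that never rendered the form takes);
    # confirm it is rejected the same way as a mismatch.
    it 'passes with no spam and spinner match' do
      post :create, params: { topic: { title: 'foo' }, spinner: '32ab649161f9f6faeeb323746de1a25d' }

      expect(response.body).to be_present
    end
  end
end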