https://www.pivotaltracker.com/story/show/113840073
Previously the forgot password page would give an error if you entered an email
address which didn’t belong to an account.
This would allow a potential attacker to know which email addresses were
registered.
This commit changes the response to always be the same, whether or not the email
address exists.
Also, this is a good read about the dangers of asserting whether a mocked method
was called: http://engineeringblog.yelp.com/2015/02/assert_called_once-threat-or-menace.html
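Added illustration of the change described in the commit above (this is not the project's own code): the old handler answers differently for unknown addresses, which is an enumeration oracle, while the fixed handler returns one fixed status and body and only varies in the side effect of sending mail. `USERS`, `send_email` and the message text are constructed for the example.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the users table: email -> user id.
USERS: Dict[str, str] = {"alice@example.gov.uk": "user-1"}

# The one response every caller gets, registered address or not.
RESET_RESPONSE: Tuple[int, str] = (
    200,
    "If that email address is registered, we have sent a password reset link.",
)


def leaky_request_password_reset(
    email: str, users: Dict[str, str], send_email: Callable[[str, str], None]
) -> Tuple[int, str]:
    """Old behaviour: the answer itself reveals whether the account exists."""
    user_id = users.get(email.strip().lower())
    if user_id is None:
        return 404, "No account found for that email address"  # enumeration oracle
    send_email(email.strip().lower(), secrets.token_urlsafe(32))
    return 200, "We have sent a password reset link."


def request_password_reset(
    email: str, users: Dict[str, str], send_email: Callable[[str, str], None]
) -> Tuple[int, str]:
    """Fixed behaviour: identical status and body; only the side effect differs."""
    normalised = email.strip().lower()
    user_id: Optional[str] = users.get(normalised)
    if user_id is not None:
        # Token generation and delivery happen only for real accounts, but nothing
        # about that decision is reflected in the value returned to the caller.
        send_email(normalised, secrets.token_urlsafe(32))
    return RESET_RESPONSE


def run_demo() -> Tuple[bool, bool, int]:
    """Return (old_handler_leaks, new_handler_uniform, emails_sent) for one known
    and one unknown address run through both handlers."""
    sent: List[str] = []

    def capture(to: str, token: str) -> None:
        sent.append(to)

    old_known = leaky_request_password_reset("alice@example.gov.uk", USERS, capture)
    old_unknown = leaky_request_password_reset("nobody@example.gov.uk", USERS, capture)
    new_known = request_password_reset("alice@example.gov.uk", USERS, capture)
    new_unknown = request_password_reset("nobody@example.gov.uk", USERS, capture)
    return old_known != old_unknown, new_known == new_unknown, len(sent)
```

The same principle applies to anything else an observer can compare between the two branches (redirect target, response headers, noticeably different response time), so the fixed handler keeps the token work on the "account exists" branch only, where the caller cannot see it.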
Because the redirect after logging in checks the number of services a user has,
this now needs to be mocked.
Right now this means adding `mock_get_login` to any tests that need a login.
This must be one of the first mocks, so that it can be overridden by any use
of `mock_get_services`, for tests that specifically want to rely on a quantity
of mocked services, or their contents.
This is a bit fragile, but there’s already a TODO in the code to make it better
so ¯\_(ツ)_/¯
We used to do this by redirecting on the choose service page. However when we
lost the dropdown and this page also became the page for adding a new service
(in 3617f2e936) the redirect was removed.
This commit re-adds the redirect on the two factor page, so that it only happens
on first login.
So the flows are:
**Multiple services**
```
`Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard`
```
**One service**
```
`Sign in` → `Enter two factor code` → `Service dashboard`
```
**No services (you’ve deleted all your services)**
```
`Sign in` → `Enter two factor code` → `Choose service` → `Add new service`
```
By default a service should be active (ie keys not suspended). For some reason
the API is returning the opposite.
This commit reverses the logic to make it look right for hack day.
A bug was found whereby the body of a template was not being shown on the page
when returning to edit an existing template. This bug was caused
by renaming the field in some places, but not in the `Form` class.
This bug has since been fixed, but this commit adds a test to make sure that it
doesn’t happen again.
The codes are hashed and saved to the db.
The code is marked as used once a valid code is submitted.
The code is valid for 1 hour.
The codes are no longer saved to the session.
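Added example (not the project's code) of the code-handling rules listed in the commit above: only a hash of the code is persisted, a code is accepted at most once, and it expires after one hour. The in-memory `CODES` table, the five-digit code format and the keyed-hash scheme with a placeholder `CODE_HASH_KEY` are assumptions made for the example; the keyed hash is used because a short numeric code has too little entropy for a plain digest to resist offline guessing if the table leaks.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

CODE_TTL = timedelta(hours=1)
# Placeholder: in a real deployment this key comes from server-side configuration.
CODE_HASH_KEY = b"replace-with-a-server-side-secret"


@dataclass
class StoredCode:
    code_hash: str
    created_at: datetime
    used: bool = False


# Constructed in-memory table standing in for the db: user id -> current code row.
CODES: Dict[str, StoredCode] = {}


def _hash_code(user_id: str, code: str) -> str:
    # Keyed hash bound to the user, so a leaked row cannot be reversed by trying
    # all 100,000 codes against an unkeyed digest, and cannot be replayed for another user.
    return hmac.new(CODE_HASH_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_code(user_id: str, now: Optional[datetime] = None,
               store: Dict[str, StoredCode] = CODES) -> str:
    """Generate a fresh code, persist only its hash, and return the plaintext for delivery."""
    now = now or datetime.now(timezone.utc)
    code = f"{secrets.randbelow(100_000):05d}"
    store[user_id] = StoredCode(_hash_code(user_id, code), now)
    return code


def check_code(user_id: str, submitted: str, now: Optional[datetime] = None,
               store: Dict[str, StoredCode] = CODES) -> bool:
    """True only for an unused, unexpired code whose hash matches; marks it used on success."""
    now = now or datetime.now(timezone.utc)
    entry = store.get(user_id)
    if entry is None or entry.used:
        return False
    if now - entry.created_at > CODE_TTL:
        return False
    if not hmac.compare_digest(entry.code_hash, _hash_code(user_id, submitted)):
        return False
    entry.used = True
    return True


def run_demo() -> Tuple[bool, bool, bool, bool]:
    """Walk one user through: wrong code, correct code, replay of the same code,
    and a code checked after the one-hour window. Uses fixed timestamps."""
    store: Dict[str, StoredCode] = {}
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    code = issue_code("user-1", now=t0, store=store)
    wrong = "00000" if code != "00000" else "00001"
    rejected_wrong = check_code("user-1", wrong, now=t0 + timedelta(minutes=5), store=store)
    accepted = check_code("user-1", code, now=t0 + timedelta(minutes=59), store=store)
    replayed = check_code("user-1", code, now=t0 + timedelta(minutes=59), store=store)
    late_code = issue_code("user-1", now=t0, store=store)
    expired = check_code("user-1", late_code, now=t0 + timedelta(minutes=61), store=store)
    return rejected_wrong, accepted, replayed, expired
```

A wrong guess does not consume the stored code, so the number of guesses allowed before the code is invalidated is a separate control (rate limiting or an attempt counter) that this example does not add.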
Includes validation for gov.uk email address, mobile number with +44, password of at least 10 characters.
Form validation errors will be added to template in a later story.
User is created when form validates.
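Added example (not the project's form code) of the three checks named in the commit above, returning per-field error messages so they can be rendered later. The exact rules are assumptions: a gov.uk address is any mailbox at `gov.uk` or a subdomain of it (so `evil-gov.uk` is rejected), a mobile number is `+44` followed by `7` and nine more digits after spaces and punctuation are stripped, and the error message wording is made up here.

```python
import re
from typing import Dict, List

# Assumed rules for the example (see lead-in).
GOV_UK_EMAIL = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)*gov\.uk$", re.IGNORECASE)
UK_MOBILE = re.compile(r"^\+447\d{9}$")
MIN_PASSWORD_LENGTH = 10


def validate_registration(form: Dict[str, str]) -> Dict[str, List[str]]:
    """Return a field -> messages mapping; an empty dict means the form is valid."""
    errors: Dict[str, List[str]] = {}

    email = form.get("email", "").strip()
    if not GOV_UK_EMAIL.match(email):
        errors.setdefault("email", []).append("Enter a gov.uk email address")

    # Accept "+44 7700 900123" and "+44 (0)..."-free variants by dropping separators first.
    mobile = re.sub(r"[\s()-]", "", form.get("mobile", ""))
    if not UK_MOBILE.match(mobile):
        errors.setdefault("mobile", []).append("Enter a UK mobile number starting with +44")

    # Length check only; the password is not otherwise inspected or stored here.
    password = form.get("password", "")
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.setdefault("password", []).append(
            f"Password must be at least {MIN_PASSWORD_LENGTH} characters"
        )

    return errors
```

The domain check anchors on a dot before `gov.uk`, which is what stops look-alike domains such as `evil-gov.uk` from passing; a substring test (`"gov.uk" in email`) would not.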