Merge pull request #3444 from alphagov/allow-admin-to-specify-domain-for-password-reset

Allow admin app to specify domain for password reset
2026-02-01 07:35:34 -05:00 · 2022-02-03 09:15:03 +00:00
parent ac5967bc5a 07f584e1d5
commit 19704a3e49
2 changed files with 39 additions and 6 deletions
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -499,10 +499,9 @@ def find_users_by_email():

@user_blueprint.route('/reset-password', methods=['POST'])
 def send_user_reset_password():
-    email, errors = email_data_request_schema.load(request.get_json())
-
+    request_json = request.get_json()
+    email, errors = email_data_request_schema.load(request_json)
    user_to_send_to = get_user_by_email(email['email'])
-
    template = dao_get_template_by_id(current_app.config['PASSWORD_RESET_TEMPLATE_ID'])
    service = Service.query.get(current_app.config['NOTIFY_SERVICE_ID'])
    saved_notification = persist_notification(
@@ -514,7 +513,8 @@ def send_user_reset_password():
            'user_name': user_to_send_to.name,
            'url': _create_reset_password_url(
                user_to_send_to.email_address,
-                next_redirect=request.get_json().get('next')
+                base_url=request_json.get('admin_base_url'),
+                next_redirect=request_json.get('next')
            )
        },
        notification_type=template.template_type,
@@ -547,10 +547,10 @@ def get_organisations_and_services_for_user(user_id):
    return jsonify(data)


-def _create_reset_password_url(email, next_redirect):
+def _create_reset_password_url(email, next_redirect, base_url=None):
    data = json.dumps({'email': email, 'created_at': str(datetime.utcnow())})
    static_url_part = '/new-password/'
-    full_url = url_with_token(data, static_url_part, current_app.config)
+    full_url = url_with_token(data, static_url_part, current_app.config, base_url=base_url)
    if next_redirect:
        full_url += '?{}'.format(urlencode({'next': next_redirect}))
    return full_url
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -667,6 +667,39 @@ def test_send_user_reset_password_should_send_reset_password_link(client,
    assert notification.reply_to_text == notify_service.get_default_reply_to_email_address()


+@pytest.mark.parametrize('data, expected_url', (
+    ({
+        'email': 'notify@digital.cabinet-office.gov.uk',
+    }, (
+        'http://localhost:6012/new-password/'
+    )),
+    ({
+        'email': 'notify@digital.cabinet-office.gov.uk',
+        'admin_base_url': 'https://different.example.com',
+    }, (
+        'https://different.example.com/new-password/'
+    )),
+))
+@freeze_time("2016-01-01 11:09:00.061258")
+def test_send_user_reset_password_should_use_provided_base_url(
+    admin_request,
+    sample_user,
+    password_reset_email_template,
+    mocker,
+    data,
+    expected_url,
+):
+    mocker.patch('app.celery.provider_tasks.deliver_email.apply_async')
+
+    admin_request.post(
+        'user.send_user_reset_password',
+        _data=data,
+        _expected_status=204,
+    )
+
+    assert Notification.query.first().personalisation['url'].startswith(expected_url)
+
+
@freeze_time("2016-01-01 11:09:00.061258")
 def test_send_user_reset_password_reset_password_link_contains_redirect_link_if_present_in_request(
    client, sample_user, mocker, password_reset_email_template