From 07f584e1d5aa287637a1d9a8b4d810e4d0ccc4b7 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott
Date: Wed, 2 Feb 2022 16:42:55 +0000
Subject: [PATCH] Allow admin app to specify domain for password reset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This follows the pattern for invite emails where the admin app tells the API which domain to use when generating the link.
This will starting working once this admin change is merged:
- [ ] https://github.com/alphagov/notifications-admin/pull/4150/files
It won’t break anything if it’s merged before the admin change.
---
 app/user/rest.py | 12 ++++++------
 tests/app/user/test_rest.py | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/app/user/rest.py b/app/user/rest.py
index 1f25affee..ac6989266 100644
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -499,10 +499,9 @@ def find_users_by_email():
 @user_blueprint.route('/reset-password', methods=['POST'])
 def send_user_reset_password():
- email, errors = email_data_request_schema.load(request.get_json())
-
+ request_json = request.get_json()
+ email, errors = email_data_request_schema.load(request_json)
 user_to_send_to = get_user_by_email(email['email'])
-
 template = dao_get_template_by_id(current_app.config['PASSWORD_RESET_TEMPLATE_ID'])
 service = Service.query.get(current_app.config['NOTIFY_SERVICE_ID'])
 saved_notification = persist_notification(
@@ -514,7 +513,8 @@ def send_user_reset_password():
 'user_name': user_to_send_to.name,
 'url': _create_reset_password_url(
 user_to_send_to.email_address,
- next_redirect=request.get_json().get('next')
+ base_url=request_json.get('admin_base_url'),
+ next_redirect=request_json.get('next')
 )
 },
 notification_type=template.template_type,
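Review bot: In the `-514` hunk, `request_json.get('admin_base_url')` goes straight from the request body into the host part of the emailed reset link, which carries the reset token, and neither this hunk nor `_create_reset_password_url` (the `-547` hunk) checks that it names a known admin origin. If the calling app ever derives that value from something a user can influence, such as the incoming Host header, the token would be mailed out as a link to a host the service does not control. Consider validating it before the call, e.g. `base_url = request_json.get('admin_base_url')` followed by `if base_url and base_url not in current_app.config['ADMIN_BASE_URL_ALLOWLIST']:` returning a 400, where `ADMIN_BASE_URL_ALLOWLIST` is a placeholder name and not a config key shown in this patch. How `url_with_token` treats `base_url` is not visible here, and the body of `send_user_reset_password` continues outside both hunks.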
@@ -547,10 +547,10 @@ def get_organisations_and_services_for_user(user_id):
 return jsonify(data)
-def _create_reset_password_url(email, next_redirect):
+def _create_reset_password_url(email, next_redirect, base_url=None):
 data = json.dumps({'email': email, 'created_at': str(datetime.utcnow())})
 static_url_part = '/new-password/'
- full_url = url_with_token(data, static_url_part, current_app.config)
+ full_url = url_with_token(data, static_url_part, current_app.config, base_url=base_url)
 if next_redirect:
 full_url += '?{}'.format(urlencode({'next': next_redirect}))
 return full_url
diff --git a/tests/app/user/test_rest.py b/tests/app/user/test_rest.py
index 1e2d03435..24af49935 100644
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -667,6 +667,39 @@ def test_send_user_reset_password_should_send_reset_password_link(client,
 assert notification.reply_to_text == notify_service.get_default_reply_to_email_address()
+@pytest.mark.parametrize('data, expected_url', (
+ ({
+ 'email': 'notify@digital.cabinet-office.gov.uk',
+ }, (
+ 'http://localhost:6012/new-password/'
+ )),
+ ({
+ 'email': 'notify@digital.cabinet-office.gov.uk',
+ 'admin_base_url': 'https://different.example.com',
+ }, (
+ 'https://different.example.com/new-password/'
+ )),
+))
+@freeze_time("2016-01-01 11:09:00.061258")
+def test_send_user_reset_password_should_use_provided_base_url(
+ admin_request,
+ sample_user,
+ password_reset_email_template,
+ mocker,
+ data,
+ expected_url,
+):
+ mocker.patch('app.celery.provider_tasks.deliver_email.apply_async')
+
+ admin_request.post(
+ 'user.send_user_reset_password',
+ _data=data,
+ _expected_status=204,
+ )
+
+ assert Notification.query.first().personalisation['url'].startswith(expected_url)
+
+
 @freeze_time("2016-01-01 11:09:00.061258")
 def test_send_user_reset_password_reset_password_link_contains_redirect_link_if_present_in_request(
 client, sample_user, mocker, password_reset_email_template
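Review bot: The parametrized cases in `test_send_user_reset_password_should_use_provided_base_url` pin only the two accepted shapes (no `admin_base_url`, and a well-formed https origin), so nothing records what the endpoint should do with a value that is not an expected admin origin, has no scheme, or ends in a slash. Since the asserted URL is the link that carries the reset token, the second case as written fixes "any origin is accepted" as the contract; a further case expecting `_expected_status=400` for an unexpected origin belongs here once the API validates the field. A case with a trailing slash (constructed sample: `'admin_base_url': 'https://different.example.com/'`) would also show how the base and `/new-password/` are joined, which this patch does not make visible. The combination of `admin_base_url` with `next` is supported by the new code path but not covered by this test.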