Merge pull request #2991 from alphagov/reset-password-email-gets-forward-link

Put redirect link in reset password email link
2026-02-04 02:11:11 -05:00 · 2020-10-12 12:26:42 +01:00
parent e5413cd193 51811de919
commit 50982ff36a
2 changed files with 33 additions and 9 deletions
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -444,7 +444,10 @@ def send_user_reset_password():
        service=service,
        personalisation={
            'user_name': user_to_send_to.name,
-            'url': _create_reset_password_url(user_to_send_to.email_address)
+            'url': _create_reset_password_url(
+                user_to_send_to.email_address,
+                next_redirect=request.get_json().get('next')
+            )
        },
        notification_type=template.template_type,
        api_key_id=None,
@@ -477,10 +480,13 @@ def get_organisations_and_services_for_user(user_id):
    return jsonify(data)


-def _create_reset_password_url(email):
+def _create_reset_password_url(email, next_redirect):
    data = json.dumps({'email': email, 'created_at': str(datetime.utcnow())})
-    url = '/new-password/'
-    return url_with_token(data, url, current_app.config)
+    static_url_part = '/new-password/'
+    full_url = url_with_token(data, static_url_part, current_app.config)
+    if next_redirect:
+        full_url += '?{}'.format(urlencode({'next': next_redirect}))
+    return full_url


 def _create_verification_url(user):
@@ -495,13 +501,13 @@ def _create_confirmation_url(user, email_address):
    return url_with_token(data, url, current_app.config)


-def _create_2fa_url(user, secret_code, next_redir, email_auth_link_host):
+def _create_2fa_url(user, secret_code, next_redirect, email_auth_link_host):
    data = json.dumps({'user_id': str(user.id), 'secret_code': secret_code})
    url = '/email-auth/'
-    ret = url_with_token(data, url, current_app.config, base_url=email_auth_link_host)
-    if next_redir:
-        ret += '?{}'.format(urlencode({'next': next_redir}))
-    return ret
+    full_url = url_with_token(data, url, current_app.config, base_url=email_auth_link_host)
+    if next_redirect:
+        full_url += '?{}'.format(urlencode({'next': next_redirect}))
+    return full_url


 def get_orgs_and_services(user):
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -598,6 +598,24 @@ def test_send_user_reset_password_should_send_reset_password_link(client,
    assert notification.reply_to_text == notify_service.get_default_reply_to_email_address()


+@freeze_time("2016-01-01 11:09:00.061258")
+def test_send_user_reset_password_reset_password_link_contains_redirect_link_if_present_in_request(
+    client, sample_user, mocker, password_reset_email_template
+):
+    mocked = mocker.patch('app.celery.provider_tasks.deliver_email.apply_async')
+    data = json.dumps({'email': sample_user.email_address, "next": "blob"})
+    auth_header = create_authorization_header()
+    response = client.post(
+        url_for('user.send_user_reset_password'),
+        data=data,
+        headers=[('Content-Type', 'application/json'), auth_header])
+
+    assert response.status_code == 204
+    notification = Notification.query.first()
+    assert "?next=blob" in notification.content
+    mocked.assert_called_once_with([str(notification.id)], queue="notify-internal-tasks")
+
+
 def test_send_user_reset_password_should_return_400_when_email_is_missing(client, mocker):
    mocked = mocker.patch('app.celery.provider_tasks.deliver_email.apply_async')
    data = json.dumps({})