[#114] Added :user_id component to email confirmation path to improve the security.

Added tests for `confirm_email` action.

1 files changed, 15 insertions, 3 deletions

diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index 53b390793..16422c35a 100644
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -873,7 +873,7 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
     end
   end
 
-  describe "GET /api/account/confirm_email/:token" do
+  describe "GET /api/account/confirm_email/:id/:token" do
     setup do
       user = insert(:user)
       info_change = User.Info.confirmation_changeset(user.info, :unconfirmed)
@@ -890,19 +890,31 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
     end
 
     test "it redirects to root url", %{conn: conn, user: user} do
-      conn = get(conn, "/api/account/confirm_email/#{user.info.confirmation_token}")
+      conn = get(conn, "/api/account/confirm_email/#{user.id}/#{user.info.confirmation_token}")
 
       assert 302 == conn.status
     end
 
     test "it confirms the user account", %{conn: conn, user: user} do
-      get(conn, "/api/account/confirm_email/#{user.info.confirmation_token}")
+      get(conn, "/api/account/confirm_email/#{user.id}/#{user.info.confirmation_token}")
 
       user = Repo.get(User, user.id)
 
       refute user.info.confirmation_pending
       refute user.info.confirmation_token
     end
+
+    test "it returns 500 if user cannot be found by id", %{conn: conn, user: user} do
+      conn = get(conn, "/api/account/confirm_email/0/#{user.info.confirmation_token}")
+
+      assert 500 == conn.status
+    end
+
+    test "it returns 500 if token is invalid", %{conn: conn, user: user} do
+      conn = get(conn, "/api/account/confirm_email/#{user.id}/wrong_token")
+
+      assert 500 == conn.status
+    end
   end
 
   describe "POST /api/account/resend_confirmation_email" do