Add tests for username enumeration vulnerability

When creating a user account using an email that has already been taken, or when logging in with an email that does not exist in the database, the error messages should be generic and should not indicate that the email already exists, or that the email does not exist (in the case of logins) Here we are adding the tests for this behaviour.
meedan · Jan 20, 2025 · f721f1c · f721f1c
1 parent ebd7960
commit f721f1c
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/test/controllers/registrations_controller_test.rb b/test/controllers/registrations_controller_test.rb
@@ -143,4 +143,25 @@ def teardown
     end
     assert_response 401
   end
+
+  test "should return generic response when registering using an existing email" do
+    existing_user = create_user(email: '[email protected]')
+    p1 = random_complex_password
+
+    assert_no_difference 'User.count' do
+      post :create, params: { api_user: { password: p1, password_confirmation: p1, email: existing_user.email, login: 'test', name: 'Test' } }
+      assert_response 401
+      assert_equal 'Please check your email', response.parsed_body['message']
+    end
+  end
+
+  test "should return generic response when registering with non-existing email" do
+    p1 = random_complex_password
+
+    assert_no_difference 'User.count' do
+      post :create, params: { api_user: { password: p1, password_confirmation: p1, email: '[email protected]', login: 'test', name: 'Test' } }
+      assert_response 401
+      assert_equal 'Please check your email', response.parsed_body['message']
+    end
+  end
 end