analytics/test/plausible_web/controllers/auth_controller_test.exs

2153 lines
68 KiB
Elixir
defmodule PlausibleWeb.AuthControllerTest do
use PlausibleWeb.ConnCase, async: true
2019-09-02 14:29:19 +03:00
use Bamboo.Test
use Plausible.Repo
2019-09-02 14:29:19 +03:00
Refactor enterprise plan upgrade and change-plan actions (#3397) * rename enterprise?/1 function * change link text to Upgrade when subscription deleted * extract paddle_button and paddle_script components * create a new upgrade-to-enterprise-plan page * extract upgrade_link component * rename function * link to enterprise plan upgrade page from settings ...if the user has an enterprise plan configured * fetch enterprise plan price on the new page * add change_enterprise_plan functionality on the new page * render existing change_enterprise_plan_contact_us.html ...when subscribed to latest configured enterprise plan * rename vars and extract resumable? fn * remove dead billing route * small test refactor: extract convenience fn * add tests for... ...restricting paused and past_due subscription access to the new enterprise plan page. 1. redirect to /settings from the controller action 2. hiding the change-plan link from the user settings * implement redirect to /settings * hide the enterprise upgrade/change-plan link * add tests for a deleted enterprise subscription * plug in the new controller action and delete dead code * optimize for dark mode * fix compile warning * credo fix * display N/A instead of crash when price nil * change subscription.status type to Ecto.Enum Also, create a new `Subscription.Status` module that exposes macros to return the used atom values (prevent typos at compiletime). * fix bug (@conn not available anymore) * use Routes.billing_path where applicable * add a status() type * silence credo * refactor suggestion from review Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Remove the __using__ macro from Subscription.Status ... 
instead be explicit about requires and aliases and also order the use, import, require, and alias clauses according to https://github.com/christopheradams/elixir_style_guide#module-attribute-ordering * drop the virtual Enteprise 'price_per_interval' field * apply review suggestion to make the code more DRY * use dot syntax to fetch current user in new controller actions * fix formatting --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
2023-10-10 20:35:17 +03:00
import Plausible.Test.Support.HTML
import Mox
Implement better user password validation (#3344) * Add zxcvbn dependency * Change password length range requirement from 6-64 to 12-128 * Reimplement register form in LV * Implement server-side check for password strength * Add rudimentary strength meter * Make password input with strength a separate component and improve it * Fix existing tests to provide strong enough password * Apply formatting * Replace existing registration form with new one * Hide built-in label in `.input` component when none provided * Crop password to first 32 chars for analysis by zxcvbn * Add tests for new form components * Integrate hCaptcha into LV * Fix existing AuthController tests * Add tests for Live.RegisterForm * Hide strength meter when password input is empty * Randomize client IP in headers during tests to avoid hitting rate limit * Apply auxilliary formatting fixes to AuthController * Integrate registration from invitation into LV registration logic * Fix existing password set and reset forms * Make `password_length_hint` component more customizable * Optimize `Auth.User.set_password/2` * Remove unnecessary attribute from registration form * Move password set and reset forms to LV * Add tests for SetPasswordForm LV component * Add tests for password checks in `Auth.User` * Document code a bit * Implement simpler approach to hCaptcha integration * Update CHANGELOG.md * Improve consistency of color scheme * Introduce debounce across all text inputs in registration and password forms * Fix email input background in register form * Ensure only single error is rendered for empty password confirmation case * Remove `/password` form entirely in favor of preferred password reset * Remove unnecessary `router` option from `live_render` calls * Make expensive assigns in LV with `assign_new` (h/t @aerosol) * Accept passwords longer than 32 bytes uniformly as very strong * Avoid displaying blank error side by side with weak password error * Make register actions handle errors gracefully 
* Render only a single piece of feedback to reduce noise * Make register and password reset forms pw manager friendly (h/t @cnkk) * Move registration forms to live routes * Delete no longer used deadviews * Adjust registration form in accordance to changes in #3290 * Reintroduce dogfood page path for invitation form from #3290 * Use alternative approach to submitting plausible metrics from LV form * Rename metrics events and extend tests to account for them
2023-09-25 11:27:29 +03:00
require Logger
Refactor enterprise plan upgrade and change-plan actions (#3397) * rename enterprise?/1 function * change link text to Upgrade when subscription deleted * extract paddle_button and paddle_script components * create a new upgrade-to-enterprise-plan page * extract upgrade_link component * rename function * link to enterprise plan upgrade page from settings ...if the user has an enterprise plan configured * fetch enterprise plan price on the new page * add change_enterprise_plan functionality on the new page * render existing change_enterprise_plan_contact_us.html ...when subscribed to latest configured enterprise plan * rename vars and extract resumable? fn * remove dead billing route * small test refactor: extract convenience fn * add tests for... ...restricting paused and past_due subscription access to the new enterprise plan page. 1. redirect to /settings from the controller action 2. hiding the change-plan link from the user settings * implement redirect to /settings * hide the enterprise upgrade/change-plan link * add tests for a deleted enterprise subscription * plug in the new controller action and delete dead code * optimize for dark mode * fix compile warning * credo fix * display N/A instead of crash when price nil * change subscription.status type to Ecto.Enum Also, create a new `Subscription.Status` module that exposes macros to return the used atom values (prevent typos at compiletime). * fix bug (@conn not available anymore) * use Routes.billing_path where applicable * add a status() type * silence credo * refactor suggestion from review Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Remove the __using__ macro from Subscription.Status ... 
instead be explicit about requires and aliases and also order the use, import, require, and alias clauses according to https://github.com/christopheradams/elixir_style_guide#module-attribute-ordering * drop the virtual Enteprise 'price_per_interval' field * apply review suggestion to make the code more DRY * use dot syntax to fetch current user in new controller actions * fix formatting --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
2023-10-10 20:35:17 +03:00
require Plausible.Billing.Subscription.Status
alias Plausible.Auth
Implement better user password validation (#3344) * Add zxcvbn dependency * Change password length range requirement from 6-64 to 12-128 * Reimplement register form in LV * Implement server-side check for password strength * Add rudimentary strength meter * Make password input with strength a separate component and improve it * Fix existing tests to provide strong enough password * Apply formatting * Replace existing registration form with new one * Hide built-in label in `.input` component when none provided * Crop password to first 32 chars for analysis by zxcvbn * Add tests for new form components * Integrate hCaptcha into LV * Fix existing AuthController tests * Add tests for Live.RegisterForm * Hide strength meter when password input is empty * Randomize client IP in headers during tests to avoid hitting rate limit * Apply auxilliary formatting fixes to AuthController * Integrate registration from invitation into LV registration logic * Fix existing password set and reset forms * Make `password_length_hint` component more customizable * Optimize `Auth.User.set_password/2` * Remove unnecessary attribute from registration form * Move password set and reset forms to LV * Add tests for SetPasswordForm LV component * Add tests for password checks in `Auth.User` * Document code a bit * Implement simpler approach to hCaptcha integration * Update CHANGELOG.md * Improve consistency of color scheme * Introduce debounce across all text inputs in registration and password forms * Fix email input background in register form * Ensure only single error is rendered for empty password confirmation case * Remove `/password` form entirely in favor of preferred password reset * Remove unnecessary `router` option from `live_render` calls * Make expensive assigns in LV with `assign_new` (h/t @aerosol) * Accept passwords longer than 32 bytes uniformly as very strong * Avoid displaying blank error side by side with weak password error * Make register actions handle errors gracefully 
* Render only a single piece of feedback to reduce noise * Make register and password reset forms pw manager friendly (h/t @cnkk) * Move registration forms to live routes * Delete no longer used deadviews * Adjust registration form in accordance to changes in #3290 * Reintroduce dogfood page path for invitation form from #3290 * Use alternative approach to submitting plausible metrics from LV form * Rename metrics events and extend tests to account for them
2023-09-25 11:27:29 +03:00
alias Plausible.Auth.User
Refactor enterprise plan upgrade and change-plan actions (#3397) * rename enterprise?/1 function * change link text to Upgrade when subscription deleted * extract paddle_button and paddle_script components * create a new upgrade-to-enterprise-plan page * extract upgrade_link component * rename function * link to enterprise plan upgrade page from settings ...if the user has an enterprise plan configured * fetch enterprise plan price on the new page * add change_enterprise_plan functionality on the new page * render existing change_enterprise_plan_contact_us.html ...when subscribed to latest configured enterprise plan * rename vars and extract resumable? fn * remove dead billing route * small test refactor: extract convenience fn * add tests for... ...restricting paused and past_due subscription access to the new enterprise plan page. 1. redirect to /settings from the controller action 2. hiding the change-plan link from the user settings * implement redirect to /settings * hide the enterprise upgrade/change-plan link * add tests for a deleted enterprise subscription * plug in the new controller action and delete dead code * optimize for dark mode * fix compile warning * credo fix * display N/A instead of crash when price nil * change subscription.status type to Ecto.Enum Also, create a new `Subscription.Status` module that exposes macros to return the used atom values (prevent typos at compiletime). * fix bug (@conn not available anymore) * use Routes.billing_path where applicable * add a status() type * silence credo * refactor suggestion from review Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Remove the __using__ macro from Subscription.Status ... 
instead be explicit about requires and aliases and also order the use, import, require, and alias clauses according to https://github.com/christopheradams/elixir_style_guide#module-attribute-ordering * drop the virtual Enteprise 'price_per_interval' field * apply review suggestion to make the code more DRY * use dot syntax to fetch current user in new controller actions * fix formatting --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
2023-10-10 20:35:17 +03:00
alias Plausible.Billing.Subscription
Implement better user password validation (#3344) * Add zxcvbn dependency * Change password length range requirement from 6-64 to 12-128 * Reimplement register form in LV * Implement server-side check for password strength * Add rudimentary strength meter * Make password input with strength a separate component and improve it * Fix existing tests to provide strong enough password * Apply formatting * Replace existing registration form with new one * Hide built-in label in `.input` component when none provided * Crop password to first 32 chars for analysis by zxcvbn * Add tests for new form components * Integrate hCaptcha into LV * Fix existing AuthController tests * Add tests for Live.RegisterForm * Hide strength meter when password input is empty * Randomize client IP in headers during tests to avoid hitting rate limit * Apply auxilliary formatting fixes to AuthController * Integrate registration from invitation into LV registration logic * Fix existing password set and reset forms * Make `password_length_hint` component more customizable * Optimize `Auth.User.set_password/2` * Remove unnecessary attribute from registration form * Move password set and reset forms to LV * Add tests for SetPasswordForm LV component * Add tests for password checks in `Auth.User` * Document code a bit * Implement simpler approach to hCaptcha integration * Update CHANGELOG.md * Improve consistency of color scheme * Introduce debounce across all text inputs in registration and password forms * Fix email input background in register form * Ensure only single error is rendered for empty password confirmation case * Remove `/password` form entirely in favor of preferred password reset * Remove unnecessary `router` option from `live_render` calls * Make expensive assigns in LV with `assign_new` (h/t @aerosol) * Accept passwords longer than 32 bytes uniformly as very strong * Avoid displaying blank error side by side with weak password error * Make register actions handle errors gracefully 
* Render only a single piece of feedback to reduce noise * Make register and password reset forms pw manager friendly (h/t @cnkk) * Move registration forms to live routes * Delete no longer used deadviews * Adjust registration form in accordance to changes in #3290 * Reintroduce dogfood page path for invitation form from #3290 * Use alternative approach to submitting plausible metrics from LV form * Rename metrics events and extend tests to account for them
2023-09-25 11:27:29 +03:00
setup {PlausibleWeb.FirstLaunchPlug.Test, :skip}
setup [:verify_on_exit!]
Refactor enterprise plan upgrade and change-plan actions (#3397) * rename enterprise?/1 function * change link text to Upgrade when subscription deleted * extract paddle_button and paddle_script components * create a new upgrade-to-enterprise-plan page * extract upgrade_link component * rename function * link to enterprise plan upgrade page from settings ...if the user has an enterprise plan configured * fetch enterprise plan price on the new page * add change_enterprise_plan functionality on the new page * render existing change_enterprise_plan_contact_us.html ...when subscribed to latest configured enterprise plan * rename vars and extract resumable? fn * remove dead billing route * small test refactor: extract convenience fn * add tests for... ...restricting paused and past_due subscription access to the new enterprise plan page. 1. redirect to /settings from the controller action 2. hiding the change-plan link from the user settings * implement redirect to /settings * hide the enterprise upgrade/change-plan link * add tests for a deleted enterprise subscription * plug in the new controller action and delete dead code * optimize for dark mode * fix compile warning * credo fix * display N/A instead of crash when price nil * change subscription.status type to Ecto.Enum Also, create a new `Subscription.Status` module that exposes macros to return the used atom values (prevent typos at compiletime). * fix bug (@conn not available anymore) * use Routes.billing_path where applicable * add a status() type * silence credo * refactor suggestion from review Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Remove the __using__ macro from Subscription.Status ... 
instead be explicit about requires and aliases and also order the use, import, require, and alias clauses according to https://github.com/christopheradams/elixir_style_guide#module-attribute-ordering * drop the virtual Enteprise 'price_per_interval' field * apply review suggestion to make the code more DRY * use dot syntax to fetch current user in new controller actions * fix formatting --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
2023-10-10 20:35:17 +03:00
@v3_plan_id "749355"
Limit grandfathering to *active* subscribers and trials (#3524) * refactor asserting plan generation in plans_test.exs * stop grandfathering old expired trials For users who registered before the business tiers release, we want to offer a chance to subscribe to a grandfathered plan. However, if they let their trial expire and don't subscribe in the next 10 days, they'll lose that opportunity. * stop grandfathering expired subscriptions * remove default title and icon from Generic.notice * fix bug with dismissable notice classList is null when dismissable_id is not given * alias Plausible.Auth.User * Refactor Generic.notice component Make it easy to apply different colors * move subscription_cancelled_notice across the app And remove from user settings > subscription box. Also, include a note about losing grandfathered status when letting the subscription expire. * allow full width in Generic.notice * use Generic.notice for subscription_past_due_notice * use Generic.notice for subscription_paused_notice * prevent two notices clashing into each other with gap-y-2 * define attrs for phx components * optimize for light mode * make subscription cancelled notice dismissable but if it's dismiss, show it in the place where it was before in the account settings > subscription box * make function private * replace function doc with regular comment to avoid compile warning * use array for classnames Co-authored-by: Vinicius Brasil <vini@hey.com> * fix typos in function doc --------- Co-authored-by: Vinicius Brasil <vini@hey.com>
2023-11-16 18:40:50 +03:00
@v4_plan_id "857097"
Refactor enterprise plan upgrade and change-plan actions (#3397) * rename enterprise?/1 function * change link text to Upgrade when subscription deleted * extract paddle_button and paddle_script components * create a new upgrade-to-enterprise-plan page * extract upgrade_link component * rename function * link to enterprise plan upgrade page from settings ...if the user has an enterprise plan configured * fetch enterprise plan price on the new page * add change_enterprise_plan functionality on the new page * render existing change_enterprise_plan_contact_us.html ...when subscribed to latest configured enterprise plan * rename vars and extract resumable? fn * remove dead billing route * small test refactor: extract convenience fn * add tests for... ...restricting paused and past_due subscription access to the new enterprise plan page. 1. redirect to /settings from the controller action 2. hiding the change-plan link from the user settings * implement redirect to /settings * hide the enterprise upgrade/change-plan link * add tests for a deleted enterprise subscription * plug in the new controller action and delete dead code * optimize for dark mode * fix compile warning * credo fix * display N/A instead of crash when price nil * change subscription.status type to Ecto.Enum Also, create a new `Subscription.Status` module that exposes macros to return the used atom values (prevent typos at compiletime). * fix bug (@conn not available anymore) * use Routes.billing_path where applicable * add a status() type * silence credo * refactor suggestion from review Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com> * Remove the __using__ macro from Subscription.Status ... 
instead be explicit about requires and aliases and also order the use, import, require, and alias clauses according to https://github.com/christopheradams/elixir_style_guide#module-attribute-ordering * drop the virtual Enteprise 'price_per_interval' field * apply review suggestion to make the code more DRY * use dot syntax to fetch current user in new controller actions * fix formatting --------- Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
2023-10-10 20:35:17 +03:00
@configured_enterprise_plan_paddle_plan_id "123"
2019-09-02 14:29:19 +03:00
describe "GET /register" do
test "shows the register form", %{conn: conn} do
conn = get(conn, "/register")
assert html_response(conn, 200) =~ "Enter your details"
2019-09-02 14:29:19 +03:00
end
end
2019-09-02 14:29:19 +03:00
describe "POST /register" do
test "registering sends an activation link", %{conn: conn} do
Implement better user password validation (#3344) * Add zxcvbn dependency * Change password length range requirement from 6-64 to 12-128 * Reimplement register form in LV * Implement server-side check for password strength * Add rudimentary strength meter * Make password input with strength a separate component and improve it * Fix existing tests to provide strong enough password * Apply formatting * Replace existing registration form with new one * Hide built-in label in `.input` component when none provided * Crop password to first 32 chars for analysis by zxcvbn * Add tests for new form components * Integrate hCaptcha into LV * Fix existing AuthController tests * Add tests for Live.RegisterForm * Hide strength meter when password input is empty * Randomize client IP in headers during tests to avoid hitting rate limit * Apply auxilliary formatting fixes to AuthController * Integrate registration from invitation into LV registration logic * Fix existing password set and reset forms * Make `password_length_hint` component more customizable * Optimize `Auth.User.set_password/2` * Remove unnecessary attribute from registration form * Move password set and reset forms to LV * Add tests for SetPasswordForm LV component * Add tests for password checks in `Auth.User` * Document code a bit * Implement simpler approach to hCaptcha integration * Update CHANGELOG.md * Improve consistency of color scheme * Introduce debounce across all text inputs in registration and password forms * Fix email input background in register form * Ensure only single error is rendered for empty password confirmation case * Remove `/password` form entirely in favor of preferred password reset * Remove unnecessary `router` option from `live_render` calls * Make expensive assigns in LV with `assign_new` (h/t @aerosol) * Accept passwords longer than 32 bytes uniformly as very strong * Avoid displaying blank error side by side with weak password error * Make register actions handle errors gracefully 
* Render only a single piece of feedback to reduce noise * Make register and password reset forms pw manager friendly (h/t @cnkk) * Move registration forms to live routes * Delete no longer used deadviews * Adjust registration form in accordance to changes in #3290 * Reintroduce dogfood page path for invitation form from #3290 * Use alternative approach to submitting plausible metrics from LV form * Rename metrics events and extend tests to account for them
2023-09-25 11:27:29 +03:00
Repo.insert!(
User.new(%{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret-and-very-long-123",
password_confirmation: "very-secret-and-very-long-123"
})
)
Formatting only changes - No code change (#75) * first commit with test and compile job Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * adding 'prepare' stage Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * updated ci script to include "test" compile phase Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * adding environment variables for connecting to postgresql Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * updated ci config for postgres Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * using non-alpine version of elixir Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * re-using the 'compile' artifacts and added explict env variables for testing Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * removing redundant deps fetching from common code Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * formatting using mix.format -- beware no-code changes! Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * added release config Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * adding consistent env variable for Database Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * more cleaning up of environment variables Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Adding releases config for enabling releases Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * cleaning up env configs Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Cleaned up config and prepared config for releases Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * updated CI script with new config for test Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Added Dockerfile for creating production docker image Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Adding "docker" build job yay! 
Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * using non-slim version of debian and installing webpack Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Adding overlays for migrations on releases Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * restricting the docker built to master branch only Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * typo fix Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * adding "Hosting.md" to explain hosting instructions Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * removed the default comments Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Added documentation related to env variables * updated documentation and fixed typo Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * updated documentation * Bumping up elixir version as `overlays` are only supported in latest version read release notes: https://github.com/elixir-lang/elixir/releases/tag/v1.10.0 Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Adding tarball assembly during release Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * updated HOSTING.md Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Added support for db migration Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * minor corrections Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * initializing admin user Admin user has been added in the "migration" phase. A default user is automatically created in the process. One can provide the related env variables, else a new one will be automatically created for you. Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Initial base domain update - phase#1 These changes are only meant for correct operating it under self-hosting. There are many other cosmetic changes, that require updates to email, site and other places where the original website and author is used. 
Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Using dedicated config variable `base_domain` instead Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * adding base_domain to releases config Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * removing the dedicated config "base_domain", relying on endpoint host Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Removed the usage of "Mix" in code! It is bad practice to use "mix" module inside the code as in actual release this module is unavailable. Replacing this with a config environment variable Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Added support for SMTP via Bamboo Smtp Adapter Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Capturing SMTP errors via Sentry Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Minor updates Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * Adding junit formatter -- useful for generating test reports Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * adding documentation for default user * Resolve "Gitlab Adoption: Add supported services in "Security & Compliance"" * bumping up the debian version to fix issues fixing some vulnerabilities identified by the scanning tools * More updates for self-hosting Changes in most of the places to suit self-hosting. Although, there are some which have been left-off. Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * quick-dirty-fix! 
* bumping up the db connect timeout Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * bumping up the db connect timeout Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * bumping up the db connect timeout Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * bumping up timeout - skipping MRs :-/ * removing restrictions on watching for changes this stuff isn't working * Update HOSTING.md * renamed the module name * reverting formatting-whitespace changes Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * reverting the name to release Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * adding docker-compose.yml and related instructions Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * using `plausible_url` instead of assuming `https` this is because, it is much to test in local dev machines and in most cases there's already a layer above which is capable for `https` termination and http -> https upgrade Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * WIP: merging changes from upstream Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * wip: more changes * Pushing in changes from upstream Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * changes to ci for testing Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * cleaning up and finishing clickhouse integration Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * updating readme with hosting details * removing deleted files from upstream * minor config adjustments Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me> * formatting changes Signed-off-by: Chandra Tungathurthi <tckb@tgrthi.me>
2020-06-08 10:35:13 +03:00
post(conn, "/register",
user: %{
email: "user@example.com",
          password: "very-secret-and-very-long-123"
        }
      )

      assert_delivered_email_matches(%{to: [{_, user_email}], subject: subject})
      assert user_email == "user@example.com"
      assert subject =~ "is your Plausible email verification code"
    end

    test "user is redirected to activate page after registration", %{conn: conn} do
      Repo.insert!(
        User.new(%{
          name: "Jane Doe",
          email: "user@example.com",
          password: "very-secret-and-very-long-123",
          password_confirmation: "very-secret-and-very-long-123"
        })
      )

      conn =
        post(conn, "/register",
          user: %{
            email: "user@example.com",
            password: "very-secret-and-very-long-123"
          }
        )

      assert redirected_to(conn, 302) == "/activate"
    end

    test "logs the user in", %{conn: conn} do
      Repo.insert!(
        User.new(%{
          name: "Jane Doe",
          email: "user@example.com",
          password: "very-secret-and-very-long-123",
          password_confirmation: "very-secret-and-very-long-123"
        })
      )

      conn =
        post(conn, "/register",
          user: %{
            email: "user@example.com",
            password: "very-secret-and-very-long-123"
          }
        )

      assert get_session(conn, :current_user_id)
    end
  end

  describe "GET /register/invitations/:invitation_id" do
    test "shows the register form", %{conn: conn} do
      inviter = insert(:user)
      site = insert(:site, members: [inviter])

      invitation =
        insert(:invitation,
          site_id: site.id,
          inviter: inviter,
          email: "user@email.co",
          role: :admin
        )

      conn = get(conn, "/register/invitation/#{invitation.invitation_id}")

      assert html_response(conn, 200) =~ "Enter your details"
    end
  end

  describe "POST /register/invitation/:invitation_id" do
    setup do
      inviter = insert(:user)
      site = insert(:site, members: [inviter])

      invitation =
        insert(:invitation,
          site_id: site.id,
          inviter: inviter,
          email: "user@email.co",
          role: :admin
        )

      Repo.insert!(
        User.new(%{
          name: "Jane Doe",
          email: "user@example.com",
          password: "very-secret-and-very-long-123",
          password_confirmation: "very-secret-and-very-long-123"
        })
      )

      {:ok, %{site: site, invitation: invitation}}
    end

    test "registering sends an activation link", %{conn: conn, invitation: invitation} do
      post(conn, "/register/invitation/#{invitation.invitation_id}",
        user: %{
          name: "Jane Doe",
          email: "user@example.com",
          password: "very-secret-and-very-long-123",
          password_confirmation: "very-secret-and-very-long-123"
        }
      )

      assert_delivered_email_matches(%{to: [{_, user_email}], subject: subject})
      assert user_email == "user@example.com"
      assert subject =~ "is your Plausible email verification code"
    end

    test "user is redirected to activate page after registration", %{
      conn: conn,
      invitation: invitation
    } do
      conn =
        post(conn, "/register/invitation/#{invitation.invitation_id}",
          user: %{
            name: "Jane Doe",
            email: "user@example.com",
            password: "very-secret-and-very-long-123",
            password_confirmation: "very-secret-and-very-long-123"
          }
        )

      assert redirected_to(conn, 302) == "/activate"
    end

    test "logs the user in", %{conn: conn, invitation: invitation} do
      conn =
        post(conn, "/register/invitation/#{invitation.invitation_id}",
          user: %{
            name: "Jane Doe",
            email: "user@example.com",
            password: "very-secret-and-very-long-123",
            password_confirmation: "very-secret-and-very-long-123"
          }
        )

      assert get_session(conn, :current_user_id)
    end
  end

  describe "GET /activate" do
    setup [:create_user, :log_in]

    test "if user does not have a code: prompts user to request activation code", %{conn: conn} do
      conn = get(conn, "/activate")

      assert html_response(conn, 200) =~ "Request activation code"
    end

    test "if user does have a code: prompts user to enter the activation code from their email",
         %{conn: conn} do
      conn =
        post(conn, "/activate/request-code")
        |> get("/activate")

      assert html_response(conn, 200) =~ "Please enter the 4-digit code we sent to"
    end
  end

  describe "POST /activate/request-code" do
    setup [:create_user, :log_in]

    test "generates an activation pin for user account", %{conn: conn, user: user} do
      post(conn, "/activate/request-code")

      assert code = Repo.get_by(Auth.EmailActivationCode, user_id: user.id)
      assert code.user_id == user.id
      refute Plausible.Auth.EmailVerification.expired?(code)
    end

    test "regenerates an activation pin even if there's one already", %{conn: conn, user: user} do
      five_minutes_ago =
        NaiveDateTime.utc_now()
        |> Timex.shift(minutes: -5)
        |> NaiveDateTime.truncate(:second)

      {:ok, verification} = Auth.EmailVerification.issue_code(user, five_minutes_ago)

      post(conn, "/activate/request-code")

      assert new_verification = Repo.get_by(Auth.EmailActivationCode, user_id: user.id)
      assert verification.id == new_verification.id
      assert verification.user_id == new_verification.user_id

      # this actually has a chance to fail 1 in 8999 runs
      # but at the same time it's good to have a confirmation
      # that it indeed generates a new code
      if verification.code == new_verification.code do
        Logger.warning(
          "Congratulations! You have hit 1 in 8999 chance of the same " <>
            "email verification code repeating twice in a row!"
        )
      end
      assert NaiveDateTime.compare(verification.issued_at, new_verification.issued_at) == :lt
    end

    test "sends activation email to user", %{conn: conn, user: user} do
      post(conn, "/activate/request-code")

      assert_delivered_email_matches(%{to: [{_, user_email}], subject: subject})
      assert user_email == user.email
      assert subject =~ "is your Plausible email verification code"
    end

    test "redirects user to /activate", %{conn: conn} do
      conn = post(conn, "/activate/request-code")

      assert redirected_to(conn, 302) == "/activate"
    end
  end

  describe "POST /activate" do
    setup [:create_user, :log_in]

    test "with wrong pin - reloads the form with error", %{conn: conn} do
      conn = post(conn, "/activate", %{code: "1234"})

      assert html_response(conn, 200) =~ "Incorrect activation code"
    end

    test "with expired pin - reloads the form with error", %{conn: conn, user: user} do
      one_day_ago =
        NaiveDateTime.utc_now()
        |> Timex.shift(days: -1)
        |> NaiveDateTime.truncate(:second)

      {:ok, verification} = Auth.EmailVerification.issue_code(user, one_day_ago)

      conn = post(conn, "/activate", %{code: verification.code})

      assert html_response(conn, 200) =~ "Code is expired, please request another one"
    end

    test "marks the user account as active", %{conn: conn, user: user} do
      Repo.update!(Plausible.Auth.User.changeset(user, %{email_verified: false}))
      post(conn, "/activate/request-code")
      verification = Repo.get_by!(Auth.EmailActivationCode, user_id: user.id)

      conn = post(conn, "/activate", %{code: verification.code})
      user = Repo.get_by(Plausible.Auth.User, id: user.id)

      assert user.email_verified
      assert redirected_to(conn) == "/sites/new"
    end

    test "redirects to /sites if user has invitation", %{conn: conn, user: user} do
      site = insert(:site)
      insert(:invitation, inviter: build(:user), site: site, email: user.email)
      Repo.update!(Plausible.Auth.User.changeset(user, %{email_verified: false}))
      post(conn, "/activate/request-code")
      verification = Repo.get_by!(Auth.EmailActivationCode, user_id: user.id)

      conn = post(conn, "/activate", %{code: verification.code})

      assert redirected_to(conn) == "/sites"
    end

    test "removes used up verification code", %{conn: conn, user: user} do
      Repo.update!(Plausible.Auth.User.changeset(user, %{email_verified: false}))
      post(conn, "/activate/request-code")
      verification = Repo.get_by!(Auth.EmailActivationCode, user_id: user.id)

      post(conn, "/activate", %{code: verification.code})

      # a verification code is single-use: it is deleted once accepted
      refute Repo.get_by(Auth.EmailActivationCode, user_id: user.id)
    end
  end
  describe "GET /login_form" do
    test "shows the login form", %{conn: conn} do
      conn = get(conn, "/login")

      assert html_response(conn, 200) =~ "Enter your email and password"
    end
  end

  describe "POST /login" do
    test "valid email and password - logs the user in", %{conn: conn} do
      user = insert(:user, password: "password")

      conn = post(conn, "/login", email: user.email, password: "password")

      assert get_session(conn, :current_user_id) == user.id
      assert redirected_to(conn) == "/sites"
    end

    test "valid email and password with login_dest set - redirects properly", %{conn: conn} do
      user = insert(:user, password: "password")

      conn =
        conn
        |> init_session()
        |> put_session(:login_dest, "/settings")

      conn = post(conn, "/login", email: user.email, password: "password")

      assert redirected_to(conn, 302) == "/settings"
    end

    test "valid email and password with 2FA enabled - sets 2FA session and redirects", %{
      conn: conn
    } do
      user = insert(:user, password: "password")

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = post(conn, "/login", email: user.email, password: "password")

      # the password alone must not establish a logged-in session;
      # only the pending-2FA cookie identifies the user until the code is verified
      assert redirected_to(conn, 302) == Routes.auth_path(conn, :verify_2fa_form)
      assert fetch_cookies(conn).cookies["session_2fa"].current_2fa_user_id == user.id
      refute get_session(conn)["current_user_id"]
    end

    test "valid email and password with 2FA enabled and remember 2FA cookie set - logs the user in",
         %{conn: conn} do
      user = insert(:user, password: "password")

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = set_remember_2fa_cookie(conn, user)

      conn = post(conn, "/login", email: user.email, password: "password")

      # a trusted device skips the challenge, so no pending-2FA cookie is left behind
      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert conn.resp_cookies["session_2fa"].max_age == 0
      assert get_session(conn, :current_user_id) == user.id
    end

    test "valid email and password with 2FA enabled and rogue remember 2FA cookie set - sets 2FA session and redirects",
         %{conn: conn} do
      user = insert(:user, password: "password")

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      # a remember-2FA cookie issued for a different user must not skip the second factor
      another_user = insert(:user)
      conn = set_remember_2fa_cookie(conn, another_user)

      conn = post(conn, "/login", email: user.email, password: "password")

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :verify_2fa_form)
      assert fetch_cookies(conn).cookies["session_2fa"].current_2fa_user_id == user.id
      refute get_session(conn, :current_user_id)
    end

    test "email does not exist - renders login form again", %{conn: conn} do
      conn = post(conn, "/login", email: "user@example.com", password: "password")

      assert get_session(conn, :current_user_id) == nil
      assert html_response(conn, 200) =~ "Enter your email and password"
    end

    test "bad password - renders login form again", %{conn: conn} do
      user = insert(:user, password: "password")

      conn = post(conn, "/login", email: user.email, password: "wrong")

      assert get_session(conn, :current_user_id) == nil
      assert html_response(conn, 200) =~ "Enter your email and password"
    end

    test "limits login attempts to 5 per minute" do
      user = insert(:user, password: "password")

      # five failed attempts from the same client IP are allowed through...
      build_conn()
      |> put_req_header("x-forwarded-for", "1.2.3.5")
      |> post("/login", email: user.email, password: "wrong")

      build_conn()
      |> put_req_header("x-forwarded-for", "1.2.3.5")
      |> post("/login", email: user.email, password: "wrong")

      build_conn()
      |> put_req_header("x-forwarded-for", "1.2.3.5")
      |> post("/login", email: user.email, password: "wrong")

      build_conn()
      |> put_req_header("x-forwarded-for", "1.2.3.5")
      |> post("/login", email: user.email, password: "wrong")

      build_conn()
      |> put_req_header("x-forwarded-for", "1.2.3.5")
      |> post("/login", email: user.email, password: "wrong")

      # ...and the sixth one within the window is rejected with 429
      conn =
        build_conn()
        |> put_req_header("x-forwarded-for", "1.2.3.5")
        |> post("/login", email: user.email, password: "wrong")

      assert get_session(conn, :current_user_id) == nil
      assert html_response(conn, 429) =~ "Too many login attempts"
    end
  end
describe "GET /password/request-reset" do
test "renders the form", %{conn: conn} do
conn = get(conn, "/password/request-reset")
assert html_response(conn, 200) =~ "Enter your email so we can send a password reset link"
end
end
describe "POST /password/request-reset" do
test "email is empty - renders form with error", %{conn: conn} do
conn = post(conn, "/password/request-reset", %{email: ""})
assert html_response(conn, 200) =~ "Enter your email so we can send a password reset link"
end
test "email is present and exists - sends password reset email", %{conn: conn} do
mock_captcha_success()
2019-09-02 14:29:19 +03:00
user = insert(:user)
conn = post(conn, "/password/request-reset", %{email: user.email})
assert html_response(conn, 200) =~ "Success!"
assert_email_delivered_with(subject: "Plausible password reset")
end
test "renders captcha errors in case of captcha input verification failure", %{conn: conn} do
mock_captcha_failure()
user = insert(:user)
conn = post(conn, "/password/request-reset", %{email: user.email})
assert html_response(conn, 200) =~ "Please complete the captcha"
end
2019-09-02 14:29:19 +03:00
end
describe "GET /password/reset" do
test "with valid token - shows form", %{conn: conn} do
Implement better user password validation (#3344) * Add zxcvbn dependency * Change password length range requirement from 6-64 to 12-128 * Reimplement register form in LV * Implement server-side check for password strength * Add rudimentary strength meter * Make password input with strength a separate component and improve it * Fix existing tests to provide strong enough password * Apply formatting * Replace existing registration form with new one * Hide built-in label in `.input` component when none provided * Crop password to first 32 chars for analysis by zxcvbn * Add tests for new form components * Integrate hCaptcha into LV * Fix existing AuthController tests * Add tests for Live.RegisterForm * Hide strength meter when password input is empty * Randomize client IP in headers during tests to avoid hitting rate limit * Apply auxilliary formatting fixes to AuthController * Integrate registration from invitation into LV registration logic * Fix existing password set and reset forms * Make `password_length_hint` component more customizable * Optimize `Auth.User.set_password/2` * Remove unnecessary attribute from registration form * Move password set and reset forms to LV * Add tests for SetPasswordForm LV component * Add tests for password checks in `Auth.User` * Document code a bit * Implement simpler approach to hCaptcha integration * Update CHANGELOG.md * Improve consistency of color scheme * Introduce debounce across all text inputs in registration and password forms * Fix email input background in register form * Ensure only single error is rendered for empty password confirmation case * Remove `/password` form entirely in favor of preferred password reset * Remove unnecessary `router` option from `live_render` calls * Make expensive assigns in LV with `assign_new` (h/t @aerosol) * Accept passwords longer than 32 bytes uniformly as very strong * Avoid displaying blank error side by side with weak password error * Make register actions handle errors gracefully 
* Render only a single piece of feedback to reduce noise * Make register and password reset forms pw manager friendly (h/t @cnkk) * Move registration forms to live routes * Delete no longer used deadviews * Adjust registration form in accordance to changes in #3290 * Reintroduce dogfood page path for invitation form from #3290 * Use alternative approach to submitting plausible metrics from LV form * Rename metrics events and extend tests to account for them
2023-09-25 11:27:29 +03:00
user = insert(:user)
token = Plausible.Auth.Token.sign_password_reset(user.email)
conn = get(conn, "/password/reset", %{token: token})
assert html_response(conn, 200) =~ "Reset your password"
end
test "with invalid token - shows error page", %{conn: conn} do
conn = get(conn, "/password/reset", %{token: "blabla"})
assert html_response(conn, 401) =~ "Your token is invalid"
end
test "without token - shows error page", %{conn: conn} do
conn = get(conn, "/password/reset", %{})
assert html_response(conn, 401) =~ "Your token is invalid"
end
end
describe "POST /password/reset" do
test "redirects the user to login and shows success message", %{conn: conn} do
conn = post(conn, "/password/reset", %{})
assert location = "/login" = redirected_to(conn, 302)
{:ok, %{conn: conn}} = PlausibleWeb.FirstLaunchPlug.Test.skip(%{conn: recycle(conn)})
conn = get(conn, location)
assert html_response(conn, 200) =~ "Password updated successfully"
end
end
describe "GET /settings" do
setup [:create_user, :log_in]
test "shows the form", %{conn: conn} do
conn = get(conn, "/settings")
assert resp = html_response(conn, 200)
assert resp =~ "Change account name"
assert resp =~ "Change email address"
end
@tag :ee_only
test "shows subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "558018", user: user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "10k pageviews"
assert html_response(conn, 200) =~ "monthly billing"
end
@tag :ee_only
test "shows yearly subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "590752", user: user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "100k pageviews"
assert html_response(conn, 200) =~ "yearly billing"
end
@tag :ee_only
test "shows free subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "free_10k", user: user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "10k pageviews"
assert html_response(conn, 200) =~ "N/A billing"
end
@tag :ee_only
test "shows enterprise plan subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "123", user: user)
configure_enterprise_plan(user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "20M pageviews"
assert html_response(conn, 200) =~ "yearly billing"
end
@tag :ee_only
test "shows current enterprise plan subscription when user has a new one to upgrade to", %{
conn: conn,
user: user
} do
insert(:subscription,
paddle_plan_id: @configured_enterprise_plan_paddle_plan_id,
user: user
)
insert(:enterprise_plan,
paddle_plan_id: "1234",
user: user,
monthly_pageview_limit: 10_000_000,
billing_interval: :yearly
)
configure_enterprise_plan(user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "20M pageviews"
assert html_response(conn, 200) =~ "yearly billing"
end
@tag :ee_only
test "renders two links to '/billing/choose-plan' with the text 'Upgrade'", %{conn: conn} do
doc =
get(conn, "/settings")
|> html_response(200)
upgrade_link_1 = find(doc, "#monthly-quota-box a")
upgrade_link_2 = find(doc, "#upgrade-link-2")
assert text(upgrade_link_1) == "Upgrade"
assert text_of_attr(upgrade_link_1, "href") == Routes.billing_path(conn, :choose_plan)
assert text(upgrade_link_2) == "Upgrade"
assert text_of_attr(upgrade_link_2, "href") == Routes.billing_path(conn, :choose_plan)
end
@tag :ee_only
test "renders a link to '/billing/choose-plan' with the text 'Change plan' + cancel link", %{
conn: conn,
user: user
} do
insert(:subscription, paddle_plan_id: @v3_plan_id, user: user)
doc =
get(conn, "/settings")
|> html_response(200)
refute element_exists?(doc, "#upgrade-link-2")
assert doc =~ "Cancel my subscription"
change_plan_link = find(doc, "#monthly-quota-box a")
assert text(change_plan_link) == "Change plan"
assert text_of_attr(change_plan_link, "href") == Routes.billing_path(conn, :choose_plan)
end
test "/billing/choose-plan link does not show up when enterprise subscription is past_due", %{
conn: conn,
user: user
} do
configure_enterprise_plan(user)
insert(:subscription,
user: user,
status: Subscription.Status.past_due(),
paddle_plan_id: @configured_enterprise_plan_paddle_plan_id
)
doc =
conn
|> get(Routes.auth_path(conn, :user_settings))
|> html_response(200)
refute element_exists?(doc, "#upgrade-or-change-plan-link")
end
test "/billing/choose-plan link does not show up when enterprise subscription is paused", %{
conn: conn,
user: user
} do
configure_enterprise_plan(user)
insert(:subscription,
user: user,
status: Subscription.Status.paused(),
paddle_plan_id: @configured_enterprise_plan_paddle_plan_id
)
doc =
conn
|> get(Routes.auth_path(conn, :user_settings))
|> html_response(200)
refute element_exists?(doc, "#upgrade-or-change-plan-link")
end
@tag :ee_only
test "renders two links to '/billing/choose-plan' with the text 'Upgrade' for a configured enterprise plan",
%{conn: conn, user: user} do
configure_enterprise_plan(user)
doc =
get(conn, "/settings")
|> html_response(200)
upgrade_link_1 = find(doc, "#monthly-quota-box a")
upgrade_link_2 = find(doc, "#upgrade-link-2")
assert text(upgrade_link_1) == "Upgrade"
assert text_of_attr(upgrade_link_1, "href") ==
Routes.billing_path(conn, :choose_plan)
assert text(upgrade_link_2) == "Upgrade"
assert text_of_attr(upgrade_link_2, "href") ==
Routes.billing_path(conn, :choose_plan)
end
@tag :ee_only
test "links to '/billing/choose-plan' with the text 'Change plan' for a configured enterprise plan with an existing subscription + renders cancel button",
%{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: @v3_plan_id, user: user)
configure_enterprise_plan(user)
doc =
get(conn, "/settings")
|> html_response(200)
refute element_exists?(doc, "#upgrade-link-2")
assert doc =~ "Cancel my subscription"
change_plan_link = find(doc, "#monthly-quota-box a")
assert text(change_plan_link) == "Change plan"
assert text_of_attr(change_plan_link, "href") ==
Routes.billing_path(conn, :choose_plan)
end
@tag :ee_only
Limit grandfathering to *active* subscribers and trials (#3524) * refactor asserting plan generation in plans_test.exs * stop grandfathering old expired trials For users who registered before the business tiers release, we want to offer a chance to subscribe to a grandfathered plan. However, if they let their trial expire and don't subscribe in the next 10 days, they'll lose that opportunity. * stop grandfathering expired subscriptions * remove default title and icon from Generic.notice * fix bug with dismissable notice classList is null when dismissable_id is not given * alias Plausible.Auth.User * Refactor Generic.notice component Make it easy to apply different colors * move subscription_cancelled_notice across the app And remove from user settings > subscription box. Also, include a note about losing grandfathered status when letting the subscription expire. * allow full width in Generic.notice * use Generic.notice for subscription_past_due_notice * use Generic.notice for subscription_paused_notice * prevent two notices clashing into each other with gap-y-2 * define attrs for phx components * optimize for light mode * make subscription cancelled notice dismissable but if it's dismiss, show it in the place where it was before in the account settings > subscription box * make function private * replace function doc with regular comment to avoid compile warning * use array for classnames Co-authored-by: Vinicius Brasil <vini@hey.com> * fix typos in function doc --------- Co-authored-by: Vinicius Brasil <vini@hey.com>
2023-11-16 18:40:50 +03:00
test "renders cancelled subscription notice", %{conn: conn, user: user} do
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
status: :deleted,
next_bill_date: ~D[2023-01-01]
)
notice_text =
get(conn, "/settings")
|> html_response(200)
|> text_of_element("#global-subscription-cancelled-notice")
assert notice_text =~ "Subscription cancelled"
assert notice_text =~ "Upgrade your subscription to get access to your stats again"
end
@tag :ee_only
test "renders cancelled subscription notice with some subscription days still left", %{
conn: conn,
user: user
} do
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
status: :deleted,
next_bill_date: Timex.shift(Timex.today(), days: 10)
)
notice_text =
get(conn, "/settings")
|> html_response(200)
|> text_of_element("#global-subscription-cancelled-notice")
assert notice_text =~ "Subscription cancelled"
assert notice_text =~ "You have access to your stats until"
assert notice_text =~ "Upgrade your subscription to make sure you don't lose access"
end
@tag :ee_only
test "renders cancelled subscription notice with a warning about losing grandfathering", %{
conn: conn,
user: user
} do
insert(:subscription,
paddle_plan_id: @v3_plan_id,
user: user,
status: :deleted,
next_bill_date: Timex.shift(Timex.today(), days: 10)
)
notice_text =
get(conn, "/settings")
|> html_response(200)
|> text_of_element("#global-subscription-cancelled-notice")
assert notice_text =~ "Subscription cancelled"
assert notice_text =~ "You have access to your stats until"
assert notice_text =~
"by letting your subscription expire, you lose access to our grandfathered terms"
end
@tag :ee_only
test "shows invoices for subscribed user", %{conn: conn, user: user} do
insert(:subscription,
paddle_plan_id: "558018",
paddle_subscription_id: "redundant",
user: user
)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "Dec 24, 2020"
assert html_response(conn, 200) =~ "€11.11"
assert html_response(conn, 200) =~ "Nov 24, 2020"
assert html_response(conn, 200) =~ "$22.00"
end
@tag :ee_only
test "shows 'something went wrong' on failed invoice request", %{conn: conn, user: user} do
insert(:subscription,
paddle_plan_id: "558018",
paddle_subscription_id: "invalid_subscription_id",
user: user
)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "Invoices"
assert html_response(conn, 200) =~ "Something went wrong"
end
test "does not show invoice section for a user with no subscription", %{conn: conn} do
conn = get(conn, "/settings")
refute html_response(conn, 200) =~ "Invoices"
end
test "does not show invoice section for a free subscription", %{conn: conn, user: user} do
Plausible.Billing.Subscription.free(%{user_id: user.id, currency_code: "EUR"})
|> Repo.insert!()
conn = get(conn, "/settings")
refute html_response(conn, 200) =~ "Invoices"
end
@tag :ee_only
test "renders pageview usage for current, last, and penultimate billing cycles", %{
conn: conn,
user: user
} do
site = insert(:site, members: [user])
populate_stats(site, [
build(:event, name: "pageview", timestamp: Timex.shift(Timex.now(), days: -5)),
build(:event, name: "customevent", timestamp: Timex.shift(Timex.now(), days: -20)),
build(:event, name: "pageview", timestamp: Timex.shift(Timex.now(), days: -50)),
build(:event, name: "customevent", timestamp: Timex.shift(Timex.now(), days: -50))
])
last_bill_date = Timex.shift(Timex.today(), days: -10)
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
status: :deleted,
last_bill_date: last_bill_date
)
doc = get(conn, "/settings") |> html_response(200)
assert text_of_element(doc, "#billing_cycle_tab_current_cycle") =~
Date.range(
last_bill_date,
Timex.shift(last_bill_date, months: 1, days: -1)
)
|> PlausibleWeb.TextHelpers.format_date_range()
assert text_of_element(doc, "#billing_cycle_tab_last_cycle") =~
Date.range(
Timex.shift(last_bill_date, months: -1),
Timex.shift(last_bill_date, days: -1)
)
|> PlausibleWeb.TextHelpers.format_date_range()
assert text_of_element(doc, "#billing_cycle_tab_penultimate_cycle") =~
Date.range(
Timex.shift(last_bill_date, months: -2),
Timex.shift(last_bill_date, months: -1, days: -1)
)
|> PlausibleWeb.TextHelpers.format_date_range()
assert text_of_element(doc, "#total_pageviews_current_cycle") =~
"Total billable pageviews 1"
assert text_of_element(doc, "#pageviews_current_cycle") =~ "Pageviews 1"
assert text_of_element(doc, "#custom_events_current_cycle") =~ "Custom events 0"
assert text_of_element(doc, "#total_pageviews_last_cycle") =~
"Total billable pageviews 1 / 10,000"
assert text_of_element(doc, "#pageviews_last_cycle") =~ "Pageviews 0"
assert text_of_element(doc, "#custom_events_last_cycle") =~ "Custom events 1"
assert text_of_element(doc, "#total_pageviews_penultimate_cycle") =~
"Total billable pageviews 2 / 10,000"
assert text_of_element(doc, "#pageviews_penultimate_cycle") =~ "Pageviews 1"
assert text_of_element(doc, "#custom_events_penultimate_cycle") =~ "Custom events 1"
end
@tag :ee_only
test "renders pageview usage per billing cycle for active subscribers", %{
conn: conn,
user: user
} do
assert_cycles_rendered = fn doc ->
refute element_exists?(doc, "#total_pageviews_last_30_days")
assert element_exists?(doc, "#total_pageviews_current_cycle")
assert element_exists?(doc, "#total_pageviews_last_cycle")
assert element_exists?(doc, "#total_pageviews_penultimate_cycle")
end
# for an active subscription
subscription =
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
status: :active,
last_bill_date: Timex.shift(Timex.now(), months: -6)
)
get(conn, "/settings") |> html_response(200) |> assert_cycles_rendered.()
# for a past_due subscription
subscription =
subscription
|> Plausible.Billing.Subscription.changeset(%{status: :past_due})
|> Repo.update!()
get(conn, "/settings") |> html_response(200) |> assert_cycles_rendered.()
# for a deleted (but not expired) subscription
subscription
|> Plausible.Billing.Subscription.changeset(%{
status: :deleted,
next_bill_date: Timex.shift(Timex.now(), months: 6)
})
|> Repo.update!()
get(conn, "/settings") |> html_response(200) |> assert_cycles_rendered.()
end
@tag :ee_only
test "penultimate cycle is disabled if there's no usage", %{conn: conn, user: user} do
site = insert(:site, members: [user])
populate_stats(site, [
build(:event, name: "pageview", timestamp: Timex.shift(Timex.now(), days: -5)),
build(:event, name: "customevent", timestamp: Timex.shift(Timex.now(), days: -20))
])
last_bill_date = Timex.shift(Timex.today(), days: -10)
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
last_bill_date: last_bill_date
)
doc = get(conn, "/settings") |> html_response(200)
assert text_of_attr(find(doc, "#monthly_pageview_usage_container"), "x-data") ==
"{ tab: 'current_cycle' }"
assert class_of_element(doc, "#billing_cycle_tab_penultimate_cycle button") =~
"pointer-events-none"
assert text_of_element(doc, "#billing_cycle_tab_penultimate_cycle") =~ "Not available"
end
@tag :ee_only
test "penultimate and last cycles are both disabled if there's no usage", %{
conn: conn,
user: user
} do
site = insert(:site, members: [user])
populate_stats(site, [
build(:event, name: "pageview", timestamp: Timex.shift(Timex.now(), days: -5))
])
last_bill_date = Timex.shift(Timex.today(), days: -10)
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
last_bill_date: last_bill_date
)
doc = get(conn, "/settings") |> html_response(200)
assert text_of_attr(find(doc, "#monthly_pageview_usage_container"), "x-data") ==
"{ tab: 'current_cycle' }"
assert class_of_element(doc, "#billing_cycle_tab_last_cycle button") =~
"pointer-events-none"
assert text_of_element(doc, "#billing_cycle_tab_last_cycle") =~ "Not available"
assert class_of_element(doc, "#billing_cycle_tab_penultimate_cycle button") =~
"pointer-events-none"
assert text_of_element(doc, "#billing_cycle_tab_penultimate_cycle") =~ "Not available"
end
@tag :ee_only
test "when last cycle usage is 0, it's still not disabled if penultimate cycle has usage", %{
conn: conn,
user: user
} do
site = insert(:site, members: [user])
populate_stats(site, [
build(:event, name: "pageview", timestamp: Timex.shift(Timex.now(), days: -5)),
build(:event, name: "pageview", timestamp: Timex.shift(Timex.now(), days: -50))
])
last_bill_date = Timex.shift(Timex.today(), days: -10)
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
last_bill_date: last_bill_date
)
doc = get(conn, "/settings") |> html_response(200)
assert text_of_attr(find(doc, "#monthly_pageview_usage_container"), "x-data") ==
"{ tab: 'current_cycle' }"
refute class_of_element(doc, "#billing_cycle_tab_last_cycle") =~ "pointer-events-none"
refute text_of_element(doc, "#billing_cycle_tab_last_cycle") =~ "Not available"
refute class_of_element(doc, "#billing_cycle_tab_penultimate_cycle") =~
"pointer-events-none"
refute text_of_element(doc, "#billing_cycle_tab_penultimate_cycle") =~ "Not available"
end
@tag :ee_only
test "renders last 30 days pageview usage for trials and non-active/free_10k subscriptions",
%{
conn: conn,
user: user
} do
site = insert(:site, members: [user])
populate_stats(site, [
build(:event, name: "pageview", timestamp: Timex.shift(Timex.now(), days: -1)),
build(:event, name: "customevent", timestamp: Timex.shift(Timex.now(), days: -10)),
build(:event, name: "customevent", timestamp: Timex.shift(Timex.now(), days: -20))
])
assert_usage = fn doc ->
refute element_exists?(doc, "#total_pageviews_current_cycle")
assert text_of_element(doc, "#total_pageviews_last_30_days") =~
"Total billable pageviews (last 30 days) 3"
assert text_of_element(doc, "#pageviews_last_30_days") =~ "Pageviews 1"
assert text_of_element(doc, "#custom_events_last_30_days") =~ "Custom events 2"
end
# for a trial user
get(conn, "/settings") |> html_response(200) |> assert_usage.()
# for an expired subscription
subscription =
insert(:subscription,
paddle_plan_id: @v4_plan_id,
user: user,
status: :deleted,
last_bill_date: ~D[2022-01-01],
next_bill_date: ~D[2022-02-01]
)
get(conn, "/settings") |> html_response(200) |> assert_usage.()
# for a paused subscription
subscription =
subscription
|> Plausible.Billing.Subscription.changeset(%{status: :paused})
|> Repo.update!()
get(conn, "/settings") |> html_response(200) |> assert_usage.()
# for a free_10k subscription (without a `last_bill_date`)
Repo.delete!(subscription)
Plausible.Billing.Subscription.free(%{user_id: user.id})
|> Repo.insert!()
get(conn, "/settings") |> html_response(200) |> assert_usage.()
end
@tag :ee_only
test "renders sites usage and limit", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: @v3_plan_id, user: user)
insert(:site, members: [user])
site_usage_row_text =
conn
|> get("/settings")
|> html_response(200)
|> text_of_element("#site-usage-row")
assert site_usage_row_text =~ "Owned sites 1 / 50"
end
@tag :ee_only
test "renders team members usage and limit", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: @v4_plan_id, user: user)
team_member_usage_row_text =
conn
|> get("/settings")
|> html_response(200)
|> text_of_element("#team-member-usage-row")
assert team_member_usage_row_text =~ "Team members 0 / 3"
end
@tag :ee_only
test "renders team member usage without limit if it's unlimited", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: @v3_plan_id, user: user)
team_member_usage_row_text =
conn
|> get("/settings")
|> html_response(200)
|> text_of_element("#team-member-usage-row")
assert team_member_usage_row_text == "Team members 0"
end
test "renders 2FA section in disabled state", %{conn: conn} do
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "Enable 2FA"
end
test "renders 2FA in enabled state", %{conn: conn, user: user} do
{:ok, user, _} = Auth.TOTP.initiate(user)
{:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "Disable 2FA"
end
end
describe "PUT /settings" do
setup [:create_user, :log_in]
test "updates user record", %{conn: conn, user: user} do
put(conn, "/settings", %{"user" => %{"name" => "New name"}})
user = Plausible.Repo.get(Plausible.Auth.User, user.id)
assert user.name == "New name"
end
test "does not allow setting non-profile fields", %{conn: conn, user: user} do
expiry_date = user.trial_expiry_date
assert %Date{} = expiry_date
put(conn, "/settings", %{
"user" => %{"name" => "New name", "trial_expiry_date" => "2023-07-14"}
})
assert Repo.reload!(user).trial_expiry_date == expiry_date
end
test "redirects user to /settings", %{conn: conn} do
conn = put(conn, "/settings", %{"user" => %{"name" => "New name"}})
assert redirected_to(conn, 302) == "/settings"
end
test "renders form with error if form validations fail", %{conn: conn} do
conn = put(conn, "/settings", %{"user" => %{"name" => ""}})
assert html_response(conn, 200) =~ "can&#39;t be blank"
end
end
describe "PUT /settings/email" do
setup [:create_user, :log_in]
test "updates email and forces reverification", %{conn: conn, user: user} do
password = "very-long-very-secret-123"
user
|> User.set_password(password)
|> Repo.update!()
assert user.email_verified
conn =
put(conn, "/settings/email", %{
"user" => %{"email" => "new" <> user.email, "password" => password}
})
assert redirected_to(conn, 302) == Routes.auth_path(conn, :activate)
updated_user = Repo.reload!(user)
assert updated_user.email == "new" <> user.email
assert updated_user.previous_email == user.email
refute updated_user.email_verified
assert_delivered_email_matches(%{to: [{_, user_email}], subject: subject})
assert user_email == updated_user.email
assert subject =~ "is your Plausible email verification code"
end
test "renders an error on third change attempt (allows 2 per hour)", %{conn: conn, user: user} do
payload = %{
"user" => %{"email" => "new" <> user.email, "password" => "badpass"}
}
resp1 = conn |> put("/settings/email", payload) |> html_response(200)
assert resp1 =~ "is invalid"
refute resp1 =~ "too many requests, try again in an hour"
resp2 = conn |> put("/settings/email", payload) |> html_response(200)
assert resp2 =~ "is invalid"
refute resp2 =~ "too many requests, try again in an hour"
resp3 = conn |> put("/settings/email", payload) |> html_response(200)
assert resp3 =~ "is invalid"
assert resp3 =~ "too many requests, try again in an hour"
end
test "renders form with error on no fields filled", %{conn: conn} do
conn = put(conn, "/settings/email", %{"user" => %{}})
assert html_response(conn, 200) =~ "can&#39;t be blank"
end
test "renders form with error on invalid password", %{conn: conn, user: user} do
conn =
put(conn, "/settings/email", %{
"user" => %{"password" => "invalid", "email" => "new" <> user.email}
})
assert html_response(conn, 200) =~ "is invalid"
end
test "renders form with error on already taken email", %{conn: conn, user: user} do
other_user = insert(:user)
password = "very-long-very-secret-123"
user
|> User.set_password(password)
|> Repo.update!()
conn =
put(conn, "/settings/email", %{
"user" => %{"password" => password, "email" => other_user.email}
})
assert html_response(conn, 200) =~ "has already been taken"
end
test "renders form with error when email is identical with the current one", %{
conn: conn,
user: user
} do
password = "very-long-very-secret-123"
user
|> User.set_password(password)
|> Repo.update!()
conn =
put(conn, "/settings/email", %{
"user" => %{"password" => password, "email" => user.email}
})
assert html_response(conn, 200) =~ "can&#39;t be the same"
end
end
describe "POST /settings/email/cancel" do
setup [:create_user, :log_in]
test "cancels email reverification in progress", %{conn: conn, user: user} do
user =
user
|> Ecto.Changeset.change(
email_verified: false,
email: "new" <> user.email,
previous_email: user.email
)
|> Repo.update!()
conn = post(conn, "/settings/email/cancel")
assert redirected_to(conn, 302) ==
Routes.auth_path(conn, :user_settings) <> "#change-email-address"
updated_user = Repo.reload!(user)
assert updated_user.email_verified
assert updated_user.email == user.previous_email
refute updated_user.previous_email
end
test "fails to cancel reverification when previous email is already retaken", %{
conn: conn,
user: user
} do
user =
user
|> Ecto.Changeset.change(
email_verified: false,
email: "new" <> user.email,
previous_email: user.email
)
|> Repo.update!()
_other_user = insert(:user, email: user.previous_email)
conn = post(conn, "/settings/email/cancel")
assert redirected_to(conn, 302) == Routes.auth_path(conn, :activate_form)
assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
"Could not cancel email update"
end
test "crashes when previous email is empty on cancel (should not happen)", %{
conn: conn,
user: user
} do
user
|> Ecto.Changeset.change(
email_verified: false,
email: "new" <> user.email,
previous_email: nil
)
|> Repo.update!()
assert_raise RuntimeError, ~r/Previous email is empty for user/, fn ->
post(conn, "/settings/email/cancel")
end
end
end
describe "DELETE /me" do
setup [:create_user, :log_in, :create_new_site]
use Plausible.Repo
test "deletes the user", %{conn: conn, user: user, site: site} do
Repo.insert_all("intro_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
Repo.insert_all("feedback_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
Repo.insert_all("create_site_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
Repo.insert_all("check_stats_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
Repo.insert_all("sent_renewal_notifications", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
insert(:google_auth, site: site, user: user)
insert(:subscription, user: user, status: Subscription.Status.deleted())
insert(:subscription, user: user, status: Subscription.Status.active())
conn = delete(conn, "/me")
assert redirected_to(conn) == "/"
assert Repo.reload(site) == nil
assert Repo.reload(user) == nil
assert Repo.all(Plausible.Billing.Subscription) == []
end
test "deletes sites that the user owns", %{conn: conn, user: user, site: owner_site} do
viewer_site = insert(:site)
insert(:site_membership, site: viewer_site, user: user, role: "viewer")
delete(conn, "/me")
assert Repo.get(Plausible.Site, viewer_site.id)
refute Repo.get(Plausible.Site, owner_site.id)
end
end
describe "POST /settings/api-keys" do
setup [:create_user, :log_in]
import Ecto.Query
test "can create an API key", %{conn: conn, user: user} do
insert(:site, memberships: [build(:site_membership, user: user, role: "owner")])
conn =
post(conn, "/settings/api-keys", %{
"api_key" => %{
"user_id" => user.id,
"name" => "all your code are belong to us",
"key" => "swordfish"
}
})
key = Plausible.Auth.ApiKey |> where(user_id: ^user.id) |> Repo.one()
assert conn.status == 302
assert key.name == "all your code are belong to us"
end
test "cannot create a duplicate API key", %{conn: conn, user: user} do
insert(:site, memberships: [build(:site_membership, user: user, role: "owner")])
conn =
post(conn, "/settings/api-keys", %{
"api_key" => %{
"user_id" => user.id,
"name" => "all your code are belong to us",
"key" => "swordfish"
}
})
conn2 =
post(conn, "/settings/api-keys", %{
"api_key" => %{
"user_id" => user.id,
"name" => "all your code are belong to us",
"key" => "swordfish"
}
})
assert html_response(conn2, 200) =~ "has already been taken"
end
test "can't create api key into another site", %{conn: conn, user: me} do
_my_site = insert(:site, memberships: [build(:site_membership, user: me, role: "owner")])
other_user = insert(:user)
_other_site =
insert(:site, memberships: [build(:site_membership, user: other_user, role: "owner")])
      conn =
        post(conn, "/settings/api-keys", %{
          "api_key" => %{
            "user_id" => other_user.id,
            "name" => "all your code are belong to us",
            "key" => "swordfish"
          }
        })

      assert conn.status == 302
      refute Plausible.Auth.ApiKey |> where(user_id: ^other_user.id) |> Repo.one()
    end
  end

  describe "DELETE /settings/api-keys/:id" do
    setup [:create_user, :log_in]
    alias Plausible.Auth.ApiKey

    test "can't delete api key that doesn't belong to me", %{conn: conn} do
      other_user = insert(:user)
      insert(:site, memberships: [build(:site_membership, user: other_user, role: "owner")])
      assert {:ok, %ApiKey{} = api_key} =
               %ApiKey{user_id: other_user.id}
               |> ApiKey.changeset(%{"name" => "other user's key"})
               |> Repo.insert()

      conn = delete(conn, "/settings/api-keys/#{api_key.id}")
      assert Phoenix.Flash.get(conn.assigns.flash, :error) == "Could not find API Key to delete"
      assert Repo.get(ApiKey, api_key.id)
    end
  end

  describe "GET /auth/google/callback" do
    test "shows error and redirects back to settings when authentication fails", %{conn: conn} do
      site = insert(:site)
      callback_params = %{"error" => "access_denied", "state" => "[#{site.id},\"import\"]"}

      conn = get(conn, Routes.auth_path(conn, :google_auth_callback), callback_params)
      assert redirected_to(conn, 302) ==
               Routes.site_path(conn, :settings_imports_exports, site.domain)

      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
               "unable to authenticate your Google Analytics"
    end
  end
  describe "POST /2fa/setup/initiate" do
    setup [:create_user, :log_in]

    test "initiates setup rendering QR and human friendly versions of secret", %{
      conn: conn,
      user: user
    } do
      conn = post(conn, Routes.auth_path(conn, :initiate_2fa_setup))

      secret = Base.encode32(Repo.reload!(user).totp_secret)

      assert html = html_response(conn, 200)
      assert element_exists?(html, "svg")
      assert html =~ secret
    end

    test "redirects back to settings if 2FA is already setup", %{conn: conn, user: user} do
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = post(conn, Routes.auth_path(conn, :initiate_2fa_setup))

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :user_settings) <> "#setup-2fa"

      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
               "Two-Factor Authentication is already setup"
    end
  end

  describe "GET /2fa/setup/verify" do
    setup [:create_user, :log_in]

    test "renders form when 2FA setup is initiated", %{conn: conn, user: user} do
      {:ok, _, _} = Auth.TOTP.initiate(user)

      conn = get(conn, Routes.auth_path(conn, :verify_2fa_setup))

      assert html = html_response(conn, 200)

      assert text_of_attr(html, "form#verify-2fa-form", "action") ==
               Routes.auth_path(conn, :verify_2fa_setup)

      assert element_exists?(html, "input[name=code]")

      assert text_of_attr(html, "form#start-over-form", "action") ==
               Routes.auth_path(conn, :initiate_2fa_setup)
    end

    test "redirects back to settings if 2FA not initiated", %{conn: conn} do
      conn = get(conn, Routes.auth_path(conn, :verify_2fa_setup))

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :user_settings) <> "#setup-2fa"
    end
  end

  describe "POST /2fa/setup/verify" do
    setup [:create_user, :log_in]

    test "enables 2FA and renders recovery codes when valid code provided", %{
      conn: conn,
      user: user
    } do
      {:ok, user, _} = Auth.TOTP.initiate(user)
      code = NimbleTOTP.verification_code(user.totp_secret)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa_setup), %{code: code})

      assert html = html_response(conn, 200)
      assert list = [_ | _] = find(html, "#recovery-codes-list > *")
      assert length(list) == 10

      assert user |> Repo.reload!() |> Auth.TOTP.enabled?()
    end

    test "renders error on invalid code provided", %{conn: conn, user: user} do
      {:ok, _, _} = Auth.TOTP.initiate(user)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa_setup), %{code: "invalid"})

      assert html_response(conn, 200)

      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
               "The provided code is invalid."
    end

    test "redirects to settings when 2FA is not initiated", %{conn: conn} do
      conn = post(conn, Routes.auth_path(conn, :verify_2fa_setup), %{code: "123123"})

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :user_settings) <> "#setup-2fa"

      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
               "Please enable Two-Factor Authentication"
    end
  end

  describe "POST /2fa/disable" do
    setup [:create_user, :log_in]

    test "disables 2FA when valid password provided", %{conn: conn, user: user} do
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = post(conn, Routes.auth_path(conn, :disable_2fa), %{password: "password"})

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :user_settings) <> "#setup-2fa"

      assert Phoenix.Flash.get(conn.assigns.flash, :success) =~
               "Two-Factor Authentication is disabled"

      refute user |> Repo.reload!() |> Auth.TOTP.enabled?()
    end

    test "renders error when invalid password provided", %{conn: conn, user: user} do
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = post(conn, Routes.auth_path(conn, :disable_2fa), %{password: "invalid"})

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :user_settings) <> "#setup-2fa"
      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~ "Incorrect password provided"
    end
  end

  describe "POST /2fa/recovery_codes" do
    setup [:create_user, :log_in]

    test "generates new recovery codes when valid password provided", %{conn: conn, user: user} do
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn =
        post(conn, Routes.auth_path(conn, :generate_2fa_recovery_codes), %{password: "password"})

      assert html = html_response(conn, 200)
      assert list = [_ | _] = find(html, "#recovery-codes-list > *")
      assert length(list) == 10
    end

    test "renders error when invalid password provided", %{conn: conn, user: user} do
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn =
        post(conn, Routes.auth_path(conn, :generate_2fa_recovery_codes), %{password: "invalid"})

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :user_settings) <> "#setup-2fa"
      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~ "Incorrect password provided"
    end

    test "renders error when 2FA is not enabled", %{conn: conn} do
      conn =
        post(conn, Routes.auth_path(conn, :generate_2fa_recovery_codes), %{password: "password"})

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :user_settings) <> "#setup-2fa"

      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
               "Please enable Two-Factor Authentication"
    end
  end

  describe "GET /2fa/verify" do
    test "renders verification form when 2FA session present", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      conn = get(conn, Routes.auth_path(conn, :verify_2fa_form))

      assert html = html_response(conn, 200)
      assert text_of_attr(html, "form", "action") == Routes.auth_path(conn, :verify_2fa)
      assert element_exists?(html, "input[name=code]")
      assert element_exists?(html, "input[name=remember_2fa]")

      assert element_exists?(
               html,
               "a[href='#{Routes.auth_path(conn, :verify_2fa_recovery_code_form)}']"
             )
    end

    test "redirects to login when cookie not found", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = get(conn, Routes.auth_path(conn, :verify_2fa_form))

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :login_form)
    end

    test "redirects to login when 2FA not enabled", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      # disable it again before requesting the form
      {:ok, _} = Auth.TOTP.disable(user, "password")

      conn = get(conn, Routes.auth_path(conn, :verify_2fa_form))

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :login_form)
    end
  end

  describe "POST /2fa/verify" do
    test "redirects to sites when code verification succeeds", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      code = NimbleTOTP.verification_code(user.totp_secret)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa), %{code: code})

      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert get_session(conn)["current_user_id"] == user.id

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0

      # Remember cookie unset
      assert conn.resp_cookies["remember_2fa"].max_age == 0
    end

    test "redirects to login_dest when set", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn =
        conn
        |> init_session()
        |> put_session(:login_dest, "/settings")

      conn = login_with_cookie(conn, user.email, "password")

      code = NimbleTOTP.verification_code(user.totp_secret)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa), %{code: code})

      assert redirected_to(conn, 302) == "/settings"
    end

    test "sets remember cookie when device trusted", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      code = NimbleTOTP.verification_code(user.totp_secret)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa), %{code: code, remember_2fa: "true"})

      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert get_session(conn)["current_user_id"] == user.id

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0

      # Remember cookie set
      assert conn.resp_cookies["remember_2fa"].max_age > 0
    end

    test "overwrites rogue remember cookie when device trusted", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      # a remember cookie carrying another user's token must not survive verification
      another_user = insert(:user, totp_token: "different_token")
      conn = set_remember_2fa_cookie(conn, another_user)

      code = NimbleTOTP.verification_code(user.totp_secret)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa), %{code: code, remember_2fa: "true"})

      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert get_session(conn)["current_user_id"] == user.id

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0

      # Remember cookie set
      assert conn.resp_cookies["remember_2fa"].max_age > 0
      assert fetch_cookies(conn).cookies["remember_2fa"] == user.totp_token
    end

    test "clears rogue remember cookie when device _not_ trusted", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      another_user = insert(:user, totp_token: "different_token")
      conn = set_remember_2fa_cookie(conn, another_user)

      code = NimbleTOTP.verification_code(user.totp_secret)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa), %{code: code})

      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert get_session(conn)["current_user_id"] == user.id

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0

      # Remember cookie cleared
      assert conn.resp_cookies["remember_2fa"].max_age == 0
    end

    test "returns error on invalid code", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      conn = post(conn, Routes.auth_path(conn, :verify_2fa), %{code: "invalid"})

      assert html_response(conn, 200)

      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
               "The provided code is invalid"
    end

    test "redirects to login when cookie not found", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      code = NimbleTOTP.verification_code(user.totp_secret)

      conn = post(conn, Routes.auth_path(conn, :verify_2fa, %{code: code}))

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :login_form)
    end

    test "passes through when 2FA is disabled", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      code = NimbleTOTP.verification_code(user.totp_secret)

      {:ok, _} = Auth.TOTP.disable(user, "password")

      conn = post(conn, Routes.auth_path(conn, :verify_2fa), %{code: code})

      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert get_session(conn)["current_user_id"] == user.id

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0
    end

    test "limits verification attempts to 5 per minute", %{conn: conn} do
      user = insert(:user, email: "ratio#{Ecto.UUID.generate()}@example.com")

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      conn
      |> put_req_header("x-forwarded-for", "1.1.1.1")
      |> post(Routes.auth_path(conn, :verify_2fa), %{code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.1.1.1")
      |> post(Routes.auth_path(conn, :verify_2fa), %{code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.1.1.1")
      |> post(Routes.auth_path(conn, :verify_2fa), %{code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.1.1.1")
      |> post(Routes.auth_path(conn, :verify_2fa), %{code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.1.1.1")
      |> post(Routes.auth_path(conn, :verify_2fa), %{code: "invalid"})

      # sixth attempt within the window hits the limit
      conn =
        conn
        |> put_req_header("x-forwarded-for", "1.1.1.1")
        |> post(Routes.auth_path(conn, :verify_2fa), %{code: "invalid"})

      assert get_session(conn, :current_user_id) == nil

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0

      assert html_response(conn, 429) =~ "Too many login attempts"
    end
  end

  describe "GET /2fa/use_recovery_code" do
    test "renders recovery verification form when 2FA session present", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      conn = get(conn, Routes.auth_path(conn, :verify_2fa_recovery_code_form))

      assert html = html_response(conn, 200)

      assert text_of_attr(html, "form", "action") ==
               Routes.auth_path(conn, :verify_2fa_recovery_code)

      assert element_exists?(html, "input[name=recovery_code]")
      assert element_exists?(html, "a[href='#{Routes.auth_path(conn, :verify_2fa_form)}']")
    end

    test "redirects to login when cookie not found", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = get(conn, Routes.auth_path(conn, :verify_2fa_recovery_code_form))

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :login_form)
    end

    test "redirects to login when 2FA not enabled", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      # disable it again before requesting the form
      {:ok, _} = Auth.TOTP.disable(user, "password")

      conn = get(conn, Routes.auth_path(conn, :verify_2fa_recovery_code_form))

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :login_form)
    end
  end

  describe "POST /2fa/use_recovery_code" do
    test "redirects to sites when recovery code verification succeeds", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, %{recovery_codes: [recovery_code | _]}} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      conn =
        post(conn, Routes.auth_path(conn, :verify_2fa_recovery_code), %{
          recovery_code: recovery_code
        })

      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert get_session(conn)["current_user_id"] == user.id

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0
    end

    test "returns error on invalid recovery code", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      conn =
        post(conn, Routes.auth_path(conn, :verify_2fa_recovery_code), %{recovery_code: "invalid"})

      assert html_response(conn, 200)

      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
               "The provided recovery code is invalid"
    end

    test "redirects to login when cookie not found", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, _, %{recovery_codes: [recovery_code | _]}} = Auth.TOTP.enable(user, :skip_verify)

      conn =
        post(
          conn,
          Routes.auth_path(conn, :verify_2fa_recovery_code, %{recovery_code: recovery_code})
        )

      assert redirected_to(conn, 302) == Routes.auth_path(conn, :login_form)
    end

    test "passes through when 2FA is disabled", %{conn: conn} do
      user = insert(:user)

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, %{recovery_codes: [recovery_code | _]}} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      {:ok, _} = Auth.TOTP.disable(user, "password")

      conn =
        post(conn, Routes.auth_path(conn, :verify_2fa_recovery_code), %{
          recovery_code: recovery_code
        })

      assert redirected_to(conn, 302) == Routes.site_path(conn, :index)
      assert get_session(conn)["current_user_id"] == user.id

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0
    end

    test "limits verification attempts to 5 per minute", %{conn: conn} do
      user = insert(:user, email: "ratio#{Ecto.UUID.generate()}@example.com")

      # enable 2FA
      {:ok, user, _} = Auth.TOTP.initiate(user)
      {:ok, user, _} = Auth.TOTP.enable(user, :skip_verify)

      conn = login_with_cookie(conn, user.email, "password")

      conn
      |> put_req_header("x-forwarded-for", "1.2.3.4")
      |> post(Routes.auth_path(conn, :verify_2fa_recovery_code), %{recovery_code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.2.3.4")
      |> post(Routes.auth_path(conn, :verify_2fa_recovery_code), %{recovery_code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.2.3.4")
      |> post(Routes.auth_path(conn, :verify_2fa_recovery_code), %{recovery_code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.2.3.4")
      |> post(Routes.auth_path(conn, :verify_2fa_recovery_code), %{recovery_code: "invalid"})

      conn
      |> put_req_header("x-forwarded-for", "1.2.3.4")
      |> post(Routes.auth_path(conn, :verify_2fa_recovery_code), %{recovery_code: "invalid"})

      # sixth attempt within the window hits the limit
      conn =
        conn
        |> put_req_header("x-forwarded-for", "1.2.3.4")
        |> post(Routes.auth_path(conn, :verify_2fa_recovery_code), %{recovery_code: "invalid"})

      assert get_session(conn, :current_user_id) == nil

      # 2FA session terminated
      assert conn.resp_cookies["session_2fa"].max_age == 0

      assert html_response(conn, 429) =~ "Too many login attempts"
    end
  end

  # Logs in via the real login action and recycles the conn so the issued
  # session/2FA cookies are sent back on the next request.
  defp login_with_cookie(conn, email, password) do
    conn
    |> post(Routes.auth_path(conn, :login), %{
      email: email,
      password: password
    })
    |> recycle()
    |> Map.put(:secret_key_base, secret_key_base())
    |> Plug.Conn.put_req_header("x-forwarded-for", Plausible.TestUtils.random_ip())
  end

  defp set_remember_2fa_cookie(conn, user) do
    conn
    |> PlausibleWeb.TwoFactor.Session.maybe_set_remember_2fa(user, "true")
    |> recycle()
    |> Map.put(:secret_key_base, secret_key_base())
    |> Plug.Conn.put_req_header("x-forwarded-for", Plausible.TestUtils.random_ip())
  end

  defp mock_captcha_success() do
    mock_captcha(true)
  end

  defp mock_captcha_failure() do
    mock_captcha(false)
  end

  defp mock_captcha(success) do
    expect(
      Plausible.HTTPClient.Mock,
      :post,
      fn _, _, _ ->
        {:ok,
         %Finch.Response{
           status: 200,
           headers: [{"content-type", "application/json"}],
           body: %{"success" => success}
         }}
      end
    )
  end
  defp configure_enterprise_plan(user) do
    insert(:enterprise_plan,
      paddle_plan_id: @configured_enterprise_plan_paddle_plan_id,
      user: user,
      monthly_pageview_limit: 20_000_000,
      billing_interval: :yearly
    )
  end
  defp secret_key_base() do
    :plausible
    |> Application.fetch_env!(PlausibleWeb.Endpoint)
    |> Keyword.fetch!(:secret_key_base)
  end
end