From 648ba45fe988cbdac346fd7c73286c0d28eef913 Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Tue, 21 Jul 2015 10:09:58 -0300
Subject: [PATCH] api: added change password methods
---
 lib/noosfero/api/api.rb | 1 +
 lib/noosfero/api/helpers.rb | 9 ++++++++-
 lib/noosfero/api/session.rb | 39 +++++++++++++++++++++++++++++++++++++++
 test/unit/api/session_test.rb | 43 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+), 1 deletion(-)
diff --git a/lib/noosfero/api/api.rb b/lib/noosfero/api/api.rb
index 2d5fd60..b0d686f 100644
--- a/lib/noosfero/api/api.rb
+++ b/lib/noosfero/api/api.rb
@@ -29,6 +29,7 @@ module Noosfero
 before { setup_multitenancy }
 before { detect_stuff_by_domain }
 before { filter_disabled_plugins_endpoints }
+ before { init_noosfero_plugins }
 after { set_session_cookie }
 version 'v1'
diff --git a/lib/noosfero/api/helpers.rb b/lib/noosfero/api/helpers.rb
index 7aa2044..2eb7d3b 100644
--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -6,11 +6,18 @@
 DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
 include SanitizeParams
+ include Noosfero::Plugin::HotSpot
+ include ForgotPasswordHelper
 def set_locale
 I18n.locale = (params[:lang] || request.env['HTTP_ACCEPT_LANGUAGE'] || 'en')
 end
-
+
+ # FIXME this filter just loads @plugins
+ def init_noosfero_plugins
+ plugins
+ end
+
 def current_user
 private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
 @current_user ||= User.find_by_private_token(private_token)
diff --git a/lib/noosfero/api/session.rb b/lib/noosfero/api/session.rb
index 06a68ee..c11d417 100644
--- a/lib/noosfero/api/session.rb
+++ b/lib/noosfero/api/session.rb
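Review bot: The comment on `init_noosfero_plugins` in helpers.rb says FIXME without naming what is to be fixed, and the method body is a bare `plugins` call whose only visible purpose is its side effect. Because the api.rb hunk registers it as a `before` filter for every API request, the comment should state the intent, e.g. `# Before filter: calls #plugins (presumably from Noosfero::Plugin::HotSpot) so @plugins is populated for the request. FIXME: make this initialization explicit.` The same hunk mixes `ForgotPasswordHelper` into the shared API helpers, so its methods presumably become callable from every endpoint rather than only the session ones. The enclosing helper module starts outside the hunk, so its other members are not visible here.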
@@ -92,6 +92,45 @@ module Noosfero
 render_api_error!(_('Token is invalid'), 412)
 end
 end
+
+ # Request a new password.
+ #
+ # Parameters:
+ # value (required) - Email or login
+ # Example Request:
+ # POST /forgot_password?value=some@mail.com
+ post "/forgot_password" do
+ requestors = fetch_requestors(params[:value])
+ not_found! if requestors.blank?
+
+ requestors.each do |requestor|
+ ChangePassword.create!(:requestor => requestor)
+ end
+ end
+
+ params do
+ requires :code, type: String, desc: _("Forgot password code")
+ end
+ # Change password
+ #
+ # Parameters:
+ # code (required) - Change password code
+ # password (required)
+ # password_confirmation (required)
+ # Example Request:
+ # PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
+ patch "/new_password" do
+ change_password = ChangePassword.find_by_code(params[:code])
+ not_found! if change_password.nil?
+
+ if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
+ change_password.finish
+ present change_password.requestor.user, :with => Entities::UserLogin
+ else
+ something_wrong!
+ end
+ end
+
 end
 end
 end
diff --git a/test/unit/api/session_test.rb b/test/unit/api/session_test.rb
index 61736ab..0c99ad0 100644
--- a/test/unit/api/session_test.rb
+++ b/test/unit/api/session_test.rb
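Review bot: `POST /forgot_password` tells an unauthenticated caller whether a login or e-mail exists: it answers 404 when `fetch_requestors` finds nothing and succeeds otherwise, and since a Grape endpoint returns its block's last expression, the success body is presumably the matched `requestors` collection itself. Respond identically in both cases, for example by running the loop only `unless requestors.blank?` and ending the block with `status 202` followed by a fixed body such as `{ :success => true }`; the 404 assertion in session_test.rb would change with it. Nothing visible in the hunk throttles the endpoint, so each call creates a new `ChangePassword` task per matched requestor. In `/new_password`, only `code` is declared with `requires` although the comment lists `password` and `password_confirmation` as required, and the example request carries the code and password in the query string, where web servers and proxies commonly log them; declare all three and document sending them in the request body. The enclosing class starts outside the hunk.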
@@ -117,4 +117,47 @@ class SessionTest < ActiveSupport::TestCase
 assert_equal 412, last_response.status
 end
+ should 'create task to change password by user login' do
+ user = create_user
+ params = {:value => user.login}
+ assert_difference 'ChangePassword.count' do
+ post "/api/v1/forgot_password?#{params.to_query}"
+ end
+ end
+
+ should 'not create task to change password when user is not found' do
+ params = {:value => 'wronglogin'}
+ assert_no_difference 'ChangePassword.count' do
+ post "/api/v1/forgot_password?#{params.to_query}"
+ end
+ assert_equal 404, last_response.status
+ end
+
+ should 'change user password and close task' do
+ user = create_user
+ task = ChangePassword.create!(:requestor => user.person)
+ params = {:code => task.code, :password => 'secret', :password_confirmation => 'secret'}
+ patch "/api/v1/new_password?#{params.to_query}"
+ assert_equal Task::Status::FINISHED, task.reload.status
+ assert user.reload.authenticated?('secret')
+ json = JSON.parse(last_response.body)
+ assert_equal user.id, json['id']
+ end
+
+ should 'do not change user password when password confirmation is wrong' do
+ user = create_user
+ task = ChangePassword.create!(:requestor => user.person)
+ params = {:code => task.code, :password => 'secret', :password_confirmation => 's3cret'}
+ patch "/api/v1/new_password?#{params.to_query}"
+ assert_equal Task::Status::ACTIVE, task.reload.status
+ assert !user.reload.authenticated?('secret')
+ assert_equal 400, last_response.status
+ end
+
+ should 'render not found when provide a wrong code on password change' do
+ params = {:code => "wrongcode", :password => 'secret', :password_confirmation => 'secret'}
+ patch "/api/v1/new_password?#{params.to_query}"
+ assert_equal 404, last_response.status
+ end
+
 end
--
libgit2 0.21.2
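Review bot: No test uses a change-password code a second time, so nothing pins whether a code stays usable after `change_password.finish`. Add a case that repeats the PATCH with the same `task.code` and asserts the second call is rejected and the password unchanged; the expected status depends on how `ChangePassword.find_by_code` treats finished tasks, which is not visible here. The endpoint comment says `value` accepts an e-mail or a login, but only `user.login` is tested, so a case with `:value => user.email` would cover the other lookup. The `forgot_password` tests assert only the task count, leaving the body returned to an unauthenticated caller unchecked; an assertion such as `assert_no_match /#{user.email}/, last_response.body` would pin that it carries no account data.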