codeforamerica / ohana-api
100%
master: 99%

LAST BUILD BRANCH: mb-update-factory-bot
DEFAULT BRANCH: master
Repo Added 30 May 2013 02:33PM UTC
Files 122
LAST BUILD ON BRANCH add-devise-paranoid

pending completion
949

push

travis-ci

monfresh
Prevent discovery of existing email addresses

Devise allows user enumeration by default, but they provide a `paranoid` setting to prevent enumeration when resetting a password or resending confirmation instructions. This PR turns the `paranoid` setting on.

In addition, this PR also makes sure that enumeration is not possible during sign up. Devise does not provide a way to prevent user enumeration for the `registerable` module, so I wrote my own by overriding the `create` method in the Devise registrations controller.

So now, when you try to sign up with an existing email address, instead of getting an error message that says the email has already been taken, you get the same success notice as you would during a regular successful sign up, and an email is sent to the user letting them know that a request was made to sign up with their email address, and provides the user with helpful links and text depending on whether or not they initiated that request.

1645 of 1653 relevant lines covered (99.52%)

68.21 hits per line


Recent builds

| Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage |
|---|---|---|---|---|---|---|---|
| 949 | add-devise-paranoid | Prevent discovery of existing email addresses Devise allows user enumeration by default, but they provide a `paranoid` setting to prevent enumeration when resetting a password or resending confirmation instructions. This PR turns the `paranoid` s... | push | 19 Apr 2015 05:02AM UTC | monfresh | travis-ci | pending completion |