Merge pull request #247 from AlchemyCMS/devise-paranoid-mode

tvdeyen · web-flow · commit 2b1a998b1fdd · 2026-02-02T15:38:28.000+01:00
feat: Enable Devise.paranoid mode by default
diff --git a/Gemfile b/Gemfile
@@ -20,8 +20,6 @@ group :test do
   if ENV["GITHUB_ACTIONS"]
     gem "simplecov-cobertura", "~> 3.0"
   end
-  gem "selenium-webdriver", "~> 4.40"
-  gem "capybara-screenshot", "~> 1.0"
 end
 
 gem "github_fast_changelog", require: false
diff --git a/alchemy-devise.gemspec b/alchemy-devise.gemspec
@@ -20,10 +20,12 @@ Gem::Specification.new do |s|
   s.add_dependency "flickwerk", ["~> 0.3.6"]
 
   s.add_development_dependency "capybara"
+  s.add_development_dependency "capybara-screenshot", "~> 1.0"
   s.add_development_dependency "factory_bot_rails"
   s.add_development_dependency "rails-controller-testing"
   s.add_development_dependency "rspec-activemodel-mocks", "~> 1.0"
   s.add_development_dependency "rspec-rails", "~> 8.0"
+  s.add_development_dependency "selenium-webdriver", "~> 4.40"
   s.add_development_dependency "simplecov"
 
   s.post_install_message = <<~MSG
diff --git a/lib/generators/alchemy/devise/install/templates/devise.rb.tt b/lib/generators/alchemy/devise/install/templates/devise.rb.tt
@@ -90,7 +90,7 @@ Devise.setup do |config|
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
   # Does not affect registerable.
-  # config.paranoid = true
+  config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
   # particular strategies by setting this option.
diff --git a/spec/features/password_reset_feature_spec.rb b/spec/features/password_reset_feature_spec.rb
@@ -17,16 +17,39 @@
     click_button "Send reset instructions"
 
     expect(page)
-      .to have_content("You will receive an email with instructions on how to reset your password in a few minutes.")
+      .to have_content("If your email address exists in our database, you will receive a password recovery link")
   end
 
-  it "Displays error if email not found." do
-    visit admin_new_password_path
+  context "with paranoid mode disabled" do
+    before do
+      allow(Devise).to receive(:paranoid).and_return(false)
+    end
 
-    fill_in :user_email, with: "wrong@email.com"
-    click_button "Send reset instructions"
+    it "Displays error if email not found." do
+      visit admin_new_password_path
+
+      fill_in :user_email, with: "wrong@email.com"
+      click_button "Send reset instructions"
+
+      expect(page).to have_content("Email not found")
+    end
+  end
+
+  context "with paranoid mode enabled" do
+    before do
+      allow(Devise).to receive(:paranoid).and_return(true)
+    end
+
+    it "Displays notification about reset instructions.", :js do
+      visit admin_new_password_path
+
+      fill_in :user_email, with: "wrong@email.com"
+      click_button "Send reset instructions"
 
-    expect(page).to have_content("Email not found")
+      expect(page).to have_content(
+        "If your email address exists in our database, you will receive a password recovery link"
+      )
+    end
   end
 
   it "User can visit edit password form." do
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -25,6 +25,7 @@
 ActionMailer::Base.perform_deliveries = true
 ActionMailer::Base.default_url_options[:host] = "test.com"
 Capybara.default_driver = :rack_test
+Capybara.javascript_driver = :selenium_headless
 Capybara.default_selector = :css
 Capybara.ignore_hidden_elements = false
 ActiveJob::Base.queue_adapter = :test
