overleaf/services/web/test/unit/src/User/UserControllerTests.js

const sinon = require('sinon')
const { expect } = require('chai')
const modulePath = '../../../../app/src/Features/User/UserController.js'
const SandboxedModule = require('sandboxed-module')
const OError = require('@overleaf/o-error')
const Errors = require('../../../../app/src/Features/Errors/Errors')

describe('UserController', function () {
  beforeEach(function () {
    this.user_id = '323123'

    this.user = {
      _id: this.user_id,
      email: 'email@overleaf.com',
      save: sinon.stub().callsArgWith(0),
      ace: {},
    }

    this.req = {
      user: {},
      session: {
        destroy() {},
        user: {
          _id: this.user_id,
          email: 'old@something.com',
        },
        analyticsId: this.user_id,
      },
      sessionID: '123',
      body: {},
      i18n: {
        translate: text => text,
      },
      ip: '0:0:0:0',
      query: {},
      headers: {},
    }

    this.UserDeleter = { deleteUser: sinon.stub().yields() }
    this.UserGetter = {
      getUser: sinon.stub().callsArgWith(1, null, this.user),
      promises: { getUser: sinon.stub().resolves(this.user) },
    }
    this.User = { findById: sinon.stub().callsArgWith(1, null, this.user) }
    this.NewsLetterManager = { unsubscribe: sinon.stub().callsArgWith(1) }
    this.UserRegistrationHandler = { registerNewUser: sinon.stub() }
    this.AuthenticationController = {
      establishUserSession: sinon.stub().callsArg(2),
    }
    this.SessionManager = {
      getLoggedInUserId: sinon.stub().returns(this.user._id),
      getSessionUser: sinon.stub().returns(this.req.session.user),
      setInSessionUser: sinon.stub(),
    }
    this.AuthenticationManager = {
      authenticate: sinon.stub(),
      validatePassword: sinon.stub(),
      promises: {
        authenticate: sinon.stub(),
        setUserPassword: sinon.stub(),
      },
    }
    this.UserUpdater = {
      changeEmailAddress: sinon.stub(),
      promises: {
        confirmEmail: sinon.stub().resolves(),
        addAffiliationForNewUser: sinon.stub().resolves(),
      },
    }
    this.settings = { siteUrl: 'sharelatex.example.com' }
    this.UserHandler = { populateTeamInvites: sinon.stub().callsArgWith(1) }
    this.UserSessionsManager = {
      trackSession: sinon.stub(),
      untrackSession: sinon.stub(),
      revokeAllUserSessions: sinon.stub().callsArgWith(2, null),
      promises: {
        getAllUserSessions: sinon.stub().resolves(),
        revokeAllUserSessions: sinon.stub().resolves(),
      },
    }
    this.HttpErrorHandler = {
      badRequest: sinon.stub(),
      conflict: sinon.stub(),
      unprocessableEntity: sinon.stub(),
      legacyInternal: sinon.stub(),
    }

    this.UrlHelper = {
      getSafeRedirectPath: sinon.stub(),
    }
    this.UrlHelper.getSafeRedirectPath
      .withArgs('https://evil.com')
      .returns(undefined)
    this.UrlHelper.getSafeRedirectPath.returnsArg(0)
    this.acceptsJson = sinon.stub().returns(false)

    this.UserController = SandboxedModule.require(modulePath, {
      requires: {
        '../Helpers/UrlHelper': this.UrlHelper,
        './UserGetter': this.UserGetter,
        './UserDeleter': this.UserDeleter,
        './UserUpdater': this.UserUpdater,
        '../../models/User': {
          User: this.User,
        },
        '../Newsletter/NewsletterManager': this.NewsLetterManager,
        './UserRegistrationHandler': this.UserRegistrationHandler,
        '../Authentication/AuthenticationController': this
          .AuthenticationController,
        '../Authentication/SessionManager': this.SessionManager,
        '../Authentication/AuthenticationManager': this.AuthenticationManager,
        '../../infrastructure/Features': (this.Features = {
          hasFeature: sinon.stub(),
        }),
        './UserAuditLogHandler': (this.UserAuditLogHandler = {
          promises: {
            addEntry: sinon.stub().resolves(),
          },
        }),
        './UserHandler': this.UserHandler,
        './UserSessionsManager': this.UserSessionsManager,
        '../Errors/HttpErrorHandler': this.HttpErrorHandler,
        '@overleaf/settings': this.settings,
        '@overleaf/metrics': {
          inc() {},
        },
        '@overleaf/o-error': OError,
        '../Email/EmailHandler': (this.EmailHandler = {
          sendEmail: sinon.stub(),
          promises: { sendEmail: sinon.stub().resolves() },
        }),
        '../../infrastructure/RequestContentTypeDetection': {
          acceptsJson: this.acceptsJson,
        },
      },
    })

    this.res = {
      send: sinon.stub(),
      status: sinon.stub(),
      sendStatus: sinon.stub(),
      json: sinon.stub(),
    }
    this.res.status.returns(this.res)
    this.next = sinon.stub()
    this.callback = sinon.stub()
  })

  describe('tryDeleteUser', function () {
    beforeEach(function () {
      this.req.body.password = 'wat'
      this.req.logout = sinon.stub()
      this.req.session.destroy = sinon.stub().callsArgWith(0, null)
      this.SessionManager.getLoggedInUserId = sinon
        .stub()
        .returns(this.user._id)
      this.AuthenticationManager.authenticate = sinon
        .stub()
        .callsArgWith(2, null, this.user)
    })

    it('should send 200', function (done) {
      this.res.sendStatus = code => {
        code.should.equal(200)
        done()
      }
      this.UserController.tryDeleteUser(this.req, this.res, this.next)
    })

    it('should try to authenticate user', function (done) {
      this.res.sendStatus = code => {
        this.AuthenticationManager.authenticate.callCount.should.equal(1)
        this.AuthenticationManager.authenticate
          .calledWith({ _id: this.user._id }, this.req.body.password)
          .should.equal(true)
        done()
      }
      this.UserController.tryDeleteUser(this.req, this.res, this.next)
    })

    it('should delete the user', function (done) {
      this.res.sendStatus = code => {
        this.UserDeleter.deleteUser.callCount.should.equal(1)
        this.UserDeleter.deleteUser.calledWith(this.user._id).should.equal(true)
        done()
      }
      this.UserController.tryDeleteUser(this.req, this.res, this.next)
    })

    describe('when no password is supplied', function () {
      beforeEach(function () {
        this.req.body.password = ''
      })

      it('should return 403', function (done) {
        this.res.sendStatus = code => {
          code.should.equal(403)
          done()
        }
        this.UserController.tryDeleteUser(this.req, this.res, this.next)
      })
    })

    describe('when authenticate produces an error', function () {
      beforeEach(function () {
        this.AuthenticationManager.authenticate = sinon
          .stub()
          .callsArgWith(2, new Error('woops'))
      })

      it('should call next with an error', function (done) {
        this.next = err => {
          expect(err).to.not.equal(null)
          expect(err).to.be.instanceof(Error)
          done()
        }
        this.UserController.tryDeleteUser(this.req, this.res, this.next)
      })
    })

    describe('when authenticate does not produce a user', function () {
      beforeEach(function () {
        this.AuthenticationManager.authenticate = sinon
          .stub()
          .callsArgWith(2, null, null)
      })

      it('should return 403', function (done) {
        this.res.sendStatus = code => {
          code.should.equal(403)
          done()
        }
        this.UserController.tryDeleteUser(this.req, this.res, this.next)
      })
    })

    describe('when deleteUser produces an error', function () {
      beforeEach(function () {
        this.UserDeleter.deleteUser = sinon.stub().yields(new Error('woops'))
      })

      it('should call next with an error', function (done) {
        this.next = err => {
          expect(err).to.not.equal(null)
          expect(err).to.be.instanceof(Error)
          done()
        }
        this.UserController.tryDeleteUser(this.req, this.res, this.next)
      })
    })

    describe('when deleteUser produces a known error', function () {
      beforeEach(function () {
        this.UserDeleter.deleteUser = sinon
          .stub()
          .yields(new Errors.SubscriptionAdminDeletionError())
      })

      it('should return a HTTP Unprocessable Entity error', function (done) {
        this.HttpErrorHandler.unprocessableEntity = sinon.spy(
          (req, res, message, info) => {
            expect(req).to.exist
            expect(res).to.exist
            expect(message).to.equal('error while deleting user account')
            expect(info).to.deep.equal({
              error: 'SubscriptionAdminDeletionError',
            })
            done()
          }
        )
        this.UserController.tryDeleteUser(this.req, this.res)
      })
    })

    describe('when session.destroy produces an error', function () {
      beforeEach(function () {
        this.req.session.destroy = sinon
          .stub()
          .callsArgWith(0, new Error('woops'))
      })

      it('should call next with an error', function (done) {
        this.next = err => {
          expect(err).to.not.equal(null)
          expect(err).to.be.instanceof(Error)
          done()
        }
        this.UserController.tryDeleteUser(this.req, this.res, this.next)
      })
    })
  })

  describe('unsubscribe', function () {
    it('should send the user to unsubscribe', function (done) {
      this.res.sendStatus = () => {
        this.NewsLetterManager.unsubscribe
          .calledWith(this.user)
          .should.equal(true)
        done()
      }
      this.UserController.unsubscribe(this.req, this.res)
    })
  })

  describe('updateUserSettings', function () {
    beforeEach(function () {
      this.auditLog = { initiatorId: this.user_id, ipAddress: this.req.ip }
      this.newEmail = 'hello@world.com'
      this.req.externalAuthenticationSystemUsed = sinon.stub().returns(false)
    })

    it('should call save', function (done) {
      this.req.body = {}
      this.res.sendStatus = code => {
        this.user.save.called.should.equal(true)
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should set the first name', function (done) {
      this.req.body = { first_name: 'bobby  ' }
      this.res.sendStatus = code => {
        this.user.first_name.should.equal('bobby')
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should set the role', function (done) {
      this.req.body = { role: 'student' }
      this.res.sendStatus = code => {
        this.user.role.should.equal('student')
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should set the institution', function (done) {
      this.req.body = { institution: 'MIT' }
      this.res.sendStatus = code => {
        this.user.institution.should.equal('MIT')
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should set some props on ace', function (done) {
      this.req.body = { editorTheme: 'something' }
      this.res.sendStatus = code => {
        this.user.ace.theme.should.equal('something')
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should set the overall theme', function (done) {
      this.req.body = { overallTheme: 'green-ish' }
      this.res.sendStatus = code => {
        this.user.ace.overallTheme.should.equal('green-ish')
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should send an error if the email is 0 len', function (done) {
      this.req.body.email = ''
      this.res.sendStatus = function (code) {
        code.should.equal(400)
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should send an error if the email does not contain an @', function (done) {
      this.req.body.email = 'bob at something dot com'
      this.res.sendStatus = function (code) {
        code.should.equal(400)
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should call the user updater with the new email and user _id', function (done) {
      this.req.body.email = this.newEmail.toUpperCase()
      this.UserUpdater.changeEmailAddress.callsArgWith(3)
      this.res.sendStatus = code => {
        code.should.equal(200)
        this.UserUpdater.changeEmailAddress
          .calledWith(this.user_id, this.newEmail, this.auditLog)
          .should.equal(true)
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should update the email on the session', function (done) {
      this.req.body.email = this.newEmail.toUpperCase()
      this.UserUpdater.changeEmailAddress.callsArgWith(3)
      let callcount = 0
      this.User.findById = (id, cb) => {
        if (++callcount === 2) {
          this.user.email = this.newEmail
        }
        cb(null, this.user)
      }
      this.res.sendStatus = code => {
        code.should.equal(200)
        this.SessionManager.setInSessionUser
          .calledWith(this.req.session, {
            email: this.newEmail,
            first_name: undefined,
            last_name: undefined,
          })
          .should.equal(true)
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    it('should call populateTeamInvites', function (done) {
      this.req.body.email = this.newEmail.toUpperCase()
      this.UserUpdater.changeEmailAddress.callsArgWith(3)
      this.res.sendStatus = code => {
        code.should.equal(200)
        this.UserHandler.populateTeamInvites
          .calledWith(this.user)
          .should.equal(true)
        done()
      }
      this.UserController.updateUserSettings(this.req, this.res)
    })

    describe('when changeEmailAddress yields an error', function () {
      it('should pass on an error and not send a success status', function (done) {
        this.req.body.email = this.newEmail.toUpperCase()
        this.UserUpdater.changeEmailAddress.callsArgWith(3, new OError())
        this.HttpErrorHandler.legacyInternal = sinon.spy(
          (req, res, message, error) => {
            expect(req).to.exist
            expect(req).to.exist
            message.should.equal('problem_changing_email_address')
            expect(error).to.be.instanceof(OError)
            done()
          }
        )
        this.UserController.updateUserSettings(this.req, this.res, this.next)
      })

      it('should call the HTTP conflict error handler when the email already exists', function (done) {
        this.HttpErrorHandler.conflict = sinon.spy((req, res, message) => {
          expect(req).to.exist
          expect(req).to.exist
          message.should.equal('email_already_registered')
          done()
        })
        this.req.body.email = this.newEmail.toUpperCase()
        this.UserUpdater.changeEmailAddress.callsArgWith(
          3,
          new Errors.EmailExistsError()
        )
        this.UserController.updateUserSettings(this.req, this.res)
      })
    })

    describe('when using an external auth source', function () {
      beforeEach(function () {
        this.UserUpdater.changeEmailAddress.callsArgWith(2)
        this.newEmail = 'someone23@example.com'
        this.req.externalAuthenticationSystemUsed = sinon.stub().returns(true)
      })

      it('should not set a new email', function (done) {
        this.req.body.email = this.newEmail
        this.res.sendStatus = code => {
          code.should.equal(200)
          this.UserUpdater.changeEmailAddress
            .calledWith(this.user_id, this.newEmail)
            .should.equal(false)
          done()
        }
        this.UserController.updateUserSettings(this.req, this.res)
      })
    })
  })

  describe('logout', function () {
    beforeEach(function () {
      this.acceptsJson.returns(false)
    })

    it('should destroy the session', function (done) {
      this.req.session.destroy = sinon.stub().callsArgWith(0)
      this.res.redirect = url => {
        url.should.equal('/login')
        this.req.session.destroy.called.should.equal(true)
        done()
      }

      this.UserController.logout(this.req, this.res)
    })

    it('should untrack session', function (done) {
      this.req.session.destroy = sinon.stub().callsArgWith(0)
      this.res.redirect = url => {
        url.should.equal('/login')
        this.UserSessionsManager.untrackSession.callCount.should.equal(1)
        this.UserSessionsManager.untrackSession
          .calledWith(sinon.match(this.req.user), this.req.sessionID)
          .should.equal(true)
        done()
      }

      this.UserController.logout(this.req, this.res)
    })

    it('should redirect after logout', function (done) {
      this.req.body.redirect = '/institutional-login'
      this.req.session.destroy = sinon.stub().callsArgWith(0)
      this.res.redirect = url => {
        url.should.equal(this.req.body.redirect)
        done()
      }
      this.UserController.logout(this.req, this.res)
    })

    it('should redirect after logout, but not to evil.com', function (done) {
      this.req.body.redirect = 'https://evil.com'
      this.req.session.destroy = sinon.stub().callsArgWith(0)
      this.res.redirect = url => {
        url.should.equal('/login')
        done()
      }
      this.UserController.logout(this.req, this.res)
    })

    it('should redirect to login after logout when no redirect set', function (done) {
      this.req.session.destroy = sinon.stub().callsArgWith(0)
      this.res.redirect = url => {
        url.should.equal('/login')
        done()
      }
      this.UserController.logout(this.req, this.res)
    })

    it('should send json with redir property for json request', function (done) {
      this.acceptsJson.returns(true)
      this.req.session.destroy = sinon.stub().callsArgWith(0)
      this.res.status = code => {
        code.should.equal(200)
        return this.res
      }
      this.res.json = data => {
        data.redir.should.equal('/login')
        done()
      }
      this.UserController.logout(this.req, this.res)
    })
  })

  describe('register', function () {
    beforeEach(function () {
      this.UserRegistrationHandler.registerNewUserAndSendActivationEmail = sinon
        .stub()
        .callsArgWith(1, null, this.user, (this.url = 'mock/url'))
      this.req.body.email = this.user.email = this.email = 'email@example.com'
      this.UserController.register(this.req, this.res)
    })

    it('should register the user and send them an email', function () {
      sinon.assert.calledWith(
        this.UserRegistrationHandler.registerNewUserAndSendActivationEmail,
        this.email
      )
    })

    it('should return the user and activation url', function () {
      this.res.json
        .calledWith({
          email: this.email,
          setNewPasswordUrl: this.url,
        })
        .should.equal(true)
    })
  })

  describe('clearSessions', function () {
    describe('success', function () {
      it('should call revokeAllUserSessions', function (done) {
        this.res.sendStatus.callsFake(() => {
          this.UserSessionsManager.promises.revokeAllUserSessions.callCount.should.equal(
            1
          )
          done()
        })
        this.UserController.clearSessions(this.req, this.res)
      })

      it('send a 201 response', function (done) {
        this.res.sendStatus.callsFake(status => {
          status.should.equal(201)
          done()
        })

        this.UserController.clearSessions(this.req, this.res)
      })

      it('sends a security alert email', function (done) {
        this.res.sendStatus.callsFake(status => {
          this.EmailHandler.promises.sendEmail.callCount.should.equal(1)
          const expectedArg = {
            to: this.user.email,
            actionDescribed: `active sessions were cleared on your account ${this.user.email}`,
            action: 'active sessions cleared',
          }
          const emailCall = this.EmailHandler.promises.sendEmail.lastCall
          expect(emailCall.args[0]).to.equal('securityAlert')
          expect(emailCall.args[1]).to.deep.equal(expectedArg)
          done()
        })

        this.UserController.clearSessions(this.req, this.res)
      })
    })

    describe('errors', function () {
      describe('when getAllUserSessions produces an error', function () {
        it('should return an error', function (done) {
          this.UserSessionsManager.promises.getAllUserSessions.rejects(
            new Error('woops')
          )
          this.UserController.clearSessions(this.req, this.res, error => {
            expect(error).to.be.instanceof(Error)
            done()
          })
        })
      })

      describe('when audit log addEntry produces an error', function () {
        it('should call next with an error', function (done) {
          this.UserAuditLogHandler.promises.addEntry.rejects(new Error('woops'))
          this.UserController.clearSessions(this.req, this.res, error => {
            expect(error).to.be.instanceof(Error)
            done()
          })
        })
      })

      describe('when revokeAllUserSessions produces an error', function () {
        it('should call next with an error', function (done) {
          this.UserSessionsManager.promises.revokeAllUserSessions.rejects(
            new Error('woops')
          )
          this.UserController.clearSessions(this.req, this.res, error => {
            expect(error).to.be.instanceof(Error)
            done()
          })
        })
      })

      describe('when EmailHandler produces an error', function () {
        const anError = new Error('oops')
        it('send a 201 response but log error', function (done) {
          this.EmailHandler.promises.sendEmail.rejects(anError)
          this.res.sendStatus.callsFake(status => {
            status.should.equal(201)
            this.logger.error.callCount.should.equal(1)
            const loggerCall = this.logger.error.getCall(0)
            expect(loggerCall.args[0]).to.deep.equal({
              error: anError,
              userId: this.user_id,
            })
            expect(loggerCall.args[1]).to.contain(
              'could not send security alert email when sessions cleared'
            )
            done()
          })
          this.UserController.clearSessions(this.req, this.res)
        })
      })
    })
  })

  describe('changePassword', function () {
    describe('success', function () {
      beforeEach(function () {
        this.AuthenticationManager.promises.authenticate.resolves(this.user)
        this.AuthenticationManager.promises.setUserPassword.resolves()
        this.req.body = {
          newPassword1: 'newpass',
          newPassword2: 'newpass',
        }
      })
      it('should set the new password if they do match', function (done) {
        this.res.json.callsFake(() => {
          this.AuthenticationManager.promises.setUserPassword.should.have.been.calledWith(
            this.user,
            'newpass'
          )
          done()
        })
        this.UserController.changePassword(this.req, this.res)
      })

      it('should log the update', function (done) {
        this.res.json.callsFake(() => {
          this.UserAuditLogHandler.promises.addEntry.should.have.been.calledWith(
            this.user._id,
            'update-password',
            this.user._id,
            this.req.ip
          )
          this.AuthenticationManager.promises.setUserPassword.callCount.should.equal(
            1
          )
          done()
        })
        this.UserController.changePassword(this.req, this.res)
      })

      it('should send security alert email', function (done) {
        this.res.json.callsFake(() => {
          const expectedArg = {
            to: this.user.email,
            actionDescribed: `your password has been changed on your account ${this.user.email}`,
            action: 'password changed',
          }
          const emailCall = this.EmailHandler.sendEmail.lastCall
          expect(emailCall.args[0]).to.equal('securityAlert')
          expect(emailCall.args[1]).to.deep.equal(expectedArg)
          done()
        })
        this.UserController.changePassword(this.req, this.res)
      })
    })

    describe('errors', function () {
      it('should check the old password is the current one at the moment', function (done) {
        this.AuthenticationManager.promises.authenticate.resolves()
        this.req.body = { currentPassword: 'oldpasshere' }
        this.HttpErrorHandler.badRequest.callsFake(() => {
          expect(this.HttpErrorHandler.badRequest).to.have.been.calledWith(
            this.req,
            this.res,
            'Your old password is wrong'
          )
          this.AuthenticationManager.promises.authenticate.should.have.been.calledWith(
            { _id: this.user._id },
            'oldpasshere'
          )
          this.AuthenticationManager.promises.setUserPassword.callCount.should.equal(
            0
          )
          done()
        })
        this.UserController.changePassword(this.req, this.res)
      })

      it('it should not set the new password if they do not match', function (done) {
        this.AuthenticationManager.promises.authenticate.resolves({})
        this.req.body = {
          newPassword1: '1',
          newPassword2: '2',
        }
        this.HttpErrorHandler.badRequest.callsFake(() => {
          expect(this.HttpErrorHandler.badRequest).to.have.been.calledWith(
            this.req,
            this.res,
            'password_change_passwords_do_not_match'
          )
          this.AuthenticationManager.promises.setUserPassword.callCount.should.equal(
            0
          )
          done()
        })
        this.UserController.changePassword(this.req, this.res)
      })

      it('it should not set the new password if it is invalid', function (done) {
        // this.AuthenticationManager.validatePassword = sinon
        //   .stub()
        //   .returns({ message: 'validation-error' })
        const err = new Error('bad')
        err.name = 'InvalidPasswordError'
        this.AuthenticationManager.promises.setUserPassword.rejects(err)
        this.AuthenticationManager.promises.authenticate.resolves({})
        this.req.body = {
          newPassword1: 'newpass',
          newPassword2: 'newpass',
        }
        this.HttpErrorHandler.badRequest.callsFake(() => {
          expect(this.HttpErrorHandler.badRequest).to.have.been.calledWith(
            this.req,
            this.res,
            err.message
          )
          this.AuthenticationManager.promises.setUserPassword.callCount.should.equal(
            1
          )
          done()
        })
        this.UserController.changePassword(this.req, this.res)
      })

      describe('UserAuditLogHandler error', function () {
        it('should return error and not update password', function (done) {
          this.UserAuditLogHandler.promises.addEntry.rejects(new Error('oops'))
          this.AuthenticationManager.promises.authenticate.resolves(this.user)
          this.AuthenticationManager.promises.setUserPassword.resolves()
          this.req.body = {
            newPassword1: 'newpass',
            newPassword2: 'newpass',
          }

          this.UserController.changePassword(this.req, this.res, error => {
            expect(error).to.be.instanceof(Error)
            this.AuthenticationManager.promises.setUserPassword.callCount.should.equal(
              1
            )
            done()
          })
        })
      })

      describe('EmailHandler error', function () {
        const anError = new Error('oops')
        beforeEach(function () {
          this.AuthenticationManager.promises.authenticate.resolves(this.user)
          this.AuthenticationManager.promises.setUserPassword.resolves()
          this.req.body = {
            newPassword1: 'newpass',
            newPassword2: 'newpass',
          }
          this.EmailHandler.sendEmail.yields(anError)
        })
        it('should not return error but should log it', function (done) {
          this.res.json.callsFake(result => {
            expect(result.message.type).to.equal('success')
            this.logger.error.callCount.should.equal(1)
            expect(this.logger.error).to.have.been.calledWithExactly(
              {
                error: anError,
                userId: this.user_id,
              },
              'could not send security alert email when password changed'
            )
            done()
          })
          this.UserController.changePassword(this.req, this.res)
        })
      })
    })
  })

  describe('ensureAffiliationMiddleware', function () {
    describe('without affiliations feature', function () {
      beforeEach(async function () {
        await this.UserController.promises.ensureAffiliationMiddleware(
          this.req,
          this.res,
          this.next
        )
      })
      it('should not run affiliation check', function () {
        expect(this.UserGetter.promises.getUser).to.not.have.been.called
        expect(this.UserUpdater.promises.confirmEmail).to.not.have.been.called
        expect(this.UserUpdater.promises.addAffiliationForNewUser).to.not.have
          .been.called
      })
      it('should not return an error', function () {
        expect(this.next).to.be.calledWith()
      })
    })
    describe('without ensureAffiliation query parameter', function () {
      beforeEach(async function () {
        this.Features.hasFeature.withArgs('affiliations').returns(true)
        await this.UserController.promises.ensureAffiliationMiddleware(
          this.req,
          this.res,
          this.next
        )
      })
      it('should not run middleware', function () {
        expect(this.UserGetter.promises.getUser).to.not.have.been.called
        expect(this.UserUpdater.promises.confirmEmail).to.not.have.been.called
        expect(this.UserUpdater.promises.addAffiliationForNewUser).to.not.have
          .been.called
      })
      it('should not return an error', function () {
        expect(this.next).to.be.calledWith()
      })
    })
    describe('no flagged email', function () {
      beforeEach(async function () {
        const email = 'unit-test@overleaf.com'
        this.user.email = email
        this.user.emails = [
          {
            email,
          },
        ]
        this.Features.hasFeature.withArgs('affiliations').returns(true)
        this.req.query.ensureAffiliation = true
        await this.UserController.promises.ensureAffiliationMiddleware(
          this.req,
          this.res,
          this.next
        )
      })
      it('should get the user', function () {
        expect(this.UserGetter.promises.getUser).to.have.been.calledWith(
          this.user._id
        )
      })
      it('should not try to add affiliation or update user', function () {
        expect(this.UserUpdater.promises.addAffiliationForNewUser).to.not.have
          .been.called
      })
      it('should not return an error', function () {
        expect(this.next).to.be.calledWith()
      })
    })
    describe('flagged non-SSO email', function () {
      let emailFlagged
      beforeEach(async function () {
        emailFlagged = 'flagged@overleaf.com'
        this.user.email = emailFlagged
        this.user.emails = [
          {
            email: emailFlagged,
            affiliationUnchecked: true,
          },
        ]
        this.Features.hasFeature.withArgs('affiliations').returns(true)
        this.req.query.ensureAffiliation = true
        await this.UserController.promises.ensureAffiliationMiddleware(
          this.req,
          this.res,
          this.next
        )
      })
      it('should unflag the emails but not confirm', function () {
        expect(
          this.UserUpdater.promises.addAffiliationForNewUser
        ).to.have.been.calledWith(this.user._id, emailFlagged)
        expect(
          this.UserUpdater.promises.confirmEmail
        ).to.not.have.been.calledWith(this.user._id, emailFlagged)
      })
      it('should not return an error', function () {
        expect(this.next).to.be.calledWith()
      })
    })
    describe('flagged SSO email', function () {
      let emailFlagged
      beforeEach(async function () {
        emailFlagged = 'flagged@overleaf.com'
        this.user.email = emailFlagged
        this.user.emails = [
          {
            email: emailFlagged,
            affiliationUnchecked: true,
            samlProviderId: '123',
          },
        ]
        this.Features.hasFeature.withArgs('affiliations').returns(true)
        this.req.query.ensureAffiliation = true
        await this.UserController.promises.ensureAffiliationMiddleware(
          this.req,
          this.res,
          this.next
        )
      })
      it('should add affiliation to v1, unflag and confirm on v2', function () {
        expect(this.UserUpdater.promises.addAffiliationForNewUser).to.have.not
          .been.called
        expect(this.UserUpdater.promises.confirmEmail).to.have.been.calledWith(
          this.user._id,
          emailFlagged
        )
      })
      it('should not return an error', function () {
        expect(this.next).to.be.calledWith()
      })
    })
    describe('when v1 returns an error', function () {
      let emailFlagged
      beforeEach(async function () {
        this.UserUpdater.promises.addAffiliationForNewUser.rejects()
        emailFlagged = 'flagged@overleaf.com'
        this.user.email = emailFlagged
        this.user.emails = [
          {
            email: emailFlagged,
            affiliationUnchecked: true,
          },
        ]
        this.Features.hasFeature.withArgs('affiliations').returns(true)
        this.req.query.ensureAffiliation = true
        await this.UserController.promises.ensureAffiliationMiddleware(
          this.req,
          this.res,
          this.next
        )
      })
      it('should return the error', function () {
        expect(this.next).to.be.calledWith(sinon.match.instanceOf(Error))
      })
    })
  })
})