Check redirect url on confirm account query

mcelicalderon · mcelicalderon · commit 80a8b508ad4a · 2020-12-21T17:21:12.000-05:00
diff --git a/lib/graphql_devise/resolvers/confirm_account.rb b/lib/graphql_devise/resolvers/confirm_account.rb
@@ -7,6 +7,8 @@ class ConfirmAccount < Base
       argument :redirect_url,       String, required: true
 
       def resolve(confirmation_token:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = resource_class.confirm_by_token(confirmation_token)
 
         if resource.errors.empty?
diff --git a/spec/requests/queries/confirm_account_spec.rb b/spec/requests/queries/confirm_account_spec.rb
@@ -7,7 +7,7 @@
 
   context 'when using the user model' do
     let(:user)     { create(:user, confirmed_at: nil) }
-    let(:redirect) { Faker::Internet.url }
+    let(:redirect) { 'https://google.com' }
     let(:query) do
       <<-GRAPHQL
         {
@@ -43,6 +43,21 @@
         expect(user).to be_active_for_authentication
       end
 
+      context 'when redirect_url is not whitelisted' do
+        let(:redirect) { 'https://not-safe.com' }
+
+        it 'returns a not whitelisted redirect url error' do
+          expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+          expect(json_response[:errors]).to containing_exactly(
+            hash_including(
+              message:    "Redirect to '#{redirect}' not allowed.",
+              extensions: { code: 'USER_ERROR' }
+            )
+          )
+        end
+      end
+
       context 'when unconfirmed_email is present' do
         let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
 
