solidus_auth_devise 2.2.0 → 2.3.0

data/lib/spree/auth/devise.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spree/core'
 require 'devise'
 require 'devise-encryptable'
@@ -5,7 +7,7 @@ require 'cancan'
 
 module Spree
   module Auth
-    def self.config(&block)
+    def self.config
       yield(Spree::Auth::Config)
     end
   end

data/lib/spree/auth/engine.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise'
 require 'devise-encryptable'
 
@@ -7,7 +9,7 @@ module Spree
       isolate_namespace Spree
       engine_name 'solidus_auth'
 
-      initializer "spree.auth.environment", before: :load_config_initializers do |app|
+      initializer "spree.auth.environment", before: :load_config_initializers do |_app|
         Spree::Auth::Config = Spree::AuthConfiguration.new
       end
 

data/lib/spree/auth/version.rb

@@ -2,6 +2,6 @@
 
 module Spree
   module Auth
-    VERSION = '2.2.0'
+    VERSION = '2.3.0'
   end
 end

data/lib/spree/authentication_helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Spree
   module AuthenticationHelpers
     def self.included(receiver)
@@ -17,17 +19,9 @@ module Spree
     end
 
     if SolidusSupport.frontend_available?
-      def spree_login_path
-        spree.login_path
-      end
-
-      def spree_signup_path
-        spree.signup_path
-      end
-
-      def spree_logout_path
-        spree.logout_path
-      end
+      delegate :login_path, :signup_path, :logout_path,
+               to: :spree,
+               prefix: :spree
     end
   end
 end

data/lib/tasks/auth.rake

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 namespace :spree_auth do
   namespace :admin do
     desc "Create admin username and password"
-    task :create => :environment do
+    task create: :environment do
       require File.join(File.dirname(__FILE__), '..', '..', 'db', 'default', 'users.rb')
       puts "Done!"
     end

data/lib/views/backend/spree/admin/shared/_navigation_footer.html.erb

@@ -14,7 +14,7 @@
       <% end %>
     </li>
     <li data-hook="user-logout-link">
-      <%= link_to spree.admin_logout_path do %>
+      <%= link_to spree.admin_logout_path, method: Devise.sign_out_via do %>
         <i class='fa fa-sign-out'></i>
         <%= I18n.t('spree.logout') %>
       <% end %>

data/lib/views/backend/spree/admin/user_passwords/new.html.erb

@@ -1,5 +1,3 @@
-<%= render partial: 'spree/shared/error_messages', locals: { target: @spree_user } %>
-
 <div id="forgot-password">
   <h6><%= I18n.t('spree.forgot_password') %></h6>
 
@@ -8,7 +6,7 @@
   <%= form_for Spree::User.new, as: :spree_user, url: spree.admin_reset_password_path do |f| %>
     <p>
       <%= f.label :email, I18n.t('spree.email') %><br />
-      <%= f.email_field :email %>
+      <%= f.email_field :email, required: true %>
     </p>
     <p>
       <%= f.submit I18n.t('spree.reset_password'), class: 'button primary' %>

data/lib/views/backend/spree/admin/user_sessions/new.html.erb

@@ -22,7 +22,7 @@
         <%= f.label :remember_me, I18n.t('spree.remember_me') %>
       </p>
 
-      <p><%= f.submit I18n.t('spree.login'), class: 'button primary', tabindex: 4 %></p>
+      <p><%= f.submit I18n.t('spree.login'), class: 'btn btn-primary', tabindex: 4 %></p>
     <% end %>
     <%= I18n.t('spree.or') %>
     <%= link_to I18n.t('spree.forgot_password'), spree.admin_recover_password_path %>

data/lib/views/frontend/spree/shared/_login_bar_items.html.erb

@@ -1,6 +1,6 @@
 <% if spree_current_user %>
   <li><%= link_to I18n.t('spree.my_account'), spree.account_path %></li>
-  <li><%= link_to I18n.t('spree.logout'), spree.logout_path %></li>
+  <li><%= link_to I18n.t('spree.logout'), spree.logout_path, method: Devise.sign_out_via %></li>
 <% else %>
   <li id="link-to-login"><%= link_to I18n.t('spree.login'), spree.login_path %></li>
 <% end %>

data/lib/views/frontend/spree/user_passwords/new.html.erb

@@ -1,5 +1,3 @@
-<%= render partial: 'spree/shared/error_messages', locals: { target: @spree_user } %>
-
 <div id="forgot-password">
   <h6><%= I18n.t('spree.forgot_password') %></h6>
 
@@ -8,7 +6,7 @@
   <%= form_for Spree::User.new, as: :spree_user, url: spree.reset_password_path do |f| %>
     <p>
       <%= f.label :email, I18n.t('spree.email') %><br />
-      <%= f.email_field :email %>
+      <%= f.email_field :email, required: true %>
     </p>
     <p>
       <%= f.submit I18n.t('spree.reset_password'), class: 'button primary' %>

data/solidus_auth_devise.gemspec

@@ -1,4 +1,4 @@
-# encoding: UTF-8
+# frozen_string_literal: true
 
 $:.unshift File.expand_path('lib', __dir__)
 require 'spree/auth/version'
@@ -13,8 +13,8 @@ Gem::Specification.new do |s|
   s.author       = 'Solidus Team'
   s.email        = 'contact@solidus.io'
 
-  s.required_ruby_version = ">= 2.1"
-  s.license     = %q{BSD-3}
+  s.required_ruby_version = ">= 2.3"
+  s.license = 'BSD-3'
 
   s.files        = `git ls-files`.split("\n")
   s.test_files   = `git ls-files -- spec/*`.split("\n")
@@ -23,10 +23,16 @@ Gem::Specification.new do |s|
 
   solidus_version = [">= 1.2.0", "< 3"]
 
-  s.add_dependency "solidus_core", solidus_version
-  s.add_dependency "solidus_support", ">= 0.1.3"
+  s.post_install_message = "
+    NOTE: Rails 6 has removed secret_token in favor of secret_key_base, which was deprecated in
+    Rails 5.2. solidus_auth_devise will keep using secret_token, when present, as the pepper. If
+    secret_token is undefined or not available, secret_key_base will be used instead.
+  ".strip.gsub(/ +/, ' ')
+
   s.add_dependency "devise", '~> 4.1'
   s.add_dependency "devise-encryptable", "0.2.0"
+  s.add_dependency "solidus_core", solidus_version
+  s.add_dependency "solidus_support", ">= 0.1.3"
 
   s.add_development_dependency "capybara", "~> 2.14"
   s.add_development_dependency "capybara-screenshot"
@@ -34,9 +40,13 @@ Gem::Specification.new do |s|
   s.add_development_dependency "database_cleaner", "~> 1.6"
   s.add_development_dependency "ffaker"
   s.add_development_dependency "gem-release", "~> 2.0"
-  s.add_development_dependency "poltergeist", "~> 1.5"
+  s.add_development_dependency "github_changelog_generator", "~> 1.14"
   s.add_development_dependency "rspec-rails", "~> 3.3"
+  s.add_development_dependency "rubocop", "~> 0.71"
+  s.add_development_dependency "rubocop-performance", "~> 1.4"
+  s.add_development_dependency "rubocop-rails", "~> 2.2"
   s.add_development_dependency "sass-rails"
+  s.add_development_dependency "selenium-webdriver", "~> 3.142"
   s.add_development_dependency "shoulda-matchers", "~> 3.1"
   s.add_development_dependency "simplecov", "~> 0.14"
   s.add_development_dependency "solidus_backend", solidus_version

data/spec/controllers/spree/admin/user_passwords_controller_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Spree::Admin::UserPasswordsController, type: :controller do
   before { @request.env['devise.mapping'] = Devise.mappings[:spree_user] }
 

data/spec/controllers/spree/checkout_controller_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::CheckoutController, type: :controller do
+# frozen_string_literal: true
 
+RSpec.describe Spree::CheckoutController, type: :controller do
   let(:order) { create(:order_with_line_items, email: nil, user: nil, guest_token: token) }
   let(:user)  { build(:user, spree_api_key: 'fake') }
   let(:token) { 'some_token' }
@@ -39,11 +40,7 @@ RSpec.describe Spree::CheckoutController, type: :controller do
 
         context 'when guest checkout not allowed' do
           before do
-            Spree::Config.set(allow_guest_checkout: false)
-          end
-
-          after do
-            Spree::Config.set(allow_guest_checkout: true)
+            stub_spree_preferences(allow_guest_checkout: false)
           end
 
           it 'redirects to registration step' do
@@ -56,7 +53,7 @@ RSpec.describe Spree::CheckoutController, type: :controller do
 
     context 'when registration step disabled' do
       before do
-        Spree::Auth::Config.set(registration_step: false)
+        stub_spree_preferences(Spree::Auth::Config, registration_step: false)
       end
 
       context 'when authenticated as registered' do
@@ -80,8 +77,7 @@ RSpec.describe Spree::CheckoutController, type: :controller do
   context '#update' do
     context 'when in the confirm state' do
       before do
-        order.update_column(:email, 'spree@example.com')
-        order.update_column(:state, 'confirm')
+        order.update(email: 'spree@example.com', state: 'confirm')
 
         # So that the order can transition to complete successfully
         allow(order).to receive(:payment_required?) { false }

data/spec/controllers/spree/products_controller_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::ProductsController, type: :controller do
+# frozen_string_literal: true
 
+RSpec.describe Spree::ProductsController, type: :controller do
   let!(:product) { create(:product, available_on: 1.year.from_now) }
   let!(:user)    { build(:user, spree_api_key: 'fake') }
 

data/spec/controllers/spree/user_passwords_controller_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::UserPasswordsController, type: :controller do
+# frozen_string_literal: true
 
+RSpec.describe Spree::UserPasswordsController, type: :controller do
   let(:token) { 'some_token' }
 
   before { @request.env['devise.mapping'] = Devise.mappings[:spree_user] }
@@ -16,7 +17,7 @@ RSpec.describe Spree::UserPasswordsController, type: :controller do
       it 'flashes an error' do
         get :edit
         expect(flash[:alert]).to include(
-          "You can't access this page without coming from a password reset " +
+          "You can't access this page without coming from a password reset " \
           'email'
         )
       end
@@ -34,7 +35,7 @@ RSpec.describe Spree::UserPasswordsController, type: :controller do
     context 'when updating password with blank password' do
       it 'shows error flash message, sets spree_user with token and re-displays password edit form' do
         put :update, params: { spree_user: { password: '', password_confirmation: '', reset_password_token: token } }
-        expect(assigns(:spree_user).kind_of?(Spree::User)).to eq true
+        expect(assigns(:spree_user).is_a?(Spree::User)).to eq true
         expect(assigns(:spree_user).reset_password_token).to eq token
         expect(flash[:error]).to eq I18n.t(:cannot_be_blank, scope: [:devise, :user_passwords, :spree_user])
         expect(response).to render_template :edit

data/spec/controllers/spree/user_registrations_controller_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::UserRegistrationsController, type: :controller do
+# frozen_string_literal: true
 
+RSpec.describe Spree::UserRegistrationsController, type: :controller do
   before { @request.env['devise.mapping'] = Devise.mappings[:spree_user] }
 
   context '#create' do
@@ -56,7 +57,7 @@ RSpec.describe Spree::UserRegistrationsController, type: :controller do
         it 'assigns orders with the correct token and no user present' do
           order = create(:order, guest_token: 'ABC', user_id: nil, created_by_id: nil)
           subject
-          user = Spree::User.find_by_email('foobar@example.com')
+          user = Spree::User.find_by(email: 'foobar@example.com')
 
           order.reload
           expect(order.user_id).to eq user.id

data/spec/controllers/spree/user_sessions_controller_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Spree::UserSessionsController, type: :controller do
   let(:user) { create(:user) }
 
@@ -110,4 +112,16 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
       end
     end
   end
+
+  context "#destroy" do
+    subject do
+      delete(:destroy)
+    end
+
+    it "redirects to default after signing out" do
+      subject
+      expect(controller.spree_current_user).to be_nil
+      expect(response).to redirect_to spree.root_path
+    end
+  end
 end

data/spec/controllers/spree/users_controller_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::UsersController, type: :controller do
+# frozen_string_literal: true
 
+RSpec.describe Spree::UsersController, type: :controller do
   let(:admin_user) { create(:user) }
   let(:user) { create(:user) }
   let(:role) { create(:role) }
@@ -22,7 +23,6 @@ RSpec.describe Spree::UsersController, type: :controller do
     before { sign_in(user) }
 
     context 'when updating own account' do
-
       context 'when user updated successfuly' do
         before { put :update, params: { user: { email: 'mynew@email-address.com' } } }
 

data/spec/factories/confirmed_user.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 FactoryBot.define do
   factory :confirmed_user, parent: :user do
-    confirmed_at { Time.now }
-    confirmation_sent_at { Time.now }
+    confirmed_at { Time.zone.now }
+    confirmation_sent_at { Time.zone.now }
     confirmation_token { "12345" }
   end
-end
+end

data/spec/features/account_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Accounts', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Accounts', type: :feature do
   context 'editing' do
     scenario 'can edit an admin user' do
       user = create(:admin_user, email: 'admin@person.com', password: 'password', password_confirmation: 'password')
@@ -14,7 +15,7 @@ RSpec.feature 'Accounts', type: :feature do
     end
 
     scenario 'can edit a new user' do
-      Spree::Auth::Config.set(signout_after_password_change: false)
+      stub_spree_preferences(Spree::Auth::Config, signout_after_password_change: false)
       visit spree.signup_path
 
       fill_in 'Email', with: 'email@person.com'
@@ -35,7 +36,7 @@ RSpec.feature 'Accounts', type: :feature do
     end
 
     scenario 'can edit an existing user account' do
-      Spree::Auth::Config.set(signout_after_password_change: false)
+      stub_spree_preferences(Spree::Auth::Config ,signout_after_password_change: false)
       user = create(:user, email: 'email@person.com', password: 'secret', password_confirmation: 'secret')
       visit spree.login_path
 

data/spec/features/admin/orders_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin orders', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin orders', type: :feature do
   background do
     create(:store)
     sign_in_as! create(:admin_user)

data/spec/features/admin/password_reset_spec.rb

@@ -1,24 +1,37 @@
-RSpec.feature 'Admin - Reset Password', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin - Reset Password', type: :feature do
   let!(:store) { create(:store) }
 
   background do
     ActionMailer::Base.default_url_options[:host] = 'http://example.com'
   end
 
-  scenario 'allows a user to supply an email for the password reset' do
-    user = create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret')
-    visit spree.admin_login_path
-    click_link 'Forgot Password?'
-    fill_in 'Email', with: 'foobar@example.com'
-    click_button 'Reset my password'
-    expect(page).to have_text 'You will receive an email with instructions'
+  context 'when an account with this email address exists' do
+    let!(:user) { create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret') }
+
+    scenario 'allows a user to supply an email for the password reset' do
+      visit spree.admin_login_path
+      click_link 'Forgot Password?'
+      fill_in_email
+      click_button 'Reset my password'
+      expect(page).to have_text 'you will receive an email with instructions'
+    end
   end
 
-  scenario 'shows errors if no email is supplied' do
+  # Revealing that an admin email address is not found allows an attacker to
+  # find admin account email addresses by trying email addresses until this
+  # error is not shown.
+  scenario 'does not reveal email addresses if they are not found' do
     visit spree.admin_login_path
     click_link 'Forgot Password?'
+    fill_in_email
     click_button 'Reset my password'
-    expect(page).to have_text "Email can't be blank"
+    expect(page).to_not have_text "Email not found"
+    expect(page).to have_text 'you will receive an email with instructions'
+  end
+
+  def fill_in_email
+    fill_in 'Email', with: 'foobar@example.com'
   end
 end

data/spec/features/admin/products_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin products', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin products', type: :feature do
   context 'as anonymous user' do
     # Regression test for #1250
     scenario 'redirects to login page when attempting to access product listing' do

data/spec/features/admin/sign_in_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin - Sign In', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin - Sign In', type: :feature do
   background do
     @user = create(:user, email: 'email@person.com')
     visit spree.admin_login_path

data/spec/features/admin/sign_out_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin - Sign Out', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin - Sign Out', type: :feature, js: true do
   given!(:user) do
    create :user, email: 'email@person.com'
   end

data/spec/features/admin_permissions_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin Permissions', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin Permissions', type: :feature do
   context 'orders' do
     background do
       user = create(:admin_user, email: 'admin@person.com', password: 'password', password_confirmation: 'password')

data/spec/features/change_email_spec.rb

@@ -1,7 +1,8 @@
-RSpec.feature 'Change email', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Change email', type: :feature do
   background do
-    Spree::Auth::Config.set(signout_after_password_change: false)
+    stub_spree_preferences(Spree::Auth::Config, signout_after_password_change: false)
 
     user = create(:user)
     visit spree.root_path

data/spec/features/checkout_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.feature 'Checkout', :js, type: :feature do
   given!(:store) { create(:store) }
   given!(:country) { create(:country, name: 'United States', states_required: true) }
@@ -15,17 +17,17 @@ RSpec.feature 'Checkout', :js, type: :feature do
 
   background do
     @product = create(:product, name: 'RoR Mug')
-    @product.master.stock_items.first.update_column(:count_on_hand, 1)
+    @product.master.stock_items.first.set_count_on_hand(1)
 
     # Bypass gateway error on checkout | ..or stub a gateway
-    Spree::Config[:allow_checkout_on_gateway_error] = true
+    stub_spree_preferences(allow_checkout_on_gateway_error: true)
 
     visit spree.root_path
   end
 
   # Regression test for https://github.com/solidusio/solidus/issues/1588
   scenario 'leaving and returning to address step' do
-    Spree::Auth::Config.set(registration_step: true)
+    stub_spree_preferences(Spree::Auth::Config, registration_step: true)
     click_link 'RoR Mug'
     click_button 'Add To Cart'
     within('h1') { expect(page).to have_text 'Shopping Cart' }
@@ -61,9 +63,9 @@ RSpec.feature 'Checkout', :js, type: :feature do
       str_addr = 'bill_address'
       select 'United States', from: "order_#{str_addr}_attributes_country_id"
       %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+        fill_in "order_#{str_addr}_attributes_#{field}", with: address.send(field).to_s
       end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      select address.state.name.to_s, from: "order_#{str_addr}_attributes_state_id"
       check 'order_use_billing'
 
       click_button 'Save and Continue'
@@ -93,9 +95,9 @@ RSpec.feature 'Checkout', :js, type: :feature do
       str_addr = 'bill_address'
       select 'United States', from: "order_#{str_addr}_attributes_country_id"
       %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+        fill_in "order_#{str_addr}_attributes_#{field}", with: address.send(field).to_s
       end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      select address.state.name.to_s, from: "order_#{str_addr}_attributes_state_id"
       check 'order_use_billing'
 
       click_button 'Save and Continue'
@@ -109,7 +111,7 @@ RSpec.feature 'Checkout', :js, type: :feature do
 
     # Regression test for #890
     scenario 'associate an incomplete guest order with user after successful password reset' do
-      user = create(:user, email: 'email@person.com', password: 'password', password_confirmation: 'password')
+      create(:user, email: 'email@person.com', password: 'password', password_confirmation: 'password')
       click_link 'RoR Mug'
       click_button 'Add To Cart'
 
@@ -135,9 +137,9 @@ RSpec.feature 'Checkout', :js, type: :feature do
       str_addr = 'bill_address'
       select 'United States', from: "order_#{str_addr}_attributes_country_id"
       %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+        fill_in "order_#{str_addr}_attributes_#{field}", with: address.send(field).to_s
       end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      select address.state.name.to_s, from: "order_#{str_addr}_attributes_state_id"
       check 'order_use_billing'
 
       click_button 'Save and Continue'
@@ -164,9 +166,9 @@ RSpec.feature 'Checkout', :js, type: :feature do
       str_addr = 'bill_address'
       select 'United States', from: "order_#{str_addr}_attributes_country_id"
       %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+        fill_in "order_#{str_addr}_attributes_#{field}", with: address.send(field).to_s
       end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      select address.state.name.to_s, from: "order_#{str_addr}_attributes_state_id"
       check 'order_use_billing'
 
       click_button 'Save and Continue'
@@ -175,7 +177,7 @@ RSpec.feature 'Checkout', :js, type: :feature do
       click_button 'Place Order'
 
       expect(page).to have_text 'Your order has been processed successfully'
-      expect(Spree::Order.first.user).to eq Spree::User.find_by_email('email@person.com')
+      expect(Spree::Order.first.user).to eq Spree::User.find_by(email: 'email@person.com')
     end
   end
 end

data/spec/features/confirmation_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 feature 'Confirmation' do

data/spec/features/order_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Orders', :js, type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Orders', :js, type: :feature do
   scenario 'allow a user to view their cart at any time' do
     visit spree.cart_path
     expect(page).to have_text 'Your cart is empty'

data/spec/features/password_reset_spec.rb

@@ -1,24 +1,37 @@
-RSpec.feature 'Reset Password', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Reset Password', type: :feature do
   let!(:store) { create(:store) }
 
   background do
     ActionMailer::Base.default_url_options[:host] = 'http://example.com'
   end
 
-  scenario 'allow a user to supply an email for the password reset' do
-    user = create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret')
-    visit spree.login_path
-    click_link 'Forgot Password?'
-    fill_in 'Email', with: 'foobar@example.com'
-    click_button 'Reset my password'
-    expect(page).to have_text 'You will receive an email with instructions'
+  context 'when an account with this email address exists' do
+    let!(:user) { create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret') }
+
+    scenario 'allows a user to supply an email for the password reset' do
+      visit spree.login_path
+      click_link 'Forgot Password?'
+      fill_in_email
+      click_button 'Reset my password'
+      expect(page).to have_text 'you will receive an email with instructions'
+    end
   end
 
-  scenario 'shows errors if no email is supplied' do
+  # Test that we are extending the functionality from
+  # https://github.com/solidusio/solidus_auth_devise/pull/155
+  # to the non-admin login
+  scenario 'does not reveal email addresses if they are not found' do
     visit spree.login_path
     click_link 'Forgot Password?'
+    fill_in_email
     click_button 'Reset my password'
-    expect(page).to have_text "Email can't be blank"
+    expect(page).to_not have_text "Email not found"
+    expect(page).to have_text 'you will receive an email with instructions'
+  end
+
+  def fill_in_email
+    fill_in 'Email', with: 'foobar@example.com'
   end
 end

data/spec/features/sign_in_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Sign In', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Sign In', type: :feature do
   background do
     @user = create(:user, email: 'email@person.com', password: 'secret', password_confirmation: 'secret')
     visit spree.login_path