Check validity of email contents for password reset requests tests

fvanderpost · fvanderpost · commit b31c2eb63a2d · 2025-11-11T10:01:12.000+01:00
diff --git a/packages/hidp/tests/unit_tests/test_api/test_passwords.py b/packages/hidp/tests/unit_tests/test_api/test_passwords.py
@@ -24,6 +24,7 @@ def test_password_reset_request_valid_email(self):
         Verify behaviour when a valid email is provided.
 
         - A password reset mail is sent
+        - The correct password reset mail is sent with the correct URL
         - The response status code is 204 No Content
         - The response is empty
         """
@@ -37,9 +38,19 @@ def test_password_reset_request_valid_email(self):
                 },
             )
 
-            self.assertEqual(response.status_code, HTTPStatus.NO_CONTENT)
             self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual("Reset your password", mail.outbox[0].subject)
+            email = mail.outbox[0]
+            self.assertEqual("Reset your password", email.subject)
+            self.assertEqual(email.to, [user.email])
+            uidb64 = urlsafe_base64_encode(force_bytes(user.pk))
+            self.assertRegex(
+                email.body,
+                # Matches the password reset URL:
+                # password_reset_url/MDE5MTkyY2UtODE0Yy03NjNlLTlhMGUtMmM1ODk3MGNkYTFj/cced4c-9a0766ea185039a6d293ff660c04007e/
+                r"password_reset_url/{uidb64}/[0-9a-z]+-[0-9a-f]+/".format(uidb64=uidb64),
+            )
+
+            self.assertEqual(response.status_code, HTTPStatus.NO_CONTENT)
             self.assertIsNone(response.data)
 
         mail.outbox = []
@@ -54,9 +65,13 @@ def test_password_reset_request_valid_email(self):
                 },
             )
 
-            self.assertEqual(response.status_code, HTTPStatus.NO_CONTENT)
             self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual("Set a password", mail.outbox[0].subject)
+            email = mail.outbox[0]
+            self.assertEqual("Set a password", email.subject)
+            self.assertEqual(email.to, [user.email])
+            self.assertIn("set_password_url/", email.body)
+
+            self.assertEqual(response.status_code, HTTPStatus.NO_CONTENT)
             self.assertIsNone(response.data)
 
     def test_password_reset_request_invalid_email(self):
@@ -149,6 +164,7 @@ def test_password_reset_confirmation_valid(self):
         Verify behaviour when a valid token, password and user ID are provided.
 
         - The user's password is updated
+        - A changed password email is sent
         - The session hash of the initiating session has been updated
         - Other sessions are no longer valid and contain the old session hash
         - The response status code is 204 No Content
@@ -176,6 +192,12 @@ def test_password_reset_confirmation_valid(self):
         self.verified_user.refresh_from_db()
         self.assertTrue(self.verified_user.check_password(new_password))
 
+        self.assertEqual(len(mail.outbox), 1)
+        email = mail.outbox[0]
+        self.assertEqual("Your password has been changed", email.subject)
+        self.assertEqual(email.to, [self.verified_user.email])
+        self.assertIn("password_changed_url/", email.body)
+
         # Session that initiated the password change no longer has the old session hash
         self.assertNotEqual(
             self.client.session.get("_auth_user_hash"), pre_password_change_session_hash
