authenticate 0.2.3 → 0.3.0

data/spec/controllers/secured_controller_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+require 'support/controllers/controller_helpers'
+
+# Matcher that asserts user was denied access.
+RSpec::Matchers.define :deny_access do
+  match do |controller|
+    redirects_to_sign_in?(controller) && sets_flash?(controller)
+  end
+  def redirects_to_sign_in? controller
+    expect(controller).to redirect_to(controller.sign_in_url)
+  end
+  def sets_flash? controller
+    controller.flash[:notice].match /sign in to continue/
+  end
+end
+
+
+class SecuredAppsController < ActionController::Base
+  include Authenticate::Controller
+
+  before_action :require_authentication, only: :show
+
+  def new
+    head :ok
+  end
+
+  def show
+    head :ok
+  end
+end
+
+
+describe SecuredAppsController, type: :controller do
+  before do
+    Rails.application.routes.draw do
+      resource :secured_app, only: [:new, :show]
+      get '/sign_in' => 'authenticate/sessions#new', as: 'sign_in'
+    end
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  context 'with authenticated user' do
+    before { sign_in }
+
+    it 'allows access to new' do
+      get :new
+      expect(subject).to_not deny_access
+    end
+
+    it 'allows access to show' do
+      get :show
+      expect(subject).to_not deny_access
+    end
+  end
+
+  context 'with an unauthenticated visitor' do
+    it 'allows access to new' do
+      get :new
+      expect(subject).to_not deny_access
+    end
+
+    it 'denies access to show' do
+      get :show
+      expect(subject).to deny_access
+    end
+  end
+end

data/spec/controllers/sessions_controller_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+require 'support/controllers/controller_helpers'
+
+describe Authenticate::SessionsController, type: :controller do
+  it { is_expected.to be_a Authenticate::Controller }
+
+  describe 'get to #new' do
+    context 'when user not signed in' do
+      before do
+        get :new
+      end
+      it { is_expected.to respond_with 200 }
+      it { is_expected.to render_template :new }
+      it { is_expected.not_to set_flash }
+    end
+
+    context 'when user is signed in' do
+      before do
+        sign_in
+        get :new
+      end
+
+      it { is_expected.not_to set_flash }
+      it { is_expected.to redirect_to(Authenticate.configuration.redirect_url) }
+    end
+  end
+
+  describe 'post to #create' do
+    context 'without password' do
+      it 'renders page with error' do
+        user = create(:user)
+        post :create, session: { email: user.email }
+        expect(response).to render_template :new
+        expect(flash[:notice]).to match(/Invalid id or password/)
+      end
+    end
+    context 'with good password' do
+      before do
+        @user = create(:user)
+        post :create, session:{ email: @user.email, password: @user.password }
+      end
+      it { is_expected.to respond_with 302 }
+
+      it { is_expected.to redirect_to Authenticate.configuration.redirect_url }
+
+      it 'sets user session token' do
+        @user.reload
+        expect(@user.session_token).to_not be_nil
+      end
+
+      it 'sets user session' do
+        expect(controller.current_user).to eq(@user)
+      end
+    end
+  end
+
+  describe 'delete to #destroy' do
+    context 'with a signed out user' do
+      before do
+        sign_out
+        get :destroy
+      end
+
+      it { is_expected.to redirect_to sign_in_url }
+    end
+    context 'with a session cookie' do
+      before do
+        @user = create(:user, session_token: 'old-session-token')
+        @request.cookies['authenticate_session_token'] = 'old-session-token'
+        get :destroy
+      end
+
+      it { is_expected.to redirect_to sign_in_url }
+
+      it 'reset the session token' do
+        @user.reload
+        expect(@user.session_token).to_not eq('old-session-token')
+      end
+
+      it 'unset the current user' do
+        expect(controller.current_user).to be_nil
+      end
+    end
+  end
+
+end

data/spec/controllers/users_controller_spec.rb

@@ -0,0 +1,82 @@
+require 'spec_helper'
+require 'support/controllers/controller_helpers'
+
+describe Authenticate::UsersController, type: :controller do
+  it { is_expected.to be_a Authenticate::Controller }
+
+  describe 'get to #new' do
+    context 'not signed in' do
+      it 'renders form' do
+        get :new
+        expect(response).to be_success
+        expect(response).to render_template(:new)
+      end
+      it 'defaults email field to the value provided in the query string' do
+        get :new, user: { email: 'dude@example.com' }
+        expect(assigns(:user).email).to eq 'dude@example.com'
+        expect(response).to be_success
+        expect(response).to render_template(:new)
+      end
+    end
+    context 'signed in' do
+      it 'redirects user to the redirect_url' do
+        sign_in
+        get :new
+        expect(response).to redirect_to Authenticate.configuration.redirect_url
+      end
+    end
+  end
+  describe 'post to #create' do
+    context 'not signed in' do
+      context 'with valid attributes' do
+        let(:user_attributes) { attributes_for(:user) }
+        subject { post :create, user: user_attributes }
+
+        it 'creates user' do
+          expect{ subject }.to change{ User.count }.by(1)
+        end
+
+        it 'assigned user' do
+          subject
+          expect(assigns(:user)).to be_present
+        end
+
+        it 'redirects to the redirect_url' do
+          subject
+          expect(response).to redirect_to Authenticate.configuration.redirect_url
+        end
+      end
+
+      context 'with valid attributes and a session return cookie' do
+        before do
+          @request.cookies[:authenticate_return_to] = '/url_in_the_session'
+        end
+        let(:user_attributes) { attributes_for(:user) }
+        subject { post :create, user: user_attributes }
+
+        it 'creates user' do
+          expect{ subject }.to change{ User.count }.by(1)
+        end
+
+        it 'assigned user' do
+          subject
+          expect(assigns(:user)).to be_present
+        end
+
+        it 'redirects to the redirect_url' do
+          subject
+          expect(response).to redirect_to '/url_in_the_session'
+        end
+      end
+
+    end
+    context 'signed in' do
+      it 'redirects to redirect_url' do
+        sign_in
+        post :create, user: {}
+        expect(response).to redirect_to Authenticate.configuration.redirect_url
+      end
+    end
+  end
+
+end

data/spec/dummy/app/controllers/application_controller.rb

@@ -1,5 +1,7 @@
 class ApplicationController < ActionController::Base
   include Authenticate::Controller
+  before_action :require_authentication
+
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception

data/spec/dummy/app/controllers/welcome_controller.rb

@@ -0,0 +1,4 @@
+class WelcomeController < ApplicationController
+  def index
+  end
+end

data/spec/dummy/app/views/layouts/application.html.erb

@@ -8,6 +8,20 @@
 </head>
 <body>
 
+<div id="header">
+  <% if authenticated? -%>
+      <%= link_to t(".sign_out"), sign_out_path %>
+  <% else -%>
+      <%= link_to t(".sign_in"), sign_in_path %>
+  <% end -%>
+</div>
+
+<div id="flash">
+  <% flash.each do |key, value| -%>
+      <div id="flash_<%= key %>"><%=h value %></div>
+  <% end %>
+</div>
+
 <%= yield %>
 
 </body>

data/spec/dummy/app/views/welcome/index.html.erb

@@ -0,0 +1,4 @@
+<h1>Welcome#index</h1>
+<p>Find me in app/views/welcome/index.html.erb</p>
+
+<%= link_to "Sign out", sign_out_path %>

data/spec/dummy/config/application.rb

@@ -21,6 +21,8 @@ module Dummy
 
     # Do not swallow errors in after_commit/after_rollback callbacks.
     config.active_record.raise_in_transactional_callbacks = true
+
   end
 end
 
+Rails.application.routes.default_url_options[:host] = 'localhost:3000'

data/spec/dummy/config/environments/production.rb

@@ -64,6 +64,17 @@ Rails.application.configure do
   # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   # config.action_mailer.raise_delivery_errors = false
 
+
+
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+
+
+
   # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
   # the I18n.default_locale when a translation cannot be found).
   config.i18n.fallbacks = true
@@ -77,3 +88,4 @@ Rails.application.configure do
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
 end
+

data/spec/dummy/config/initializers/authenticate.rb

@@ -1,15 +1,8 @@
 Authenticate.configure do |config|
-  # config.user_model = 'User'
-  # config.cookie_name = 'authenticate_session_token'
-  # config.cookie_expiration = { 1.month.from_now.utc }
-  # config.cookie_domain = nil
-  # config.cookie_path = '/'
-  # config.secure_cookie = false # set to true in production https environments
-  # config.http_only = false # set to true if you can
   config.timeout_in = 45.minutes
-  config.max_session_lifetime = 5.minutes
-  config.max_consecutive_bad_logins_allowed = 1
-  config.bad_login_lockout_period = 2.minutes
+  config.max_session_lifetime = 20.minutes
+  config.max_consecutive_bad_logins_allowed = 2
+  config.bad_login_lockout_period = 10.minutes
   config.reset_password_within = 5.minutes
-  # config.authentication_strategy = :email
+  config.password_length = 8..128
 end

data/spec/dummy/config/routes.rb

@@ -1,4 +1,7 @@
 Rails.application.routes.draw do
+  resources :welcome, only: [:index]
+  root 'welcome#index'
+
   # The priority is based upon order of creation: first created -> highest priority.
   # See how all your routes lay out with "rake routes".
 

data/spec/factories/users.rb

@@ -1,5 +1,3 @@
-require 'authenticate/user'
-
 FactoryGirl.define do
   sequence :email do |n|
     "user#{n}@example.com"
@@ -7,7 +5,6 @@ FactoryGirl.define do
 
   factory :user do
     email
-    # encrypted_password 'password'
     password 'password'
 
     trait :without_email do
@@ -23,8 +20,9 @@ FactoryGirl.define do
       session_token 'this_is_a_big_fake_long_token'
     end
 
-    trait :with_forgotten_password do
+    trait :with_password_reset_token_and_timestamp do
       password_reset_token Authenticate::Token.new
+      password_reset_sent_at 10.seconds.ago
     end
   end
 end

data/spec/features/brute_force_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+require 'support/features/feature_helpers'
+
+feature 'visitor has consecutive bad logins' do
+  before do
+    # puts Authenticate.configuration.max_consecutive_bad_logins_allowed.inspect
+    # puts Authenticate.configuration.bad_login_lockout_period.inspect
+    @user = create(:user)
+  end
+
+  scenario 'less than max bad logins does not lock account' do
+    sign_in_with @user.email, 'badpassword'
+    sign_in_with @user.email, 'badpassword'
+    sign_in_with @user.email, @user.password
+
+    expect_user_to_be_signed_in
+  end
+
+  scenario 'exceeds max bad logins and locks account' do
+    sign_in_with @user.email, 'badpassword'
+    sign_in_with @user.email, 'badpassword'
+    sign_in_with @user.email, 'badpassword'
+
+    expect_locked_account
+    expect_lockout_time_to_be_displayed
+    expect_user_to_be_signed_out
+  end
+
+  scenario 'user locks account, waits for lock to expire, logs in successfully' do
+    sign_in_with @user.email, 'badpassword'
+    sign_in_with @user.email, 'badpassword'
+    sign_in_with @user.email, 'badpassword'
+
+    Timecop.travel 50.minutes do
+      sign_in_with @user.email, @user.password
+      expect_user_to_be_signed_in
+    end
+  end
+
+end
+
+
+def expect_locked_account
+  expect(page).to have_content 'Your account is locked'
+end
+
+def expect_lockout_time_to_be_displayed
+  expect(page).to have_content '10 minutes'
+end

data/spec/features/max_session_lifetime_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+require 'support/features/feature_helpers'
+
+feature 'visitor has consecutive bad logins' do
+  before(:each) do
+    @user = create(:user)
+  end
+
+  scenario 'visitor logs in and subsequent click within lifetime' do
+    sign_in_with @user.email, @user.password
+    expect_user_to_be_signed_in
+
+    Timecop.travel 10.minutes do
+      visit root_path
+      expect_user_to_be_signed_in
+    end
+  end
+
+  scenario 'visitor logs in and lets session live too long' do
+    sign_in_with @user.email, @user.password
+    expect_user_to_be_signed_in
+
+    Timecop.travel 21.minutes do
+      visit root_path
+      expect(current_path).to eq sign_in_path
+      expect_user_to_be_signed_out
+    end
+  end
+
+end