authenticate 0.5.0 → 0.6.0

data/spec/controllers/secured_controller_spec.rb

@@ -46,24 +46,24 @@ describe SecuredAppsController, type: :controller do
     before { sign_in }
 
     it 'allows access to new' do
-      get :new
+      do_get :new
       expect(subject).to_not deny_access
     end
 
     it 'allows access to show' do
-      get :show
+      do_get :show
       expect(subject).to_not deny_access
     end
   end
 
   context 'with an unauthenticated visitor' do
     it 'allows access to new' do
-      get :new
+      do_get :new
       expect(subject).to_not deny_access
     end
 
     it 'denies access to show' do
-      get :show
+      do_get :show
       expect(subject).to deny_access
     end
   end

data/spec/dummy/config/application.rb

@@ -20,7 +20,7 @@ module Dummy
     # config.i18n.default_locale = :de
 
     # Do not swallow errors in after_commit/after_rollback callbacks.
-    config.active_record.raise_in_transactional_callbacks = true
+    # config.active_record.raise_in_transactional_callbacks = true
 
   end
 end

data/spec/dummy/config/environments/test.rb

@@ -13,8 +13,8 @@ Rails.application.configure do
   config.eager_load = false
 
   # Configure static file server for tests with Cache-Control for performance.
-  config.serve_static_files   = true
-  config.static_cache_control = 'public, max-age=3600'
+  # config.serve_static_files   = true
+  # config.static_cache_control = 'public, max-age=3600'
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true
@@ -30,6 +30,7 @@ Rails.application.configure do
   # The :test delivery method accumulates sent emails in the
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
+  config.action_mailer.perform_deliveries = true
 
   # Randomize the order test cases are executed.
   config.active_support.test_order = :random

data/spec/features/create_user_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+require 'support/features/feature_helpers'
+
+feature 'create a user with valid attributes' do
+
+  # this doesn't belong as a feature test but it will catch regressions.
+  # consider moving to a request spec or... something.
+  scenario 'increases number of users' do
+    expect { create_user_with_valid_params }.to change { User.count }.by(1)
+  end
+
+  scenario 'signs in the user after creation' do
+    create_user_with_valid_params
+    expect_user_to_be_signed_in
+  end
+
+  scenario 'redirects to redirect_url' do
+    create_user_with_valid_params
+    expect_path_is_redirect_url
+  end
+end
+
+feature 'visit a protected url, then create user' do
+  scenario 'redirects to the protected url after user is created' do
+    visit '/welcome'
+    create_user_with_valid_params
+    expect(current_path).to eq '/welcome'
+  end
+end
+
+feature 'create user after signed in' do
+  scenario 'cannot get to new user page' do
+    user = create(:user, email: 'test.user@example.com')
+    sign_in_with user.email, user.password
+    visit new_users_path
+    expect_path_is_redirect_url
+  end
+end
+
+def create_user_with_valid_params(user_attrs = attributes_for(:user))
+  visit new_users_path
+  fill_in 'user_email', with: user_attrs[:email]
+  fill_in 'user_password', with: user_attrs[:password]
+  click_button 'Sign up'
+end

data/spec/features/new_user_form_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+require 'support/features/feature_helpers'
+
+feature 'visitor at new user form, not signed in' do
+  scenario 'visit with no arguments' do
+    visit new_users_path
+    expect(page).to have_current_path new_users_path
+    within 'h2' do
+      expect(page).to have_content /Sign up/i
+    end
+  end
+
+  scenario 'defaults email to value provided in query string' do
+    visit new_users_path(user: { email: 'dude@example.com' })
+    expect(page).to have_selector 'input[value="dude@example.com"]'
+  end
+end
+
+feature 'visitor at new user form, already signed in' do
+  scenario 'redirects user to redirect_url' do
+    user = create(:user, email: 'test.user@example.com')
+    sign_in_with 'Test.USER@example.com', user.password
+    visit new_users_path
+    expect_path_is_redirect_url
+  end
+end

data/spec/features/password_reset_spec.rb

@@ -10,6 +10,7 @@ feature 'visitor requests password reset' do
     visit sign_in_path
     click_link 'Forgot Password'
     expect(current_path).to eq new_password_path
+    expect(page).to have_content I18n.t("passwords.new.description")
   end
 
   scenario 'uses valid email' do
@@ -21,11 +22,12 @@ feature 'visitor requests password reset' do
     expect_password_reset_email_for user
   end
 
-  scenario 'with a non-user-account email' do
+  scenario 'with an unknown email' do
     request_password_reset_for 'fake.email@example.com'
 
     expect_password_change_request_success_message
     expect_mailer_to_have_no_deliveries
+    expect(current_path).to eq sign_in_path
   end
 
   scenario 'with invalid email' do

data/spec/features/password_update_spec.rb

@@ -1,39 +1,111 @@
 require 'spec_helper'
 require 'support/features/feature_helpers'
 
+
+feature 'visit password edit screen' do
+  scenario 'with valid token in url, redirects to the edit page with the token removed from the url' do
+    user = create(:user, :with_password_reset_token_and_timestamp)
+    visit_password_reset_page_for(user)
+    expect(current_path).to  eq edit_users_password_path(user)
+    expect(current_path).to_not have_content('token')
+  end
+
+  scenario 'with an invalid token in url, failure and prompt to request a password reset' do
+    user = create(:user, :with_password_reset_token_and_timestamp)
+    visit_password_reset_page_for(user, 'this is an invalid token')
+    expect_forbidden_failure
+  end
+
+  scenario 'with a valid token, but an expired timestamp' do
+    user = create(:user, :with_password_reset_token_and_timestamp, password_reset_sent_at: 20.years.ago)
+    visit_password_reset_page_for(user)
+    expect_token_expired_failure
+  end
+
+  scenario 'with a nil token' do
+    user = create(:user)
+    visit_password_reset_page_for(user, token: nil)
+    expect_forbidden_failure
+  end
+end
+
+
 feature 'visitor updates password' do
   before(:each) do
     @user = create(:user, :with_password_reset_token_and_timestamp)
   end
 
-  scenario 'with a valid password' do
+  scenario 'with valid password, signs in user' do
     update_password @user, 'newpassword'
-
     expect_user_to_be_signed_in
   end
 
-  scenario 'with a blank password' do
-    update_password @user, ''
-
-    expect(page).to have_content I18n.t('flashes.failure_after_update')
-    expect_user_to_be_signed_out
+  scenario 'with a valid password, password is updated' do
+    old_pw = @user.encrypted_password
+    update_password @user, 'newpassword'
+    expect_password_was_updated(old_pw)
   end
 
-  scenario 'signs in with new password' do
+  scenario 'password change signs in user' do
     update_password @user, 'newpassword'
-
     sign_out
     sign_in_with @user.email, 'newpassword'
     expect_user_to_be_signed_in
   end
+
+  scenario 'signs in, redirects user' do
+    update_password @user, 'newpassword'
+    expect_path_is_redirect_url
+  end
+end
+
+feature 'visitor updates password with invalid password' do
+  before(:each) do
+    @user = create(:user, :with_password_reset_token_and_timestamp)
+  end
+
+  scenario 'with a blank password, signs out user' do
+    update_password @user, ''
+    expect_invalid_password
+    expect_user_to_be_signed_out
+  end
+
+  scenario 'with a short password, flashes invalid password' do
+    update_password @user, 'short'
+    expect_invalid_password
+    expect_user_to_be_signed_out
+  end
 end
 
+
 def update_password(user, password)
   visit_password_reset_page_for user
   fill_in 'password_reset_password', with: password
   click_button 'Save this password'
 end
 
-def visit_password_reset_page_for(user)
-  visit edit_users_password_path(id: user, token: user.password_reset_token)
+def visit_password_reset_page_for(user, token = user.password_reset_token)
+  visit edit_users_password_path(id: user, token: token)
+end
+
+def expect_invalid_password
+  expect(page).to have_content I18n.t('flashes.failure_after_update')
+end
+
+def expect_forbidden_failure
+  expect(page).to have_content I18n.t('passwords.new.description')
+  expect(page).to have_content I18n.t('flashes.failure_when_forbidden')
+end
+
+def expect_token_expired_failure
+  expect(page).to have_content 'Sign in'
+  expect(page).to have_content I18n.t('flashes.failure_token_expired')
+end
+
+# def expect_path_is_redirect_url
+#   expect(current_path).to eq(Authenticate.configuration.redirect_url)
+# end
+
+def expect_password_was_updated(old_password)
+  expect(@user.reload.encrypted_password).not_to eq old_password
 end

data/spec/features/sign_in_spec.rb

@@ -27,3 +27,22 @@ feature 'visitor signs in' do
     expect_user_to_be_signed_out
   end
 end
+
+feature 'visitor goes to sign in page' do
+  scenario 'signed out user is not redirected' do
+    visit sign_in_path
+    expect_sign_in_path
+  end
+
+  scenario 'signed in user is redirected' do
+    user = create(:user)
+    sign_in_with user.email, user.password
+    visit sign_in_path
+    expect_path_is_redirect_url
+    expect_user_to_be_signed_in
+  end
+end
+
+def expect_sign_in_path
+  expect(current_path).to eq sign_in_path
+end

data/spec/features/sign_out_spec.rb

@@ -12,10 +12,21 @@ feature 'visitor signs out' do
     expect_user_to_be_signed_out
   end
 
-  scenario 'sign out and sign out again' do
+  scenario 'sign out again' do
     sign_in_with(@user.email, @user.password)
     visit sign_out_path
     visit sign_out_path
     expect_user_to_be_signed_out
   end
+
+  scenario 'redirects to sign in' do
+    sign_in_with(@user.email, @user.password)
+    visit sign_out_path
+    expect_sign_in_path
+  end
+end
+
+
+def expect_sign_in_path
+  expect(current_path).to eq sign_in_path
 end

data/spec/model/password_reset_spec.rb

@@ -40,7 +40,7 @@ describe Authenticate::Model::PasswordReset do
   context '#update_password' do
     subject { create(:user) }
 
-    context 'within time time' do
+    context 'within time limit' do
       before(:each) { subject.password_reset_sent_at = 1.minutes.ago }
 
       it 'allows password update within time limit' do
@@ -57,19 +57,21 @@ describe Authenticate::Model::PasswordReset do
         subject.update_password 'password2'
         expect(subject.session_token).to_not eq(token)
       end
-
-      it 'prevents update if token is nil'
     end
 
-    it 'stops password update after time limit' do
-      subject.password_reset_sent_at = 6.minutes.ago
-      expect(subject.update_password('password2')).to be_falsey
+    context 'after time limit' do
+      it 'stops password update' do
+        subject.password_reset_sent_at = 6.minutes.ago
+        expect(subject.update_password('password2')).to be_falsey
+      end
     end
 
-    it 'stops password update if password_reset_token set but password_reset_sent_at isnt' do
-      subject.password_reset_sent_at = nil
-      subject.password_reset_token = 'notNilResetToken'
-      expect(subject.update_password('password2')).to be_falsey
+    context 'password_reset_sent_at is nil' do
+      it 'stops password update' do
+        subject.password_reset_sent_at = nil
+        subject.password_reset_token = 'notNilResetToken'
+        expect(subject.update_password('password2')).to be_falsey
+      end
     end
   end
 end

data/spec/requests/csrf_rotation_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'CSRF rotation' do
+  around do |example|
+    ActionController::Base.allow_forgery_protection = true
+    example.run
+    ActionController::Base.allow_forgery_protection = false
+  end
+
+  context 'Authenticate configuration is set to rotate CSRF token on sign in' do
+    describe 'sign in' do
+      before do
+        @user = create(:user, password: 'password')
+      end
+      it 'rotates the CSRF token' do
+        Authenticate.configure { |config| config.rotate_csrf_on_sign_in = true }
+
+        # go to sign in screen, generating csrf
+        get sign_in_path
+        original_token = csrf_token
+
+        # post a login
+        do_post session_path, params: { **session_params }
+
+        # expect that we now have a new csrf token
+        expect(csrf_token).not_to eq original_token
+        expect(csrf_token).to be_present
+      end
+    end
+  end
+
+  def csrf_token
+    session[:_csrf_token]
+  end
+
+  def session_params
+    { session: { email: @user.email, password: @user.password }, authenticity_token: csrf_token  }
+  end
+end

data/spec/requests/session_key_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'session key assignment' do
+  context 'user signs in' do
+    before do
+      @user = create(:user)
+      do_post session_path, params: { session: { email: @user.email, password: @user.password } }
+    end
+
+    it 'sets user session token' do
+      @user.reload
+      expect(@user.session_token).to_not be_nil
+    end
+
+    it 'sets session token in cookie' do
+      expect(cookies['authenticate_session_token']).to_not be_nil
+    end
+
+    it 'sets current_user' do
+      expect(controller.current_user).to eq(@user)
+    end
+
+    context 'user signs out' do
+      it 'rotates user session token' do
+        old_session = @user.session_token
+        do_get sign_out_path
+        @user.reload
+        expect(@user.session_token).to_not eq old_session
+      end
+
+      it 'removes session cookie' do
+        do_get sign_out_path
+        expect(cookies['authenticate_session_token']).to eq ''
+      end
+
+      it 'sets current_user to nil' do
+        do_get sign_out_path
+        expect(controller.current_user).to be_nil
+      end
+    end
+  end
+end