RubyGems - authkit - Versions diffs - 0.4.0 → 0.5.0 - Mend

authkit 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

data/lib/generators/authkit/templates/spec/controllers/auths_controller_spec.rb ADDED Viewed

@@ -0,0 +1,72 @@
+require 'rails_helper'
+describe AuthsController do
+  render_views
+  describe "GET 'connect'" do
+    it "returns http success" do
+      get :connect
+      expect(response).to be_success
+    end
+    it "requires login"
+  end
+  describe "POST 'callback'" do
+    it "returns http success" do
+      get :connect
+      expect(response).to be_success
+    end
+    it "validates the authenticity of the omniauth hash"
+    it "requires login when connecting"
+    it "does not require login when signing up or signing in"
+    it "requires an auth hash"
+    it "finds an existing auth"
+    describe "when connecting" do
+      it "does not log out the user"
+      it "redirects to the settings path if the user has already connected the auth"
+      it "does not connect the auth if it is already connected to another user"
+      it "creates a new auth and connects it to the user"
+      it "redirects to the account path"
+      it "adds a flash message if there is an error"
+    end
+    describe "when signing in or singning up" do
+      it "logs out any currently logged in user"
+      it "logs in the auth user if found"
+      # This is a pessimistic protection. We assume that if another user already has the
+      # same email address then it is likely that the user is about to create two accounts
+      # and force them to sign in to the original account to connect the accounts.
+      # You could automatically merge the two together, but if you do not require
+      # email confirmation this presents a case where a malicious user could sign up using
+      # an email address they do not control, then when the actual user connects their account
+      # the malicious user would have access via the email and password they setup.
+      it "fails if the email address associated with the account is already attached to another user"
+      it "creates a new user using the auth"
+      it "logs the user in when signing up"
+      it "redirects to the accounts path"
+      it "redirects to the signup path with errors"
+    end
+    describe "DELETE 'callback'" do
+      # If you do not require a completed login, it is possible for a user to disconnect
+      # their only means of authentication
+      it "requires a completed login"
+      it "finds the auth"
+      it "destroys the auth"
+      it "redirects to the account path"
+    end
+    describe "POST 'failure'" do
+      it "redirects to settings path if connecting"
+      it "redirects to signup path if signing up"
+      it "redirects to login path if logging in"
+      it "sets the flash error"
+    end
+  end
+end

data/lib/generators/authkit/templates/spec/controllers/email_confirmation_controller_spec.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'spec_helper'
+require 'rails_helper'
 describe EmailConfirmationController do
   render_views
@@ -8,27 +8,27 @@ describe EmailConfirmationController do
   describe "GET 'show'" do
     it "requires a login" do
-      controller.stub(:current_user).and_return(nil)
+      allow(controller).to receive(:current_user).and_return(nil)
       get 'show', token: token
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "requires a valid token" do
       user.confirmation_token = "OTHER TOKEN"
-      controller.stub(:current_user).and_return(user)
+      allow(controller).to receive(:current_user).and_return(user)
       get 'show', token: token
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "requires an unexpired token" do
       user.confirmation_token = token
       user.confirmation_token_created_at = 4.days.ago
-      controller.stub(:current_user).and_return(user)
+      allow(controller).to receive(:current_user).and_return(user)
       get 'show', token: token
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     describe "with a valid token" do
@@ -36,58 +36,56 @@ describe EmailConfirmationController do
         user.confirmation_email = "new@example.com"
         user.confirmation_token = token
         user.confirmation_token_created_at = Time.now
+        allow(controller).to receive(:current_user).and_return(user)
       end
       describe "when the confirmation is successful" do
         it "confirms the user email" do
-          controller.stub(:current_user).and_return(user)
-          user.should_receive(:email_confirmed).and_return(true)
+          expect(user).to receive(:email_confirmed).and_return(true)
           get 'show', token: token
         end
         it "does not sign the user in" do
-          controller.stub(:current_user).and_return(user)
-          controller.should_not_receive(:login)
+          expect(controller).to_not receive(:login)
           get 'show', token: token
         end
         it "sets the flash" do
-          controller.stub(:current_user).and_return(user)
           get 'show', token: token
-          flash[:notice].should_not be_nil
+          expect(flash[:notice]).to_not be_nil
         end
         it "redirects the user" do
-          controller.stub(:current_user).and_return(user)
           get 'show', token: token
-          response.should be_redirect
+          expect(response).to be_redirect
         end
         describe "from json" do
           it "returns http success" do
-            controller.stub(:current_user).and_return(user)
             get 'show', token: token, format: 'json'
-            response.should be_success
+            expect(response).to be_success
           end
         end
       end
       describe "when the confirmation is not successful" do
+        before(:each) do
+          allow(controller).to receive(:current_user).and_return(user)
+        end
         it "handles invalid confirmations" do
-          controller.stub(:current_user).and_return(user)
-          user.should_receive(:email_confirmed).and_return(false)
+          expect(user).to receive(:email_confirmed).and_return(false)
           get 'show', token: token
-          flash[:error].should_not be_empty
-          response.should be_redirect
+          expect(flash[:error]).to_not be_empty
+          expect(response).to be_redirect
         end
         describe "from json" do
           it "returns a 422" do
-            controller.stub(:current_user).and_return(user)
-            user.should_receive(:email_confirmed).and_return(false)
+            expect(user).to receive(:email_confirmed).and_return(false)
             get 'show', token: token, format: 'json'
-            response.code.should == '422'
+            expect(response.code).to eq('422')
           end
         end

data/lib/generators/authkit/templates/spec/controllers/password_change_controller_spec.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'spec_helper'
+require 'rails_helper'
 describe PasswordChangeController do
   render_views
@@ -10,15 +10,15 @@ describe PasswordChangeController do
   describe "GET 'show'" do
     it "requires no user" do
-      controller.stub(:email_user).and_return(user)
-      controller.should_receive(:logout)
+      allow(controller).to receive(:email_user).and_return(user)
+      expect(controller).to receive(:logout)
       get 'show', valid_params
     end
     it "requires an email user" do
       user.save
       get 'show', valid_params
-      assigns(:user).id.should == user.id
+      expect(assigns(:user).id).to eq(user.id)
     end
     it "redirects if there is no email user" do
@@ -29,39 +29,39 @@ describe PasswordChangeController do
     end
     it "requires a valid token" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       user.reset_password_token = "OTHER TOKEN"
       get 'show', valid_params
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "requires an unexpired token" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       user.reset_password_token_created_at = 1.year.ago
       get 'show', valid_params
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "returns http success" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       get 'show', valid_params
-      response.should be_success
+      expect(response).to be_success
     end
   end
   describe "POST 'create'" do
     it "requires no user" do
-      controller.stub(:email_user).and_return(user)
-      controller.should_receive(:logout)
+      allow(controller).to receive(:email_user).and_return(user)
+      expect(controller).to receive(:logout)
       get 'show', valid_params
     end
     it "requires an email user" do
       user.save
       post 'create', password_params
-      assigns(:user).id.should == user.id
+      expect(assigns(:user).id).to eq(user.id)
     end
     it "redirects if there is no email user" do
@@ -72,16 +72,16 @@ describe PasswordChangeController do
     end
     it "requires a valid token" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       user.reset_password_token = "OTHER TOKEN"
       post 'create', password_params
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     describe "with valid params" do
       before(:each) do
-        controller.stub(:email_user).and_return(user)
+        allow(controller).to receive(:email_user).and_return(user)
       end
       it "changes the password" do
@@ -89,57 +89,57 @@ describe PasswordChangeController do
           post 'create', password_params
         }.to change(user, :password_digest)
-        user.should be_valid
+        expect(user).to be_valid
       end
       it "does not sign the user in" do
-        controller.should_not_receive(:login)
+        expect(controller).to_not receive(:login)
         post 'create', password_params
       end
       it "redirects the user" do
         post 'create', password_params
-        response.should be_redirect
+        expect(response).to be_redirect
       end
       it "sets the flash" do
         post 'create', password_params
-        flash[:notice].should =~ /successfully/i
+        expect(flash[:notice]).to match(/successfully/i)
       end
       describe "from json" do
         it "returns http success" do
           post 'create', password_params.merge(format: 'json')
-          response.should be_success
+          expect(response).to be_success
         end
       end
     end
     describe "with invalid params" do
       before(:each) do
-        controller.stub(:email_user).and_return(user)
+        allow(controller).to receive(:email_user).and_return(user)
       end
       it "doesn't sign the user in" do
-        controller.should_not_receive(:login)
+        expect(controller).to_not receive(:login)
         post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid'}
       end
       it "renders the show template" do
         post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid'}
-        response.should render_template(:show)
+        expect(response).to render_template(:show)
       end
       it "has errors" do
         post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid'}
-        user.should have(2).errors_on(:password_confirmation)
+        expect(user.errors[:password_confirmation].size).to eq(1)
       end
       describe "from json" do
         it "returns an error" do
           post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid', format: 'json'}
-          response.code.should == '422'
-          response.body.should =~ /doesn't match/i
+          expect(response.code).to eq('422')
+          expect(response.body).to match(/doesn't match/i)
         end
       end
     end

data/lib/generators/authkit/templates/spec/controllers/password_reset_controller_spec.rb CHANGED Viewed

@@ -1,14 +1,14 @@
-require 'spec_helper'
+require 'rails_helper'
 describe PasswordResetController do
   render_views
-  let(:user) { create(:user, email: "test@example.com") }
+  let(:user) { create(:user) }
   describe "GET 'show'" do
     it "returns http success" do
       get 'show'
-      response.should be_success
+      expect(response).to be_success
     end
   end
@@ -18,39 +18,39 @@ describe PasswordResetController do
     end
     it "redirects the user" do
-      post :create, {email: "test@example.com"}
-      response.should be_redirect
+      post :create, {email: user.email}
+      expect(response).to be_redirect
     end
     it "finds the user by the email or user name" do
-      post :create, {email: "test@example.com"}
-      controller.send(:user).should == user
+      post :create, {email: user.email}
+      expect(controller.send(:user)).to eq(user)
     end
     it "logs any current user out if it finds the user" do
-      controller.should_receive(:logout)
-      post :create, {email: "test@example.com"}
+      expect(controller).to receive(:logout)
+      post :create, {email: user.email}
     end
     it "resets the password if it finds the user" do
-      User.any_instance.should_receive(:send_reset_password).and_return(true)
-      post :create, {email: "test@example.com"}
+      expect_any_instance_of(User).to receive(:send_reset_password).and_return(true)
+      post :create, {email: user.email}
     end
     it "does not reset the password if it does not find a user" do
-      User.any_instance.should_not_receive(:send_reset_password)
+      expect_any_instance_of(User).to_not receive(:send_reset_password)
       post :create, {email: "unknown@example.com"}
     end
     it "downcases the email or user name" do
-      User.any_instance.should_receive(:send_reset_password).and_return(true)
-      post :create, {email: "TEST@EXAMPLE.COM"}
+      expect_any_instance_of(User).to receive(:send_reset_password).and_return(true)
+      post :create, {email: user.email.upcase}
     end
     describe "from json" do
       it "returns http success" do
-        post :create, {email: "test@example.com", format: "json"}
-        response.should be_success
+        post :create, {email: user.email, format: "json"}
+        expect(response).to be_success
       end
     end
@@ -58,24 +58,24 @@ describe PasswordResetController do
       describe "from html" do
         it "sets the flash message" do
           post :create, {email: "unknown@example.com"}
-          flash.now[:error].should_not be_empty
+          expect(flash.now[:error]).to_not be_empty
         end
         it "renders the show page" do
           post :create, {email: "unknown@example.com"}
-          response.should render_template(:show)
+          expect(response).to render_template(:show)
         end
       end
       describe "from json" do
         it "returns an error" do
           post :create, {email: "unknown@example.com", format: "json"}
-          response.body.should =~ /invalid user name or email/i
+          expect(response.body).to match(/invalid user name or email/i)
         end
         it "returns forbidden status" do
           post :create, {email: "unknown@example.com", format: "json"}
-          response.code.should == '422'
+          expect(response.code).to eq('422')
         end
       end
     end