RubyGems - authkit - Versions diffs - 0.4.0 → 0.5.0 - Mend

authkit 0.4.0 → 0.5.0

Files changed (51) hide show

data/lib/generators/authkit/templates/spec/controllers/auths_controller_spec.rb ADDED Viewed

@@ -0,0 +1,72 @@
+require 'rails_helper'
+describe AuthsController do
+  render_views
+  describe "GET 'connect'" do
+    it "returns http success" do
+      get :connect
+      expect(response).to be_success
+    end
+    it "requires login"
+  end
+  describe "POST 'callback'" do
+    it "returns http success" do
+      get :connect
+      expect(response).to be_success
+    end
+    it "validates the authenticity of the omniauth hash"
+    it "requires login when connecting"
+    it "does not require login when signing up or signing in"
+    it "requires an auth hash"
+    it "finds an existing auth"
+    describe "when connecting" do
+      it "does not log out the user"
+      it "redirects to the settings path if the user has already connected the auth"
+      it "does not connect the auth if it is already connected to another user"
+      it "creates a new auth and connects it to the user"
+      it "redirects to the account path"
+      it "adds a flash message if there is an error"
+    end
+    describe "when signing in or singning up" do
+      it "logs out any currently logged in user"
+      it "logs in the auth user if found"
+      # This is a pessimistic protection. We assume that if another user already has the
+      # same email address then it is likely that the user is about to create two accounts
+      # and force them to sign in to the original account to connect the accounts.
+      # You could automatically merge the two together, but if you do not require
+      # email confirmation this presents a case where a malicious user could sign up using
+      # an email address they do not control, then when the actual user connects their account
+      # the malicious user would have access via the email and password they setup.
+      it "fails if the email address associated with the account is already attached to another user"
+      it "creates a new user using the auth"
+      it "logs the user in when signing up"
+      it "redirects to the accounts path"
+      it "redirects to the signup path with errors"
+    end
+    describe "DELETE 'callback'" do
+      # If you do not require a completed login, it is possible for a user to disconnect
+      # their only means of authentication
+      it "requires a completed login"
+      it "finds the auth"
+      it "destroys the auth"
+      it "redirects to the account path"
+    end
+    describe "POST 'failure'" do
+      it "redirects to settings path if connecting"
+      it "redirects to signup path if signing up"
+      it "redirects to login path if logging in"
+      it "sets the flash error"
+    end
+  end
+end

data/lib/generators/authkit/templates/spec/controllers/email_confirmation_controller_spec.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'spec_helper'
+require 'rails_helper'
 describe EmailConfirmationController do
   render_views
@@ -8,27 +8,27 @@ describe EmailConfirmationController do
   describe "GET 'show'" do
     it "requires a login" do
-      controller.stub(:current_user).and_return(nil)
+      allow(controller).to receive(:current_user).and_return(nil)
       get 'show', token: token
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "requires a valid token" do
       user.confirmation_token = "OTHER TOKEN"
-      controller.stub(:current_user).and_return(user)
+      allow(controller).to receive(:current_user).and_return(user)
       get 'show', token: token
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "requires an unexpired token" do
       user.confirmation_token = token
       user.confirmation_token_created_at = 4.days.ago
-      controller.stub(:current_user).and_return(user)
+      allow(controller).to receive(:current_user).and_return(user)
       get 'show', token: token
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     describe "with a valid token" do
@@ -36,58 +36,56 @@ describe EmailConfirmationController do
         user.confirmation_email = "new@example.com"
         user.confirmation_token = token
         user.confirmation_token_created_at = Time.now
+        allow(controller).to receive(:current_user).and_return(user)
       end
       describe "when the confirmation is successful" do
         it "confirms the user email" do
-          controller.stub(:current_user).and_return(user)
-          user.should_receive(:email_confirmed).and_return(true)
+          expect(user).to receive(:email_confirmed).and_return(true)
           get 'show', token: token
         end
         it "does not sign the user in" do
-          controller.stub(:current_user).and_return(user)
-          controller.should_not_receive(:login)
+          expect(controller).to_not receive(:login)
           get 'show', token: token
         end
         it "sets the flash" do
-          controller.stub(:current_user).and_return(user)
           get 'show', token: token
-          flash[:notice].should_not be_nil
+          expect(flash[:notice]).to_not be_nil
         end
         it "redirects the user" do
-          controller.stub(:current_user).and_return(user)
           get 'show', token: token
-          response.should be_redirect
+          expect(response).to be_redirect
         end
         describe "from json" do
           it "returns http success" do
-            controller.stub(:current_user).and_return(user)
             get 'show', token: token, format: 'json'
-            response.should be_success
+            expect(response).to be_success
           end
         end
       end
       describe "when the confirmation is not successful" do
+        before(:each) do
+          allow(controller).to receive(:current_user).and_return(user)
+        end
         it "handles invalid confirmations" do
-          controller.stub(:current_user).and_return(user)
-          user.should_receive(:email_confirmed).and_return(false)
+          expect(user).to receive(:email_confirmed).and_return(false)
           get 'show', token: token
-          flash[:error].should_not be_empty
-          response.should be_redirect
+          expect(flash[:error]).to_not be_empty
+          expect(response).to be_redirect
         end
         describe "from json" do
           it "returns a 422" do
-            controller.stub(:current_user).and_return(user)
-            user.should_receive(:email_confirmed).and_return(false)
+            expect(user).to receive(:email_confirmed).and_return(false)
             get 'show', token: token, format: 'json'
-            response.code.should == '422'
+            expect(response.code).to eq('422')
           end
         end

data/lib/generators/authkit/templates/spec/controllers/password_change_controller_spec.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require 'spec_helper'
+require 'rails_helper'
 describe PasswordChangeController do
   render_views
@@ -10,15 +10,15 @@ describe PasswordChangeController do
   describe "GET 'show'" do
     it "requires no user" do
-      controller.stub(:email_user).and_return(user)
-      controller.should_receive(:logout)
+      allow(controller).to receive(:email_user).and_return(user)
+      expect(controller).to receive(:logout)
       get 'show', valid_params
     end
     it "requires an email user" do
       user.save
       get 'show', valid_params
-      assigns(:user).id.should == user.id
+      expect(assigns(:user).id).to eq(user.id)
     end
     it "redirects if there is no email user" do
@@ -29,39 +29,39 @@ describe PasswordChangeController do
     end
     it "requires a valid token" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       user.reset_password_token = "OTHER TOKEN"
       get 'show', valid_params
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "requires an unexpired token" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       user.reset_password_token_created_at = 1.year.ago
       get 'show', valid_params
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     it "returns http success" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       get 'show', valid_params
-      response.should be_success
+      expect(response).to be_success
     end
   end
   describe "POST 'create'" do
     it "requires no user" do
-      controller.stub(:email_user).and_return(user)
-      controller.should_receive(:logout)
+      allow(controller).to receive(:email_user).and_return(user)
+      expect(controller).to receive(:logout)
       get 'show', valid_params
     end
     it "requires an email user" do
       user.save
       post 'create', password_params
-      assigns(:user).id.should == user.id
+      expect(assigns(:user).id).to eq(user.id)
     end
     it "redirects if there is no email user" do
@@ -72,16 +72,16 @@ describe PasswordChangeController do
     end
     it "requires a valid token" do
-      controller.stub(:email_user).and_return(user)
+      allow(controller).to receive(:email_user).and_return(user)
       user.reset_password_token = "OTHER TOKEN"
       post 'create', password_params
-      response.should be_redirect
-      flash[:error].should_not be_empty
+      expect(response).to be_redirect
+      expect(flash[:error]).to_not be_empty
     end
     describe "with valid params" do
       before(:each) do
-        controller.stub(:email_user).and_return(user)
+        allow(controller).to receive(:email_user).and_return(user)
       end
       it "changes the password" do
@@ -89,57 +89,57 @@ describe PasswordChangeController do
           post 'create', password_params
         }.to change(user, :password_digest)
-        user.should be_valid
+        expect(user).to be_valid
       end
       it "does not sign the user in" do
-        controller.should_not_receive(:login)
+        expect(controller).to_not receive(:login)
         post 'create', password_params
       end
       it "redirects the user" do
         post 'create', password_params
-        response.should be_redirect
+        expect(response).to be_redirect
       end
       it "sets the flash" do
         post 'create', password_params
-        flash[:notice].should =~ /successfully/i
+        expect(flash[:notice]).to match(/successfully/i)
       end
       describe "from json" do
         it "returns http success" do
           post 'create', password_params.merge(format: 'json')
-          response.should be_success
+          expect(response).to be_success
         end
       end
     end
     describe "with invalid params" do
       before(:each) do
-        controller.stub(:email_user).and_return(user)
+        allow(controller).to receive(:email_user).and_return(user)
       end
       it "doesn't sign the user in" do
-        controller.should_not_receive(:login)
+        expect(controller).to_not receive(:login)
         post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid'}
       end
       it "renders the show template" do
         post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid'}
-        response.should render_template(:show)
+        expect(response).to render_template(:show)
       end
       it "has errors" do
         post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid'}
-        user.should have(2).errors_on(:password_confirmation)
+        expect(user.errors[:password_confirmation].size).to eq(1)
       end
       describe "from json" do
         it "returns an error" do
           post 'create', {token: token, email: user.email, password: 'newpassword', password_confirmation: 'invalid', format: 'json'}
-          response.code.should == '422'
-          response.body.should =~ /doesn't match/i
+          expect(response.code).to eq('422')
+          expect(response.body).to match(/doesn't match/i)
         end
       end
     end

data/lib/generators/authkit/templates/spec/controllers/password_reset_controller_spec.rb CHANGED Viewed

@@ -1,14 +1,14 @@
-require 'spec_helper'
+require 'rails_helper'
 describe PasswordResetController do
   render_views
-  let(:user) { create(:user, email: "test@example.com") }
+  let(:user) { create(:user) }
   describe "GET 'show'" do
     it "returns http success" do
       get 'show'
-      response.should be_success
+      expect(response).to be_success
     end
   end
@@ -18,39 +18,39 @@ describe PasswordResetController do
     end
     it "redirects the user" do
-      post :create, {email: "test@example.com"}
-      response.should be_redirect
+      post :create, {email: user.email}
+      expect(response).to be_redirect
     end
     it "finds the user by the email or user name" do
-      post :create, {email: "test@example.com"}
-      controller.send(:user).should == user
+      post :create, {email: user.email}
+      expect(controller.send(:user)).to eq(user)
     end
     it "logs any current user out if it finds the user" do
-      controller.should_receive(:logout)
-      post :create, {email: "test@example.com"}
+      expect(controller).to receive(:logout)
+      post :create, {email: user.email}
     end
     it "resets the password if it finds the user" do
-      User.any_instance.should_receive(:send_reset_password).and_return(true)
-      post :create, {email: "test@example.com"}
+      expect_any_instance_of(User).to receive(:send_reset_password).and_return(true)
+      post :create, {email: user.email}
     end
     it "does not reset the password if it does not find a user" do
-      User.any_instance.should_not_receive(:send_reset_password)
+      expect_any_instance_of(User).to_not receive(:send_reset_password)
       post :create, {email: "unknown@example.com"}
     end
     it "downcases the email or user name" do
-      User.any_instance.should_receive(:send_reset_password).and_return(true)
-      post :create, {email: "TEST@EXAMPLE.COM"}
+      expect_any_instance_of(User).to receive(:send_reset_password).and_return(true)
+      post :create, {email: user.email.upcase}
     end
     describe "from json" do
       it "returns http success" do
-        post :create, {email: "test@example.com", format: "json"}
-        response.should be_success
+        post :create, {email: user.email, format: "json"}
+        expect(response).to be_success
       end
     end
@@ -58,24 +58,24 @@ describe PasswordResetController do
       describe "from html" do
         it "sets the flash message" do
           post :create, {email: "unknown@example.com"}
-          flash.now[:error].should_not be_empty
+          expect(flash.now[:error]).to_not be_empty
         end
         it "renders the show page" do
           post :create, {email: "unknown@example.com"}
-          response.should render_template(:show)
+          expect(response).to render_template(:show)
         end
       end
       describe "from json" do
         it "returns an error" do
           post :create, {email: "unknown@example.com", format: "json"}
-          response.body.should =~ /invalid user name or email/i
+          expect(response.body).to match(/invalid user name or email/i)
         end
         it "returns forbidden status" do
           post :create, {email: "unknown@example.com", format: "json"}
-          response.code.should == '422'
+          expect(response.code).to eq('422')
         end
       end
     end