authpwn_rails 0.10.5 → 0.10.6

data/test/fixtures/bare_session/home.html.erb

@@ -0,0 +1,5 @@
+<p>
+  This view gets displayed when the user is logged in. Right now, 
+  user <%= current_user.exuid %> is logged in. You should allow the user to
+  <%= link_to 'Log out', session_path, :method => :destroy %>.
+</p>

data/test/fixtures/bare_session/new.html.erb

@@ -0,0 +1,32 @@
+<p>This is a sample login form. You should customize it for your users.</p>
+
+<% if flash[:notice] %>
+<p class="notice"><%= flash[:notice] %></p>
+<% end %>
+
+<% if @redirect_url %>
+<p>
+  We need you to log in before we can show you the page that you are trying to
+  view.
+</p>
+<% end %>
+
+<%= form_tag session_path do %>
+  <div class="field">
+    <%= label_tag :email, 'Email Address' %><br />
+    <%= email_field_tag :email, @email %>
+  </div>
+  
+  <div class="field">
+    <%= label_tag :password %><br />
+    <%= password_field_tag :password %>
+  </div>
+  
+  <div class="actions">
+    <%= submit_tag 'Log in' %>
+    
+    <% if @redirect_url %>
+    <%= hidden_field_tag :redirect_url, @redirect_url %>
+    <% end %>
+  </div>
+<% end %>

data/test/fixtures/bare_session/password_change.html.erb

@@ -0,0 +1,30 @@
+<%= form_for @credential, :url => change_password_session_path do |f| %>
+  <section class="fields">
+  <% unless @credential.new_record? %>
+  <div class="field">
+    <%= label_tag :old_password, 'Current Password' %><br />
+    <span class="value">
+      <%= password_field_tag :old_password %>
+    </span>
+  </div>
+  <% end %>
+  
+  <div class="field">
+    <%= f.label :password, 'New Password' %><br />
+    <span class="value">
+      <%= f.password_field :password %>
+    </span
+  </div>
+
+  <div class="field">
+    <%= f.label :password_confirmation, 'Re-enter New Password' %><br />
+    <span class="value">
+      <%= f.password_field :password_confirmation %>
+    </span
+  </div>
+  </section>
+  
+  <p class="action">
+    <%= submit_tag 'Log in' %>
+  </p>
+<% end %>

data/test/fixtures/bare_session/welcome.html.erb

@@ -0,0 +1,5 @@
+<p>
+  This view gets displayed when the user is not logged in. Entice the user to
+  sign up for your application, and allow them to
+  <%= link_to 'Log in', new_session_path %>. 
+</p>

data/test/helpers/action_mailer.rb

@@ -0,0 +1,8 @@
+# :nodoc: add our views to the path
+class ActionMailer::Base
+  prepend_view_path File.expand_path(
+      '../../../lib/authpwn_rails/generators/templates', __FILE__)
+
+  self.delivery_method = :test
+  self.perform_deliveries = true
+end

data/test/helpers/routes.rb

@@ -7,11 +7,17 @@ class ActionController::TestCase
         collection { get :bouncer }
       end
       resource :facebook, :controller => 'facebook'
-      # NOTE: this route should be kept in sync with the session template.
-      resource :session, :controller => 'session'
+      authpwn_session :controller => 'bare_session',
+                      :method_names => 'bare_session'
+      authpwn_session :controller => 'bare_session2',
+                      :method_names => 'bare_session2'
       root :to => 'session#index'
+
+      # NOTE: this route should be kept in sync with the session template.
+      authpwn_session
     end
     ApplicationController.send :include, @routes.url_helpers
+    ActionMailer::Base.send :include, @routes.url_helpers
   end
   
   setup :setup_routes

data/test/routes_test.rb

@@ -0,0 +1,31 @@
+require File.expand_path('../test_helper', __FILE__)
+
+require 'authpwn_rails/generators/templates/session_controller.rb'
+
+# Tests the routes created by authpwn_session.
+class RoutesTest < ActionController::TestCase
+  tests SessionController
+
+  test "authpwn_session routes" do
+    assert_routing({:path => "/session", :method => :get},
+                   {:controller => 'session', :action => 'show'})
+    assert_routing({:path => "/session/new", :method => :get},
+                   {:controller => 'session', :action => 'new'})
+    assert_routing({:path => "/session", :method => :post},
+                   {:controller => 'session', :action => 'create'})
+    assert_routing({:path => "/session", :method => :delete},
+                   {:controller => 'session', :action => 'destroy'})
+    assert_routing({:path => "/session", :method => :delete},
+                   {:controller => 'session', :action => 'destroy'})
+    assert_routing({:path => "/session/change_password", :method => :get},
+                   {:controller => 'session', :action => 'password_change'})
+    assert_routing({:path => "/session/change_password", :method => :post},
+                   {:controller => 'session', :action => 'change_password'})
+    assert_routing({:path => "/session/reset_password", :method => :post},
+                   {:controller => 'session', :action => 'reset_password'})
+    
+    code = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
+    assert_routing({:path => "/session/token/#{code}", :method => :get},
+        {:controller => 'session', :action => 'token', :code => code})
+  end
+end

data/test/session_controller_api_test.rb

@@ -5,50 +5,55 @@ require 'authpwn_rails/generators/templates/session_controller.rb'
 # Run the tests in the generator, to make sure they pass.
 require 'authpwn_rails/generators/templates/session_controller_test.rb'
 
+class BareSessionController < ApplicationController
+  include Authpwn::SessionController
+  self.append_view_path File.expand_path('../fixtures', __FILE__)
+end
+
 # Tests the methods injected by authpwn_session_controller.
 class SessionControllerApiTest < ActionController::TestCase
-  tests SessionController
+  tests BareSessionController
   
   setup do
     @user = users(:john)
     @email_credential = credentials(:john_email)
+    @password_credential = credentials(:john_password)
+    @token_credential = credentials(:john_token)
   end
   
   test "show renders welcome without a user" do
+    flexmock(@controller).should_receive(:welcome).once.and_return(nil)
     get :show
     assert_template :welcome
     assert_nil assigns(:current_user)
-    assert_equal User.count, assigns(:user_count),
-                 'welcome controller method not called'
   end
 
   test "show json renders empty object without a user" do
+    flexmock(@controller).should_receive(:welcome).once.and_return(nil)
     get :show, :format => 'json'
     assert_response :ok
     assert_equal({}, ActiveSupport::JSON.decode(response.body))
-    assert_equal User.count, assigns(:user_count),
-                 'welcome controller method not called'
   end
   
   test "show renders home with a user" do
+    flexmock(@controller).should_receive(:home).once.and_return(nil)
     set_session_current_user @user
     get :show
     assert_template :home
     assert_equal @user, assigns(:current_user)
-    assert_equal @user, assigns(:user), 'home controller method not called'
   end
   
   test "show json renders user when logged in" do
     set_session_current_user @user
+    flexmock(@controller).should_receive(:home).once.and_return(nil)
     get :show, :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
     assert_equal session[:_csrf_token], data['csrf']
-    assert_equal @user, assigns(:user), 'home controller method not called'
   end
   
-  test "new redirects homes with a user" do
+  test "new redirects to session#show when a user is logged in" do
     set_session_current_user @user
     get :new
     assert_redirected_to session_url
@@ -58,12 +63,6 @@ class SessionControllerApiTest < ActionController::TestCase
     get :new
     assert_template :new
     assert_nil assigns(:current_user), 'current_user should not be set'
-  
-    assert_select 'form[action="/session"]' do
-      assert_select 'input#email'
-      assert_select 'input#password'
-      assert_select 'input[type=submit]'
-    end
   end
   
   test "new renders redirect_url when present in flash" do
@@ -78,9 +77,9 @@ class SessionControllerApiTest < ActionController::TestCase
   
   test "create logs in with good account details" do
     post :create, :email => @email_credential.email, :password => 'password'
-    assert_redirected_to session_url
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
+    assert_redirected_to session_url
   end
 
   test "create by json logs in with good account details" do
@@ -160,6 +159,79 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_not_nil flash[:notice]
   end
 
+  test "token logs in with good token" do
+    flexmock(@controller).should_receive(:home_with_token).once.
+                          with(@token_credential).and_return(nil)
+    assert_difference 'Credential.count', -1, 'one-time credential is spent' do
+      get :token, :code => @token_credential.code
+    end
+    assert_redirected_to session_url
+    assert_equal @user, assigns(:current_user), 'instance variable'
+    assert_equal @user, session_current_user, 'session'
+  end
+
+  test "token by json logs in with good token" do
+    flexmock(@controller).should_receive(:home_with_token).once.
+                          with(@token_credential).and_return(nil)
+    assert_difference 'Credential.count', -1, 'one-time credential is spent' do
+      get :token, :code => @token_credential.code, :format => 'json'
+    end
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal @user.exuid, data['user']['exuid']
+    assert_equal session[:_csrf_token], data['csrf']
+    assert_equal @user, assigns(:current_user), 'instance variable'
+    assert_equal @user, session_current_user, 'session'
+  end
+  
+  test "token does not log in with random token" do
+    assert_no_difference 'Credential.count', 'no credential is spent' do
+      get :token, :code => 'no-such-token'
+    end
+    assert_redirected_to new_session_url
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+    assert_match(/Invalid/, flash[:notice])
+  end
+  
+  test "token does not log in blocked accounts" do
+    with_blocked_credential @token_credential do
+      assert_no_difference 'Credential.count', 'no credential is spent' do
+        get :token, :code => @token_credential.code
+      end
+    end
+    assert_redirected_to new_session_url
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+    assert_match(/ blocked/, flash[:notice])
+  end
+
+  test "token by json does not log in with random token" do
+    assert_no_difference 'Credential.count', 'no credential is spent' do
+      get :token, :code => 'no-such-token', :format => 'json'
+    end
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'invalid', data['error']
+    assert_match(/invalid/i , data['text'])
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+  end
+  
+  test "token by json does not log in blocked accounts" do
+    with_blocked_credential @token_credential do
+      assert_no_difference 'Credential.count', 'no credential is spent' do
+        get :token, :code => @token_credential.code, :format => 'json'
+      end
+    end
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'blocked', data['error']
+    assert_match(/blocked/i , data['text'])
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+  end  
+
   test "logout" do
     set_session_current_user @user
     delete :destroy
@@ -175,4 +247,227 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     assert_nil assigns(:current_user)
   end
+  
+  test "password_change bounces without logged in user" do
+    get :password_change
+    assert_response :forbidden
+  end
+
+  test "password_change renders correct form" do
+    set_session_current_user @user
+    get :password_change
+    assert_response :ok
+    assert_template :password_change
+    assert_equal @password_credential, assigns(:credential)
+  end
+
+  test "change_password bounces without logged in user" do
+    post :change_password, :old_password => 'password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_response :forbidden
+  end
+
+  test "change_password works with correct input" do
+    set_session_current_user @user
+    post :change_password, :old_password => 'password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_redirected_to session_url
+    assert_equal @password_credential, assigns(:credential)
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'hacks'), 'password not changed'
+  end
+
+  test "change_password rejects bad old password" do
+    set_session_current_user @user
+    post :change_password, :old_password => '_password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_response :ok
+    assert_template :password_change
+    assert_equal @password_credential, assigns(:credential)
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'password'), 'password wrongly changed'
+  end
+
+  test "change_password rejects un-confirmed password" do
+    set_session_current_user @user
+    post :change_password, :old_password => 'password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks_'} 
+    assert_response :ok
+    assert_template :password_change
+    assert_equal @password_credential, assigns(:credential)
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'password'), 'password wrongly changed'
+  end
+
+  test "change_password works for password recovery" do
+    set_session_current_user @user
+    @password_credential.destroy
+    post :change_password,
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_redirected_to session_url
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'hacks'), 'password not changed'
+  end
+
+  test "change_password rejects un-confirmed password on recovery" do
+    set_session_current_user @user
+    @password_credential.destroy
+    assert_no_difference 'Credential.count' do
+      post :change_password,
+           :credential => { :password => 'hacks',
+                            :password_confirmation => 'hacks_'} 
+    end
+    assert_response :ok
+    assert_template :password_change
+  end
+
+  test "change_password by json bounces without logged in user" do
+    post :change_password, :format => 'json', :old_password => 'password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'Please sign in', data['error']
+  end
+
+  test "change_password by json works with correct input" do
+    set_session_current_user @user
+    post :change_password, :format => 'json', :old_password => 'password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_response :ok
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'hacks'), 'password not changed'
+  end
+
+  test "change_password by json rejects bad old password" do
+    set_session_current_user @user
+    post :change_password, :format => 'json', :old_password => '_password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'invalid', data['error']
+    assert_equal @password_credential, assigns(:credential)
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'password'), 'password wrongly changed'
+  end
+
+  test "change_password by json rejects un-confirmed password" do
+    set_session_current_user @user
+    post :change_password, :format => 'json', :old_password => 'password',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks_'} 
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'invalid', data['error']
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'password'), 'password wrongly changed'
+  end
+
+  test "change_password by json works for password recovery" do
+    set_session_current_user @user
+    @password_credential.destroy
+    post :change_password, :format => 'json',
+         :credential => { :password => 'hacks',
+                          :password_confirmation => 'hacks'} 
+    assert_response :ok
+    assert_equal @user, Credentials::Password.authenticate_email(
+         @email_credential.email, 'hacks'), 'password not changed'
+  end
+
+  test "change_password by json rejects un-confirmed password on recovery" do
+    set_session_current_user @user
+    @password_credential.destroy
+    assert_no_difference 'Credential.count' do
+      post :change_password, :format => 'json',
+           :credential => { :password => 'hacks',
+                            :password_confirmation => 'hacks_'} 
+    end
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'invalid', data['error']
+  end
+  
+  test "reset_password for good e-mail" do
+    ActionMailer::Base.deliveries = []
+    @request.host = 'mail.test.host:1234'
+    
+    assert_difference 'Credential.count', 1 do
+      post :reset_password, :email => @email_credential.email
+    end
+    
+    token = Credential.last
+    assert_operator token, :kind_of?, Tokens::PasswordReset
+    assert_equal @user, token.user, 'password reset token user'
+    
+    assert !ActionMailer::Base.deliveries.empty?, 'email generated'
+    email = ActionMailer::Base.deliveries.last
+    assert_equal '"mail.test.host staff" <admin@mail.test.host>',
+                 email['from'].to_s
+    assert_equal [@email_credential.email], email.to
+    assert_match 'http://mail.test.host:1234/', email.encoded
+    assert_match token.code, email.encoded
+    
+    assert_redirected_to new_session_url
+  end
+  
+  test "reset_password for good e-mail by json" do
+    ActionMailer::Base.deliveries = []
+    
+    assert_difference 'Credential.count', 1 do
+      post :reset_password, :email => @email_credential.email, :format => 'json'
+    end
+    
+    token = Credential.last
+    assert_operator token, :kind_of?, Tokens::PasswordReset
+    assert_equal @user, token.user, 'password reset token user'
+
+    assert !ActionMailer::Base.deliveries.empty?, 'email generated'
+
+    assert_response :ok
+    assert_equal '{}', response.body
+  end
+
+  test "reset_password for invalid e-mail" do
+    ActionMailer::Base.deliveries = []
+
+    assert_no_difference 'Credential.count' do
+      post :reset_password, :email => 'no@such.email'
+    end
+    assert ActionMailer::Base.deliveries.empty?, 'no email generated'
+
+    assert_redirected_to new_session_url
+  end
+  
+  test "reset_password for invalid e-mail by json" do
+    ActionMailer::Base.deliveries = []
+
+    assert_no_difference 'Credential.count' do
+      post :reset_password, :email => 'no@such.email', :format => 'json'
+    end
+    assert ActionMailer::Base.deliveries.empty?, 'no email generated'
+
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'not_found', data['error']
+  end
+
+  test "create delegation to reset_password" do
+    ActionMailer::Base.deliveries = []
+    
+    assert_difference 'Credential.count', 1 do
+      post :create, :email => @email_credential.email, :password => '',
+                    :reset_password => :requested
+    end
+    
+    token = Credential.last
+    assert_operator token, :kind_of?, Tokens::PasswordReset
+    assert_equal @user, token.user, 'password reset token user'
+  end
 end