authpwn_rails 0.12.0 → 0.12.1

data/lib/authpwn_rails/test_extensions.rb

@@ -6,7 +6,7 @@ module TestExtensions
   # Stubs User#auth_bounce_reason to block a given credential.
   #
   # The default implementation of User#auth_bounce_reason always returns nil.
-  # Your application's implementation might differ. Either way, the method is 
+  # Your application's implementation might differ. Either way, the method is
   # replaced for the duration of the block, such that it returns :block if
   # the credential matches the given argument, and nil otherwise.
   def with_blocked_credential(blocked_credential, reason = :blocked, &block)
@@ -19,7 +19,7 @@ module TestExtensions
         credential == blocked_credential ? reason : nil
       end
     end
-    
+
     begin
       yield
     ensure
@@ -40,13 +40,23 @@ end
 module ControllerTestExtensions
   # Sets the authenticated user in the test session.
   def set_session_current_user(user)
-    request.session[:user_exuid] = user ? user.to_param : nil
+    if user
+      # Avoid database inserts, if at all possible.
+      if token = Tokens::SessionUid.where(:user_id => user.id).first
+        token.spend  # Only bump updated_at if necessary.
+      else
+        token = Tokens::SessionUid.random_for user, '127.0.0.1', 'UnitTests'
+      end
+      request.session[:authpwn_suid] = token.suid
+    else
+      request.session.delete :authpwn_suid
+    end
   end
-  
+
   # The authenticated user in the test session.
   def session_current_user
-    return nil unless user_param = request.session[:user_exuid]
-    User.find_by_param user_param
+    return nil unless suid = request.session[:authpwn_suid]
+    Credentials::Token.with_code(suid).user
   end
 
   # Sets the HTTP Authentication header.

data/lib/authpwn_rails/user_model.rb

@@ -18,16 +18,16 @@ module UserModel
     # This is decoupled from "id" column to avoid leaking information about
     # the application's usage.
     validates :exuid, :presence => true, :length => 1..32, :uniqueness => true
-    
+
     # Credentials used to authenticate the user.
     has_many :credentials, :dependent => :destroy, :inverse_of => :user
     validates_associated :credentials
     # This is safe, because credentials use attr_accessible.
     accepts_nested_attributes_for :credentials, :allow_destroy => true
-    
+
     # Automatically assign exuid.
     before_validation :set_default_exuid, :on => :create
-    
+
     # Forms should not be able to touch any attribute.
     attr_accessible :credentials_attributes
   end
@@ -46,8 +46,8 @@ module UserModel
     # The method's parameter names are an acknowledgement to the email and
     # password fields on automatically-generated forms.
     #
-    # The easiest method of accepting other login information is to override this
-    # method, locate the user's email, and supply it in a call to super.
+    # The easiest method of accepting other login information is to override
+    # this method, locate the user's email, and supply it in a call to super.
     #
     # Returns an authenticated user, or a symbol indicating the reason why the
     # authentication failed.
@@ -55,21 +55,21 @@ module UserModel
       Credentials::Password.authenticate_email email, password
     end
   end  # module Authpwn::UserModel::ClassMethods
-  
+
   # Checks if a credential is acceptable for authenticating a user.
   #
   # Returns nil if the credential is acceptable, or a String containing a
-  # user-visible reason why the credential is not acceptable. 
+  # user-visible reason why the credential is not acceptable.
   def auth_bounce_reason(crdential)
     nil
   end
-  
+
   # Use e-mails instead of exposing ActiveRecord IDs.
   def to_param
     exuid
   end
-  
-  # :nodoc: sets exuid to a (hopefully) unique value before validations occur. 
+
+  # :nodoc: sets exuid to a (hopefully) unique value before validations occur.
   def set_default_exuid
     self.exuid ||=
         SecureRandom.random_bytes(8).unpack('Q').first & 0x7fffffffffffffff

data/test/cookie_controller_test.rb

@@ -2,8 +2,8 @@ require File.expand_path('../test_helper', __FILE__)
 
 # Mock controller used for testing session handling.
 class CookieController < ApplicationController
-  authenticates_using_session
-    
+  authenticates_using_session :except => :update
+
   def show
     if current_user
       render :text => "User: #{current_user.id}"
@@ -11,7 +11,16 @@ class CookieController < ApplicationController
       render :text => "No user"
     end
   end
-  
+
+  def update
+    if params[:exuid].blank?
+      set_session_current_user nil
+    else
+      set_session_current_user User.find_by_param(params[:exuid])
+    end
+    render :text => ''
+  end
+
   def bouncer
     bounce_user
   end
@@ -20,32 +29,172 @@ end
 class CookieControllerTest < ActionController::TestCase
   setup do
     @user = users(:john)
+    @token = credentials(:john_session_token)
   end
 
-  test "no user_id in session" do
+  test "no suid in session" do
     get :show
     assert_response :success
     assert_nil assigns(:current_user)
     assert_equal 'No user', response.body
   end
-  
-  test "valid user_id in session" do
-    set_session_current_user @user
+
+  test "valid suid in session" do
+    request.session[:authpwn_suid] = @token.suid
     get :show
     assert_response :success
     assert_equal @user, assigns(:current_user)
     assert_equal "User: #{ActiveRecord::Fixtures.identify(:john)}",
                  response.body
   end
-  
-  test "invalid user_pid in session" do
-    get :show, {}, :current_user_pid => 'random@user.com'
+
+  test "valid suid in session does not refresh very recent session" do
+    request.session[:authpwn_suid] = @token.suid
+    @token.updated_at = Time.now - 5.minutes
+    @token.save!
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+    assert_operator @token.reload.updated_at, :<=, Time.now - 5.minutes
+  end
+
+  test "valid suid in session refreshes recent session" do
+    request.session[:authpwn_suid] = @token.suid
+    @token.updated_at = Time.now - 5.minutes
+    @token.save!
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+    assert_operator @token.reload.updated_at, :<=, Time.now - 5.minutes
+  end
+
+  test "valid suid in session is discarded if the session is old" do
+    request.session[:authpwn_suid] = @token.suid
+    @token.updated_at = Time.now - 3.months
+    @token.save!
+    get :show
+    assert_response :success
+    assert_nil assigns(:current_user), 'current_user set'
+    assert_nil Credentials::Token.with_code(@token.suid),
+               'session token not destroyed'
+  end
+
+  test "invalid suid in session" do
+    request.session[:authpwn_suid] = @token.suid
+    @token.destroy
+    get :show
     assert_response :success
     assert_nil assigns(:current_user)
   end
-  
+
+  test "set_session_current_user creates new token by default" do
+    assert_difference 'Credential.count', 1 do
+      put :update, :exuid => @user.exuid
+    end
+    assert_response :success
+    assert_not_equal @token.suid, request.session[:authpwn_suid]
+
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+  end
+
+  test "set_session_current_user reuses existing token when suitable" do
+    request.session[:authpwn_suid] = @token.suid
+    assert_no_difference 'Credential.count', 'existing token not reused' do
+      put :update, :exuid => @user.exuid
+    end
+    assert_response :success
+    assert_equal @token.suid, request.session[:authpwn_suid]
+
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+  end
+
+  test "set_session_current_user refreshes old token" do
+    @token.updated_at = Time.now - 1.day
+    request.session[:authpwn_suid] = @token.suid
+    assert_no_difference 'Credential.count', 'existing token not reused' do
+      put :update, :exuid => @user.exuid
+    end
+    assert_response :success
+    assert_operator @token.reload.updated_at, :>=, Time.now - 1.hour,
+        'Old token not refreshed'
+
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+  end
+
+  test "set_session_current_user creates new token if old token is invalid" do
+    @token.destroy
+    request.session[:authpwn_suid] = @token.suid
+    assert_difference 'Credential.count', 1, 'session token not created' do
+      put :update, :exuid => @user.exuid
+    end
+    assert_response :success
+    assert_not_equal @token.suid, request.session[:authpwn_suid]
+
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+  end
+
+  test "set_session_current_user switches users correctly" do
+    old_token = credentials(:jane_session_token)
+    request.session[:authpwn_suid] = old_token.suid
+    assert_no_difference 'Credential.count',
+        "old user's token not destroyed or no new token created" do
+      put :update, :exuid => @user.exuid
+    end
+    assert_response :success
+    assert_nil Credentials::Token.with_code(old_token.suid),
+               "old user's token not destroyed"
+    assert_not_equal @token.suid, request.session[:authpwn_suid]
+
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+  end
+
+  test "set_session_current_user reuses token when switching users" do
+    @token.destroy
+    request.session[:authpwn_suid] = credentials(:jane_session_token).suid
+    assert_no_difference 'Credential.count',
+        "old user's token not destroyed or new user's token not created" do
+      put :update, :exuid => @user.exuid
+    end
+    assert_response :success
+
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+  end
+
+  test "set_session_current_user logs off a user correctly" do
+    request.session[:authpwn_suid] = @token.suid
+    assert_difference 'Credential.count', -1, 'token not destroyed' do
+      put :update, :exuid => ''
+    end
+    assert_response :success
+    assert_nil request.session[:authpwn_suid]
+
+    get :show
+    assert_response :success
+    assert_equal nil, assigns(:current_user)
+  end
+
+  test "set_session_current_user behaves when no user is logged off" do
+    assert_no_difference 'Credential.count' do
+      put :update, :exuid => ''
+    end
+    assert_response :success
+    assert_nil request.session[:authpwn_suid]
+  end
+
   test "valid user_id bounced" do
-    set_session_current_user @user
+    request.session[:authpwn_suid] = @token.suid
     get :bouncer
     assert_response :forbidden
     assert_template 'session/forbidden'
@@ -53,19 +202,19 @@ class CookieControllerTest < ActionController::TestCase
   end
 
   test "valid user_id bounced in json" do
-    set_session_current_user @user
+    request.session[:authpwn_suid] = @token.suid
     get :bouncer, :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_match(/not allowed/i, data['error'])
   end
-  
+
   test "no user_id bounced" do
     get :bouncer
     assert_response :forbidden
     assert_template 'session/forbidden'
     assert_equal bouncer_cookie_url, flash[:auth_redirect_url]
-    
+
     assert_select 'script', %r/.*window.location.*#{new_session_path}.*/
   end
 
@@ -75,7 +224,7 @@ class CookieControllerTest < ActionController::TestCase
     data = ActiveSupport::JSON.decode response.body
     assert_match(/sign in/i, data['error'])
   end
-  
+
   test "auth_controller? is false" do
     assert_equal false, @controller.auth_controller?
   end

data/test/credentials/email_verification_token_test.rb

@@ -1,27 +1,27 @@
 require File.expand_path('../../test_helper', __FILE__)
 
-class EmailVerificationTokenCredentialTest < ActiveSupport::TestCase  
+class EmailVerificationTokenTest < ActiveSupport::TestCase
   def setup
     @credential = Tokens::EmailVerification.new(
         :code => 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo',
         :key => 'jane@gmail.com')
     @credential.user = users(:jane)
   end
-  
+
   test 'setup' do
     assert @credential.valid?
   end
-  
+
   test 'code required' do
     @credential.code = nil
     assert !@credential.valid?
   end
-  
+
   test 'code uniqueness' do
     @credential.code = credentials(:john_token).code
     assert !@credential.valid?
   end
-  
+
   test 'email required' do
     @credential.email = nil
     assert !@credential.valid?
@@ -31,22 +31,22 @@ class EmailVerificationTokenCredentialTest < ActiveSupport::TestCase
     @credential.user = nil
     assert !@credential.valid?
   end
-  
+
   test 'email_credential' do
     assert_equal credentials(:jane_email), @credential.email_credential
     assert_equal credentials(:john_email),
                  credentials(:john_email_token).email_credential
-  
+
     @credential.email = 'bill@gmail.com'
     assert_nil @credential.email_credential
   end
-  
+
   test 'spend verifies the e-mail and destroys the token' do
     email_credential = credentials(:john_email)
     assert !email_credential.verified, 'bad setup'
     credential = credentials(:john_email_token)
     assert_equal Tokens::EmailVerification, credential.class, 'bad setup'
-    
+
     assert_difference 'Credential.count', -1 do
       credential.spend
     end
@@ -58,14 +58,14 @@ class EmailVerificationTokenCredentialTest < ActiveSupport::TestCase
     email_credential = credentials(:john_email)
     credential = credentials(:john_email_token)
     credential.email = 'bill@gmail.com'
-    
+
     assert_difference 'Credential.count', -1 do
       credential.spend
     end
     assert credential.frozen?, 'not destroyed'
     assert !email_credential.reload.verified?, 'e-mail wrongly verified'
   end
-  
+
   test 'random_for' do
     token = Tokens::EmailVerification.random_for credentials(:jane_email)
     assert token.valid?, 'valid token'

data/test/credentials/password_credential_test.rb

@@ -1,61 +1,80 @@
 require File.expand_path('../../test_helper', __FILE__)
 
-class PasswordCredentialTest < ActiveSupport::TestCase  
+class PasswordCredentialTest < ActiveSupport::TestCase
   def setup
     @credential = Credentials::Password.new :password => 'awesome',
                                             :password_confirmation => 'awesome'
     @credential.user = users(:bill)
+    @_password_expires = Credentials::Password.expires_after
   end
-  
+
+  def teardown
+    Credentials::Password.expires_after = @_password_expires
+  end
+
   test 'setup' do
     assert @credential.valid?
   end
-    
+
   test 'key not required' do
     @credential.key = nil
     assert @credential.valid?
   end
-  
+
   test 'user presence' do
     @credential.user = nil
     assert !@credential.valid?
   end
-  
+
   test 'user uniqueness' do
     @credential.user = users(:john)
     assert !@credential.valid?
   end
-  
+
   test 'password confirmation' do
     @credential.password_confirmation = 'not awesome'
     assert !@credential.valid?
   end
-  
+
   test 'password required' do
     @credential.password = @credential.password_confirmation = nil
     assert !@credential.valid?
   end
-  
+
   test 'check_password' do
     assert_equal true, @credential.check_password('awesome')
     assert_equal false, @credential.check_password('not awesome'),
                  'Bogus password'
     assert_equal false, @credential.check_password('password'),
-                 "Another user's password" 
+                 "Another user's password"
+  end
+
+  test 'expired?' do
+    @credential.updated_at = Time.now
+    assert_equal false, @credential.expired?
+    @credential.updated_at = Time.now - 2.years
+    assert_equal true, @credential.expired?
+    Credentials::Password.expires_after = nil
+    assert_equal false, @credential.expired?
   end
-  
+
   test 'authenticate' do
+    @credential.updated_at = Time.now
     assert_equal users(:bill), @credential.authenticate('awesome')
     assert_equal :invalid, @credential.authenticate('not awesome')
+    Credentials::Password.expires_after = 1.month
+    @credential.updated_at = Time.now - 1.year
+    assert_equal :expired, @credential.authenticate('awesome')
   end
-  
+
   test 'authenticate calls User#auth_bounce_reason' do
     user = @credential.user
     flexmock(user).should_receive(:auth_bounce_reason).and_return(:reason)
+    @credential.updated_at = Time.now
     assert_equal :reason, @credential.authenticate('awesome')
     assert_equal :invalid, @credential.authenticate('not awesome')
   end
-    
+
   test 'authenticate_email' do
     assert_equal users(:john),
         Credentials::Password.authenticate_email('john@gmail.com', 'password')