authpwn_rails 0.12.0 → 0.12.1

data/test/credentials/session_uid_token_test.rb

@@ -0,0 +1,98 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+class SessionUidTokenTest < ActiveSupport::TestCase
+  def setup
+    @credential = Tokens::SessionUid.new(
+      :code => 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo',
+      :browser_ip => '18.70.0.160',
+      :browser_ua => 'Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1'
+    )
+    @credential.user = users(:jane)
+    @_expires_after = Tokens::SessionUid.expires_after
+  end
+
+  def teardown
+    Tokens::SessionUid.expires_after = @_expires_after
+  end
+
+  test 'setup' do
+    assert @credential.valid?
+  end
+
+  test 'code required' do
+    @credential.code = nil
+    assert !@credential.valid?
+  end
+
+  test 'code uniqueness' do
+    @credential.code = credentials(:john_token).code
+    assert !@credential.valid?
+  end
+
+  test 'browser_ip required' do
+    @credential.browser_ip = nil
+    assert !@credential.valid?
+  end
+
+  test 'browser_ua required' do
+    @credential.browser_ua = nil
+    assert !@credential.valid?
+  end
+
+  test 'user required' do
+    @credential.user = nil
+    assert !@credential.valid?
+  end
+
+  test 'expired?' do
+    Tokens::SessionUid.expires_after = 14.days
+    @credential.updated_at = Time.now - 1.day
+    assert_equal false, @credential.expired?
+    @credential.updated_at = Time.now - 1.month
+    assert_equal true, @credential.expired?
+
+    Tokens::SessionUid.expires_after = nil
+    assert_equal false, @credential.expired?
+  end
+
+  test 'spend updates old token' do
+    @credential.updated_at = Time.now - 1.day
+    @credential.spend
+    assert_operator @credential.updated_at, :>=, Time.now - 1.minute
+  end
+
+  test 'spend does not update reasonably new token' do
+    old_updated_at = @credential.updated_at = Time.now - 5.minutes
+    @credential.spend
+    assert_equal old_updated_at, @credential.updated_at
+  end
+
+  test 'remove_expired gets rid of old tokens' do
+    old_token = credentials(:john_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    fresh_token = credentials(:jane_session_token)
+    fresh_token.updated_at = Time.now - 1.minute
+    fresh_token.save!
+
+    assert_difference 'Credential.count', -1 do
+      Tokens::SessionUid.remove_expired
+    end
+    assert_nil Credentials::Token.with_code(old_token.code)
+    assert_equal fresh_token, Credentials::Token.with_code(fresh_token.code)
+  end
+
+  test 'random_for' do
+    user = users(:john)
+    credential = nil
+    assert_difference 'Credential.count', 1 do
+      credential = Tokens::SessionUid.random_for user, '1.2.3.4', 'Test/UA'
+    end
+    saved_credential = Credentials::Token.with_code credential.code
+    assert saved_credential, 'token was not saved'
+    assert_equal saved_credential, credential, 'wrong token returned'
+    assert_equal user, saved_credential.user
+    assert_equal '1.2.3.4', saved_credential.browser_ip
+    assert_equal 'Test/UA', saved_credential.browser_ua
+  end
+end

data/test/credentials/token_crendential_test.rb

@@ -1,21 +1,21 @@
 require File.expand_path('../../test_helper', __FILE__)
 
-class TokenCredentialTest < ActiveSupport::TestCase  
+class TokenCredentialTest < ActiveSupport::TestCase
   def setup
     @credential = Credentials::Token.new(
         :code => 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo')
     @credential.user = users(:bill)
   end
-  
+
   test 'setup' do
     assert @credential.valid?
   end
-  
+
   test 'code required' do
     @credential.code = nil
     assert !@credential.valid?
   end
-  
+
   test 'code uniqueness' do
     @credential.code = credentials(:john_token).code
     assert !@credential.valid?
@@ -25,16 +25,16 @@ class TokenCredentialTest < ActiveSupport::TestCase
     @credential.user = nil
     assert !@credential.valid?
   end
-  
+
   test 'spend does nothing' do
     credential = credentials(:jane_token)
     assert_equal Credentials::Token, credential.class, 'bad setup'
-    
+
     assert_no_difference 'Credential.count' do
       credential.spend
     end
   end
-  
+
   test 'random_for' do
     token = Credentials::Token.random_for users(:john)
     assert token.valid?, 'valid token'
@@ -43,7 +43,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert !token.new_record?, 'saved token'
     assert_operator users(:john).credentials, :include?, token
   end
-  
+
   test 'with_code' do
     john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     john2 = 'bDSU4tzfjuob79e3R0ykLcOGTBBYvuBWWJ9V06tQrCE'
@@ -57,7 +57,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_nil Credentials::Token.with_code('john@gmail.com')
     assert_nil Credentials::Token.with_code(credentials(:jane_email).name)
   end
-  
+
   test 'find_by_param' do
     assert_equal credentials(:john_token), Credentials::Token.
         find_by_param(credentials(:john_token).to_param)
@@ -66,7 +66,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_equal nil, Credentials::Token.find_by_param('bogus token')
     assert_equal nil, Credentials::Token.find_by_param(nil)
   end
-  
+
   test 'class authenticate' do
     john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
@@ -75,7 +75,29 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_equal users(:jane), Credentials::Token.authenticate(jane)
     assert_equal :invalid, Credentials::Token.authenticate(bogus)
   end
-  
+
+  test 'class authenticate on expired tokens' do
+    john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
+    jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
+
+    Credentials::Token.all.each do |token|
+      token.updated_at = Time.now - 1.year
+      flexmock(token.class).should_receive(:expires_after).zero_or_more_times.
+                            and_return 1.week
+      token.save!
+    end
+    assert_difference 'Credential.count', -1,
+                      'authenticate deletes expired credential' do
+      assert_equal :invalid, Credentials::Token.authenticate(john),
+                   'expired token'
+    end
+    assert_difference 'Credential.count', -1,
+                      'authenticate deletes expired credential' do
+      assert_equal :invalid, Credentials::Token.authenticate(jane),
+                   'expired token'
+    end
+  end
+
   test 'class authenticate calls User#auth_bounce_reason' do
     john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
@@ -92,7 +114,19 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_equal users(:john), credentials(:john_token).authenticate
     assert_equal users(:jane), credentials(:jane_token).authenticate
   end
-  
+
+  test 'instance authenticate with expired tokens' do
+    token = Credentials::Token.with_code credentials(:jane_token).code
+    token.updated_at = Time.now - 1.year
+    token.save!
+    flexmock(token.class).should_receive(:expires_after).
+        zero_or_more_times.and_return 1.week
+    assert_equal :invalid, token.authenticate,
+                 'expired token'
+    assert_nil Credentials::Token.with_code(credentials(:jane_token).code),
+               'expired token not destroyed'
+  end
+
   test 'instance authenticate calls User#auth_bounce_reason' do
     with_blocked_credential credentials(:john_token), :reason do
       assert_equal :reason, credentials(:john_token).authenticate

data/test/helpers/db_setup.rb

@@ -4,10 +4,11 @@ when /mysql/i
   ActiveRecord::Base.establish_connection :adapter => 'mysql2',
       :database => 'plugin_dev', :username => 'root', :password => ''
 when /pg/i
-  `psql -d postgres -c "DROP DATABASE IF EXISTS plugin_dev;"`
-  `psql -d postgres -c "CREATE DATABASE plugin_dev;"`
+  pg_user = ENV['DB_USER'] || ENV['USER']
+  `psql -U #{pg_user} -d postgres -c "DROP DATABASE IF EXISTS plugin_dev;"`
+  `psql -U #{pg_user} -d postgres -c "CREATE DATABASE plugin_dev;"`
   ActiveRecord::Base.establish_connection :adapter => 'postgresql',
-      :database => 'plugin_dev', :username => ENV['USER'], :password => ''
+      :database => 'plugin_dev', :username => pg_user, :password => ''
 else
   ActiveRecord::Base.establish_connection :adapter => 'sqlite3',
                                           :database => ':memory:'
@@ -26,11 +27,11 @@ require 'authpwn_rails/generators/templates/credential.rb'
 # :nodoc: open TestCase to setup fixtures
 class ActiveSupport::TestCase
   include ActiveRecord::TestFixtures
-  
+
   self.fixture_path =
       File.expand_path '../../../lib/authpwn_rails/generators/templates',
                        __FILE__
-  
+
   self.use_transactional_fixtures = false
   self.use_instantiated_fixtures  = false
   self.pre_loaded_fixtures = false

data/test/helpers/routes.rb

@@ -4,7 +4,10 @@ class ActionController::TestCase
     @routes = ActionController::Routing::RouteSet.new
     @routes.draw do
       resource :cookie, :controller => 'cookie' do
-        collection { get :bouncer }
+        collection do
+          get :bouncer
+          put :update
+        end
       end
       resource :http_basic, :controller => 'http_basic' do
         collection { get :bouncer }
@@ -22,6 +25,6 @@ class ActionController::TestCase
     ApplicationController.send :include, @routes.url_helpers
     ActionMailer::Base.send :include, @routes.url_helpers
   end
-  
+
   setup :setup_routes
 end

data/test/initializer_test.rb

@@ -0,0 +1,18 @@
+require File.expand_path('../test_helper', __FILE__)
+
+class InitializerTest < ActiveSupport::TestCase
+  test 'password set correctly' do
+    assert_equal 1.year, Credentials::Password.expires_after
+  end
+
+  test 'e-mail tokens set correctly' do
+    assert_equal 3.days, Tokens::EmailVerification.expires_after
+    assert_equal 3.days, Tokens::PasswordReset.expires_after
+  end
+
+  test 'cookie sessions set correctly' do
+    assert_equal 14.days, Tokens::SessionUid.expires_after
+    assert_equal 1.hour, Tokens::SessionUid.updates_after
+  end
+end
+

data/test/session_controller_api_test.rb

@@ -13,14 +13,19 @@ end
 # Tests the methods injected by authpwn_session_controller.
 class SessionControllerApiTest < ActionController::TestCase
   tests BareSessionController
-  
+
   setup do
     @user = users(:john)
     @email_credential = credentials(:john_email)
     @password_credential = credentials(:john_password)
     @token_credential = credentials(:john_token)
+    @_auto_purge_sessions = BareSessionController.auto_purge_sessions
+  end
+
+  teardown do
+    BareSessionController.auto_purge_sessions = @_auto_purge_sessions
   end
-  
+
   test "show renders welcome without a user" do
     flexmock(@controller).should_receive(:welcome).once.and_return(nil)
     get :show
@@ -34,7 +39,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     assert_equal({}, ActiveSupport::JSON.decode(response.body))
   end
-  
+
   test "show renders home with a user" do
     flexmock(@controller).should_receive(:home).once.and_return(nil)
     set_session_current_user @user
@@ -42,7 +47,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_template :home
     assert_equal @user, assigns(:current_user)
   end
-  
+
   test "show json renders user when logged in" do
     set_session_current_user @user
     flexmock(@controller).should_receive(:home).once.and_return(nil)
@@ -52,21 +57,21 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user.exuid, data['user']['exuid']
     assert_equal session[:_csrf_token], data['csrf']
   end
-  
+
   test "new redirects to session#show when a user is logged in" do
     set_session_current_user @user
     get :new
     assert_redirected_to session_url
-  end     
+  end
 
   test "new renders login form without a user" do
     get :new
     assert_template :new
     assert_nil assigns(:current_user), 'current_user should not be set'
   end
-  
+
   test "new renders redirect_url when present in flash" do
-    url = 'http://authpwn.redirect.url'    
+    url = 'http://authpwn.redirect.url'
     get :new, {}, {}, { :auth_redirect_url => url }
     assert_template :new
     assert_equal url, assigns(:redirect_url), 'redirect_url should be set'
@@ -74,7 +79,7 @@ class SessionControllerApiTest < ActionController::TestCase
       assert_select "input[name=redirect_url][value=#{url}]"
     end
   end
-  
+
   test "create logs in with good account details" do
     post :create, :email => @email_credential.email, :password => 'password'
     assert_equal @user, assigns(:current_user), 'instance variable'
@@ -82,6 +87,28 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_redirected_to session_url
   end
 
+  test "create purges sessions when logging in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'password'
+    assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(old_token.code),
+               'old session not purged'
+  end
+
+  test "create does not purge sessions if auto_purge_sessions is false" do
+    BareSessionController.auto_purge_sessions = false
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'password'
+    assert_equal @user, session_current_user, 'session'
+    assert_equal old_token, Credentials::Token.with_code(old_token.code),
+               'old session purged'
+  end
+
   test "create by json logs in with good account details" do
     post :create, :email => @email_credential.email, :password => 'password',
                   :format => 'json'
@@ -92,14 +119,27 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
   end
-  
+
+  test "create by json purges sessions when logging in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'password',
+                  :format => 'json'
+    assert_response :ok
+    assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(old_token.code),
+               'old session not purged'
+  end
+
   test "create redirects properly with good account details" do
     url = 'http://authpwn.redirect.url'
     post :create, :email => @email_credential.email, :password => 'password',
                   :redirect_url => url
     assert_redirected_to url
   end
-  
+
   test "create does not log in with bad password" do
     post :create, :email => @email_credential.email, :password => 'fail'
     assert_redirected_to new_session_url
@@ -107,7 +147,28 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil session_current_user, 'session'
     assert_match(/Invalid/, flash[:alert])
   end
-  
+
+  test "create does not log in with expired password" do
+    @password_credential.updated_at = Time.now - 2.years
+    @password_credential.save!
+    post :create, :email => @email_credential.email, :password => 'password'
+    assert_redirected_to new_session_url
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+    assert_match(/expired/, flash[:alert])
+  end
+
+  test "create does not purge sessions if not logged in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'fail'
+    assert_nil session_current_user, 'session'
+    assert_equal old_token, Credentials::Token.with_code(old_token.code),
+               'old session purged'
+  end
+
   test "create does not log in blocked accounts" do
     with_blocked_credential @email_credential do
       post :create, :email => @email_credential.email, :password => 'password'
@@ -126,7 +187,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user, session_current_user, 'session'
     assert_redirected_to session_url
   end
-  
+
   test "create by json does not log in with bad password" do
     post :create, :email => @email_credential.email, :password => 'fail',
                   :format => 'json'
@@ -137,7 +198,20 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
-  
+
+  test "create by json does not log in with expired password" do
+    @password_credential.updated_at = Time.now - 2.years
+    @password_credential.save!
+    post :create, :email => @email_credential.email, :password => 'password',
+                  :format => 'json'
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'expired', data['error']
+    assert_match(/expired/i , data['text'])
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+  end
+
   test "create by json does not log in blocked accounts" do
     with_blocked_credential @email_credential do
       post :create, :email => @email_credential.email, :password => 'password',
@@ -149,7 +223,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_match(/blocked/i , data['text'])
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
-  end  
+  end
 
   test "create maintains redirect_url for bad logins" do
     url = 'http://authpwn.redirect.url'
@@ -171,28 +245,28 @@ class SessionControllerApiTest < ActionController::TestCase
   test "token logs in with good token" do
     flexmock(@controller).should_receive(:home_with_token).once.
                           with(@token_credential).and_return(nil)
-    assert_difference 'Credential.count', -1, 'one-time credential is spent' do
-      get :token, :code => @token_credential.code
-    end
+    get :token, :code => @token_credential.code
     assert_redirected_to session_url
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(@token_credential.code),
+               'one-time credential is spent'
   end
 
   test "token by json logs in with good token" do
     flexmock(@controller).should_receive(:home_with_token).once.
                           with(@token_credential).and_return(nil)
-    assert_difference 'Credential.count', -1, 'one-time credential is spent' do
-      get :token, :code => @token_credential.code, :format => 'json'
-    end
+    get :token, :code => @token_credential.code, :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
     assert_equal session[:_csrf_token], data['csrf']
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(@token_credential.code),
+               'one-time credential is spent'
   end
-  
+
   test "token does not log in with random token" do
     assert_no_difference 'Credential.count', 'no credential is spent' do
       get :token, :code => 'no-such-token'
@@ -202,7 +276,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil session_current_user, 'session'
     assert_match(/Invalid/, flash[:alert])
   end
-  
+
   test "token does not log in blocked accounts" do
     with_blocked_credential @token_credential do
       assert_no_difference 'Credential.count', 'no credential is spent' do
@@ -226,7 +300,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
-  
+
   test "token by json does not log in blocked accounts" do
     with_blocked_credential @token_credential do
       assert_no_difference 'Credential.count', 'no credential is spent' do
@@ -239,24 +313,24 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_match(/blocked/i , data['text'])
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
-  end  
+  end
 
   test "logout" do
     set_session_current_user @user
     delete :destroy
-    
+
     assert_redirected_to session_url
     assert_nil assigns(:current_user)
   end
-  
+
   test "logout by json" do
     set_session_current_user @user
     delete :destroy, :format => 'json'
-    
+
     assert_response :ok
     assert_nil assigns(:current_user)
   end
-  
+
   test "password_change bounces without logged in user" do
     get :password_change
     assert_response :forbidden
@@ -273,7 +347,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password bounces without logged in user" do
     post :change_password, :old_password => 'password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_response :forbidden
   end
 
@@ -281,7 +355,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :old_password => 'password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_redirected_to session_url
     assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin(@email_credential.email,
@@ -292,7 +366,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :old_password => '_password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
@@ -304,7 +378,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :old_password => 'password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks_'} 
+                          :password_confirmation => 'hacks_'}
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
@@ -317,7 +391,7 @@ class SessionControllerApiTest < ActionController::TestCase
     @password_credential.destroy
     post :change_password,
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_redirected_to session_url
     assert_equal @user, User.authenticate_signin(@email_credential.email,
         'hacks'), 'password not changed'
@@ -329,7 +403,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_no_difference 'Credential.count' do
       post :change_password,
            :credential => { :password => 'hacks',
-                            :password_confirmation => 'hacks_'} 
+                            :password_confirmation => 'hacks_'}
     end
     assert_response :ok
     assert_template :password_change
@@ -338,7 +412,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password by json bounces without logged in user" do
     post :change_password, :format => 'json', :old_password => 'password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'Please sign in', data['error']
@@ -348,7 +422,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :format => 'json', :old_password => 'password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_response :ok
     assert_equal @user, User.authenticate_signin(@email_credential.email,
         'hacks'), 'password not changed'
@@ -358,7 +432,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :format => 'json', :old_password => '_password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
@@ -371,7 +445,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :format => 'json', :old_password => 'password',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks_'} 
+                          :password_confirmation => 'hacks_'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
@@ -384,7 +458,7 @@ class SessionControllerApiTest < ActionController::TestCase
     @password_credential.destroy
     post :change_password, :format => 'json',
          :credential => { :password => 'hacks',
-                          :password_confirmation => 'hacks'} 
+                          :password_confirmation => 'hacks'}
     assert_response :ok
     assert_equal @user, User.authenticate_signin(
          @email_credential.email, 'hacks'), 'password not changed'
@@ -396,25 +470,25 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_no_difference 'Credential.count' do
       post :change_password, :format => 'json',
            :credential => { :password => 'hacks',
-                            :password_confirmation => 'hacks_'} 
+                            :password_confirmation => 'hacks_'}
     end
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
   end
-  
+
   test "reset_password for good e-mail" do
     ActionMailer::Base.deliveries = []
     @request.host = 'mail.test.host:1234'
-    
+
     assert_difference 'Credential.count', 1 do
       post :reset_password, :email => @email_credential.email
     end
-    
+
     token = Credential.last
     assert_operator token, :kind_of?, Tokens::PasswordReset
     assert_equal @user, token.user, 'password reset token user'
-    
+
     assert !ActionMailer::Base.deliveries.empty?, 'email generated'
     email = ActionMailer::Base.deliveries.last
     assert_equal '"mail.test.host staff" <admin@mail.test.host>',
@@ -422,17 +496,17 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal [@email_credential.email], email.to
     assert_match 'http://mail.test.host:1234/', email.encoded
     assert_match token.code, email.encoded
-    
+
     assert_redirected_to new_session_url
   end
-  
+
   test "reset_password for good e-mail by json" do
     ActionMailer::Base.deliveries = []
-    
+
     assert_difference 'Credential.count', 1 do
       post :reset_password, :email => @email_credential.email, :format => 'json'
     end
-    
+
     token = Credential.last
     assert_operator token, :kind_of?, Tokens::PasswordReset
     assert_equal @user, token.user, 'password reset token user'
@@ -453,7 +527,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
     assert_redirected_to new_session_url
   end
-  
+
   test "reset_password for invalid e-mail by json" do
     ActionMailer::Base.deliveries = []
 
@@ -469,17 +543,17 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "create delegation to reset_password" do
     ActionMailer::Base.deliveries = []
-    
+
     assert_difference 'Credential.count', 1 do
       post :create, :email => @email_credential.email, :password => '',
                     :reset_password => :requested
     end
-    
+
     token = Credential.last
     assert_operator token, :kind_of?, Tokens::PasswordReset
     assert_equal @user, token.user, 'password reset token user'
   end
-  
+
   test "auth_controller? is true" do
     assert_equal true, @controller.auth_controller?
   end