authpwn_rails 0.12.0 → 0.12.1
- data/.travis.yml +7 -2
- data/VERSION +1 -1
- data/app/models/credentials/password.rb +16 -8
- data/app/models/credentials/token.rb +8 -0
- data/app/models/tokens/email_verification.rb +3 -0
- data/app/models/tokens/password_reset.rb +5 -2
- data/app/models/tokens/session_uid.rb +54 -0
- data/authpwn_rails.gemspec +8 -2
- data/lib/authpwn_rails.rb +3 -2
- data/lib/authpwn_rails/current_user.rb +1 -10
- data/lib/authpwn_rails/engine.rb +2 -2
- data/lib/authpwn_rails/expires.rb +23 -0
- data/lib/authpwn_rails/generators/all_generator.rb +9 -4
- data/lib/authpwn_rails/generators/templates/credential.rb +1 -1
- data/lib/authpwn_rails/generators/templates/credentials.yml +16 -0
- data/lib/authpwn_rails/generators/templates/initializer.rb +18 -0
- data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +1 -1
- data/lib/authpwn_rails/generators/templates/session/home.html.erb +1 -1
- data/lib/authpwn_rails/generators/templates/session/new.html.erb +3 -3
- data/lib/authpwn_rails/generators/templates/session/welcome.html.erb +1 -1
- data/lib/authpwn_rails/generators/templates/session_controller.rb +13 -4
- data/lib/authpwn_rails/generators/templates/session_controller_test.rb +12 -2
- data/lib/authpwn_rails/generators/templates/session_mailer.rb +3 -3
- data/lib/authpwn_rails/generators/templates/session_mailer/email_verification_email.html.erb +3 -3
- data/lib/authpwn_rails/generators/templates/session_mailer/reset_password_email.html.erb +3 -3
- data/lib/authpwn_rails/generators/templates/session_mailer_test.rb +4 -4
- data/lib/authpwn_rails/routes.rb +4 -4
- data/lib/authpwn_rails/session.rb +31 -8
- data/lib/authpwn_rails/session_controller.rb +27 -18
- data/lib/authpwn_rails/test_extensions.rb +16 -6
- data/lib/authpwn_rails/user_model.rb +10 -10
- data/test/cookie_controller_test.rb +165 -16
- data/test/credentials/email_verification_token_test.rb +11 -11
- data/test/credentials/password_credential_test.rb +31 -12
- data/test/credentials/session_uid_token_test.rb +98 -0
- data/test/credentials/token_crendential_test.rb +46 -12
- data/test/helpers/db_setup.rb +6 -5
- data/test/helpers/routes.rb +5 -2
- data/test/initializer_test.rb +18 -0
- data/test/session_controller_api_test.rb +127 -53
- data/test/test_extensions_test.rb +41 -0
- data/test/test_helper.rb +3 -0
- data/test/user_test.rb +11 -10
- metadata +9 -3
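--- /dev/null
+++ b/data/test/credentials/session_uid_token_test.rb
@@ -0,0 +1,98 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+class SessionUidTokenTest < ActiveSupport::TestCase
+  def setup
+    @credential = Tokens::SessionUid.new(
+        :code => 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo',
+        :browser_ip => '18.70.0.160',
+        :browser_ua => 'Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1'
+    )
+    @credential.user = users(:jane)
+    @_expires_after = Tokens::SessionUid.expires_after
+  end
+
+  def teardown
+    Tokens::SessionUid.expires_after = @_expires_after
+  end
+
+  test 'setup' do
+    assert @credential.valid?
+  end
+
+  test 'code required' do
+    @credential.code = nil
+    assert !@credential.valid?
+  end
+
+  test 'code uniqueness' do
+    @credential.code = credentials(:john_token).code
+    assert !@credential.valid?
+  end
+
+  test 'browser_ip required' do
+    @credential.browser_ip = nil
+    assert !@credential.valid?
+  end
+
+  test 'browser_ua required' do
+    @credential.browser_ua = nil
+    assert !@credential.valid?
+  end
+
+  test 'user required' do
+    @credential.user = nil
+    assert !@credential.valid?
+  end
+
+  test 'expired?' do
+    Tokens::SessionUid.expires_after = 14.days
+    @credential.updated_at = Time.now - 1.day
+    assert_equal false, @credential.expired?
+    @credential.updated_at = Time.now - 1.month
+    assert_equal true, @credential.expired?
+
+    Tokens::SessionUid.expires_after = nil
+    assert_equal false, @credential.expired?
+  end
+
+  test 'spend updates old token' do
+    @credential.updated_at = Time.now - 1.day
+    @credential.spend
+    assert_operator @credential.updated_at, :>=, Time.now - 1.minute
+  end
+
+  test 'spend does not update reasonably new token' do
+    old_updated_at = @credential.updated_at = Time.now - 5.minutes
+    @credential.spend
+    assert_equal old_updated_at, @credential.updated_at
+  end
+
+  test 'remove_expired gets rid of old tokens' do
+    old_token = credentials(:john_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    fresh_token = credentials(:jane_session_token)
+    fresh_token.updated_at = Time.now - 1.minute
+    fresh_token.save!
+
+    assert_difference 'Credential.count', -1 do
+      Tokens::SessionUid.remove_expired
+    end
+    assert_nil Credentials::Token.with_code(old_token.code)
+    assert_equal fresh_token, Credentials::Token.with_code(fresh_token.code)
+  end
+
+  test 'random_for' do
+    user = users(:john)
+    credential = nil
+    assert_difference 'Credential.count', 1 do
+      credential = Tokens::SessionUid.random_for user, '1.2.3.4', 'Test/UA'
+    end
+    saved_credential = Credentials::Token.with_code credential.code
+    assert saved_credential, 'token was not saved'
+    assert_equal saved_credential, credential, 'wrong token returned'
+    assert_equal user, saved_credential.user
+    assert_equal '1.2.3.4', saved_credential.browser_ip
+    assert_equal 'Test/UA', saved_credential.browser_ua
+  end
+end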
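Review bot: Nothing in this file pins an absolute lifetime for a session token: 'spend updates old token' shows `spend` refreshing `updated_at`, and 'expired?' keys expiry off `updated_at`, so a cookie presented at least once per `expires_after` window would never expire. If that sliding window is the intended design, say so in a comment above 'expired?' (e.g. `# Expiry is measured from last use (updated_at), not issuance; there is no absolute cap.`); if an absolute cap is intended, add a test showing that an old token still expires after being spent recently. 'random_for' also only checks that the token was saved with the right user, IP and UA; a second call with `assert_not_equal credential.code, Tokens::SessionUid.random_for(user, '1.2.3.4', 'Test/UA').code` would catch a regression to a constant or predictable code, which is the property the cookie's security actually rests on.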
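--- a/data/test/credentials/token_crendential_test.rb
+++ b/data/test/credentials/token_crendential_test.rb
@@ -1,21 +1,21 @@
 require File.expand_path('../../test_helper', __FILE__)
 
-class TokenCredentialTest < ActiveSupport::TestCase
+class TokenCredentialTest < ActiveSupport::TestCase
   def setup
     @credential = Credentials::Token.new(
         :code => 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo')
     @credential.user = users(:bill)
   end
-
+
   test 'setup' do
     assert @credential.valid?
   end
-
+
   test 'code required' do
     @credential.code = nil
     assert !@credential.valid?
   end
-
+
   test 'code uniqueness' do
     @credential.code = credentials(:john_token).code
     assert !@credential.valid?
@@ -25,16 +25,16 @@ class TokenCredentialTest < ActiveSupport::TestCase
     @credential.user = nil
     assert !@credential.valid?
   end
-
+
   test 'spend does nothing' do
     credential = credentials(:jane_token)
     assert_equal Credentials::Token, credential.class, 'bad setup'
-
+
     assert_no_difference 'Credential.count' do
       credential.spend
     end
   end
-
+
   test 'random_for' do
     token = Credentials::Token.random_for users(:john)
     assert token.valid?, 'valid token'
@@ -43,7 +43,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert !token.new_record?, 'saved token'
     assert_operator users(:john).credentials, :include?, token
   end
-
+
   test 'with_code' do
     john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     john2 = 'bDSU4tzfjuob79e3R0ykLcOGTBBYvuBWWJ9V06tQrCE'
@@ -57,7 +57,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_nil Credentials::Token.with_code('john@gmail.com')
     assert_nil Credentials::Token.with_code(credentials(:jane_email).name)
   end
-
+
   test 'find_by_param' do
     assert_equal credentials(:john_token), Credentials::Token.
         find_by_param(credentials(:john_token).to_param)
@@ -66,7 +66,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_equal nil, Credentials::Token.find_by_param('bogus token')
     assert_equal nil, Credentials::Token.find_by_param(nil)
   end
-
+
   test 'class authenticate' do
     john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
@@ -75,7 +75,29 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_equal users(:jane), Credentials::Token.authenticate(jane)
     assert_equal :invalid, Credentials::Token.authenticate(bogus)
   end
-
+
+  test 'class authenticate on expired tokens' do
+    john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
+    jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
+
+    Credentials::Token.all.each do |token|
+      token.updated_at = Time.now - 1.year
+      flexmock(token.class).should_receive(:expires_after).zero_or_more_times.
+          and_return 1.week
+      token.save!
+    end
+    assert_difference 'Credential.count', -1,
+        'authenticate deletes expired credential' do
+      assert_equal :invalid, Credentials::Token.authenticate(john),
+          'expired token'
+    end
+    assert_difference 'Credential.count', -1,
+        'authenticate deletes expired credential' do
+      assert_equal :invalid, Credentials::Token.authenticate(jane),
+          'expired token'
+    end
+  end
+
   test 'class authenticate calls User#auth_bounce_reason' do
     john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
@@ -92,7 +114,19 @@ class TokenCredentialTest < ActiveSupport::TestCase
     assert_equal users(:john), credentials(:john_token).authenticate
     assert_equal users(:jane), credentials(:jane_token).authenticate
   end
-
+
+  test 'instance authenticate with expired tokens' do
+    token = Credentials::Token.with_code credentials(:jane_token).code
+    token.updated_at = Time.now - 1.year
+    token.save!
+    flexmock(token.class).should_receive(:expires_after).
+        zero_or_more_times.and_return 1.week
+    assert_equal :invalid, token.authenticate,
+        'expired token'
+    assert_nil Credentials::Token.with_code(credentials(:jane_token).code),
+        'expired token not destroyed'
+  end
+
   test 'instance authenticate calls User#auth_bounce_reason' do
     with_blocked_credential credentials(:john_token), :reason do
       assert_equal :reason, credentials(:john_token).authenticate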
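--- a/data/test/helpers/db_setup.rb
+++ b/data/test/helpers/db_setup.rb
@@ -4,10 +4,11 @@ when /mysql/i
   ActiveRecord::Base.establish_connection :adapter => 'mysql2',
       :database => 'plugin_dev', :username => 'root', :password => ''
 when /pg/i
-
-  `psql -d postgres -c "
+  pg_user = ENV['DB_USER'] || ENV['USER']
+  `psql -U #{pg_user} -d postgres -c "DROP DATABASE IF EXISTS plugin_dev;"`
+  `psql -U #{pg_user} -d postgres -c "CREATE DATABASE plugin_dev;"`
   ActiveRecord::Base.establish_connection :adapter => 'postgresql',
-      :database => 'plugin_dev', :username =>
+      :database => 'plugin_dev', :username => pg_user, :password => ''
 else
   ActiveRecord::Base.establish_connection :adapter => 'sqlite3',
       :database => ':memory:'
@@ -26,11 +27,11 @@ require 'authpwn_rails/generators/templates/credential.rb'
 # :nodoc: open TestCase to setup fixtures
 class ActiveSupport::TestCase
   include ActiveRecord::TestFixtures
-
+
   self.fixture_path =
       File.expand_path '../../../lib/authpwn_rails/generators/templates',
           __FILE__
-
+
   self.use_transactional_fixtures = false
   self.use_instantiated_fixtures = false
   self.pre_loaded_fixtures = false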
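--- a/data/test/helpers/routes.rb
+++ b/data/test/helpers/routes.rb
@@ -4,7 +4,10 @@ class ActionController::TestCase
     @routes = ActionController::Routing::RouteSet.new
     @routes.draw do
       resource :cookie, :controller => 'cookie' do
-        collection
+        collection do
+          get :bouncer
+          put :update
+        end
       end
       resource :http_basic, :controller => 'http_basic' do
         collection { get :bouncer }
@@ -22,6 +25,6 @@ class ActionController::TestCase
     ApplicationController.send :include, @routes.url_helpers
     ActionMailer::Base.send :include, @routes.url_helpers
   end
-
+
   setup :setup_routes
 end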
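--- /dev/null
+++ b/data/test/initializer_test.rb
@@ -0,0 +1,18 @@
+require File.expand_path('../test_helper', __FILE__)
+
+class InitializerTest < ActiveSupport::TestCase
+  test 'password set correctly' do
+    assert_equal 1.year, Credentials::Password.expires_after
+  end
+
+  test 'e-mail tokens set correctly' do
+    assert_equal 3.days, Tokens::EmailVerification.expires_after
+    assert_equal 3.days, Tokens::PasswordReset.expires_after
+  end
+
+  test 'cookie sessions set correctly' do
+    assert_equal 14.days, Tokens::SessionUid.expires_after
+    assert_equal 1.hour, Tokens::SessionUid.updates_after
+  end
+end
+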
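Review bot: These assertions pin the generated initializer's defaults, so they effectively document the security policy that every application generated from this version inherits, yet nothing states the reasoning. The value most worth a sentence is the 3-day lifetime for `Tokens::PasswordReset` in 'e-mail tokens set correctly': a reset link grants a password change, and three days is generous compared with the hour-scale lifetimes many deployments use. A comment above that test along the lines of `# Defaults from the initializer template; reset links stay valid for 3 days — apps with stricter needs override this in config/initializers` would make clear that the number is a tunable default rather than a requirement.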
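--- a/data/test/session_controller_api_test.rb
+++ b/data/test/session_controller_api_test.rb
@@ -13,14 +13,19 @@ end
 # Tests the methods injected by authpwn_session_controller.
 class SessionControllerApiTest < ActionController::TestCase
   tests BareSessionController
-
+
   setup do
     @user = users(:john)
     @email_credential = credentials(:john_email)
     @password_credential = credentials(:john_password)
     @token_credential = credentials(:john_token)
+    @_auto_purge_sessions = BareSessionController.auto_purge_sessions
+  end
+
+  teardown do
+    BareSessionController.auto_purge_sessions = @_auto_purge_sessions
   end
-
+
   test "show renders welcome without a user" do
     flexmock(@controller).should_receive(:welcome).once.and_return(nil)
     get :show
@@ -34,7 +39,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     assert_equal({}, ActiveSupport::JSON.decode(response.body))
   end
-
+
   test "show renders home with a user" do
     flexmock(@controller).should_receive(:home).once.and_return(nil)
     set_session_current_user @user
@@ -42,7 +47,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_template :home
     assert_equal @user, assigns(:current_user)
   end
-
+
   test "show json renders user when logged in" do
     set_session_current_user @user
     flexmock(@controller).should_receive(:home).once.and_return(nil)
@@ -52,21 +57,21 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user.exuid, data['user']['exuid']
     assert_equal session[:_csrf_token], data['csrf']
   end
-
+
   test "new redirects to session#show when a user is logged in" do
     set_session_current_user @user
     get :new
     assert_redirected_to session_url
-  end
+  end
 
   test "new renders login form without a user" do
     get :new
     assert_template :new
     assert_nil assigns(:current_user), 'current_user should not be set'
   end
-
+
   test "new renders redirect_url when present in flash" do
-    url = 'http://authpwn.redirect.url'
+    url = 'http://authpwn.redirect.url'
     get :new, {}, {}, { :auth_redirect_url => url }
     assert_template :new
     assert_equal url, assigns(:redirect_url), 'redirect_url should be set'
@@ -74,7 +79,7 @@ class SessionControllerApiTest < ActionController::TestCase
       assert_select "input[name=redirect_url][value=#{url}]"
     end
   end
-
+
   test "create logs in with good account details" do
     post :create, :email => @email_credential.email, :password => 'password'
     assert_equal @user, assigns(:current_user), 'instance variable'
@@ -82,6 +87,28 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_redirected_to session_url
   end
 
+  test "create purges sessions when logging in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'password'
+    assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(old_token.code),
+        'old session not purged'
+  end
+
+  test "create does not purge sessions if auto_purge_sessions is false" do
+    BareSessionController.auto_purge_sessions = false
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'password'
+    assert_equal @user, session_current_user, 'session'
+    assert_equal old_token, Credentials::Token.with_code(old_token.code),
+        'old session purged'
+  end
+
   test "create by json logs in with good account details" do
     post :create, :email => @email_credential.email, :password => 'password',
         :format => 'json'
@@ -92,14 +119,27 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
   end
-
+
+  test "create by json purges sessions when logging in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'password',
+        :format => 'json'
+    assert_response :ok
+    assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(old_token.code),
+        'old session not purged'
+  end
+
   test "create redirects properly with good account details" do
     url = 'http://authpwn.redirect.url'
     post :create, :email => @email_credential.email, :password => 'password',
         :redirect_url => url
     assert_redirected_to url
   end
-
+
   test "create does not log in with bad password" do
     post :create, :email => @email_credential.email, :password => 'fail'
     assert_redirected_to new_session_url
@@ -107,7 +147,28 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil session_current_user, 'session'
     assert_match(/Invalid/, flash[:alert])
   end
-
+
+  test "create does not log in with expired password" do
+    @password_credential.updated_at = Time.now - 2.years
+    @password_credential.save!
+    post :create, :email => @email_credential.email, :password => 'password'
+    assert_redirected_to new_session_url
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+    assert_match(/expired/, flash[:alert])
+  end
+
+  test "create does not purge sessions if not logged in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'fail'
+    assert_nil session_current_user, 'session'
+    assert_equal old_token, Credentials::Token.with_code(old_token.code),
+        'old session purged'
+  end
+
   test "create does not log in blocked accounts" do
     with_blocked_credential @email_credential do
       post :create, :email => @email_credential.email, :password => 'password'
@@ -126,7 +187,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user, session_current_user, 'session'
     assert_redirected_to session_url
   end
-
+
   test "create by json does not log in with bad password" do
     post :create, :email => @email_credential.email, :password => 'fail',
         :format => 'json'
@@ -137,7 +198,20 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
-
+
+  test "create by json does not log in with expired password" do
+    @password_credential.updated_at = Time.now - 2.years
+    @password_credential.save!
+    post :create, :email => @email_credential.email, :password => 'password',
+        :format => 'json'
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'expired', data['error']
+    assert_match(/expired/i , data['text'])
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+  end
+
   test "create by json does not log in blocked accounts" do
     with_blocked_credential @email_credential do
       post :create, :email => @email_credential.email, :password => 'password',
@@ -149,7 +223,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_match(/blocked/i , data['text'])
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
-  end
+  end
 
   test "create maintains redirect_url for bad logins" do
     url = 'http://authpwn.redirect.url'
@@ -171,28 +245,28 @@ class SessionControllerApiTest < ActionController::TestCase
   test "token logs in with good token" do
     flexmock(@controller).should_receive(:home_with_token).once.
         with(@token_credential).and_return(nil)
-
-    get :token, :code => @token_credential.code
-    end
+    get :token, :code => @token_credential.code
     assert_redirected_to session_url
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(@token_credential.code),
+        'one-time credential is spent'
   end
 
   test "token by json logs in with good token" do
     flexmock(@controller).should_receive(:home_with_token).once.
         with(@token_credential).and_return(nil)
-
-    get :token, :code => @token_credential.code, :format => 'json'
-    end
+    get :token, :code => @token_credential.code, :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
     assert_equal session[:_csrf_token], data['csrf']
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
+    assert_nil Credentials::Token.with_code(@token_credential.code),
+        'one-time credential is spent'
   end
-
+
   test "token does not log in with random token" do
     assert_no_difference 'Credential.count', 'no credential is spent' do
       get :token, :code => 'no-such-token'
@@ -202,7 +276,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil session_current_user, 'session'
     assert_match(/Invalid/, flash[:alert])
   end
-
+
   test "token does not log in blocked accounts" do
     with_blocked_credential @token_credential do
       assert_no_difference 'Credential.count', 'no credential is spent' do
@@ -226,7 +300,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
-
+
   test "token by json does not log in blocked accounts" do
     with_blocked_credential @token_credential do
       assert_no_difference 'Credential.count', 'no credential is spent' do
@@ -239,24 +313,24 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_match(/blocked/i , data['text'])
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
-  end
+  end
 
   test "logout" do
     set_session_current_user @user
     delete :destroy
-
+
     assert_redirected_to session_url
     assert_nil assigns(:current_user)
   end
-
+
   test "logout by json" do
     set_session_current_user @user
     delete :destroy, :format => 'json'
-
+
     assert_response :ok
     assert_nil assigns(:current_user)
   end
-
+
   test "password_change bounces without logged in user" do
     get :password_change
     assert_response :forbidden
@@ -273,7 +347,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password bounces without logged in user" do
     post :change_password, :old_password => 'password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_response :forbidden
   end
 
@@ -281,7 +355,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :old_password => 'password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_redirected_to session_url
     assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin(@email_credential.email,
@@ -292,7 +366,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :old_password => '_password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
@@ -304,7 +378,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :old_password => 'password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks_'}
+        :password_confirmation => 'hacks_'}
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
@@ -317,7 +391,7 @@ class SessionControllerApiTest < ActionController::TestCase
     @password_credential.destroy
     post :change_password,
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_redirected_to session_url
     assert_equal @user, User.authenticate_signin(@email_credential.email,
         'hacks'), 'password not changed'
@@ -329,7 +403,7 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_no_difference 'Credential.count' do
       post :change_password,
           :credential => { :password => 'hacks',
-          :password_confirmation => 'hacks_'}
+          :password_confirmation => 'hacks_'}
     end
     assert_response :ok
     assert_template :password_change
@@ -338,7 +412,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password by json bounces without logged in user" do
     post :change_password, :format => 'json', :old_password => 'password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'Please sign in', data['error']
@@ -348,7 +422,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :format => 'json', :old_password => 'password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_response :ok
     assert_equal @user, User.authenticate_signin(@email_credential.email,
         'hacks'), 'password not changed'
@@ -358,7 +432,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :format => 'json', :old_password => '_password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
@@ -371,7 +445,7 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     post :change_password, :format => 'json', :old_password => 'password',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks_'}
+        :password_confirmation => 'hacks_'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
@@ -384,7 +458,7 @@ class SessionControllerApiTest < ActionController::TestCase
     @password_credential.destroy
     post :change_password, :format => 'json',
         :credential => { :password => 'hacks',
-        :password_confirmation => 'hacks'}
+        :password_confirmation => 'hacks'}
     assert_response :ok
     assert_equal @user, User.authenticate_signin(
         @email_credential.email, 'hacks'), 'password not changed'
@@ -396,25 +470,25 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_no_difference 'Credential.count' do
       post :change_password, :format => 'json',
           :credential => { :password => 'hacks',
-          :password_confirmation => 'hacks_'}
+          :password_confirmation => 'hacks_'}
     end
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
   end
-
+
   test "reset_password for good e-mail" do
     ActionMailer::Base.deliveries = []
     @request.host = 'mail.test.host:1234'
-
+
     assert_difference 'Credential.count', 1 do
       post :reset_password, :email => @email_credential.email
     end
-
+
     token = Credential.last
     assert_operator token, :kind_of?, Tokens::PasswordReset
     assert_equal @user, token.user, 'password reset token user'
-
+
     assert !ActionMailer::Base.deliveries.empty?, 'email generated'
     email = ActionMailer::Base.deliveries.last
     assert_equal '"mail.test.host staff" <admin@mail.test.host>',
@@ -422,17 +496,17 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal [@email_credential.email], email.to
     assert_match 'http://mail.test.host:1234/', email.encoded
     assert_match token.code, email.encoded
-
+
     assert_redirected_to new_session_url
   end
-
+
   test "reset_password for good e-mail by json" do
     ActionMailer::Base.deliveries = []
-
+
     assert_difference 'Credential.count', 1 do
       post :reset_password, :email => @email_credential.email, :format => 'json'
     end
-
+
     token = Credential.last
     assert_operator token, :kind_of?, Tokens::PasswordReset
     assert_equal @user, token.user, 'password reset token user'
@@ -453,7 +527,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
     assert_redirected_to new_session_url
   end
-
+
   test "reset_password for invalid e-mail by json" do
     ActionMailer::Base.deliveries = []
 
@@ -469,17 +543,17 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "create delegation to reset_password" do
     ActionMailer::Base.deliveries = []
-
+
     assert_difference 'Credential.count', 1 do
       post :create, :email => @email_credential.email, :password => '',
           :reset_password => :requested
     end
-
+
     token = Credential.last
     assert_operator token, :kind_of?, Tokens::PasswordReset
     assert_equal @user, token.user, 'password reset token user'
   end
-
+
   test "auth_controller? is true" do
     assert_equal true, @controller.auth_controller?
   end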
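Review bot: 'create does not log in with expired password' submits the correct password and pins a distinct `/expired/` message (and `'expired'` in `data['error']` in the JSON variant), while a wrong password gets `/Invalid/`; that difference tells a caller that the password they sent was right even though it can no longer open the account, which is a confirmation oracle for old leaked passwords. If the distinction is deliberate so the user is steered to a reset, a comment above the test such as `# 'expired' is only reachable after the password matched, so it intentionally confirms it; the reset e-mail is the only way in` would record the trade-off; otherwise the generic message plus sending the reset e-mail as a side effect avoids the leak. Separately, the three "purges sessions" tests expire jane's session token and then log john in, so what they pin is a global sweep of expired tokens on login rather than a per-user purge — worth saying in the test names or a comment so nobody later assumes a user's own stale sessions are targeted.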