authpwn_rails 0.12.0 → 0.12.1

Files changed (44)
  1. data/.travis.yml +7 -2
  2. data/VERSION +1 -1
  3. data/app/models/credentials/password.rb +16 -8
  4. data/app/models/credentials/token.rb +8 -0
  5. data/app/models/tokens/email_verification.rb +3 -0
  6. data/app/models/tokens/password_reset.rb +5 -2
  7. data/app/models/tokens/session_uid.rb +54 -0
  8. data/authpwn_rails.gemspec +8 -2
  9. data/lib/authpwn_rails.rb +3 -2
  10. data/lib/authpwn_rails/current_user.rb +1 -10
  11. data/lib/authpwn_rails/engine.rb +2 -2
  12. data/lib/authpwn_rails/expires.rb +23 -0
  13. data/lib/authpwn_rails/generators/all_generator.rb +9 -4
  14. data/lib/authpwn_rails/generators/templates/credential.rb +1 -1
  15. data/lib/authpwn_rails/generators/templates/credentials.yml +16 -0
  16. data/lib/authpwn_rails/generators/templates/initializer.rb +18 -0
  17. data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +1 -1
  18. data/lib/authpwn_rails/generators/templates/session/home.html.erb +1 -1
  19. data/lib/authpwn_rails/generators/templates/session/new.html.erb +3 -3
  20. data/lib/authpwn_rails/generators/templates/session/welcome.html.erb +1 -1
  21. data/lib/authpwn_rails/generators/templates/session_controller.rb +13 -4
  22. data/lib/authpwn_rails/generators/templates/session_controller_test.rb +12 -2
  23. data/lib/authpwn_rails/generators/templates/session_mailer.rb +3 -3
  24. data/lib/authpwn_rails/generators/templates/session_mailer/email_verification_email.html.erb +3 -3
  25. data/lib/authpwn_rails/generators/templates/session_mailer/reset_password_email.html.erb +3 -3
  26. data/lib/authpwn_rails/generators/templates/session_mailer_test.rb +4 -4
  27. data/lib/authpwn_rails/routes.rb +4 -4
  28. data/lib/authpwn_rails/session.rb +31 -8
  29. data/lib/authpwn_rails/session_controller.rb +27 -18
  30. data/lib/authpwn_rails/test_extensions.rb +16 -6
  31. data/lib/authpwn_rails/user_model.rb +10 -10
  32. data/test/cookie_controller_test.rb +165 -16
  33. data/test/credentials/email_verification_token_test.rb +11 -11
  34. data/test/credentials/password_credential_test.rb +31 -12
  35. data/test/credentials/session_uid_token_test.rb +98 -0
  36. data/test/credentials/token_crendential_test.rb +46 -12
  37. data/test/helpers/db_setup.rb +6 -5
  38. data/test/helpers/routes.rb +5 -2
  39. data/test/initializer_test.rb +18 -0
  40. data/test/session_controller_api_test.rb +127 -53
  41. data/test/test_extensions_test.rb +41 -0
  42. data/test/test_helper.rb +3 -0
  43. data/test/user_test.rb +11 -10
  44. metadata +9 -3
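--- a/data/test/credentials/session_uid_token_test.rb
+++ b/data/test/credentials/session_uid_token_test.rb
@@ -0,0 +1,98 @@
+ require File.expand_path('../../test_helper', __FILE__)
+
+ class SessionUidTokenTest < ActiveSupport::TestCase
+ def setup
+ @credential = Tokens::SessionUid.new(
+ :code => 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo',
+ :browser_ip => '18.70.0.160',
+ :browser_ua => 'Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1'
+ )
+ @credential.user = users(:jane)
+ @_expires_after = Tokens::SessionUid.expires_after
+ end
+
+ def teardown
+ Tokens::SessionUid.expires_after = @_expires_after
+ end
+
+ test 'setup' do
+ assert @credential.valid?
+ end
+
+ test 'code required' do
+ @credential.code = nil
+ assert !@credential.valid?
+ end
+
+ test 'code uniqueness' do
+ @credential.code = credentials(:john_token).code
+ assert !@credential.valid?
+ end
+
+ test 'browser_ip required' do
+ @credential.browser_ip = nil
+ assert !@credential.valid?
+ end
+
+ test 'browser_ua required' do
+ @credential.browser_ua = nil
+ assert !@credential.valid?
+ end
+
+ test 'user required' do
+ @credential.user = nil
+ assert !@credential.valid?
+ end
+
+ test 'expired?' do
+ Tokens::SessionUid.expires_after = 14.days
+ @credential.updated_at = Time.now - 1.day
+ assert_equal false, @credential.expired?
+ @credential.updated_at = Time.now - 1.month
+ assert_equal true, @credential.expired?
+
+ Tokens::SessionUid.expires_after = nil
+ assert_equal false, @credential.expired?
+ end
+
+ test 'spend updates old token' do
+ @credential.updated_at = Time.now - 1.day
+ @credential.spend
+ assert_operator @credential.updated_at, :>=, Time.now - 1.minute
+ end
+
+ test 'spend does not update reasonably new token' do
+ old_updated_at = @credential.updated_at = Time.now - 5.minutes
+ @credential.spend
+ assert_equal old_updated_at, @credential.updated_at
+ end
+
+ test 'remove_expired gets rid of old tokens' do
+ old_token = credentials(:john_session_token)
+ old_token.updated_at = Time.now - 1.year
+ old_token.save!
+ fresh_token = credentials(:jane_session_token)
+ fresh_token.updated_at = Time.now - 1.minute
+ fresh_token.save!
+
+ assert_difference 'Credential.count', -1 do
+ Tokens::SessionUid.remove_expired
+ end
+ assert_nil Credentials::Token.with_code(old_token.code)
+ assert_equal fresh_token, Credentials::Token.with_code(fresh_token.code)
+ end
+
+ test 'random_for' do
+ user = users(:john)
+ credential = nil
+ assert_difference 'Credential.count', 1 do
+ credential = Tokens::SessionUid.random_for user, '1.2.3.4', 'Test/UA'
+ end
+ saved_credential = Credentials::Token.with_code credential.code
+ assert saved_credential, 'token was not saved'
+ assert_equal saved_credential, credential, 'wrong token returned'
+ assert_equal user, saved_credential.user
+ assert_equal '1.2.3.4', saved_credential.browser_ip
+ assert_equal 'Test/UA', saved_credential.browser_ua
+ end
+ end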
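Review bot: The two `spend` tests at lines 58–68 assume a particular `Tokens::SessionUid.updates_after` (a 1-day-old token is refreshed, a 5-minute-old one is not), but `setup` only captures and restores `expires_after`, so the threshold comes from whatever the initializer loaded and a change there makes these tests fail or pass for the wrong reason. Capture `@_updates_after = Tokens::SessionUid.updates_after` in `setup`, set `Tokens::SessionUid.updates_after = 1.hour` at the top of each `spend` test, and restore it in `teardown`. `remove_expired gets rid of old tokens` at lines 70–83 has the same implicit dependence on `expires_after`; setting `Tokens::SessionUid.expires_after = 14.days` there, as the `expired?` test already does, would pin it. `random_for` at lines 85–97 checks persistence and attributes but never that two calls yield different codes; `assert_not_equal credential.code, Tokens::SessionUid.random_for(user, '1.2.3.4', 'Test/UA').code` would catch a degenerate generator.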
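--- a/data/test/credentials/token_crendential_test.rb
+++ b/data/test/credentials/token_crendential_test.rb
@@ -1,21 +1,21 @@
  require File.expand_path('../../test_helper', __FILE__)
 
- class TokenCredentialTest < ActiveSupport::TestCase
+ class TokenCredentialTest < ActiveSupport::TestCase
  def setup
  @credential = Credentials::Token.new(
  :code => 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo')
  @credential.user = users(:bill)
  end
-
+
  test 'setup' do
  assert @credential.valid?
  end
-
+
  test 'code required' do
  @credential.code = nil
  assert !@credential.valid?
  end
-
+
  test 'code uniqueness' do
  @credential.code = credentials(:john_token).code
  assert !@credential.valid?
@@ -25,16 +25,16 @@ class TokenCredentialTest < ActiveSupport::TestCase
  @credential.user = nil
  assert !@credential.valid?
  end
-
+
  test 'spend does nothing' do
  credential = credentials(:jane_token)
  assert_equal Credentials::Token, credential.class, 'bad setup'
-
+
  assert_no_difference 'Credential.count' do
  credential.spend
  end
  end
-
+
  test 'random_for' do
  token = Credentials::Token.random_for users(:john)
  assert token.valid?, 'valid token'
@@ -43,7 +43,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
  assert !token.new_record?, 'saved token'
  assert_operator users(:john).credentials, :include?, token
  end
-
+
  test 'with_code' do
  john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
  john2 = 'bDSU4tzfjuob79e3R0ykLcOGTBBYvuBWWJ9V06tQrCE'
@@ -57,7 +57,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
  assert_nil Credentials::Token.with_code('john@gmail.com')
  assert_nil Credentials::Token.with_code(credentials(:jane_email).name)
  end
-
+
  test 'find_by_param' do
  assert_equal credentials(:john_token), Credentials::Token.
  find_by_param(credentials(:john_token).to_param)
@@ -66,7 +66,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
  assert_equal nil, Credentials::Token.find_by_param('bogus token')
  assert_equal nil, Credentials::Token.find_by_param(nil)
  end
-
+
  test 'class authenticate' do
  john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
  jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
@@ -75,7 +75,29 @@ class TokenCredentialTest < ActiveSupport::TestCase
  assert_equal users(:jane), Credentials::Token.authenticate(jane)
  assert_equal :invalid, Credentials::Token.authenticate(bogus)
  end
-
+
+ test 'class authenticate on expired tokens' do
+ john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
+ jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
+
+ Credentials::Token.all.each do |token|
+ token.updated_at = Time.now - 1.year
+ flexmock(token.class).should_receive(:expires_after).zero_or_more_times.
+ and_return 1.week
+ token.save!
+ end
+ assert_difference 'Credential.count', -1,
+ 'authenticate deletes expired credential' do
+ assert_equal :invalid, Credentials::Token.authenticate(john),
+ 'expired token'
+ end
+ assert_difference 'Credential.count', -1,
+ 'authenticate deletes expired credential' do
+ assert_equal :invalid, Credentials::Token.authenticate(jane),
+ 'expired token'
+ end
+ end
+
  test 'class authenticate calls User#auth_bounce_reason' do
  john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
  jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
@@ -92,7 +114,19 @@ class TokenCredentialTest < ActiveSupport::TestCase
  assert_equal users(:john), credentials(:john_token).authenticate
  assert_equal users(:jane), credentials(:jane_token).authenticate
  end
-
+
+ test 'instance authenticate with expired tokens' do
+ token = Credentials::Token.with_code credentials(:jane_token).code
+ token.updated_at = Time.now - 1.year
+ token.save!
+ flexmock(token.class).should_receive(:expires_after).
+ zero_or_more_times.and_return 1.week
+ assert_equal :invalid, token.authenticate,
+ 'expired token'
+ assert_nil Credentials::Token.with_code(credentials(:jane_token).code),
+ 'expired token not destroyed'
+ end
+
  test 'instance authenticate calls User#auth_bounce_reason' do
  with_blocked_credential credentials(:john_token), :reason do
  assert_equal :reason, credentials(:john_token).authenticate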
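Review bot: `class authenticate on expired tokens` at new lines 79–99 only exercises the negative path: after every token is aged and `expires_after` is mocked to `1.week`, nothing checks that a fresh token still authenticates, so an implementation that rejects every token whenever an expiry is configured would pass. Add a positive control after the loop, e.g. `fresh = Credentials::Token.random_for users(:john)` followed by `assert_equal users(:john), Credentials::Token.authenticate(fresh.code)`. The same gap exists in `instance authenticate with expired tokens` at new lines 118–128. Both tests use `zero_or_more_times` for the `expires_after` expectation; `at_least.once` would additionally prove that the expiry setting was consulted rather than the token being destroyed for some other reason.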
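--- a/data/test/helpers/db_setup.rb
+++ b/data/test/helpers/db_setup.rb
@@ -4,10 +4,11 @@ when /mysql/i
  ActiveRecord::Base.establish_connection :adapter => 'mysql2',
  :database => 'plugin_dev', :username => 'root', :password => ''
  when /pg/i
- `psql -d postgres -c "DROP DATABASE IF EXISTS plugin_dev;"`
- `psql -d postgres -c "CREATE DATABASE plugin_dev;"`
+ pg_user = ENV['DB_USER'] || ENV['USER']
+ `psql -U #{pg_user} -d postgres -c "DROP DATABASE IF EXISTS plugin_dev;"`
+ `psql -U #{pg_user} -d postgres -c "CREATE DATABASE plugin_dev;"`
  ActiveRecord::Base.establish_connection :adapter => 'postgresql',
- :database => 'plugin_dev', :username => ENV['USER'], :password => ''
+ :database => 'plugin_dev', :username => pg_user, :password => ''
  else
  ActiveRecord::Base.establish_connection :adapter => 'sqlite3',
  :database => ':memory:'
@@ -26,11 +27,11 @@ require 'authpwn_rails/generators/templates/credential.rb'
  # :nodoc: open TestCase to setup fixtures
  class ActiveSupport::TestCase
  include ActiveRecord::TestFixtures
-
+
  self.fixture_path =
  File.expand_path '../../../lib/authpwn_rails/generators/templates',
  __FILE__
-
+
  self.use_transactional_fixtures = false
  self.use_instantiated_fixtures = false
  self.pre_loaded_fixtures = false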
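Review bot: `pg_user` at new line 7 is interpolated unquoted into the two backtick commands on lines 8–9, and it is `nil` when neither `DB_USER` nor `USER` is set, which produces `psql -U  -d postgres ...` and lets psql take `-d` as the user name; a value of `DB_USER` containing spaces or shell metacharacters is likewise handed to the shell unescaped. Use the argument-vector form so no shell is involved and fail early on a missing user: `pg_user = ENV['DB_USER'] || ENV.fetch('USER')`, `system('psql', '-U', pg_user, '-d', 'postgres', '-c', 'DROP DATABASE IF EXISTS plugin_dev;')`, and the same for the CREATE. The result of the backtick calls is also discarded, so a failed DROP or CREATE only surfaces later as a connection error; `system(...) or raise 'psql failed'` would make the setup failure explicit. The enclosing `case` statement starts before this hunk.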
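--- a/data/test/helpers/routes.rb
+++ b/data/test/helpers/routes.rb
@@ -4,7 +4,10 @@ class ActionController::TestCase
  @routes = ActionController::Routing::RouteSet.new
  @routes.draw do
  resource :cookie, :controller => 'cookie' do
- collection { get :bouncer }
+ collection do
+ get :bouncer
+ put :update
+ end
  end
  resource :http_basic, :controller => 'http_basic' do
  collection { get :bouncer }
@@ -22,6 +25,6 @@ class ActionController::TestCase
  ApplicationController.send :include, @routes.url_helpers
  ActionMailer::Base.send :include, @routes.url_helpers
  end
-
+
  setup :setup_routes
  end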
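--- a/data/test/initializer_test.rb
+++ b/data/test/initializer_test.rb
@@ -0,0 +1,18 @@
+ require File.expand_path('../test_helper', __FILE__)
+
+ class InitializerTest < ActiveSupport::TestCase
+ test 'password set correctly' do
+ assert_equal 1.year, Credentials::Password.expires_after
+ end
+
+ test 'e-mail tokens set correctly' do
+ assert_equal 3.days, Tokens::EmailVerification.expires_after
+ assert_equal 3.days, Tokens::PasswordReset.expires_after
+ end
+
+ test 'cookie sessions set correctly' do
+ assert_equal 14.days, Tokens::SessionUid.expires_after
+ assert_equal 1.hour, Tokens::SessionUid.updates_after
+ end
+ end
+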
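--- a/data/test/session_controller_api_test.rb
+++ b/data/test/session_controller_api_test.rb
@@ -13,14 +13,19 @@ end
  # Tests the methods injected by authpwn_session_controller.
  class SessionControllerApiTest < ActionController::TestCase
  tests BareSessionController
-
+
  setup do
  @user = users(:john)
  @email_credential = credentials(:john_email)
  @password_credential = credentials(:john_password)
  @token_credential = credentials(:john_token)
+ @_auto_purge_sessions = BareSessionController.auto_purge_sessions
+ end
+
+ teardown do
+ BareSessionController.auto_purge_sessions = @_auto_purge_sessions
  end
-
+
  test "show renders welcome without a user" do
  flexmock(@controller).should_receive(:welcome).once.and_return(nil)
  get :show
@@ -34,7 +39,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_response :ok
  assert_equal({}, ActiveSupport::JSON.decode(response.body))
  end
-
+
  test "show renders home with a user" do
  flexmock(@controller).should_receive(:home).once.and_return(nil)
  set_session_current_user @user
@@ -42,7 +47,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_template :home
  assert_equal @user, assigns(:current_user)
  end
-
+
  test "show json renders user when logged in" do
  set_session_current_user @user
  flexmock(@controller).should_receive(:home).once.and_return(nil)
@@ -52,21 +57,21 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_equal @user.exuid, data['user']['exuid']
  assert_equal session[:_csrf_token], data['csrf']
  end
-
+
  test "new redirects to session#show when a user is logged in" do
  set_session_current_user @user
  get :new
  assert_redirected_to session_url
- end
+ end
 
  test "new renders login form without a user" do
  get :new
  assert_template :new
  assert_nil assigns(:current_user), 'current_user should not be set'
  end
-
+
  test "new renders redirect_url when present in flash" do
- url = 'http://authpwn.redirect.url'
+ url = 'http://authpwn.redirect.url'
  get :new, {}, {}, { :auth_redirect_url => url }
  assert_template :new
  assert_equal url, assigns(:redirect_url), 'redirect_url should be set'
@@ -74,7 +79,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_select "input[name=redirect_url][value=#{url}]"
  end
  end
-
+
  test "create logs in with good account details" do
  post :create, :email => @email_credential.email, :password => 'password'
  assert_equal @user, assigns(:current_user), 'instance variable'
@@ -82,6 +87,28 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_redirected_to session_url
  end
 
+ test "create purges sessions when logging in" do
+ BareSessionController.auto_purge_sessions = true
+ old_token = credentials(:jane_session_token)
+ old_token.updated_at = Time.now - 1.year
+ old_token.save!
+ post :create, :email => @email_credential.email, :password => 'password'
+ assert_equal @user, session_current_user, 'session'
+ assert_nil Credentials::Token.with_code(old_token.code),
+ 'old session not purged'
+ end
+
+ test "create does not purge sessions if auto_purge_sessions is false" do
+ BareSessionController.auto_purge_sessions = false
+ old_token = credentials(:jane_session_token)
+ old_token.updated_at = Time.now - 1.year
+ old_token.save!
+ post :create, :email => @email_credential.email, :password => 'password'
+ assert_equal @user, session_current_user, 'session'
+ assert_equal old_token, Credentials::Token.with_code(old_token.code),
+ 'old session purged'
+ end
+
  test "create by json logs in with good account details" do
  post :create, :email => @email_credential.email, :password => 'password',
  :format => 'json'
@@ -92,14 +119,27 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_equal @user, assigns(:current_user), 'instance variable'
  assert_equal @user, session_current_user, 'session'
  end
-
+
+ test "create by json purges sessions when logging in" do
+ BareSessionController.auto_purge_sessions = true
+ old_token = credentials(:jane_session_token)
+ old_token.updated_at = Time.now - 1.year
+ old_token.save!
+ post :create, :email => @email_credential.email, :password => 'password',
+ :format => 'json'
+ assert_response :ok
+ assert_equal @user, session_current_user, 'session'
+ assert_nil Credentials::Token.with_code(old_token.code),
+ 'old session not purged'
+ end
+
  test "create redirects properly with good account details" do
  url = 'http://authpwn.redirect.url'
  post :create, :email => @email_credential.email, :password => 'password',
  :redirect_url => url
  assert_redirected_to url
  end
-
+
  test "create does not log in with bad password" do
  post :create, :email => @email_credential.email, :password => 'fail'
  assert_redirected_to new_session_url
@@ -107,7 +147,28 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_nil session_current_user, 'session'
  assert_match(/Invalid/, flash[:alert])
  end
-
+
+ test "create does not log in with expired password" do
+ @password_credential.updated_at = Time.now - 2.years
+ @password_credential.save!
+ post :create, :email => @email_credential.email, :password => 'password'
+ assert_redirected_to new_session_url
+ assert_nil assigns(:current_user), 'instance variable'
+ assert_nil session_current_user, 'session'
+ assert_match(/expired/, flash[:alert])
+ end
+
+ test "create does not purge sessions if not logged in" do
+ BareSessionController.auto_purge_sessions = true
+ old_token = credentials(:jane_session_token)
+ old_token.updated_at = Time.now - 1.year
+ old_token.save!
+ post :create, :email => @email_credential.email, :password => 'fail'
+ assert_nil session_current_user, 'session'
+ assert_equal old_token, Credentials::Token.with_code(old_token.code),
+ 'old session purged'
+ end
+
  test "create does not log in blocked accounts" do
  with_blocked_credential @email_credential do
  post :create, :email => @email_credential.email, :password => 'password'
@@ -126,7 +187,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_equal @user, session_current_user, 'session'
  assert_redirected_to session_url
  end
-
+
  test "create by json does not log in with bad password" do
  post :create, :email => @email_credential.email, :password => 'fail',
  :format => 'json'
@@ -137,7 +198,20 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_nil assigns(:current_user), 'instance variable'
  assert_nil session_current_user, 'session'
  end
-
+
+ test "create by json does not log in with expired password" do
+ @password_credential.updated_at = Time.now - 2.years
+ @password_credential.save!
+ post :create, :email => @email_credential.email, :password => 'password',
+ :format => 'json'
+ assert_response :ok
+ data = ActiveSupport::JSON.decode response.body
+ assert_equal 'expired', data['error']
+ assert_match(/expired/i , data['text'])
+ assert_nil assigns(:current_user), 'instance variable'
+ assert_nil session_current_user, 'session'
+ end
+
  test "create by json does not log in blocked accounts" do
  with_blocked_credential @email_credential do
  post :create, :email => @email_credential.email, :password => 'password',
@@ -149,7 +223,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_match(/blocked/i , data['text'])
  assert_nil assigns(:current_user), 'instance variable'
  assert_nil session_current_user, 'session'
- end
+ end
 
  test "create maintains redirect_url for bad logins" do
  url = 'http://authpwn.redirect.url'
@@ -171,28 +245,28 @@ class SessionControllerApiTest < ActionController::TestCase
  test "token logs in with good token" do
  flexmock(@controller).should_receive(:home_with_token).once.
  with(@token_credential).and_return(nil)
- assert_difference 'Credential.count', -1, 'one-time credential is spent' do
- get :token, :code => @token_credential.code
- end
+ get :token, :code => @token_credential.code
  assert_redirected_to session_url
  assert_equal @user, assigns(:current_user), 'instance variable'
  assert_equal @user, session_current_user, 'session'
+ assert_nil Credentials::Token.with_code(@token_credential.code),
+ 'one-time credential is spent'
  end
 
  test "token by json logs in with good token" do
  flexmock(@controller).should_receive(:home_with_token).once.
  with(@token_credential).and_return(nil)
- assert_difference 'Credential.count', -1, 'one-time credential is spent' do
- get :token, :code => @token_credential.code, :format => 'json'
- end
+ get :token, :code => @token_credential.code, :format => 'json'
  assert_response :ok
  data = ActiveSupport::JSON.decode response.body
  assert_equal @user.exuid, data['user']['exuid']
  assert_equal session[:_csrf_token], data['csrf']
  assert_equal @user, assigns(:current_user), 'instance variable'
  assert_equal @user, session_current_user, 'session'
+ assert_nil Credentials::Token.with_code(@token_credential.code),
+ 'one-time credential is spent'
  end
-
+
  test "token does not log in with random token" do
  assert_no_difference 'Credential.count', 'no credential is spent' do
  get :token, :code => 'no-such-token'
@@ -202,7 +276,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_nil session_current_user, 'session'
  assert_match(/Invalid/, flash[:alert])
  end
-
+
  test "token does not log in blocked accounts" do
  with_blocked_credential @token_credential do
  assert_no_difference 'Credential.count', 'no credential is spent' do
@@ -226,7 +300,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_nil assigns(:current_user), 'instance variable'
  assert_nil session_current_user, 'session'
  end
-
+
  test "token by json does not log in blocked accounts" do
  with_blocked_credential @token_credential do
  assert_no_difference 'Credential.count', 'no credential is spent' do
@@ -239,24 +313,24 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_match(/blocked/i , data['text'])
  assert_nil assigns(:current_user), 'instance variable'
  assert_nil session_current_user, 'session'
- end
+ end
 
  test "logout" do
  set_session_current_user @user
  delete :destroy
-
+
  assert_redirected_to session_url
  assert_nil assigns(:current_user)
  end
-
+
  test "logout by json" do
  set_session_current_user @user
  delete :destroy, :format => 'json'
-
+
  assert_response :ok
  assert_nil assigns(:current_user)
  end
-
+
  test "password_change bounces without logged in user" do
  get :password_change
  assert_response :forbidden
@@ -273,7 +347,7 @@ class SessionControllerApiTest < ActionController::TestCase
  test "change_password bounces without logged in user" do
  post :change_password, :old_password => 'password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_response :forbidden
  end
 
@@ -281,7 +355,7 @@ class SessionControllerApiTest < ActionController::TestCase
  set_session_current_user @user
  post :change_password, :old_password => 'password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_redirected_to session_url
  assert_equal @password_credential, assigns(:credential)
  assert_equal @user, User.authenticate_signin(@email_credential.email,
@@ -292,7 +366,7 @@ class SessionControllerApiTest < ActionController::TestCase
  set_session_current_user @user
  post :change_password, :old_password => '_password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_response :ok
  assert_template :password_change
  assert_equal @password_credential, assigns(:credential)
@@ -304,7 +378,7 @@ class SessionControllerApiTest < ActionController::TestCase
  set_session_current_user @user
  post :change_password, :old_password => 'password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks_'}
+ :password_confirmation => 'hacks_'}
  assert_response :ok
  assert_template :password_change
  assert_equal @password_credential, assigns(:credential)
@@ -317,7 +391,7 @@ class SessionControllerApiTest < ActionController::TestCase
  @password_credential.destroy
  post :change_password,
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_redirected_to session_url
  assert_equal @user, User.authenticate_signin(@email_credential.email,
  'hacks'), 'password not changed'
@@ -329,7 +403,7 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_no_difference 'Credential.count' do
  post :change_password,
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks_'}
+ :password_confirmation => 'hacks_'}
  end
  assert_response :ok
  assert_template :password_change
@@ -338,7 +412,7 @@ class SessionControllerApiTest < ActionController::TestCase
  test "change_password by json bounces without logged in user" do
  post :change_password, :format => 'json', :old_password => 'password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_response :ok
  data = ActiveSupport::JSON.decode response.body
  assert_equal 'Please sign in', data['error']
@@ -348,7 +422,7 @@ class SessionControllerApiTest < ActionController::TestCase
  set_session_current_user @user
  post :change_password, :format => 'json', :old_password => 'password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_response :ok
  assert_equal @user, User.authenticate_signin(@email_credential.email,
  'hacks'), 'password not changed'
@@ -358,7 +432,7 @@ class SessionControllerApiTest < ActionController::TestCase
  set_session_current_user @user
  post :change_password, :format => 'json', :old_password => '_password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_response :ok
  data = ActiveSupport::JSON.decode response.body
  assert_equal 'invalid', data['error']
@@ -371,7 +445,7 @@ class SessionControllerApiTest < ActionController::TestCase
  set_session_current_user @user
  post :change_password, :format => 'json', :old_password => 'password',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks_'}
+ :password_confirmation => 'hacks_'}
  assert_response :ok
  data = ActiveSupport::JSON.decode response.body
  assert_equal 'invalid', data['error']
@@ -384,7 +458,7 @@ class SessionControllerApiTest < ActionController::TestCase
  @password_credential.destroy
  post :change_password, :format => 'json',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks'}
+ :password_confirmation => 'hacks'}
  assert_response :ok
  assert_equal @user, User.authenticate_signin(
  @email_credential.email, 'hacks'), 'password not changed'
@@ -396,25 +470,25 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_no_difference 'Credential.count' do
  post :change_password, :format => 'json',
  :credential => { :password => 'hacks',
- :password_confirmation => 'hacks_'}
+ :password_confirmation => 'hacks_'}
  end
  assert_response :ok
  data = ActiveSupport::JSON.decode response.body
  assert_equal 'invalid', data['error']
  end
-
+
  test "reset_password for good e-mail" do
  ActionMailer::Base.deliveries = []
  @request.host = 'mail.test.host:1234'
-
+
  assert_difference 'Credential.count', 1 do
  post :reset_password, :email => @email_credential.email
  end
-
+
  token = Credential.last
  assert_operator token, :kind_of?, Tokens::PasswordReset
  assert_equal @user, token.user, 'password reset token user'
-
+
  assert !ActionMailer::Base.deliveries.empty?, 'email generated'
  email = ActionMailer::Base.deliveries.last
  assert_equal '"mail.test.host staff" <admin@mail.test.host>',
@@ -422,17 +496,17 @@ class SessionControllerApiTest < ActionController::TestCase
  assert_equal [@email_credential.email], email.to
  assert_match 'http://mail.test.host:1234/', email.encoded
  assert_match token.code, email.encoded
-
+
  assert_redirected_to new_session_url
  end
-
+
  test "reset_password for good e-mail by json" do
  ActionMailer::Base.deliveries = []
-
+
  assert_difference 'Credential.count', 1 do
  post :reset_password, :email => @email_credential.email, :format => 'json'
  end
-
+
  token = Credential.last
  assert_operator token, :kind_of?, Tokens::PasswordReset
  assert_equal @user, token.user, 'password reset token user'
@@ -453,7 +527,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
  assert_redirected_to new_session_url
  end
-
+
  test "reset_password for invalid e-mail by json" do
  ActionMailer::Base.deliveries = []
 
@@ -469,17 +543,17 @@ class SessionControllerApiTest < ActionController::TestCase
 
  test "create delegation to reset_password" do
  ActionMailer::Base.deliveries = []
-
+
  assert_difference 'Credential.count', 1 do
  post :create, :email => @email_credential.email, :password => '',
  :reset_password => :requested
  end
-
+
  token = Credential.last
  assert_operator token, :kind_of?, Tokens::PasswordReset
  assert_equal @user, token.user, 'password reset token user'
  end
-
+
  test "auth_controller? is true" do
  assert_equal true, @controller.auth_controller?
  end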
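Review bot: The expired-password tests at new lines 151–159 and 202–213 hard-code `Time.now - 2.years` and so depend on whatever `Credentials::Password.expires_after` the initializer template sets; `setup` saves and restores `auto_purge_sessions` but not this value, so a change to the template silently turns these into false passes or failures. Save it in `setup` next to `@_auto_purge_sessions`, set `Credentials::Password.expires_after = 1.year` at the top of each of these tests, and restore it in `teardown`; the purge tests at new lines 90–110, 123–134 and 161–170 have the same implicit dependence on `Tokens::SessionUid.expires_after` to classify a token updated `1.year` ago as expired. Separately, these tests pin a response (`flash[:alert] =~ /expired/`, JSON `error == 'expired'`) that differs from the bad-password response, which tells the caller that the submitted password was correct; if that trade-off is intended, a one-line comment in the test saying so would stop a later reader from "fixing" it. This file section may continue past the end of this chunk.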