authpwn_rails 0.16.0 → 0.16.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9d18966634c93c4285ec281995bf5c346d0299ee
-  data.tar.gz: 2e6b7635d173a2c2f9777729aeb38042b08856b1
+  metadata.gz: 55e00431fac95ebeaa4bffd96d5f03a788bc0340
+  data.tar.gz: 80a15431b638ed0798dd0b22735f8ced99770b4c
 SHA512:
-  metadata.gz: c625046e4189a3e7e2beff07784e57b2963e97bcc9837b5d12f5d89155d10b6a839bdddc6467b59cae9449783181c272190f5a809831946fc393aa75f452a0d3
-  data.tar.gz: 1c94a67996c30916e425d0f0628bb71b560d2ae841595590b02420697eaf88a2b304142333a0ca6be075063bbed5029a97ed8e67e104c38bcfc1ff641ce2404c
+  metadata.gz: 4bb61cd308147854a0712247e38678c8d311d9ef145973138218e2b4cae76af334597333e79616f517c9b02fcbfc7bfcaf71d9a6dcc87f3a4a8a3c1a18bce1a8
+  data.tar.gz: b9b35f7de8f897de9674242e7311f10e1faa57f8ce7c429388aca357cf9ee0c78fece76711579385f2b0e6a2574f008f61e26c104187093ca0edbca16d0d9408

data/VERSION

@@ -1 +1 @@
-0.16.0
+0.16.1

data/app/models/credentials/email.rb

@@ -54,6 +54,7 @@ class Email < ::Credential
   def self.authenticate(email)
     credential = with email
     return :invalid unless credential
+    return :blocked unless credential.verified?
     user = credential.user
     user.auth_bounce_reason(credential) || user
   end

data/authpwn_rails.gemspec

@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
   s.name = "authpwn_rails"
-  s.version = "0.16.0"
+  s.version = "0.16.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Victor Costan"]

data/lib/authpwn_rails/generators/templates/credentials.yml

@@ -35,12 +35,12 @@ john_facebook:
 
 jane_token:
   user: jane
-  type: Tokens::Base
+  type: Tokens::OneTime
   name: 6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c
 
 john_token:
   user: john
-  type: Tokens::OneTime
+  type: Tokens::Base
   name: YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A
 
 john_email_token:

data/lib/authpwn_rails/generators/templates/session_controller_test.rb

@@ -2,10 +2,9 @@ require 'test_helper'
 
 class SessionControllerTest < ActionController::TestCase
   setup do
-    @user = users(:john)
-    @email_credential = credentials(:john_email)
-    @password_credential = credentials(:john_password)
-    @token_credential = credentials(:john_email_token)
+    @user = users(:jane)
+    @email_credential = credentials(:jane_email)
+    @password_credential = credentials(:jane_password)
   end
 
   test "user home page" do
@@ -21,7 +20,7 @@ class SessionControllerTest < ActionController::TestCase
     old_token.updated_at = Time.now - 1.year
     old_token.save!
     post :create, session: { email: @email_credential.email,
-                             password: 'password' }
+                             password: 'pa55w0rd' }
     assert_equal @user, session_current_user, 'session'
     assert_redirected_to session_url
     assert_nil Tokens::Base.with_code(old_token.code).first,
@@ -40,7 +39,7 @@ class SessionControllerTest < ActionController::TestCase
     get :show
 
     assert_equal User.count, assigns(:user_count)
-    assert_select 'a', 'sign in'
+    assert_select 'a[href="/session/new"]', 'sign in'
   end
 
   test "user not logged in with JSON request" do
@@ -62,9 +61,11 @@ class SessionControllerTest < ActionController::TestCase
   end
 
   test "e-mail verification link" do
-    get :token, code: @token_credential.code
+    token_credential = credentials(:john_email_token)
+    email_credential = credentials(:john_email)
+    get :token, code: token_credential.code
     assert_redirected_to session_url
-    assert @email_credential.reload.verified?, 'Email not verified'
+    assert email_credential.reload.verified?, 'Email not verified'
   end
 
   test "password reset link" do

data/test/credentials/email_credential_test.rb

@@ -71,17 +71,30 @@ class EmailCredentialTest < ActiveSupport::TestCase
   end
 
   test 'authenticate' do
-    assert_equal users(:john), Credentials::Email.authenticate('john@gmail.com')
-    assert_equal users(:jane), Credentials::Email.authenticate('jane@gmail.com')
+    assert_equal users(:jane),
+                 Credentials::Email.authenticate('jane@gmail.com')
+    assert_equal :blocked, Credentials::Email.authenticate('john@gmail.com')
     assert_equal :invalid, Credentials::Email.authenticate('bill@gmail.com')
+
+    john_email = credentials(:john_email)
+    john_email.verified = true
+    john_email.save!
+    assert_equal users(:john),
+                 Credentials::Email.authenticate('john@gmail.com')
   end
 
   test 'authenticate calls User#auth_bounce_reason' do
-    with_blocked_credential credentials(:john_email), :reason do
-      assert_equal :reason, Credentials::Email.authenticate('john@gmail.com')
-      assert_equal users(:jane),
-                   Credentials::Email.authenticate('jane@gmail.com')
+    with_blocked_credential credentials(:jane_email), :reason do
+      assert_equal :reason, Credentials::Email.authenticate('jane@gmail.com')
+      assert_equal :blocked,
+                   Credentials::Email.authenticate('john@gmail.com')
       assert_equal :invalid, Credentials::Email.authenticate('bill@gmail.com')
+
+      john_email = credentials(:john_email)
+      john_email.verified = true
+      john_email.save!
+      assert_equal users(:john),
+                   Credentials::Email.authenticate('john@gmail.com')
     end
   end
 end

data/test/credentials/one_time_token_credential_test.rb

@@ -17,7 +17,7 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
   end
 
   test 'code uniqueness' do
-    @credential.code = credentials(:john_token).code
+    @credential.code = credentials(:jane_token).code
     assert !@credential.valid?
   end
 
@@ -27,7 +27,7 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
   end
 
   test 'spend destroys the token' do
-    credential = credentials(:john_token)
+    credential = credentials(:jane_token)
     assert_equal Tokens::OneTime, credential.class, 'bad setup'
 
     assert_difference 'Credential.count', -1 do
@@ -37,10 +37,10 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
   end
 
   test 'authenticate spends the token' do
-    john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
+    jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
     bogus = 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo'
     assert_difference 'Credential.count', -1, 'token spent' do
-      assert_equal users(:john), Tokens::Base.authenticate(john)
+      assert_equal users(:jane), Tokens::Base.authenticate(jane)
     end
     assert_no_difference 'Credential.count', 'token mistakenly spent' do
       assert_equal :invalid, Tokens::Base.authenticate(bogus)
@@ -48,37 +48,35 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
   end
 
   test 'authenticate calls User#auth_bounce_reason' do
-    john = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     jane = '6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c'
-    bogus = 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo'
 
-    with_blocked_credential credentials(:john_token), :reason do
+    with_blocked_credential credentials(:jane_token), :reason do
       assert_no_difference 'Credential.count', 'no token spent' do
-        assert_equal :reason, Tokens::Base.authenticate(john)
+        assert_equal :reason, Tokens::Base.authenticate(jane)
       end
     end
   end
 
   test 'instance authenticate spends the token' do
     assert_difference 'Credential.count', -1, 'token spent' do
-      assert_equal users(:john), credentials(:john_token).authenticate
+      assert_equal users(:jane), credentials(:jane_token).authenticate
     end
   end
 
   test 'instance authenticate calls User#auth_bounce_reason' do
-    with_blocked_credential credentials(:john_token), :reason do
+    with_blocked_credential credentials(:jane_token), :reason do
       assert_no_difference 'Credential.count', 'token mistakenly spent' do
-        assert_equal :reason, credentials(:john_token).authenticate
+        assert_equal :reason, credentials(:jane_token).authenticate
       end
     end
   end
 
   test 'random_for' do
-    token = Tokens::OneTime.random_for users(:john)
+    token = Tokens::OneTime.random_for users(:jane)
     assert token.valid?, 'valid token'
-    assert_equal users(:john), token.user
+    assert_equal users(:jane), token.user
     assert_equal Tokens::OneTime, token.class
     assert !token.new_record?, 'saved token'
-    assert_operator users(:john).credentials, :include?, token
+    assert_operator users(:jane).credentials, :include?, token
   end
 end

data/test/credentials/password_credential_test.rb

@@ -77,24 +77,30 @@ class PasswordCredentialTest < ActiveSupport::TestCase
   end
 
   test 'authenticate_email' do
-    assert_equal users(:john),
-        Credentials::Password.authenticate_email('john@gmail.com', 'password')
-    assert_equal :invalid,
-        Credentials::Password.authenticate_email('john@gmail.com', 'pa55w0rd'),
-        "Jane's password on John's account"
     assert_equal users(:jane),
         Credentials::Password.authenticate_email('jane@gmail.com', 'pa55w0rd')
     assert_equal :invalid,
         Credentials::Password.authenticate_email('jane@gmail.com', 'password'),
         "John's password on Jane's account"
     assert_equal :invalid,
-        Credentials::Password.authenticate_email('john@gmail.com', 'awesome'),
+        Credentials::Password.authenticate_email('jane@gmail.com', 'awesome'),
         'Bogus password'
+    assert_equal :blocked,
+        Credentials::Password.authenticate_email('john@gmail.com', 'password')
+    assert_equal :blocked,
+        Credentials::Password.authenticate_email('john@gmail.com', 'pa55w0rd'),
+        "Jane's password on John's account"
     assert_equal :invalid,
         Credentials::Password.authenticate_email('bill@gmail.com', 'pa55w0rd'),
         'Password authentication on account without password credential'
     assert_equal :invalid,
         Credentials::Password.authenticate_email('none@gmail.com', 'pa55w0rd'),
         'Bogus e-mail'
+
+    john_email = credentials(:john_email)
+    john_email.verified = true
+    john_email.save!
+    assert_equal users(:john),
+        Credentials::Password.authenticate_email('john@gmail.com', 'password')
   end
 end

data/test/credentials/token_crendential_test.rb

@@ -17,7 +17,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
   end
 
   test 'code uniqueness' do
-    @credential.code = credentials(:john_token).code
+    @credential.code = credentials(:jane_token).code
     assert !@credential.valid?
   end
 
@@ -27,7 +27,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
   end
 
   test 'spend does nothing' do
-    credential = credentials(:jane_token)
+    credential = credentials(:john_token)
     assert_equal Tokens::Base, credential.class, 'bad setup'
 
     assert_no_difference 'Credential.count' do
@@ -36,12 +36,12 @@ class TokenCredentialTest < ActiveSupport::TestCase
   end
 
   test 'random_for' do
-    token = Tokens::Base.random_for users(:john)
+    token = Tokens::Base.random_for users(:jane)
     assert token.valid?, 'valid token'
-    assert_equal users(:john), token.user
+    assert_equal users(:jane), token.user
     assert_equal Tokens::Base, token.class
     assert !token.new_record?, 'saved token'
-    assert_operator users(:john).credentials, :include?, token
+    assert_operator users(:jane).credentials, :include?, token
   end
 
   test 'with_code' do

data/test/session_controller_api_test.rb

@@ -15,10 +15,10 @@ class SessionControllerApiTest < ActionController::TestCase
   tests BareSessionController
 
   setup do
-    @user = users(:john)
-    @email_credential = credentials(:john_email)
-    @password_credential = credentials(:john_password)
-    @token_credential = credentials(:john_token)
+    @user = users(:jane)
+    @email_credential = credentials(:jane_email)
+    @password_credential = credentials(:jane_password)
+    @token_credential = credentials(:jane_token)
     @_auto_purge_sessions = BareSessionController.auto_purge_sessions
   end
 
@@ -81,7 +81,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "create logs in with good account details" do
     post :create, session: { email: @email_credential.email,
-                             password: 'password' }
+                             password: 'pa55w0rd' }
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
     assert_nil flash[:alert], 'no alert'
@@ -90,7 +90,7 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "create logs in with good raw account details" do
-    post :create, email: @email_credential.email, password: 'password'
+    post :create, email: @email_credential.email, password: 'pa55w0rd'
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
     assert_nil flash[:alert], 'no alert'
@@ -104,7 +104,7 @@ class SessionControllerApiTest < ActionController::TestCase
     old_token.updated_at = Time.now - 1.year
     old_token.save!
     post :create, session: { email: @email_credential.email,
-                             password: 'password' }
+                             password: 'pa55w0rd' }
     assert_equal @user, session_current_user, 'session'
     assert_nil Tokens::Base.with_code(old_token.code).first,
                'old session not purged'
@@ -115,14 +115,14 @@ class SessionControllerApiTest < ActionController::TestCase
     old_token = credentials(:jane_session_token)
     old_token.updated_at = Time.now - 1.year
     old_token.save!
-    post :create, email: @email_credential.email, password: 'password'
+    post :create, email: @email_credential.email, password: 'pa55w0rd'
     assert_equal @user, session_current_user, 'session'
     assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
                'old session purged'
   end
 
   test "create by json logs in with good account details" do
-    post :create, email: @email_credential.email, password: 'password',
+    post :create, email: @email_credential.email, password: 'pa55w0rd',
                   format: 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
@@ -137,7 +137,7 @@ class SessionControllerApiTest < ActionController::TestCase
     old_token = credentials(:jane_session_token)
     old_token.updated_at = Time.now - 1.year
     old_token.save!
-    post :create, email: @email_credential.email, password: 'password',
+    post :create, email: @email_credential.email, password: 'pa55w0rd',
                   format: 'json'
     assert_response :ok
     assert_equal @user, session_current_user, 'session'
@@ -148,7 +148,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "create redirects properly with good account details" do
     url = 'http://authpwn.redirect.url'
     post :create, session: { email: @email_credential.email,
-                             password: 'password' }, redirect_url: url
+                             password: 'pa55w0rd' }, redirect_url: url
     assert_redirected_to url
     assert_nil flash[:alert], 'no alert'
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -167,7 +167,7 @@ class SessionControllerApiTest < ActionController::TestCase
     @password_credential.updated_at = Time.now - 2.years
     @password_credential.save!
     post :create, session: { email: @email_credential.email,
-                             password: 'password' }
+                             password: 'pa55w0rd' }
     assert_redirected_to new_session_url
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
@@ -189,7 +189,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "create does not log in blocked accounts" do
     with_blocked_credential @email_credential do
       post :create, session: { email: @email_credential.email,
-                               password: 'password' }
+                               password: 'pa55w0rd' }
     end
     assert_redirected_to new_session_url
     assert_nil assigns(:current_user), 'instance variable'
@@ -221,7 +221,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "create by json does not log in with expired password" do
     @password_credential.updated_at = Time.now - 2.years
     @password_credential.save!
-    post :create, email: @email_credential.email, password: 'password',
+    post :create, email: @email_credential.email, password: 'pa55w0rd',
                   format: 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
@@ -233,7 +233,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "create by json does not log in blocked accounts" do
     with_blocked_credential @email_credential do
-      post :create, email: @email_credential.email, password: 'password',
+      post :create, email: @email_credential.email, password: 'pa55w0rd',
                     format: 'json'
     end
     assert_response :ok
@@ -365,15 +365,15 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "change_password bounces without logged in user" do
-    post :change_password, old_password: 'password',
+    post :change_password, old_password: 'pa55w0rd',
          credential: { password: 'hacks',
-                          password_confirmation: 'hacks'}
+                       password_confirmation: 'hacks'}
     assert_response :forbidden
   end
 
   test "change_password works with correct input" do
     set_session_current_user @user
-    post :change_password, old_password: 'password',
+    post :change_password, old_password: 'pa55w0rd',
          credential: { password: 'hacks', password_confirmation: 'hacks'}
     assert_redirected_to session_url
     assert_equal @password_credential, assigns(:credential)
@@ -383,7 +383,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password works with correct input and extra form input" do
     set_session_current_user @user
-    post :change_password, old_password: 'password',
+    post :change_password, old_password: 'pa55w0rd',
          credential: { password: 'hacks', password_confirmation: 'hacks'},
          utf8: "\u2713", commit: 'Change password'
     assert_redirected_to session_url
@@ -394,24 +394,24 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password rejects bad old password" do
     set_session_current_user @user
-    post :change_password, old_password: '_password',
+    post :change_password, old_password: '_pa55w0rd',
          credential: { password: 'hacks', password_confirmation: 'hacks'}
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'password'), 'password wrongly changed'
+        'pa55w0rd'), 'password wrongly changed'
   end
 
   test "change_password rejects un-confirmed password" do
     set_session_current_user @user
-    post :change_password, old_password: 'password',
+    post :change_password, old_password: 'pa55w0rd',
          credential: { password: 'hacks', password_confirmation: 'hacks_'}
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin( @email_credential.email,
-        'password'), 'password wrongly changed'
+        'pa55w0rd'), 'password wrongly changed'
   end
 
   test "change_password works for password recovery" do
@@ -438,7 +438,7 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "change_password by json bounces without logged in user" do
-    post :change_password, format: 'json', old_password: 'password',
+    post :change_password, format: 'json', old_password: 'pa55w0rd',
          credential: { password: 'hacks', password_confirmation: 'hacks'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
@@ -447,7 +447,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password by json works with correct input" do
     set_session_current_user @user
-    post :change_password, format: 'json', old_password: 'password',
+    post :change_password, format: 'json', old_password: 'pa55w0rd',
          credential: { password: 'hacks',
                           password_confirmation: 'hacks'}
     assert_response :ok
@@ -457,25 +457,25 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password by json rejects bad old password" do
     set_session_current_user @user
-    post :change_password, format: 'json', old_password: '_password',
+    post :change_password, format: 'json', old_password: '_pa55w0rd',
          credential: { password: 'hacks', password_confirmation: 'hacks'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
     assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'password'), 'password wrongly changed'
+        'pa55w0rd'), 'password wrongly changed'
   end
 
   test "change_password by json rejects un-confirmed password" do
     set_session_current_user @user
-    post :change_password, format: 'json', old_password: 'password',
+    post :change_password, format: 'json', old_password: 'pa55w0rd',
          credential: { password: 'hacks', password_confirmation: 'hacks_'}
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
-    assert_equal @user, User.authenticate_signin( @email_credential.email,
-        'password'), 'password wrongly changed'
+    assert_equal @user, User.authenticate_signin(@email_credential.email,
+        'pa55w0rd'), 'password wrongly changed'
   end
 
   test "change_password by json works for password recovery" do

data/test/user_test.rb

@@ -56,12 +56,14 @@ class UserTest < ActiveSupport::TestCase
     assert_equal nil, User.find_by_param(nil)
   end
 
-  test 'authenticate_email' do
-    assert_equal users(:john),
-        User.authenticate_signin('john@gmail.com', 'password')
+  test 'authenticate_signin' do
+    assert_equal users(:jane),
+        User.authenticate_signin('jane@gmail.com', 'pa55w0rd')
     assert_equal :invalid,
-        User.authenticate_signin('john@gmail.com', 'pa55w0rd'),
-        "Jane's password on John's account"
+        User.authenticate_signin('jane@gmail.com', 'password'),
+        "John's password on Jane's account"
+    assert_equal :blocked,
+        User.authenticate_signin('john@gmail.com', 'password')
   end
 
   test 'autosaves credentials' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authpwn_rails
 version: !ruby/object:Gem::Version
-  version: 0.16.0
+  version: 0.16.1
 platform: ruby
 authors:
 - Victor Costan