authpwn_rails 0.16.2 → 0.17.0

data/lib/authpwn_rails/session_controller.rb

@@ -59,7 +59,7 @@ module SessionController
 
     @redirect_url = params[:redirect_url] || session_url
     @session = Session.from_params params
-    auth = User.authenticate_signin @session.email, @session.password
+    auth = User.authenticate_signin @session
     unless auth.kind_of? Symbol
       set_session_current_user auth
       Tokens::SessionUid.remove_expired if auto_purge_sessions
@@ -97,7 +97,13 @@ module SessionController
 
     if user = (credential && credential.user)
       token = Tokens::PasswordReset.random_for user
-      ::SessionMailer.reset_password_email(email, token, root_url).deliver
+      email = ::SessionMailer.reset_password_email(email, token, root_url)
+      if email.respond_to? :deliver_now
+        # TODO(pwnall): fix the serialization errors blocking deliver_later
+        email.deliver_now
+      else
+        email.deliver
+      end
     end
 
     respond_to do |format|
@@ -218,18 +224,48 @@ module SessionController
     end
   end
 
-  if defined? ActiveModel::ForbiddenAttributesProtection
-    # Rails 4.
+  # Parameters used to change the user's password.
+  def change_password_params
+    params.require(:credential).permit :old_password, :password,
+                                       :password_confirmation
+  end
+  private :change_password_params
+
+  # GET /auth/twitter/callback
+  # POST /auth/twitter/callback
+  def omniauth
+    @redirect_url = params[:redirect_url] || session_url
+    omni_auth = request.env['omniauth.auth']
+    auth = Credentials::OmniAuthUid.authenticate omni_auth
+    unless auth.kind_of? Symbol
+      set_session_current_user auth
+      Tokens::SessionUid.remove_expired if auto_purge_sessions
+    end
 
-    # Parameters used to change the user's password.
-    def change_password_params
-      params.require(:credential).permit :old_password, :password,
-                                         :password_confirmation
+    respond_to do |format|
+      if current_user
+        format.html { redirect_to @redirect_url }
+      else
+        error_text = bounce_notice_text auth
+        format.html do
+          if params[:redirect_url]
+            redirect_to new_session_url, flash: { alert: error_text,
+                auth_redirect_url: @redirect_url }
+          else
+            redirect_to new_session_url, alert: error_text
+          end
+        end
+      end
     end
-  else
-    # Rails 3.
-    def change_password_params
-      params[:credential]
+  end
+
+  # GET /auth/failure
+  def omniauth_failure
+    respond_to do |format|
+      format.html do
+        redirect_to new_session_url,
+                    alert: 'Authentication failed. Please try again.'
+        end
     end
   end
 

data/lib/authpwn_rails/session_mailer.rb

@@ -7,15 +7,14 @@ module Authpwn
 module SessionMailer
   # Creates an e-mail containing a verification token for the e-mail address.
   #
-  # Params:
-  #   token:: the e-mail confirmation token
-  #   root_url:: the application's root URL (e.g. "https://localhost:3000/") 
+  # @param [String] token the e-mail confirmation token
+  # @param [String] the application's root URL (e.g. "https://localhost:3000/")
   def email_verification_email(token, root_url)
     @token = token
     @protocol, @host = *root_url.split('://', 2)
-    @host.slice! -1 if @host[-1] == ?/
+    @host.slice!(-1) if @host[-1] == ?/
     hostname = @host.split(':', 2).first  # Strip out any port.
-    
+
     mail to: @token.email,
          subject: email_verification_subject(token, hostname, @protocol),
          from: email_verification_from(token, hostname, @protocol)
@@ -27,38 +26,38 @@ module SessionMailer
   def email_verification_subject(token, server_hostname, protocol)
     "#{server_hostname} e-mail verification"
   end
-  
+
   # The sender e-mail address for an e-mail verification e-mail.
   #
   # The authpwn generator encourages applications to override this method.
   def email_verification_from(token, server_hostname, protocol)
     %Q|"#{server_hostname} staff" <admin@#{server_hostname}>|
-  end  
+  end
 
   # Creates an e-mail containing a password reset token.
   #
-  # Params:
-  #   email:: the email to send the token to
-  #   token:: the password reset token
-  #   root_url:: the application's root URL (e.g. "https://localhost:3000/") 
+  # @param [String] email the email to send the token to
+  # @param [String] token the password reset token
+  # @param [String] root_url the application's root URL
+  #     (e.g. "https://localhost:3000/")
   def reset_password_email(email, token, root_url)
     @email, @token, @host, @protocol = email, token
     @token = token
     @protocol, @host = *root_url.split('://', 2)
-    @host.slice! -1 if @host[-1] == ?/
+    @host.slice!(-1) if @host[-1] == ?/
 
     hostname = @host.split(':', 2).first  # Strip out any port.
     mail to: email, from: reset_password_from(token, hostname, @protocol),
          subject: reset_password_subject(token, hostname, @protocol)
   end
-  
+
   # The subject line in a password reset e-mail.
   #
   # The authpwn generator encourages applications to override this method.
   def reset_password_subject(token, server_hostname, protocol)
     "#{server_hostname} password reset"
   end
-  
+
   # The sender e-mail address for a password reset e-mail.
   #
   # The authpwn generator encourages applications to override this method.

data/lib/authpwn_rails/session_model.rb

@@ -4,39 +4,19 @@ require 'active_model'
 # :nodoc: namespace
 module Authpwn
 
-# Included by the model class that collects sign-up information.
+# Included by the model class that collects signin information.
 #
 # Parts of the codebase assume the model will be named Session.
 module SessionModel
   extend ActiveSupport::Concern
 
   included do
-    if defined? ActiveModel::Model
-      # Rails 4.
-      include ActiveModel::Model
-    else
-      # Rails 3.
-      include ActiveModel::Conversion
-      extend  ActiveModel::Naming
-      extend  ActiveModel::Translation
-      include ActiveModel::Validations
-
-      def initialize(params={})
-        params.each do |attr, value|
-          self.public_send("#{attr}=", value)
-        end if params
-
-        super()
-      end
-      def persisted?
-        false
-      end
-    end
+    include ActiveModel::Model
 
-    # The e-mail used to sign up.
+    # The e-mail used to sign in.
     attr_accessor :email
 
-    # The password used to sign up.
+    # The password used to sign in.
     attr_accessor :password
   end
 

data/lib/authpwn_rails/user_extensions/email_field.rb

@@ -24,30 +24,14 @@ module EmailField
         record.errors.add attr, :blank
       end
     end
-    if ActiveRecord::Base.respond_to? :mass_assignment_sanitizer=
-      attr_accessible :email
-    end
   end
 
   module ClassMethods
-    begin
-      ActiveRecord::QueryMethods.instance_method :references
-      # Rails 4.
-
-      # The user who has a certain e-mail, or nil if the e-mail is unclaimed.
-      def with_email(email)
-        credential = Credentials::Email.where(name: email).
-            includes(:user).references(:user).first
-        credential && credential.user
-      end
-    rescue NameError
-      # Rails 3.
-
-      def with_email(email)
-        credential = Credentials::Email.where(name: email).includes(:user).
-                                        first
-        credential && credential.user
-      end
+    # The user who has a certain e-mail, or nil if the e-mail is unclaimed.
+    def with_email(email)
+      credential = Credentials::Email.where(name: email).includes(:user).
+          references(:user).first
+      credential && credential.user
     end
   end
 

data/lib/authpwn_rails/user_extensions/password_field.rb

@@ -14,10 +14,6 @@ module PasswordField
   included do
     validates :password, presence: { on: :create },
                          confirmation: { allow_nil: true }
-
-    if ActiveRecord::Base.respond_to? :mass_assignment_sanitizer=
-      attr_accessible :password, :password_confirmation
-    end
   end
 
   module ClassMethods

data/lib/authpwn_rails/user_model.rb

@@ -26,11 +26,6 @@ module UserModel
 
     # Automatically assign exuid.
     before_validation :set_default_exuid, on: :create
-
-    if ActiveRecord::Base.respond_to? :mass_assignment_sanitizer=
-      # Forms should not be able to touch any attribute.
-      attr_accessible :credentials_attributes
-    end
   end
 
   # Class methods on models that include Authpwn::UserModel.
@@ -53,16 +48,55 @@ module UserModel
 
     # Authenticates a user given the information on a signup form.
     #
-    # The method's parameter names are an acknowledgement to the email and
-    # password fields on automatically-generated forms.
-    #
     # The easiest method of accepting other login information is to override
     # this method, locate the user's email, and supply it in a call to super.
     #
-    # Returns an authenticated user, or a symbol indicating the reason why the
-    # authentication failed.
-    def authenticate_signin(email, password)
-      Credentials::Password.authenticate_email email, password
+    # @param [Session] signin the information entered in the sign-in form
+    # @return [User, Symbol] the authenticated user, or a symbol indicating the
+    #     reason why the authentication failed
+    def authenticate_signin(signin)
+      Credentials::Password.authenticate_email signin.email, signin.password
+    end
+
+    # Looks up the User tat may be related to an OmniAuth sign-in.
+    #
+    # This method is called when there is no Credential matching the OmniAuth
+    # information, but before {User#create_from_omniauth}. It is an opportunity
+    # to identify an existing user who uses a new sign-in method.
+    #
+    # The default implementation finds an user whose e-mail matches the 'email'
+    # value in the OmniAuth hash.
+    #
+    # @param [Hash] omniauth_hash the hash provided by OmniAuth
+    # @return [User] the user who should be signed in, or nil if no such user
+    #   exists
+    def related_to_omniauth(omniauth_hash)
+      info_hash = omniauth_hash['info']
+      return nil unless email = info_hash && info_hash['email']
+      credential = Credentials::Email.with email
+      credential and credential.user
+    end
+
+    # Change this to customize on-demand user creation on OmniAuth signup.
+    #
+    # This method is called when there is no existing user matching the
+    # OmniAuth information, and is responsible for creating a user. It is an
+    # opportunity to collect the OmniAuth information to populate the user's
+    # account.
+    #
+    # The default implementation creates a user with the e-mail matching the
+    # 'email' key in the OmniAuth hash. If no e-mail key is present, no User is
+    # created.
+    #
+    # @param [Hash] omniauth_hash the hash provided by OmniAuth
+    # @return [User] a saved User, or nil if the OmniAuth sign-in information
+    #   should not be used to create a user
+    def create_from_omniauth(omniauth_hash)
+      info_hash = omniauth_hash['info']
+      return nil unless email = info_hash && info_hash['email']
+      user = User.create!
+      Credentials::Email.create! user: user, email: email, verified: true
+      user
     end
   end  # module Authpwn::UserModel::ClassMethods
 

data/lib/authpwn_rails.rb

@@ -15,12 +15,10 @@ module Authpwn
   # Contains extensions to the User model.
   module UserExtensions
     autoload :EmailField, 'authpwn_rails/user_extensions/email_field.rb'
-    autoload :FacebookFields, 'authpwn_rails/user_extensions/facebook_fields.rb'
     autoload :PasswordField, 'authpwn_rails/user_extensions/password_field.rb'
   end
 end
 
-require 'authpwn_rails/facebook_session.rb'
 require 'authpwn_rails/http_basic.rb'
 require 'authpwn_rails/routes.rb'
 require 'authpwn_rails/session.rb'

data/test/cookie_controller_test.rb

@@ -44,13 +44,7 @@ class CookieControllerTest < ActionController::TestCase
     get :show
     assert_response :success
     assert_equal @user, assigns(:current_user)
-    john_id = if defined? ActiveRecord::FixtureSet
-      # Rails 4
-      ActiveRecord::FixtureSet.identify :john
-    else
-      # Rails 3
-      ActiveRecord::Fixtures.identify :john
-    end
+    john_id =  ActiveRecord::FixtureSet.identify :john
     assert_equal "User: #{john_id}", response.body
   end
 

data/test/credentials/omni_auth_uid_credential_test.rb

@@ -0,0 +1,141 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+class OmniAuthUidCredentialTest < ActiveSupport::TestCase
+  def setup
+    @credential = Credentials::OmniAuthUid.new
+    @credential.provider = 'developer'
+    @credential.uid = 'dvdjohn@mit.edu'
+    @credential.user = users(:bill)
+  end
+
+  test 'setup' do
+    assert @credential.valid?
+  end
+
+  test 'provider required' do
+    @credential.provider = ''
+    assert !@credential.valid?
+  end
+
+  test 'uid required' do
+    @credential.uid = ''
+    assert !@credential.valid?
+  end
+
+  test 'blocked set to true' do
+    @credential.blocked = true
+    assert_equal '0', @credential.key, 'key'
+    assert_equal true, @credential.blocked?, 'blocked?'
+  end
+
+  test 'blocked set to false' do
+    @credential.blocked = false
+    assert_equal '1', @credential.key, 'key'
+    assert_equal false, @credential.blocked?, 'blocked?'
+  end
+
+  test 'user required' do
+    @credential.user = nil
+    assert !@credential.valid?
+  end
+
+  test 'uid length' do
+    @credential.uid = 'abcde' * 25 + '@mit.edu'
+    assert !@credential.valid?, 'Overly long uid'
+    assert @credential.errors[:name].any? { |m| /too long/i =~ m },
+           'Validation errors include length error'
+  end
+
+  test 'provider+uid uniqueness' do
+    @credential.uid = credentials(:john_omniauth_developer).uid
+    assert !@credential.valid?
+    assert @credential.errors[:name].any? { |m| m == 'has already been taken' }
+  end
+
+  test 'name_from_omniauth' do
+    assert_equal 'developer,dvdjohn@mit.edu',
+        Credentials::OmniAuthUid.name_from_omniauth('provider' => 'developer',
+        'uid' => 'dvdjohn@mit.edu')
+    assert_equal 'twitter,dvdjohn',
+        Credentials::OmniAuthUid.name_from_omniauth('provider' => 'twitter',
+        'uid' => 'dvdjohn')
+    assert_equal ',dvdjohn',
+        Credentials::OmniAuthUid.name_from_omniauth('uid' => 'dvdjohn')
+    assert_equal 'twitter,',
+        Credentials::OmniAuthUid.name_from_omniauth('provider' => 'twitter')
+  end
+
+  test 'authenticate with existing credential' do
+    assert_equal users(:jane), Credentials::OmniAuthUid.authenticate(
+        'provider' => 'developer', 'uid' => 'jane@gmail.com')
+  end
+
+  test 'authenticate with blocked existing credential' do
+    omniauth_hash = { 'provider' => 'developer', 'uid' => 'john@gmail.com' }
+    assert_equal :blocked, Credentials::OmniAuthUid.authenticate(omniauth_hash)
+
+    john_omniauth_developer = credentials(:john_omniauth_developer)
+    john_omniauth_developer.blocked = false
+    john_omniauth_developer.save!
+    assert_equal users(:john),
+                 Credentials::OmniAuthUid.authenticate(omniauth_hash)
+  end
+
+  test 'authenticate calls User#related_to_omniauth' do
+    jane = users(:jane)
+    credentials(:jane_omniauth_developer).destroy
+
+    omniauth_hash = { 'provider' => 'developer', 'uid' => 'jane@gmail.com' }
+    User.expects(:related_to_omniauth).with(omniauth_hash).returns jane
+    User.expects(:create_from_omniauth).never
+
+    assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
+    assert_difference 'Credentials::OmniAuthUid.count' do
+      assert_equal jane, Credentials::OmniAuthUid.authenticate(omniauth_hash)
+    end
+    assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
+    assert_equal jane, Credentials::OmniAuthUid.with(omniauth_hash).user
+  end
+
+  test 'authenticate calls User#create_from_omniauth' do
+    user = User.create!
+    omniauth_hash = { 'provider' => 'developer', 'uid' => 'new_user@gmail.com',
+                      'email' => 'new_user@gmail.com' }
+    User.expects(:related_to_omniauth).with(omniauth_hash).returns nil
+    User.expects(:create_from_omniauth).with(omniauth_hash).returns user
+
+    assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
+    assert_difference 'Credentials::OmniAuthUid.count' do
+      assert_equal user, Credentials::OmniAuthUid.authenticate(omniauth_hash)
+    end
+    assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
+    assert_equal user, Credentials::OmniAuthUid.with(omniauth_hash).user
+  end
+
+  test 'authenticate fails if User#create_from_omniauth returns nil' do
+    omniauth_hash = { 'provider' => 'developer', 'uid' => 'new_user@gmail.com',
+                      'email' => 'new_user@gmail.com' }
+    User.expects(:related_to_omniauth).with(omniauth_hash).returns nil
+    User.expects(:create_from_omniauth).with(omniauth_hash).returns nil
+
+    assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
+    assert_no_difference 'Credentials::OmniAuthUid.count' do
+      assert_equal :invalid,
+                   Credentials::OmniAuthUid.authenticate(omniauth_hash)
+    end
+  end
+
+  test 'authenticate calls User#auth_bounce_reason' do
+    with_blocked_credential credentials(:jane_omniauth_developer), :reason do
+      assert_equal :reason, Credentials::OmniAuthUid.authenticate(
+          'provider' => 'developer', 'uid' => 'jane@gmail.com')
+
+      john_omniauth = credentials(:john_omniauth_developer)
+      john_omniauth.blocked = false
+      john_omniauth.save!
+      assert_equal users(:john), Credentials::OmniAuthUid.authenticate(
+          'provider' => 'developer', 'uid' => 'john@gmail.com')
+    end
+  end
+end
+

data/test/helpers/action_controller.rb

@@ -1,8 +1,2 @@
-if defined?(ActionController::Parameters) &&
-    ActionController::Parameters.respond_to?(
-    :action_on_unpermitted_parameters=)
-  # Rails 4.
-
-  # Raise exceptions so we can test against them.
-  ActionController::Parameters.action_on_unpermitted_parameters = :raise
-end
+# Raise exceptions so we can test require / permit on params.
+ActionController::Parameters.action_on_unpermitted_parameters = :raise

data/test/helpers/db_setup.rb

@@ -1,3 +1,5 @@
+ar_config = { adapter: 'sqlite3', database: ':memory:'}
+
 case ENV['DB']
 when /mysql/i
   create_sql = 'CREATE DATABASE plugin_dev DEFAULT CHARACTER SET utf8;'
@@ -6,28 +8,18 @@ when /mysql/i
   end
 
   `mysql -u root -e "DROP DATABASE IF EXISTS plugin_dev; #{create_sql}"`
-  ActiveRecord::Base.establish_connection adapter: 'mysql2',
-      database: 'plugin_dev', username: 'root', password: ''
+   ar_config = { adapter: 'mysql2', database: 'plugin_dev',
+                 username: 'root', password: '' }
 when /pg/i
   pg_user = ENV['DB_USER'] || ENV['USER']
   `psql -U #{pg_user} -d postgres -c "DROP DATABASE IF EXISTS plugin_dev;"`
   `psql -U #{pg_user} -d postgres -c "CREATE DATABASE plugin_dev;"`
-  ActiveRecord::Base.establish_connection adapter: 'postgresql',
-      database: 'plugin_dev', username: pg_user, password: ''
-else
-  ActiveRecord::Base.establish_connection adapter: 'sqlite3',
-                                          database: ':memory:'
+  ar_config = { adapter: 'postgresql', database: 'plugin_dev',
+                username: pg_user, password: '' }
 end
 
-class ActiveRecord::Base
-  self.configurations = true
-  if ActiveRecord::Base.respond_to? :mass_assignment_sanitizer=
-    self.mass_assignment_sanitizer = :strict
-
-    # Hacky equivalent to config.active_record.whitelist_attributes = true
-    attr_accessible
-  end
-end
+ActiveRecord::Base.configurations = { 'test' => ar_config }
+ActiveRecord::Base.establish_connection :test
 
 ActiveRecord::Migration.verbose = false
 require 'authpwn_rails/generators/templates/001_create_users.rb'

data/test/helpers/routes.rb

@@ -1,35 +1,40 @@
-# :nodoc: the routes used in all tests
-class ActionController::TestCase
-  def setup_routes
-    if defined? ActionDispatch::Routing
-      # Rails 4.
-      @routes = ActionDispatch::Routing::RouteSet.new
-    else
-      # Rails 3.
-      @routes = ActionController::Routing::RouteSet.new
-    end
-    @routes.draw do
-      resource :cookie, controller: 'cookie' do
-        collection do
-          get :bouncer
-          put :update
-        end
-      end
-      resource :http_basic, controller: 'http_basic' do
-        collection { get :bouncer }
+def setup_authpwn_routes
+  # The routes used in all the tests.
+  routes = ActionDispatch::Routing::RouteSet.new
+  routes.draw do
+    resource :cookie, controller: 'cookie' do
+      collection do
+        get :bouncer
+        put :update
       end
-      resource :facebook, controller: 'facebook'
-      authpwn_session controller: 'bare_session', method_names: 'bare_session'
-      authpwn_session controller: 'bare_session2',
-                      method_names: 'bare_session2'
-      root to: 'session#index'
-
-      # NOTE: this route should be kept in sync with the session template.
-      authpwn_session
     end
-    ApplicationController.send :include, @routes.url_helpers
-    ActionMailer::Base.send :include, @routes.url_helpers
+    resource :http_basic, controller: 'http_basic' do
+      collection { get :bouncer }
+    end
+
+    authpwn_session controller: 'bare_session', method_names: 'bare_session',
+                    omniauth_path_prefix: '/bare_auth'
+    authpwn_session controller: 'bare_session2',
+                    method_names: 'bare_session2',
+                    omniauth_path_prefix: '/bare_auth2'
+    root to: 'session#index'
+
+    # NOTE: this route should be kept in sync with the session template.
+    authpwn_session
   end
 
-  setup :setup_routes
+  # NOTE: this must happen before any ActionController or ActionMailer tests
+  #       run
+  ApplicationController.send :include, routes.url_helpers
+  ActionMailer::Base.send :include, routes.url_helpers
+
+  # NOTE: ActionController tests expect @routes to be set to the drawn routes.
+  #       We use the block form of define_method to capture the routes local
+  #       variable.
+  ActionController::TestCase.send :define_method, :setup_authpwn_routes do
+    @routes = routes
+  end
+  ActionController::TestCase.setup :setup_authpwn_routes
 end
+
+setup_authpwn_routes

data/test/helpers/test_order.rb

@@ -0,0 +1,3 @@
+if ActiveSupport.respond_to? :test_order
+  ActiveSupport.test_order = :sorted
+end

data/test/http_basic_controller_test.rb

@@ -42,11 +42,7 @@ class HttpBasicControllerTest < ActionController::TestCase
     get :show
     assert_equal @user, assigns(:current_user)
 
-    jane_id = if defined? ActiveRecord::FixtureSet
-      ActiveRecord::FixtureSet.identify :jane
-    else
-      ActiveRecord::Fixtures.identify :jane
-    end
+    jane_id = ActiveRecord::FixtureSet.identify :jane
     assert_equal "User: #{jane_id}", response.body
   end
 
@@ -58,21 +54,18 @@ class HttpBasicControllerTest < ActionController::TestCase
   end
 
   test "uses User.authenticate_signin" do
-    User.expects(:authenticate_signin).at_least_once.
-        with('jane@gmail.com', 'fail').returns @user
+    signin = Session.new email: 'jane@gmail.com', password: 'fail'
+    Session.expects(:new).at_least_once.with(
+        email: 'jane@gmail.com', password: 'fail').returns signin
+    User.expects(:authenticate_signin).at_least_once.with(signin).returns @user
     set_http_basic_user @user, 'fail'
     get :show
     assert_equal @user, assigns(:current_user)
 
-    jane_id = if defined? ActiveRecord::FixtureSet
-      ActiveRecord::FixtureSet.identify :jane
-    else
-      ActiveRecord::Fixtures.identify :jane
-    end
+    jane_id = ActiveRecord::FixtureSet.identify :jane
     assert_equal "User: #{jane_id}", response.body
   end
 
-
   test "reset user credentials in header" do
     set_http_basic_user @user, 'pa55w0rd'
     set_http_basic_user nil
@@ -86,11 +79,7 @@ class HttpBasicControllerTest < ActionController::TestCase
     get :show
     assert_equal @user, assigns(:current_user)
 
-    jane_id = if defined? ActiveRecord::FixtureSet
-      ActiveRecord::FixtureSet.identify :jane
-    else
-      ActiveRecord::Fixtures.identify :jane
-    end
+    jane_id = ActiveRecord::FixtureSet.identify :jane
     assert_equal "User: #{jane_id}", response.body
   end