authpwn_rails 0.16.2 → 0.17.0

data/test/routes_test.rb

@@ -6,26 +6,35 @@ require 'authpwn_rails/generators/templates/session_controller.rb'
 class RoutesTest < ActionController::TestCase
   tests SessionController
 
-  test "authpwn_session routes" do
-    assert_routing({path: "/session", method: :get},
+  test 'authpwn_session routes' do
+    assert_routing({path: '/session', method: :get},
                    {controller: 'session', action: 'show'})
-    assert_routing({path: "/session/new", method: :get},
+    assert_routing({path: '/session/new', method: :get},
                    {controller: 'session', action: 'new'})
-    assert_routing({path: "/session", method: :post},
+    assert_routing({path: '/session', method: :post},
                    {controller: 'session', action: 'create'})
-    assert_routing({path: "/session", method: :delete},
+    assert_routing({path: '/session', method: :delete},
                    {controller: 'session', action: 'destroy'})
-    assert_routing({path: "/session", method: :delete},
+    assert_routing({path: '/session', method: :delete},
                    {controller: 'session', action: 'destroy'})
-    assert_routing({path: "/session/change_password", method: :get},
+    assert_routing({path: '/session/change_password', method: :get},
                    {controller: 'session', action: 'password_change'})
-    assert_routing({path: "/session/change_password", method: :post},
+    assert_routing({path: '/session/change_password', method: :post},
                    {controller: 'session', action: 'change_password'})
-    assert_routing({path: "/session/reset_password", method: :post},
+    assert_routing({path: '/session/reset_password', method: :post},
                    {controller: 'session', action: 'reset_password'})
-    
+
     code = 'YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A'
     assert_routing({path: "/session/token/#{code}", method: :get},
         {controller: 'session', action: 'token', code: code})
+
+    assert_routing({path: '/auth/failure', method: :get},
+                   {controller: 'session', action: 'omniauth_failure'})
+    assert_routing({path: '/auth/twitter/callback', method: :get},
+                   {controller: 'session', action: 'omniauth',
+                    provider: 'twitter'})
+    assert_routing({path: '/auth/twitter/callback', method: :post},
+                   {controller: 'session', action: 'omniauth',
+                    provider: 'twitter'})
   end
 end

data/test/session_controller_api_test.rb

@@ -1,10 +1,5 @@
 require File.expand_path('../test_helper', __FILE__)
 
-require 'authpwn_rails/generators/templates/session_controller.rb'
-
-# Run the tests in the generator, to make sure they pass.
-require 'authpwn_rails/generators/templates/session_controller_test.rb'
-
 class BareSessionController < ApplicationController
   include Authpwn::SessionController
   self.append_view_path File.expand_path('../fixtures', __FILE__)
@@ -19,6 +14,7 @@ class SessionControllerApiTest < ActionController::TestCase
     @email_credential = credentials(:jane_email)
     @password_credential = credentials(:jane_password)
     @token_credential = credentials(:jane_token)
+    @omniauth_credential = credentials(:jane_omniauth_developer)
     @_auto_purge_sessions = BareSessionController.auto_purge_sessions
   end
 
@@ -55,7 +51,15 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
-    assert_equal session[:_csrf_token], data['csrf']
+
+    if @controller.respond_to? :valid_authenticity_token?, true
+      # Rails 4.2+ uses variable CSRF tokens.
+      assert @controller.send(:valid_authenticity_token?, session,
+                              data['csrf'])
+    else
+      # Rails 4.0 and 4.1 store the CSRF token in the session.
+      assert_equal session[:_csrf_token], data['csrf']
+    end
   end
 
   test "new redirects to session#show when a user is logged in" do
@@ -75,7 +79,7 @@ class SessionControllerApiTest < ActionController::TestCase
     get :new, {}, {}, { auth_redirect_url: url }
     assert_template :new
     assert_select 'form' do
-      assert_select "input[name=redirect_url][value=#{url}]"
+      assert_select "input[name=\"redirect_url\"][value=\"#{url}\"]"
     end
   end
 
@@ -98,6 +102,18 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_redirected_to session_url
   end
 
+  test "create logs in with good account details and no User-Agent" do
+    request.headers['User-Agent'] = nil
+
+    post :create, session: { email: @email_credential.email,
+                             password: 'pa55w0rd' }
+    assert_equal @user, assigns(:current_user), 'instance variable'
+    assert_equal @user, session_current_user, 'session'
+    assert_nil flash[:alert], 'no alert'
+    assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
+    assert_redirected_to session_url
+  end
+
   test "create purges sessions when logging in" do
     BareSessionController.auto_purge_sessions = true
     old_token = credentials(:jane_session_token)
@@ -127,9 +143,17 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
-    assert_equal session[:_csrf_token], data['csrf']
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
+
+    if @controller.respond_to? :valid_authenticity_token?, true
+      # Rails 4.2+ uses variable CSRF tokens.
+      assert @controller.send(:valid_authenticity_token?, session,
+                              data['csrf'])
+    else
+      # Rails 4.0 and 4.1 store the CSRF token in the session.
+      assert_equal session[:_csrf_token], data['csrf']
+    end
   end
 
   test "create by json purges sessions when logging in" do
@@ -199,8 +223,11 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "create uses User.authenticate_signin" do
-    User.expects(:authenticate_signin).at_least_once.
-        with('em@ail.com', 'fail').returns @email_credential.user
+    signin = Session.new email: 'em@ail.com', password: 'fail'
+    Session.expects(:new).at_least_once.with(
+        email: 'em@ail.com', password: 'fail').returns signin
+    User.expects(:authenticate_signin).at_least_once.with(signin).
+         returns @email_credential.user
     post :create, email: 'em@ail.com', password: 'fail'
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
@@ -273,6 +300,19 @@ class SessionControllerApiTest < ActionController::TestCase
                'one-time credential is spent'
   end
 
+  test "token logs in with good token and no user-agent" do
+    request.headers['User-Agent'] = nil
+
+    @controller.expects(:home_with_token).once.with(@token_credential).
+                returns(nil)
+    get :token, code: @token_credential.code
+    assert_redirected_to session_url
+    assert_equal @user, assigns(:current_user), 'instance variable'
+    assert_equal @user, session_current_user, 'session'
+    assert_nil Tokens::Base.with_code(@token_credential.code).first,
+               'one-time credential is spent'
+  end
+
   test "token by json logs in with good token" do
     @controller.expects(:home_with_token).once.with(@token_credential).
                 returns(nil)
@@ -280,11 +320,19 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
-    assert_equal session[:_csrf_token], data['csrf']
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
     assert_nil Tokens::Base.with_code(@token_credential.code).first,
                'one-time credential is spent'
+
+    if @controller.respond_to? :valid_authenticity_token?, true
+      # Rails 4.2+ uses variable CSRF tokens.
+      assert @controller.send(:valid_authenticity_token?, session,
+                              data['csrf'])
+    else
+      # Rails 4.0 and 4.1 store the CSRF token in the session.
+      assert_equal session[:_csrf_token], data['csrf']
+    end
   end
 
   test "token does not log in with random token" do
@@ -376,8 +424,8 @@ class SessionControllerApiTest < ActionController::TestCase
         password: 'hacks', password_confirmation: 'hacks'}
     assert_redirected_to session_url
     assert_equal @password_credential, assigns(:credential)
-    assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'hacks'), 'password not changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'hacks')), 'password not changed'
   end
 
   test "change_password works with correct input and extra form input" do
@@ -387,8 +435,8 @@ class SessionControllerApiTest < ActionController::TestCase
         commit: 'Change Password'
     assert_redirected_to session_url
     assert_equal @password_credential, assigns(:credential)
-    assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'hacks'), 'password not changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'hacks')), 'password not changed'
   end
 
   test "change_password rejects bad old password" do
@@ -398,8 +446,9 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
-    assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'pa55w0rd'), 'password wrongly changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'pa55w0rd')),
+        'password wrongly changed'
   end
 
   test "change_password rejects un-confirmed password" do
@@ -409,8 +458,9 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     assert_template :password_change
     assert_equal @password_credential, assigns(:credential)
-    assert_equal @user, User.authenticate_signin( @email_credential.email,
-        'pa55w0rd'), 'password wrongly changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'pa55w0rd')),
+        'password wrongly changed'
   end
 
   test "change_password works for password recovery" do
@@ -419,8 +469,8 @@ class SessionControllerApiTest < ActionController::TestCase
     post :change_password, credential: { password: 'hacks',
                                          password_confirmation: 'hacks' }
     assert_redirected_to session_url
-    assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'hacks'), 'password not changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'hacks')), 'password not changed'
   end
 
   test "change_password rejects un-confirmed password on recovery" do
@@ -449,8 +499,8 @@ class SessionControllerApiTest < ActionController::TestCase
         credential: { old_password: 'pa55w0rd', password: 'hacks',
                       password_confirmation: 'hacks' }
     assert_response :ok
-    assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'hacks'), 'password not changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'hacks')), 'password not changed'
   end
 
   test "change_password by json rejects bad old password" do
@@ -462,8 +512,9 @@ class SessionControllerApiTest < ActionController::TestCase
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
     assert_equal @password_credential, assigns(:credential)
-    assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'pa55w0rd'), 'password wrongly changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'pa55w0rd')),
+        'password wrongly changed'
   end
 
   test "change_password by json rejects un-confirmed password" do
@@ -474,8 +525,9 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
-    assert_equal @user, User.authenticate_signin(@email_credential.email,
-        'pa55w0rd'), 'password wrongly changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'pa55w0rd')),
+        'password wrongly changed'
   end
 
   test "change_password by json works for password recovery" do
@@ -484,8 +536,8 @@ class SessionControllerApiTest < ActionController::TestCase
     post :change_password, format: 'json',
          credential: { password: 'hacks', password_confirmation: 'hacks' }
     assert_response :ok
-    assert_equal @user, User.authenticate_signin(
-         @email_credential.email, 'hacks'), 'password not changed'
+    assert_equal @user, User.authenticate_signin(Session.new(email:
+        @email_credential.email, password: 'hacks')), 'password not changed'
   end
 
   test "change_password by json rejects un-confirmed password on recovery" do
@@ -502,7 +554,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "reset_password for good e-mail" do
     ActionMailer::Base.deliveries = []
-    @request.host = 'mail.test.host:1234'
+    request.host = 'mail.test.host:1234'
 
     assert_difference 'Credential.count', 1 do
       post :reset_password, session: { email: @email_credential.email }
@@ -578,6 +630,105 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user, token.user, 'password reset token user'
   end
 
+  test "OmniAuth failure" do
+    get :omniauth_failure
+
+    assert_redirected_to new_session_url
+    assert_match(/failed/, flash[:alert])
+  end
+
+  test "omniauth logs in with good account details" do
+    request.env['omniauth.auth'] =
+        { 'provider' => @omniauth_credential.provider,
+          'uid' => @omniauth_credential.uid }
+    post :omniauth, provider: @omniauth_credential.provider
+    assert_equal @user, assigns(:current_user), 'instance variable'
+    assert_equal @user, session_current_user, 'session'
+    assert_nil flash[:alert], 'no alert'
+    assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
+    assert_redirected_to session_url
+  end
+
+  test "omniauth logs in with good account details and no User-Agent" do
+    request.headers['User-Agent'] = nil
+
+    request.env['omniauth.auth'] =
+        { 'provider' => @omniauth_credential.provider,
+          'uid' => @omniauth_credential.uid }
+    post :omniauth, provider: @omniauth_credential.provider
+    assert_equal @user, assigns(:current_user), 'instance variable'
+    assert_equal @user, session_current_user, 'session'
+    assert_nil flash[:alert], 'no alert'
+    assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
+    assert_redirected_to session_url
+  end
+
+  test "omniauth purges sessions when logging in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    request.env['omniauth.auth'] =
+        { 'provider' => @omniauth_credential.provider,
+          'uid' => @omniauth_credential.uid }
+    post :omniauth, provider: @omniauth_credential.provider
+    assert_equal @user, session_current_user, 'session'
+    assert_nil Tokens::Base.with_code(old_token.code).first,
+               'old session not purged'
+  end
+
+  test "omniauth does not purge sessions if auto_purge_sessions is false" do
+    BareSessionController.auto_purge_sessions = false
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    request.env['omniauth.auth'] =
+        { 'provider' => @omniauth_credential.provider,
+          'uid' => @omniauth_credential.uid }
+    post :omniauth, provider: @omniauth_credential.provider
+    assert_equal @user, session_current_user, 'session'
+    assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
+               'old session purged'
+  end
+
+  test "omniauth does not purge sessions if not logged in" do
+    BareSessionController.auto_purge_sessions = true
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    request.env['omniauth.auth'] =
+        { 'provider' => @omniauth_credential.provider, 'uid' => 'fail' }
+    post :omniauth, provider: @omniauth_credential.provider
+    assert_nil session_current_user, 'session'
+    assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
+               'old session purged'
+  end
+
+  test "omniauth does not log in blocked accounts" do
+    request.env['omniauth.auth'] =
+        { 'provider' => @omniauth_credential.provider,
+          'uid' => @omniauth_credential.uid }
+    with_blocked_credential @omniauth_credential do
+      post :omniauth, provider: @omniauth_credential.provider
+    end
+    assert_redirected_to new_session_url
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+    assert_match(/ blocked/, flash[:alert])
+    assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
+  end
+
+  test "omniauth uses Credentials::OmniAuthUid.authenticate" do
+    omniauth_hash = { 'provider' => 'fail', 'uid' => 'fail' }
+    request.env['omniauth.auth'] = omniauth_hash
+    Credentials::OmniAuthUid.expects(:authenticate).at_least_once.
+        with(omniauth_hash).returns @omniauth_credential.user
+    post :omniauth, provider: @omniauth_credential.provider
+    assert_equal @user, assigns(:current_user), 'instance variable'
+    assert_equal @user, session_current_user, 'session'
+    assert_redirected_to session_url
+  end
+
   test "auth_controller? is true" do
     assert_equal true, @controller.auth_controller?
   end

data/test/session_controller_test.rb

@@ -0,0 +1,6 @@
+require File.expand_path('../test_helper', __FILE__)
+
+require 'authpwn_rails/generators/templates/session_controller.rb'
+
+# Run the tests in the generator, to make sure they pass.
+require 'authpwn_rails/generators/templates/session_controller_test.rb'

data/test/session_mailer_api_test.rb

@@ -1,10 +1,5 @@
 require File.expand_path('../test_helper', __FILE__)
 
-require 'authpwn_rails/generators/templates/session_mailer.rb'
-
-# Run the tests in the generator, to make sure they pass.
-require 'authpwn_rails/generators/templates/session_mailer_test.rb'
-
 class SessionMailerApiTest < ActionMailer::TestCase
   setup do
     @reset_email = credentials(:jane_email).email
@@ -30,7 +25,7 @@ class SessionMailerApiTest < ActionMailer::TestCase
       end
     end
   end
-  
+
   teardown do
     SessionMailer.class_eval do
       undef :email_verification_from
@@ -44,10 +39,15 @@ class SessionMailerApiTest < ActionMailer::TestCase
   end
 
   test 'email verification email contents' do
-    email = SessionMailer.email_verification_email(@verification_token,
-                                                   @root_url).deliver
+    email_draft = SessionMailer.email_verification_email @verification_token,
+                                                         @root_url
+    if email_draft.respond_to? :deliver_now
+      email = email_draft.deliver_now
+    else
+      email = email_draft.deliver
+    end
     assert !ActionMailer::Base.deliveries.empty?
-    
+
     assert_equal 'test.host e-mail verification', email.subject
     assert_equal ['email_check@test.host'], email.from
     assert_equal [@verification_email], email.to
@@ -56,14 +56,19 @@ class SessionMailerApiTest < ActionMailer::TestCase
   end
 
   test 'password reset email contents' do
-    email = SessionMailer.reset_password_email(@reset_email, @reset_token,
-                                               @root_url).deliver
+    email_draft = SessionMailer.reset_password_email @reset_email,
+                                                     @reset_token, @root_url
+    if email_draft.respond_to? :deliver_now
+      email = email_draft.deliver_now
+    else
+      email = email_draft.deliver
+    end
     assert !ActionMailer::Base.deliveries.empty?
-    
+
     assert_equal 'test.host password reset', email.subject
     assert_equal ['reset@test.host'], email.from
     assert_equal [@reset_email], email.to
-    assert_match @reset_token.code, email.encoded    
+    assert_match @reset_token.code, email.encoded
     assert_match 'hxxp://test.host:8808/session/token/', email.encoded
   end
 end

data/test/session_mailer_test.rb

@@ -0,0 +1,6 @@
+require File.expand_path('../test_helper', __FILE__)
+
+require 'authpwn_rails/generators/templates/session_mailer.rb'
+
+# Run the tests in the generator, to make sure they pass.
+require 'authpwn_rails/generators/templates/session_mailer_test.rb'

data/test/test_helper.rb

@@ -1,13 +1,12 @@
 require 'rubygems'
-require 'test/unit'
+require 'minitest/autorun'
 
 require 'action_controller'
 require 'action_mailer'
 require 'active_record'
+require 'active_support/core_ext'
 require 'rails'
 
-require 'fbgraph_rails'
-require 'fbgraph_rails/controller'
 require 'sqlite3'
 
 require 'mocha/setup'
@@ -25,6 +24,7 @@ require 'helpers/fbgraph.rb'
 require 'helpers/i18n.rb'
 require 'helpers/rails.rb'
 require 'helpers/routes.rb'
+require 'helpers/test_order.rb'
 
 # Simulate Rails' initializer loading.
 require 'authpwn_rails/generators/templates/initializer.rb'

data/test/user_test.rb

@@ -56,14 +56,61 @@ class UserTest < ActiveSupport::TestCase
     assert_equal nil, User.find_by_param(nil)
   end
 
-  test 'authenticate_signin' do
-    assert_equal users(:jane),
-        User.authenticate_signin('jane@gmail.com', 'pa55w0rd')
-    assert_equal :invalid,
-        User.authenticate_signin('jane@gmail.com', 'password'),
+  test 'authenticate_signin with valid data' do
+    signin = Session.new email: 'jane@gmail.com', password: 'pa55w0rd'
+    assert_equal users(:jane), User.authenticate_signin(signin)
+  end
+
+  test 'authenticate_signin with wrong password' do
+    signin = Session.new email: 'jane@gmail.com', password: 'password'
+    assert_equal :invalid, User.authenticate_signin(signin),
         "John's password on Jane's account"
-    assert_equal :blocked,
-        User.authenticate_signin('john@gmail.com', 'password')
+  end
+
+  test 'authenticate_signin on blocked e-mail' do
+    signin = Session.new email: 'john@gmail.com', password: 'pa55w0rd'
+    assert_equal :blocked, User.authenticate_signin(signin)
+  end
+
+  test 'related_to_omniauth without e-mail' do
+    assert_equal nil, User.related_to_omniauth('provider' => 'developer',
+                                               'uid' => 'john@gmail.com')
+    assert_equal nil, User.related_to_omniauth('provider' => 'developer',
+                                               'uid' => 'john@gmail.com',
+                                               'info' => {})
+  end
+
+  test 'related_to_omniauth with existing e-mail' do
+    Credentials::OmniAuthUid.destroy_all
+    assert_equal users(:john), User.related_to_omniauth(
+        'provider' => 'developer', 'uid' => 'john_gmail_com_uid',
+        'info' => { 'email' => 'john@gmail.com' })
+  end
+
+  test 'related_to_omniauth with non-existing e-mail' do
+    assert_equal nil, User.related_to_omniauth('provider' => 'developer',
+        'uid' => 'new_user@gmail.com',
+        'info' => { 'email' => 'new_user@gmail.com' })
+  end
+
+  test 'create_from_omniauth without e-mail' do
+    assert_equal nil, User.create_from_omniauth('provider' => 'developer',
+                                                'uid' => 'newuser@gmail.com')
+    assert_equal nil, User.create_from_omniauth('provider' => 'developer',
+                                                'uid' => 'newuser@gmail.com',
+                                                'info' => {})
+  end
+
+  test 'create_from_omniauth with e-mail' do
+    omniauth_hash = { 'provider' => 'developer',
+        'uid' => 'newuser_gmail_com_uid',
+        'info' => { 'email' => 'newuser@gmail.com' } }
+    user = User.create_from_omniauth omniauth_hash
+    assert_not_nil user
+    email_credential = Credentials::Email.where(user: user).first
+    assert_not_nil email_credential
+    assert_equal 'newuser@gmail.com', email_credential.email
+    assert_equal true, email_credential.valid?
   end
 
   test 'autosaves credentials' do