authpwn_rails 0.18.0 → 0.18.1

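--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 65618dde26dcdad94e8dc8e72daa2f32fd9ceef2
-data.tar.gz: 423f8dcf94083a6e5c3ab49f6c73caa8ed6567ed
+metadata.gz: f95225e77bd6c767761b3cf3495ccb273201c74e
+data.tar.gz: cd28df6a7be62f693e4f238d16678c47173d720f
 SHA512:
-metadata.gz: 434cb53b2466d1fa67cef7daa6b3d5a46a588568ebd82b7cef7533ac5c33e4f883b034113d8bc6a07911026e3f61d9617740e525a450aad5fb5081dd7c89bf07
-data.tar.gz: 243f68501820c8eaecddc32d17ff36b5931ebdeacb703d0f09d696e4919ca92c687a2ea319878e155e30c2f7e63547d2aa2f394f38b73a41832e72c89f739005
+metadata.gz: fc668c5c618028caa5d320f2247161bf6d09a23b969b7f6aa04c2173d5877ea7e917e951c7a0511621cecf0b29d3aaa9c9f190e847c4ea7e67c4acd84c85f92f
+data.tar.gz: 925a34ef07e886f44ee7b42ef2d829d35bc6e9212f29a283a1effcef70183036cef41bcc599241b9a4947f2cf2a2cbb1b5b960ea037a262dd2cccd1fd22fbaa7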
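--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.18.0
+0.18.1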
@@ -2,11 +2,11 @@
2
2
  # DO NOT EDIT THIS FILE DIRECTLY
3
3
  # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
4
4
  # -*- encoding: utf-8 -*-
5
- # stub: authpwn_rails 0.18.0 ruby lib
5
+ # stub: authpwn_rails 0.18.1 ruby lib
6
6
 
7
7
  Gem::Specification.new do |s|
8
8
  s.name = "authpwn_rails"
9
- s.version = "0.18.0"
9
+ s.version = "0.18.1"
10
10
 
11
11
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
12
12
  s.require_paths = ["lib"]
@@ -57,6 +57,7 @@ Gem::Specification.new do |s|
57
57
  "lib/authpwn_rails/generators/templates/initializer.rb",
58
58
  "lib/authpwn_rails/generators/templates/omniauth_initializer.rb",
59
59
  "lib/authpwn_rails/generators/templates/session.rb",
60
+ "lib/authpwn_rails/generators/templates/session/api_token.html.erb",
60
61
  "lib/authpwn_rails/generators/templates/session/forbidden.html.erb",
61
62
  "lib/authpwn_rails/generators/templates/session/home.html.erb",
62
63
  "lib/authpwn_rails/generators/templates/session/new.html.erb",
@@ -94,6 +95,7 @@ Gem::Specification.new do |s|
94
95
  "test/credentials/password_reset_token_test.rb",
95
96
  "test/credentials/session_uid_token_test.rb",
96
97
  "test/credentials/token_crendential_test.rb",
98
+ "test/fixtures/bare_session/api_token.html.erb",
97
99
  "test/fixtures/bare_session/forbidden.html.erb",
98
100
  "test/fixtures/bare_session/home.html.erb",
99
101
  "test/fixtures/bare_session/new.html.erb",
@@ -32,6 +32,8 @@ class AllGenerator < Rails::Generators::Base
32
32
  end
33
33
 
34
34
  def create_session_views
35
+ copy_file File.join('session', 'api_token.html.erb'),
36
+ File.join('app', 'views', 'session', 'api_token.html.erb')
35
37
  copy_file File.join('session', 'forbidden.html.erb'),
36
38
  File.join('app', 'views', 'session', 'forbidden.html.erb')
37
39
  copy_file File.join('session', 'home.html.erb'),
@@ -0,0 +1,5 @@
1
+ <h1>API Token</h1>
2
+
3
+ <p>
4
+ Your API token is: <span class="api-token"><%= @api_token %></span>
5
+ </p>
@@ -120,6 +120,23 @@ class SessionControllerTest < ActionController::TestCase
120
120
  assert_redirected_to new_session_url
121
121
  end
122
122
 
123
+ test "API token request" do
124
+ user = users(:john)
125
+ set_session_current_user user
126
+ get :api_token
127
+
128
+ assert_select 'span[class="api-token"]', credentials(:john_api_token).code
129
+ end
130
+
131
+ test "API token JSON request" do
132
+ user = users(:john)
133
+ set_session_current_user user
134
+ get :api_token, format: 'json'
135
+
136
+ assert_equal credentials(:john_api_token).code,
137
+ ActiveSupport::JSON.decode(response.body)['api_token']
138
+ end
139
+
123
140
  test "OmniAuth failure" do
124
141
  get :omniauth_failure
125
142
 
@@ -37,6 +37,8 @@ module MapperMixin
37
37
  post "/#{paths}", controller: controller, action: 'create'
38
38
  delete "/#{paths}", controller: controller, action: 'destroy'
39
39
 
40
+ get "/#{paths}/api_token", controller: controller, action: 'api_token',
41
+ as: "api_token_#{methods}"
40
42
  get "/#{paths}/change_password", controller: controller,
41
43
  action: 'password_change',
42
44
  as: "change_password_#{methods}"
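Review bot: The new `api_token` route is declared as a GET, yet the action it points to (SessionController#api_token, elsewhere in this change) lazily mints a Tokens::Api credential when the user has none, so a state change now hangs off an idempotent verb that browsers prefetch and that Rails' forgery protection does not cover. The practical impact looks small because only the session holder ever sees the token, but the side effect deserves to be explicit at the route: `# GET may lazily create the user's API token; see SessionController#api_token`. If token creation should be a deliberate user action, a separate POST route for minting would keep GET read-only, presumably alongside this one.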
@@ -90,6 +90,22 @@ module SessionController
90
90
  end
91
91
  end
92
92
 
93
+ # GET /api_token
94
+ def api_token
95
+ unless current_user
96
+ bounce_user
97
+ return
98
+ end
99
+
100
+ token = Tokens::Api.where(user_id: current_user.id).first ||
101
+ Tokens::Api.random_for(current_user)
102
+ @api_token = token.code
103
+ respond_to do |format|
104
+ format.html
105
+ format.json { render json: { api_token: @api_token } }
106
+ end
107
+ end
108
+
93
109
  # POST /session/reset_password
94
110
  def reset_password
95
111
  email = params[:session] && params[:session][:email]
@@ -127,9 +143,12 @@ module SessionController
127
143
 
128
144
  # GET /session/token/token-code
129
145
  def token
130
- # NOTE: This repeats the code in Token::Base.authenticate, because we need
131
- # the token.
132
- if token = Tokens::Base.with_code(params[:code]).first
146
+ # NOTE: We don't use Tokens::Base here because we don't want users to abuse
147
+ # API tokens to build permanent login links.
148
+ #
149
+ # This repeats the code in Token::Base.authenticate, because we need the
150
+ # token.
151
+ if token = Tokens::OneTime.with_code(params[:code]).first
133
152
  auth = token.authenticate
134
153
  else
135
154
  auth = :invalid
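Review bot: The new `api_token` action hands back a long-lived credential in both the HTML and JSON branches without telling browsers and intermediaries not to cache the response, so the token can land in browser page caches and shared proxy caches; set `response.headers['Cache-Control'] = 'no-store'` before the `respond_to` block (note `expires_now` alone yields `no-cache`, which still permits storage). The `Tokens::Api.where(...).first || Tokens::Api.random_for(current_user)` pair is also not atomic, so two concurrent first requests from the same user may each mint a token unless Tokens::Api enforces one-per-user at the database level — worth confirming and, if not enforced, wrapping in a transaction or a find-or-create with a unique index. Restricting the `token` login action to Tokens::OneTime is the right call, since it keeps the new API tokens from doubling as permanent login links; the body of `token` continues past the end of the hunk.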
@@ -0,0 +1,5 @@
1
+ <h1>API Token</h1>
2
+
3
+ <p>
4
+ Your API token is: <span class="api-token"><%= @api_token %></span>
5
+ </p>
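--- a/data/test/routes_test.rb
+++ b/data/test/routes_test.rb
@@ -15,8 +15,8 @@ class RoutesTest < ActionController::TestCase
 {controller: 'session', action: 'create'})
 assert_routing({path: '/session', method: :delete},
 {controller: 'session', action: 'destroy'})
-assert_routing({path: '/session', method: :delete},
-{controller: 'session', action: 'destroy'})
+assert_routing({path: '/session/api_token', method: :get},
+{controller: 'session', action: 'api_token'})
 assert_routing({path: '/session/change_password', method: :get},
 {controller: 'session', action: 'password_change'})
 assert_routing({path: '/session/change_password', method: :post},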
@@ -399,6 +399,57 @@ class SessionControllerApiTest < ActionController::TestCase
399
399
  assert_nil assigns(:current_user)
400
400
  end
401
401
 
402
+ test "api_token request" do
403
+ user = users(:john)
404
+ set_session_current_user user
405
+ get :api_token
406
+ assert_response :ok
407
+ assert_select 'span[class="api-token"]', credentials(:john_api_token).code
408
+ end
409
+
410
+ test "api_token request from user without token" do
411
+ set_session_current_user @user
412
+ assert_difference 'Tokens::Api.count', 1 do
413
+ get :api_token
414
+ end
415
+ assert_response :ok
416
+ token = @user.credentials.where(type: 'Tokens::Api').first
417
+ assert_select 'span[class="api-token"]', token.code
418
+ end
419
+
420
+ test "api_token request without logged in user" do
421
+ get :api_token
422
+ assert_response :forbidden
423
+ end
424
+
425
+ test "api_token JSON request" do
426
+ user = users(:john)
427
+ set_session_current_user user
428
+ get :api_token, format: 'json'
429
+
430
+ data = ActiveSupport::JSON.decode response.body
431
+ assert_equal credentials(:john_api_token).code, data['api_token']
432
+ end
433
+
434
+ test "api_token JSON request from user without token" do
435
+ set_session_current_user @user
436
+ assert_difference 'Tokens::Api.count', 1 do
437
+ get :api_token, format: 'json'
438
+ end
439
+ token = @user.credentials.where(type: 'Tokens::Api').first
440
+
441
+ data = ActiveSupport::JSON.decode response.body
442
+ assert_equal token.code, data['api_token']
443
+ end
444
+
445
+ test "api_token JSON request without logged in user" do
446
+ get :api_token, format: 'json'
447
+ assert_response :ok
448
+
449
+ data = ActiveSupport::JSON.decode response.body
450
+ assert_equal 'Please sign in', data['error']
451
+ end
452
+
402
453
  test "password_change bounces without logged in user" do
403
454
  get :password_change
404
455
  assert_response :forbidden
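Review bot: The `api_token JSON request without logged in user` test pins an HTTP 200 with `{'error': 'Please sign in'}` for an unauthenticated request to an endpoint that returns a credential, so JSON clients cannot use the status code to detect a missing session and must parse the body instead. This is presumably what `bounce_user` already does for other JSON actions rather than something this commit introduces, but for a token-issuing endpoint a 401 or 403 is what API consumers expect; if the 200 is intentional, a comment on the test such as `# bounce_user answers JSON with 200 + error body; clients must inspect 'error'` would make the contract explicit. The HTML counterpart asserting `:forbidden` and the `assert_difference 'Tokens::Api.count', 1` checks look right; `@user` comes from a setup block outside the hunk.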
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: authpwn_rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.18.0
4
+ version: 0.18.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Victor Costan
@@ -224,6 +224,7 @@ files:
224
224
  - lib/authpwn_rails/generators/templates/initializer.rb
225
225
  - lib/authpwn_rails/generators/templates/omniauth_initializer.rb
226
226
  - lib/authpwn_rails/generators/templates/session.rb
227
+ - lib/authpwn_rails/generators/templates/session/api_token.html.erb
227
228
  - lib/authpwn_rails/generators/templates/session/forbidden.html.erb
228
229
  - lib/authpwn_rails/generators/templates/session/home.html.erb
229
230
  - lib/authpwn_rails/generators/templates/session/new.html.erb
@@ -261,6 +262,7 @@ files:
261
262
  - test/credentials/password_reset_token_test.rb
262
263
  - test/credentials/session_uid_token_test.rb
263
264
  - test/credentials/token_crendential_test.rb
265
+ - test/fixtures/bare_session/api_token.html.erb
264
266
  - test/fixtures/bare_session/forbidden.html.erb
265
267
  - test/fixtures/bare_session/home.html.erb
266
268
  - test/fixtures/bare_session/new.html.erb