authpwn_rails 0.21.1 → 0.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42)
  1. checksums.yaml +4 -4
  2. data/.travis.yml +2 -4
  3. data/Gemfile +6 -6
  4. data/Gemfile.lock +69 -65
  5. data/{Gemfile.rails4 → Gemfile.rails5} +7 -6
  6. data/{README.rdoc → README.md} +21 -13
  7. data/Rakefile +1 -1
  8. data/VERSION +1 -1
  9. data/app/models/tokens/email_verification.rb +2 -2
  10. data/app/models/tokens/password_reset.rb +1 -1
  11. data/authpwn_rails.gemspec +26 -28
  12. data/lib/authpwn_rails/generators/templates/001_create_users.rb +1 -1
  13. data/lib/authpwn_rails/generators/templates/003_create_credentials.rb +2 -2
  14. data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +1 -1
  15. data/lib/authpwn_rails/generators/templates/session/home.html.erb +3 -2
  16. data/lib/authpwn_rails/generators/templates/session_controller_test.rb +11 -11
  17. data/lib/authpwn_rails/generators/templates/session_mailer_test.rb +2 -10
  18. data/lib/authpwn_rails/http_basic.rb +4 -4
  19. data/lib/authpwn_rails/http_token.rb +1 -1
  20. data/lib/authpwn_rails/session.rb +4 -4
  21. data/lib/authpwn_rails/session_controller.rb +6 -10
  22. data/test/{test_extensions_test.rb → action_controller_test_extensions_test.rb} +4 -5
  23. data/test/cookie_controller_test.rb +52 -42
  24. data/test/credentials/api_token_test.rb +2 -2
  25. data/test/credentials/email_verification_token_test.rb +2 -2
  26. data/test/credentials/omni_auth_uid_credential_test.rb +3 -4
  27. data/test/credentials/one_time_token_credential_test.rb +6 -6
  28. data/test/credentials/password_reset_token_test.rb +3 -3
  29. data/test/credentials/session_uid_token_test.rb +2 -2
  30. data/test/credentials/token_crendential_test.rb +3 -3
  31. data/test/fixtures/bare_session/forbidden.html.erb +1 -1
  32. data/test/fixtures/bare_session/home.html.erb +3 -2
  33. data/test/fixtures/bare_session/welcome.html.erb +1 -1
  34. data/test/helpers/db_setup.rb +2 -2
  35. data/test/helpers/test_order.rb +1 -3
  36. data/test/http_basic_controller_test.rb +24 -12
  37. data/test/http_token_controller_test.rb +24 -12
  38. data/test/session_controller_api_test.rb +140 -164
  39. data/test/session_mailer_api_test.rb +2 -10
  40. metadata +19 -27
  41. data/Gemfile.rails41 +0 -18
  42. data/Gemfile.rails42 +0 -18
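--- a/data/lib/authpwn_rails/generators/templates/001_create_users.rb
+++ b/data/lib/authpwn_rails/generators/templates/001_create_users.rb
@@ -1,4 +1,4 @@
-class CreateUsers < ActiveRecord::Migration
+class CreateUsers < ActiveRecord::Migration[5.0]
 def change
 create_table :users do |t|
 t.string :exuid, limit: 32, null: false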
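--- a/data/lib/authpwn_rails/generators/templates/003_create_credentials.rb
+++ b/data/lib/authpwn_rails/generators/templates/003_create_credentials.rb
@@ -1,7 +1,7 @@
-class CreateCredentials < ActiveRecord::Migration
+class CreateCredentials < ActiveRecord::Migration[5.0]
 def change
 create_table :credentials do |t|
-t.references :user, null: false
+t.references :user, null: false, index: false, foreign_key: true
 t.string :type, limit: 32, null: false
 t.string :name, limit: 128, null: true
 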
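Review bot: `t.references :user, null: false, index: false, foreign_key: true` adds a database-level constraint while explicitly suppressing the index on `credentials.user_id`, so unless the migration adds a covering index further down (outside this hunk) every `user.credentials` lookup and every foreign-key check on a `users` delete falls back to a table scan. If a composite index such as one over `[:user_id, :type]` is meant to cover it, a one-line comment on the `t.references` line, `# covered by the composite user_id index added below`, would stop the next reader from re-adding a single-column one. The new `foreign_key: true` also changes the failure mode: deleting a user that still owns credentials now raises at the database instead of leaving orphans, which the generated `User` model needs to handle (for example with `dependent: :destroy`) if it does not already. The `change` method continues outside the hunk.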
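--- a/data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb
+++ b/data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb
@@ -3,7 +3,7 @@
 </p>
 
 <% if current_user %>
-<p>
+<p class="forbidden-logged-in-user">
 You should inform the user that they are logged in as
 <%= current_user.exuid %> and suggest them to
 <%= link_to 'sign out', session_path, method: :delete %> and sign in as a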
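--- a/data/lib/authpwn_rails/generators/templates/session/home.html.erb
+++ b/data/lib/authpwn_rails/generators/templates/session/home.html.erb
@@ -1,5 +1,6 @@
-<p>
+<p class="welcome-page">
 This view gets displayed when the user is logged in. Right now,
-user <%= current_user.exuid %> is logged in. You should allow the user to
+user <span class="user-exuid"><%= current_user.exuid %></span> is logged in.
+You should allow the user to
 <%= link_to 'sign out', session_path, method: :delete %>.
 </p>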
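--- a/data/lib/authpwn_rails/generators/templates/session_controller_test.rb
+++ b/data/lib/authpwn_rails/generators/templates/session_controller_test.rb
@@ -12,7 +12,7 @@ class SessionControllerTest < ActionController::TestCase
 set_session_current_user @user
 get :show
 
-assert_equal @user, assigns(:user)
+assert_select 'span.user-exuid', @user.exuid
 assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
 end
 
@@ -20,8 +20,8 @@ class SessionControllerTest < ActionController::TestCase
 old_token = credentials(:jane_session_token)
 old_token.updated_at = Time.current - 1.year
 old_token.save!
-post :create, session: { email: @email_credential.email,
-password: 'pa55w0rd' }
+post :create, params: { session: { email: @email_credential.email,
+password: 'pa55w0rd' } }
 assert_equal @user, session_current_user, 'session'
 assert_redirected_to session_url
 assert_nil Tokens::Base.with_code(old_token.code).first,
@@ -39,7 +39,6 @@ class SessionControllerTest < ActionController::TestCase
 test "application welcome page" do
 get :show
 
-assert_equal User.count, assigns(:user_count)
 assert_select 'a[href="/session/new"]', 'sign in'
 end
 
@@ -51,7 +50,6 @@ class SessionControllerTest < ActionController::TestCase
 
 test "user login page" do
 get :new
-assert_template :new
 
 assert_select 'form[action=?]', session_path do
 assert_select 'input[name=?]', 'session[email]'
@@ -64,14 +62,14 @@ class SessionControllerTest < ActionController::TestCase
 test "e-mail verification link" do
 token_credential = credentials(:john_email_token)
 email_credential = credentials(:john_email)
-get :token, code: token_credential.code
+get :token, params: { code: token_credential.code }
 assert_redirected_to session_url
 assert email_credential.reload.verified?, 'Email not verified'
 end
 
 test "password reset link" do
 password_credential = credentials(:jane_password)
-get :token, code: credentials(:jane_password_token).code
+get :token, params: { code: credentials(:jane_password_token).code }
 assert_redirected_to change_password_session_url
 assert_nil Credential.where(id: password_credential.id).first,
 'Password not cleared'
@@ -109,8 +107,9 @@ class SessionControllerTest < ActionController::TestCase
 test "password reset request" do
 ActionMailer::Base.deliveries = []
 
-assert_difference 'Credential.count', 1 do
-post :reset_password, session: { email: @email_credential.email }
+assert_difference -> { Credential.count }, 1 do
+post :reset_password, params: {
+session: { email: @email_credential.email } }
 end
 
 assert !ActionMailer::Base.deliveries.empty?, 'email generated'
@@ -173,7 +172,7 @@ class SessionControllerTest < ActionController::TestCase
 request.env['omniauth.auth'] = {
 'provider' => @omniauth_credential.provider,
 'uid' => @omniauth_credential.uid }
-post :omniauth, provider: @omniauth_credential.provider
+post :omniauth, params: { provider: @omniauth_credential.provider }
 assert_equal @user, session_current_user, 'session'
 assert_redirected_to session_url
 assert_nil Tokens::Base.with_code(old_token.code).first,
@@ -190,7 +189,7 @@ class SessionControllerTest < ActionController::TestCase
 'provider' => @omniauth_credential.provider,
 'uid' => 'new_user_gmail_com_uid',
 'info' => { 'email' => 'new_user@gmail.com' } }
-post :omniauth, provider: @omniauth_credential.provider
+post :omniauth, params: { provider: @omniauth_credential.provider }
 assert_not_nil session_current_user, 'session'
 assert_equal true, Credentials::Email.with('new_user@gmail.com').verified?,
 'newly created e-mail credential not verified'
@@ -198,5 +197,6 @@ class SessionControllerTest < ActionController::TestCase
 ensure
 ActionController::Base.allow_forgery_protection = false
 end
+
 end
 end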
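Review bot: Removing `assert_equal User.count, assigns(:user_count)` from the welcome-page test (the `@@ -39,7 +39,6 @@` hunk) drops the only check that the welcome view receives the user count, and nothing replaces it, whereas the logged-in test in the first hunk was migrated to `assert_select 'span.user-exuid', @user.exuid`. If the generated welcome template still renders the count, wrapping it in a classed element and asserting on it, `assert_select 'span.user-count', User.count.to_s`, keeps that coverage under Rails 5 without `assigns`. The `+` blank line inserted before the closing `end` in the last hunk looks accidental and leaves a stray empty line between the `ensure` block's `end` and the test's `end`.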
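--- a/data/lib/authpwn_rails/generators/templates/session_mailer_test.rb
+++ b/data/lib/authpwn_rails/generators/templates/session_mailer_test.rb
@@ -12,11 +12,7 @@ class SessionMailerTest < ActionMailer::TestCase
 test 'email verification email' do
 email_draft = SessionMailer.email_verification_email @verification_token,
 @root_url
-if email_draft.respond_to? :deliver_now
-email = email_draft.deliver_now # Rails 4.2+
-else
-email = email_draft.deliver # Rails 4.0 and 4.1
-end
+email = email_draft.deliver_now
 assert !ActionMailer::Base.deliveries.empty?
 
 assert_equal 'test.host e-mail verification', email.subject
@@ -30,11 +26,7 @@ class SessionMailerTest < ActionMailer::TestCase
 test 'password reset email' do
 email_draft = SessionMailer.reset_password_email @reset_email,
 @reset_token, @root_url
-if email_draft.respond_to? :deliver_now
-email = email_draft.deliver_now # Rails 4.2+
-else
-email = email_draft.deliver # Rails 4.0 and 4.1
-end
+email = email_draft.deliver_now
 assert !ActionMailer::Base.deliveries.empty?
 
 assert_equal 'test.host password reset', email.subject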
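--- a/data/lib/authpwn_rails/http_basic.rb
+++ b/data/lib/authpwn_rails/http_basic.rb
@@ -9,7 +9,7 @@ class ActionController::Base
 # implement find_by_id.
 def self.authenticates_using_http_basic(options = {})
 include Authpwn::HttpBasicControllerInstanceMethods
-before_filter :authenticate_using_http_basic, options
+before_action :authenticate_using_http_basic, options
 end
 end
 
@@ -20,12 +20,12 @@ module Authpwn
 module HttpBasicControllerInstanceMethods
 include Authpwn::CurrentUser
 
-# Filter that implements authenticates_using_http_basic.
+# The before_action that implements authenticates_using_http_basic.
 #
 # If your ApplicationController contains authenticates_using_http_basic, you
-# can opt out in individual controllers using skip_before_filter.
+# can opt out in individual controllers using skip_before_action.
 #
-# skip_before_filter :authenticate_using_http_filter
+# skip_before_action :authenticate_using_http_basic
 def authenticate_using_http_basic
 return if current_user
 authenticate_with_http_basic do |email, password|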
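--- a/data/lib/authpwn_rails/http_token.rb
+++ b/data/lib/authpwn_rails/http_token.rb
@@ -25,7 +25,7 @@ module HttpTokenControllerInstanceMethods
 # If your ApplicationController contains authenticates_using_http_token, you
 # can opt out in individual controllers using skip_before_action.
 #
-# skip_before_action :authenticate_using_http_filter
+# skip_before_action :authenticate_using_http_token
 def authenticate_using_http_token
 return if current_user
 authenticate_with_http_token do |token_code, options|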
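--- a/data/lib/authpwn_rails/session.rb
+++ b/data/lib/authpwn_rails/session.rb
@@ -9,7 +9,7 @@ class ActionController::Base
 # find_by_id.
 def self.authenticates_using_session(options = {})
 include Authpwn::ControllerInstanceMethods
-before_filter :authenticate_using_session, options
+before_action :authenticate_using_session, options
 end
 
 # True for controllers belonging to the authentication implementation.
@@ -51,12 +51,12 @@ module ControllerInstanceMethods
 end
 end
 
-# Filter that implements authenticates_using_session.
+# The before_action that implements authenticates_using_session.
 #
 # If your ApplicationController contains authenticates_using_session, you
-# can opt out in individual controllers using skip_before_filter.
+# can opt out in individual controllers using skip_before_action.
 #
-# skip_before_filter :authenticate_using_session
+# skip_before_action :authenticate_using_session
 def authenticate_using_session
 return if current_user
 session_uid = session[:authpwn_suid]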
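--- a/data/lib/authpwn_rails/session_controller.rb
+++ b/data/lib/authpwn_rails/session_controller.rb
@@ -11,11 +11,11 @@ module SessionController
 extend ActiveSupport::Concern
 
 included do
-skip_filter :authenticate_using_session
+#skip_before_action :authenticate_using_session
 authenticates_using_session except: [:create, :reset_password, :token]
 
 # NOTE: The Omniauth callback uses POST in some cases.
-skip_filter :verify_authenticity_token, only: [:omniauth]
+skip_before_action :verify_authenticity_token, only: [:omniauth]
 
 # If set, every successful login will cause a database purge.
 class_attribute :auto_purge_sessions
@@ -145,12 +145,8 @@ module SessionController
 if user = (credential && credential.user)
 token = Tokens::PasswordReset.random_for user
 email = ::SessionMailer.reset_password_email(email, token, root_url)
-if email.respond_to? :deliver_now
-# TODO(pwnall): fix the serialization errors blocking deliver_later
-email.deliver_now
-else
-email.deliver
-end
+# TODO(pwnall): fix the serialization errors blocking deliver_later
+email.deliver_now
 end
 
 respond_to do |format|
@@ -231,7 +227,7 @@ module SessionController
 respond_to do |format|
 format.html do
 @credential = current_user.credentials.
-find { |c| c.is_a? Credentials::Password }
+where(type: 'Credentials::Password').first
 unless @credential
 @credential = Credentials::Password.new
 @credential.user = current_user
@@ -249,7 +245,7 @@ module SessionController
 end
 
 @credential = current_user.credentials.
-find { |c| c.is_a? Credentials::Password }
+where(type: 'Credentials::Password').first
 if @credential
 # An old password is set, must verify it.
 if @credential.check_password params[:credential][:old_password]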
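Review bot: `#skip_before_action :authenticate_using_session` in the `included` block of the first hunk replaces a live `skip_filter` call with commented-out code and no explanation, so a reader cannot tell whether the skip became unnecessary or was dropped while chasing a Rails 5 error. If the reasoning is that the `authenticates_using_session except: [...]` call on the next line re-registers a callback with the same method name and thereby replaces any inherited one (how ActiveSupport callback chains treat duplicates), say so and delete the dead line: `# authenticates_using_session below re-registers the callback with its own except: list, replacing any inherited one, so no skip is needed.` Because this controller serves `create`, `reset_password` and `token` to anonymous users, the interaction between that `except:` list and an `ApplicationController` that also calls `authenticates_using_session` deserves a regression test rather than a comment alone. The `included` block and the surrounding actions continue outside the hunks.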
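--- a/data/test/test_extensions_test.rb
+++ b/data/test/action_controller_test_extensions_test.rb
@@ -1,6 +1,6 @@
 require_relative 'test_helper'
 
-class TestExtensionsTest < ActionController::TestCase
+class ActionControllerTestExtensionsTest < ActionController::TestCase
 def setup
 @user = users(:john)
 @token = credentials(:john_session_token)
@@ -16,7 +16,7 @@ class TestExtensionsTest < ActionController::TestCase
 end
 
 test 'set_session_current_user reuses existing token' do
-assert_no_difference 'Credential.count' do
+assert_no_difference -> { Credential.count } do
 set_session_current_user @user
 end
 assert_equal @token.suid, request.session[:authpwn_suid]
@@ -24,7 +24,7 @@ class TestExtensionsTest < ActionController::TestCase
 
 test 'set_session_current_user creates token if necessary' do
 @token.destroy
-assert_difference 'Credential.count', 1 do
+assert_difference -> { Credential.count }, 1 do
 set_session_current_user @user
 end
 assert_equal @user, session_current_user
@@ -32,10 +32,9 @@ class TestExtensionsTest < ActionController::TestCase
 
 test 'set_session_current_user to nil' do
 request.session[:authpwn_suid] = @token.suid
-assert_no_difference 'Credential.count' do
+assert_no_difference -> { Credential.count } do
 set_session_current_user nil
 end
 assert_nil request.session[:authpwn_suid]
 end
 end
-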
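--- a/data/test/cookie_controller_test.rb
+++ b/data/test/cookie_controller_test.rb
@@ -4,11 +4,23 @@ require_relative 'test_helper'
 class CookieController < ApplicationController
 authenticates_using_session except: :update
 
+# NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
+# instance variables. current_user is a part of authpwn's API, so we
+# must test it.
+before_action :export_current_user_to_cookie
+def export_current_user_to_cookie
+cookies['_authpwn_test_cuid'] = if current_user
+current_user.id.to_s
+else
+'nil'
+end
+end
+
 def show
 if current_user
-render text: "User: #{current_user.id}"
+render plain: "User: #{current_user.id}"
 else
-render text: "No user"
+render plain: "No user"
 end
 end
 
@@ -18,7 +30,7 @@ class CookieController < ApplicationController
 else
 set_session_current_user User.with_param(params[:exuid]).first
 end
-render text: ''
+render plain: ''
 end
 
 def bouncer
@@ -35,7 +47,7 @@ class CookieControllerTest < ActionController::TestCase
 test "no suid in session" do
 get :show
 assert_response :success
-assert_nil assigns(:current_user)
+assert_equal 'nil', cookies['_authpwn_test_cuid']
 assert_equal 'No user', response.body
 end
 
@@ -43,7 +55,7 @@ class CookieControllerTest < ActionController::TestCase
 request.session[:authpwn_suid] = @token.suid
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 john_id = ActiveRecord::FixtureSet.identify :john
 assert_equal "User: #{john_id}", response.body
 end
@@ -54,7 +66,7 @@ class CookieControllerTest < ActionController::TestCase
 @token.save!
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
 end
 
@@ -64,7 +76,7 @@ class CookieControllerTest < ActionController::TestCase
 @token.save!
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
 end
 
@@ -74,7 +86,7 @@ class CookieControllerTest < ActionController::TestCase
 @token.save!
 get :show
 assert_response :success
-assert_nil assigns(:current_user), 'current_user set'
+assert_equal 'nil', cookies['_authpwn_test_cuid']
 assert_nil Tokens::Base.with_code(@token.suid).first,
 'session token not destroyed'
 end
@@ -84,126 +96,125 @@ class CookieControllerTest < ActionController::TestCase
 @token.destroy
 get :show
 assert_response :success
-assert_nil assigns(:current_user)
+assert_equal 'nil', cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user creates new token by default" do
-assert_difference 'Credential.count', 1 do
-put :update, exuid: @user.exuid
+assert_difference -> { Credential.count }, 1 do
+put :update, params: { exuid: @user.exuid }
 end
 assert_response :success
 assert_not_equal @token.suid, request.session[:authpwn_suid]
 
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user reuses existing token when suitable" do
 request.session[:authpwn_suid] = @token.suid
-assert_no_difference 'Credential.count', 'existing token not reused' do
-put :update, exuid: @user.exuid
+assert_no_difference -> { Credential.count },
+'existing token not reused' do
+put :update, params: { exuid: @user.exuid }
 end
 assert_response :success
 assert_equal @token.suid, request.session[:authpwn_suid]
-assert_equal @user, assigns(:current_user)
 
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user refreshes old token" do
 @token.updated_at = Time.current - 1.day
 request.session[:authpwn_suid] = @token.suid
-assert_no_difference 'Credential.count', 'existing token not reused' do
-put :update, exuid: @user.exuid
+assert_no_difference -> { Credential.count },
+'existing token not reused' do
+put :update, params: { exuid: @user.exuid }
 end
 assert_response :success
 assert_operator @token.reload.updated_at, :>=, Time.current - 1.hour,
 'Old token not refreshed'
-assert_equal @user, assigns(:current_user)
 
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user creates new token if old token is invalid" do
 @token.destroy
 request.session[:authpwn_suid] = @token.suid
-assert_difference 'Credential.count', 1, 'session token not created' do
-put :update, exuid: @user.exuid
+assert_difference -> { Credential.count }, 1,
+'session token not created' do
+put :update, params: { exuid: @user.exuid }
 end
 assert_response :success
 assert_not_equal @token.suid, request.session[:authpwn_suid]
 
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user switches users correctly" do
 old_token = credentials(:jane_session_token)
 request.session[:authpwn_suid] = old_token.suid
-assert_no_difference 'Credential.count',
+assert_no_difference -> { Credential.count },
 "old user's token not destroyed or no new token created" do
-put :update, exuid: @user.exuid
+put :update, params: { exuid: @user.exuid }
 end
 assert_response :success
 assert_nil Tokens::Base.with_code(old_token.suid).first,
 "old user's token not destroyed"
 assert_not_equal @token.suid, request.session[:authpwn_suid]
-assert_equal @user, assigns(:current_user)
 
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user reuses token when switching users" do
 @token.destroy
 request.session[:authpwn_suid] = credentials(:jane_session_token).suid
-assert_no_difference 'Credential.count',
+assert_no_difference -> { Credential.count },
 "old user's token not destroyed or new user's token not created" do
-put :update, exuid: @user.exuid
+put :update, params: { exuid: @user.exuid }
 end
 assert_response :success
-assert_equal @user, assigns(:current_user)
 
 get :show
 assert_response :success
-assert_equal @user, assigns(:current_user)
+assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user logs off a user correctly" do
 request.session[:authpwn_suid] = @token.suid
-assert_difference 'Credential.count', -1, 'token not destroyed' do
-put :update, exuid: ''
+assert_difference -> { Credential.count }, -1, 'token not destroyed' do
+put :update, params: { exuid: '' }
 end
 assert_response :success
 assert_nil request.session[:authpwn_suid]
-assert_equal nil, assigns(:current_user)
+assert_equal 'nil', cookies['_authpwn_test_cuid']
 
 get :show
 assert_response :success
-assert_equal nil, assigns(:current_user)
+assert_equal 'nil', cookies['_authpwn_test_cuid']
 end
 
 test "set_session_current_user behavhttps://appear.in/pwnalles when no user is logged off" do
-assert_no_difference 'Credential.count' do
-put :update, exuid: ''
+assert_no_difference -> { Credential.count } do
+put :update, params: { exuid: '' }
 end
 assert_response :success
 assert_nil request.session[:authpwn_suid]
-assert_equal nil, assigns(:current_user)
+assert_equal 'nil', cookies['_authpwn_test_cuid']
 end
 
 test "valid user_id bounced" do
 request.session[:authpwn_suid] = @token.suid
 get :bouncer
 assert_response :forbidden
-assert_template 'session/forbidden'
+assert_select 'p.forbidden-logged-in-user'
 assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
 # Make sure no layout was rendered.
 assert_select 'title', 0
@@ -221,13 +232,12 @@ class CookieControllerTest < ActionController::TestCase
 test "no user_id bounced" do
 get :bouncer
 assert_response :forbidden
-assert_template 'session/forbidden'
 assert_equal bouncer_cookie_url, flash[:auth_redirect_url]
 # Make sure no layout was rendered.
 assert_select 'title', 0
 assert_select 'h1', 0
-
-assert_select 'script', %r/.*window.location.*#{new_session_path}.*/
+assert_select 'script[type="text/javascript"]',
+%r/.*window.location.*#{new_session_path}.*/
 end
 
 test "no user_id bounced in json" do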
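Review bot: `export_current_user_to_cookie` in the first hunk is added as a public instance method of `CookieController`, and Rails exposes every public controller method as an action that a matching route could dispatch, so it belongs under `private` (a `before_action` symbol still resolves private methods) or inline, `before_action { cookies['_authpwn_test_cuid'] = current_user ? current_user.id.to_s : 'nil' }`. Because it is registered after `authenticates_using_session except: :update`, the cookie written during `update` reflects `current_user` before `set_session_current_user` runs, which matches the follow-up `get :show` assertions but is worth one sentence in the NOTE comment so the next reader does not assert on it right after the `put`. The context line `test "set_session_current_user behavhttps://appear.in/pwnalles when no user is logged off"` carries a pasted URL inside the test name (presumably `behaves`); it predates this commit but is cheap to fix while the file is being touched.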