authpwn_rails 0.21.1 → 0.22.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +2 -4
- data/Gemfile +6 -6
- data/Gemfile.lock +69 -65
- data/{Gemfile.rails4 → Gemfile.rails5} +7 -6
- data/{README.rdoc → README.md} +21 -13
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/app/models/tokens/email_verification.rb +2 -2
- data/app/models/tokens/password_reset.rb +1 -1
- data/authpwn_rails.gemspec +26 -28
- data/lib/authpwn_rails/generators/templates/001_create_users.rb +1 -1
- data/lib/authpwn_rails/generators/templates/003_create_credentials.rb +2 -2
- data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +1 -1
- data/lib/authpwn_rails/generators/templates/session/home.html.erb +3 -2
- data/lib/authpwn_rails/generators/templates/session_controller_test.rb +11 -11
- data/lib/authpwn_rails/generators/templates/session_mailer_test.rb +2 -10
- data/lib/authpwn_rails/http_basic.rb +4 -4
- data/lib/authpwn_rails/http_token.rb +1 -1
- data/lib/authpwn_rails/session.rb +4 -4
- data/lib/authpwn_rails/session_controller.rb +6 -10
- data/test/{test_extensions_test.rb → action_controller_test_extensions_test.rb} +4 -5
- data/test/cookie_controller_test.rb +52 -42
- data/test/credentials/api_token_test.rb +2 -2
- data/test/credentials/email_verification_token_test.rb +2 -2
- data/test/credentials/omni_auth_uid_credential_test.rb +3 -4
- data/test/credentials/one_time_token_credential_test.rb +6 -6
- data/test/credentials/password_reset_token_test.rb +3 -3
- data/test/credentials/session_uid_token_test.rb +2 -2
- data/test/credentials/token_crendential_test.rb +3 -3
- data/test/fixtures/bare_session/forbidden.html.erb +1 -1
- data/test/fixtures/bare_session/home.html.erb +3 -2
- data/test/fixtures/bare_session/welcome.html.erb +1 -1
- data/test/helpers/db_setup.rb +2 -2
- data/test/helpers/test_order.rb +1 -3
- data/test/http_basic_controller_test.rb +24 -12
- data/test/http_token_controller_test.rb +24 -12
- data/test/session_controller_api_test.rb +140 -164
- data/test/session_mailer_api_test.rb +2 -10
- metadata +19 -27
- data/Gemfile.rails41 +0 -18
- data/Gemfile.rails42 +0 -18
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
class CreateCredentials < ActiveRecord::Migration
|
|
1
|
+
class CreateCredentials < ActiveRecord::Migration[5.0]
|
|
2
2
|
def change
|
|
3
3
|
create_table :credentials do |t|
|
|
4
|
-
t.references :user, null: false
|
|
4
|
+
t.references :user, null: false, index: false, foreign_key: true
|
|
5
5
|
t.string :type, limit: 32, null: false
|
|
6
6
|
t.string :name, limit: 128, null: true
|
|
7
7
|
|
|
@@ -1,5 +1,6 @@
|
|
|
1
|
-
<p>
|
|
1
|
+
<p class="welcome-page">
|
|
2
2
|
This view gets displayed when the user is logged in. Right now,
|
|
3
|
-
user
|
|
3
|
+
user <span class="user-exuid"><%= current_user.exuid %></span> is logged in.
|
|
4
|
+
You should allow the user to
|
|
4
5
|
<%= link_to 'sign out', session_path, method: :delete %>.
|
|
5
6
|
</p>
|
|
@@ -12,7 +12,7 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
12
12
|
set_session_current_user @user
|
|
13
13
|
get :show
|
|
14
14
|
|
|
15
|
-
|
|
15
|
+
assert_select 'span.user-exuid', @user.exuid
|
|
16
16
|
assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
|
|
17
17
|
end
|
|
18
18
|
|
|
@@ -20,8 +20,8 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
20
20
|
old_token = credentials(:jane_session_token)
|
|
21
21
|
old_token.updated_at = Time.current - 1.year
|
|
22
22
|
old_token.save!
|
|
23
|
-
post :create, session: { email: @email_credential.email,
|
|
24
|
-
|
|
23
|
+
post :create, params: { session: { email: @email_credential.email,
|
|
24
|
+
password: 'pa55w0rd' } }
|
|
25
25
|
assert_equal @user, session_current_user, 'session'
|
|
26
26
|
assert_redirected_to session_url
|
|
27
27
|
assert_nil Tokens::Base.with_code(old_token.code).first,
|
|
@@ -39,7 +39,6 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
39
39
|
test "application welcome page" do
|
|
40
40
|
get :show
|
|
41
41
|
|
|
42
|
-
assert_equal User.count, assigns(:user_count)
|
|
43
42
|
assert_select 'a[href="/session/new"]', 'sign in'
|
|
44
43
|
end
|
|
45
44
|
|
|
@@ -51,7 +50,6 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
51
50
|
|
|
52
51
|
test "user login page" do
|
|
53
52
|
get :new
|
|
54
|
-
assert_template :new
|
|
55
53
|
|
|
56
54
|
assert_select 'form[action=?]', session_path do
|
|
57
55
|
assert_select 'input[name=?]', 'session[email]'
|
|
@@ -64,14 +62,14 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
64
62
|
test "e-mail verification link" do
|
|
65
63
|
token_credential = credentials(:john_email_token)
|
|
66
64
|
email_credential = credentials(:john_email)
|
|
67
|
-
get :token, code: token_credential.code
|
|
65
|
+
get :token, params: { code: token_credential.code }
|
|
68
66
|
assert_redirected_to session_url
|
|
69
67
|
assert email_credential.reload.verified?, 'Email not verified'
|
|
70
68
|
end
|
|
71
69
|
|
|
72
70
|
test "password reset link" do
|
|
73
71
|
password_credential = credentials(:jane_password)
|
|
74
|
-
get :token, code: credentials(:jane_password_token).code
|
|
72
|
+
get :token, params: { code: credentials(:jane_password_token).code }
|
|
75
73
|
assert_redirected_to change_password_session_url
|
|
76
74
|
assert_nil Credential.where(id: password_credential.id).first,
|
|
77
75
|
'Password not cleared'
|
|
@@ -109,8 +107,9 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
109
107
|
test "password reset request" do
|
|
110
108
|
ActionMailer::Base.deliveries = []
|
|
111
109
|
|
|
112
|
-
assert_difference
|
|
113
|
-
post :reset_password,
|
|
110
|
+
assert_difference -> { Credential.count }, 1 do
|
|
111
|
+
post :reset_password, params: {
|
|
112
|
+
session: { email: @email_credential.email } }
|
|
114
113
|
end
|
|
115
114
|
|
|
116
115
|
assert !ActionMailer::Base.deliveries.empty?, 'email generated'
|
|
@@ -173,7 +172,7 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
173
172
|
request.env['omniauth.auth'] = {
|
|
174
173
|
'provider' => @omniauth_credential.provider,
|
|
175
174
|
'uid' => @omniauth_credential.uid }
|
|
176
|
-
post :omniauth, provider: @omniauth_credential.provider
|
|
175
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
|
177
176
|
assert_equal @user, session_current_user, 'session'
|
|
178
177
|
assert_redirected_to session_url
|
|
179
178
|
assert_nil Tokens::Base.with_code(old_token.code).first,
|
|
@@ -190,7 +189,7 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
190
189
|
'provider' => @omniauth_credential.provider,
|
|
191
190
|
'uid' => 'new_user_gmail_com_uid',
|
|
192
191
|
'info' => { 'email' => 'new_user@gmail.com' } }
|
|
193
|
-
post :omniauth, provider: @omniauth_credential.provider
|
|
192
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
|
194
193
|
assert_not_nil session_current_user, 'session'
|
|
195
194
|
assert_equal true, Credentials::Email.with('new_user@gmail.com').verified?,
|
|
196
195
|
'newly created e-mail credential not verified'
|
|
@@ -198,5 +197,6 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
198
197
|
ensure
|
|
199
198
|
ActionController::Base.allow_forgery_protection = false
|
|
200
199
|
end
|
|
200
|
+
|
|
201
201
|
end
|
|
202
202
|
end
|
|
@@ -12,11 +12,7 @@ class SessionMailerTest < ActionMailer::TestCase
|
|
|
12
12
|
test 'email verification email' do
|
|
13
13
|
email_draft = SessionMailer.email_verification_email @verification_token,
|
|
14
14
|
@root_url
|
|
15
|
-
|
|
16
|
-
email = email_draft.deliver_now # Rails 4.2+
|
|
17
|
-
else
|
|
18
|
-
email = email_draft.deliver # Rails 4.0 and 4.1
|
|
19
|
-
end
|
|
15
|
+
email = email_draft.deliver_now
|
|
20
16
|
assert !ActionMailer::Base.deliveries.empty?
|
|
21
17
|
|
|
22
18
|
assert_equal 'test.host e-mail verification', email.subject
|
|
@@ -30,11 +26,7 @@ class SessionMailerTest < ActionMailer::TestCase
|
|
|
30
26
|
test 'password reset email' do
|
|
31
27
|
email_draft = SessionMailer.reset_password_email @reset_email,
|
|
32
28
|
@reset_token, @root_url
|
|
33
|
-
|
|
34
|
-
email = email_draft.deliver_now # Rails 4.2+
|
|
35
|
-
else
|
|
36
|
-
email = email_draft.deliver # Rails 4.0 and 4.1
|
|
37
|
-
end
|
|
29
|
+
email = email_draft.deliver_now
|
|
38
30
|
assert !ActionMailer::Base.deliveries.empty?
|
|
39
31
|
|
|
40
32
|
assert_equal 'test.host password reset', email.subject
|
|
@@ -9,7 +9,7 @@ class ActionController::Base
|
|
|
9
9
|
# implement find_by_id.
|
|
10
10
|
def self.authenticates_using_http_basic(options = {})
|
|
11
11
|
include Authpwn::HttpBasicControllerInstanceMethods
|
|
12
|
-
|
|
12
|
+
before_action :authenticate_using_http_basic, options
|
|
13
13
|
end
|
|
14
14
|
end
|
|
15
15
|
|
|
@@ -20,12 +20,12 @@ module Authpwn
|
|
|
20
20
|
module HttpBasicControllerInstanceMethods
|
|
21
21
|
include Authpwn::CurrentUser
|
|
22
22
|
|
|
23
|
-
#
|
|
23
|
+
# The before_action that implements authenticates_using_http_basic.
|
|
24
24
|
#
|
|
25
25
|
# If your ApplicationController contains authenticates_using_http_basic, you
|
|
26
|
-
# can opt out in individual controllers using
|
|
26
|
+
# can opt out in individual controllers using skip_before_action.
|
|
27
27
|
#
|
|
28
|
-
#
|
|
28
|
+
# skip_before_action :authenticate_using_http_basic
|
|
29
29
|
def authenticate_using_http_basic
|
|
30
30
|
return if current_user
|
|
31
31
|
authenticate_with_http_basic do |email, password|
|
|
@@ -25,7 +25,7 @@ module HttpTokenControllerInstanceMethods
|
|
|
25
25
|
# If your ApplicationController contains authenticates_using_http_token, you
|
|
26
26
|
# can opt out in individual controllers using skip_before_action.
|
|
27
27
|
#
|
|
28
|
-
# skip_before_action :
|
|
28
|
+
# skip_before_action :authenticate_using_http_token
|
|
29
29
|
def authenticate_using_http_token
|
|
30
30
|
return if current_user
|
|
31
31
|
authenticate_with_http_token do |token_code, options|
|
|
@@ -9,7 +9,7 @@ class ActionController::Base
|
|
|
9
9
|
# find_by_id.
|
|
10
10
|
def self.authenticates_using_session(options = {})
|
|
11
11
|
include Authpwn::ControllerInstanceMethods
|
|
12
|
-
|
|
12
|
+
before_action :authenticate_using_session, options
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
# True for controllers belonging to the authentication implementation.
|
|
@@ -51,12 +51,12 @@ module ControllerInstanceMethods
|
|
|
51
51
|
end
|
|
52
52
|
end
|
|
53
53
|
|
|
54
|
-
#
|
|
54
|
+
# The before_action that implements authenticates_using_session.
|
|
55
55
|
#
|
|
56
56
|
# If your ApplicationController contains authenticates_using_session, you
|
|
57
|
-
# can opt out in individual controllers using
|
|
57
|
+
# can opt out in individual controllers using skip_before_action.
|
|
58
58
|
#
|
|
59
|
-
#
|
|
59
|
+
# skip_before_action :authenticate_using_session
|
|
60
60
|
def authenticate_using_session
|
|
61
61
|
return if current_user
|
|
62
62
|
session_uid = session[:authpwn_suid]
|
|
@@ -11,11 +11,11 @@ module SessionController
|
|
|
11
11
|
extend ActiveSupport::Concern
|
|
12
12
|
|
|
13
13
|
included do
|
|
14
|
-
|
|
14
|
+
#skip_before_action :authenticate_using_session
|
|
15
15
|
authenticates_using_session except: [:create, :reset_password, :token]
|
|
16
16
|
|
|
17
17
|
# NOTE: The Omniauth callback uses POST in some cases.
|
|
18
|
-
|
|
18
|
+
skip_before_action :verify_authenticity_token, only: [:omniauth]
|
|
19
19
|
|
|
20
20
|
# If set, every successful login will cause a database purge.
|
|
21
21
|
class_attribute :auto_purge_sessions
|
|
@@ -145,12 +145,8 @@ module SessionController
|
|
|
145
145
|
if user = (credential && credential.user)
|
|
146
146
|
token = Tokens::PasswordReset.random_for user
|
|
147
147
|
email = ::SessionMailer.reset_password_email(email, token, root_url)
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
email.deliver_now
|
|
151
|
-
else
|
|
152
|
-
email.deliver
|
|
153
|
-
end
|
|
148
|
+
# TODO(pwnall): fix the serialization errors blocking deliver_later
|
|
149
|
+
email.deliver_now
|
|
154
150
|
end
|
|
155
151
|
|
|
156
152
|
respond_to do |format|
|
|
@@ -231,7 +227,7 @@ module SessionController
|
|
|
231
227
|
respond_to do |format|
|
|
232
228
|
format.html do
|
|
233
229
|
@credential = current_user.credentials.
|
|
234
|
-
|
|
230
|
+
where(type: 'Credentials::Password').first
|
|
235
231
|
unless @credential
|
|
236
232
|
@credential = Credentials::Password.new
|
|
237
233
|
@credential.user = current_user
|
|
@@ -249,7 +245,7 @@ module SessionController
|
|
|
249
245
|
end
|
|
250
246
|
|
|
251
247
|
@credential = current_user.credentials.
|
|
252
|
-
|
|
248
|
+
where(type: 'Credentials::Password').first
|
|
253
249
|
if @credential
|
|
254
250
|
# An old password is set, must verify it.
|
|
255
251
|
if @credential.check_password params[:credential][:old_password]
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
require_relative 'test_helper'
|
|
2
2
|
|
|
3
|
-
class
|
|
3
|
+
class ActionControllerTestExtensionsTest < ActionController::TestCase
|
|
4
4
|
def setup
|
|
5
5
|
@user = users(:john)
|
|
6
6
|
@token = credentials(:john_session_token)
|
|
@@ -16,7 +16,7 @@ class TestExtensionsTest < ActionController::TestCase
|
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
test 'set_session_current_user reuses existing token' do
|
|
19
|
-
assert_no_difference
|
|
19
|
+
assert_no_difference -> { Credential.count } do
|
|
20
20
|
set_session_current_user @user
|
|
21
21
|
end
|
|
22
22
|
assert_equal @token.suid, request.session[:authpwn_suid]
|
|
@@ -24,7 +24,7 @@ class TestExtensionsTest < ActionController::TestCase
|
|
|
24
24
|
|
|
25
25
|
test 'set_session_current_user creates token if necessary' do
|
|
26
26
|
@token.destroy
|
|
27
|
-
assert_difference
|
|
27
|
+
assert_difference -> { Credential.count }, 1 do
|
|
28
28
|
set_session_current_user @user
|
|
29
29
|
end
|
|
30
30
|
assert_equal @user, session_current_user
|
|
@@ -32,10 +32,9 @@ class TestExtensionsTest < ActionController::TestCase
|
|
|
32
32
|
|
|
33
33
|
test 'set_session_current_user to nil' do
|
|
34
34
|
request.session[:authpwn_suid] = @token.suid
|
|
35
|
-
assert_no_difference
|
|
35
|
+
assert_no_difference -> { Credential.count } do
|
|
36
36
|
set_session_current_user nil
|
|
37
37
|
end
|
|
38
38
|
assert_nil request.session[:authpwn_suid]
|
|
39
39
|
end
|
|
40
40
|
end
|
|
41
|
-
|
|
@@ -4,11 +4,23 @@ require_relative 'test_helper'
|
|
|
4
4
|
class CookieController < ApplicationController
|
|
5
5
|
authenticates_using_session except: :update
|
|
6
6
|
|
|
7
|
+
# NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
|
|
8
|
+
# instance variables. current_user is a part of authpwn's API, so we
|
|
9
|
+
# must test it.
|
|
10
|
+
before_action :export_current_user_to_cookie
|
|
11
|
+
def export_current_user_to_cookie
|
|
12
|
+
cookies['_authpwn_test_cuid'] = if current_user
|
|
13
|
+
current_user.id.to_s
|
|
14
|
+
else
|
|
15
|
+
'nil'
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
7
19
|
def show
|
|
8
20
|
if current_user
|
|
9
|
-
render
|
|
21
|
+
render plain: "User: #{current_user.id}"
|
|
10
22
|
else
|
|
11
|
-
render
|
|
23
|
+
render plain: "No user"
|
|
12
24
|
end
|
|
13
25
|
end
|
|
14
26
|
|
|
@@ -18,7 +30,7 @@ class CookieController < ApplicationController
|
|
|
18
30
|
else
|
|
19
31
|
set_session_current_user User.with_param(params[:exuid]).first
|
|
20
32
|
end
|
|
21
|
-
render
|
|
33
|
+
render plain: ''
|
|
22
34
|
end
|
|
23
35
|
|
|
24
36
|
def bouncer
|
|
@@ -35,7 +47,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
35
47
|
test "no suid in session" do
|
|
36
48
|
get :show
|
|
37
49
|
assert_response :success
|
|
38
|
-
|
|
50
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
39
51
|
assert_equal 'No user', response.body
|
|
40
52
|
end
|
|
41
53
|
|
|
@@ -43,7 +55,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
43
55
|
request.session[:authpwn_suid] = @token.suid
|
|
44
56
|
get :show
|
|
45
57
|
assert_response :success
|
|
46
|
-
assert_equal @user,
|
|
58
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
47
59
|
john_id = ActiveRecord::FixtureSet.identify :john
|
|
48
60
|
assert_equal "User: #{john_id}", response.body
|
|
49
61
|
end
|
|
@@ -54,7 +66,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
54
66
|
@token.save!
|
|
55
67
|
get :show
|
|
56
68
|
assert_response :success
|
|
57
|
-
assert_equal @user,
|
|
69
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
58
70
|
assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
|
|
59
71
|
end
|
|
60
72
|
|
|
@@ -64,7 +76,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
64
76
|
@token.save!
|
|
65
77
|
get :show
|
|
66
78
|
assert_response :success
|
|
67
|
-
assert_equal @user,
|
|
79
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
68
80
|
assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
|
|
69
81
|
end
|
|
70
82
|
|
|
@@ -74,7 +86,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
74
86
|
@token.save!
|
|
75
87
|
get :show
|
|
76
88
|
assert_response :success
|
|
77
|
-
|
|
89
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
78
90
|
assert_nil Tokens::Base.with_code(@token.suid).first,
|
|
79
91
|
'session token not destroyed'
|
|
80
92
|
end
|
|
@@ -84,126 +96,125 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
84
96
|
@token.destroy
|
|
85
97
|
get :show
|
|
86
98
|
assert_response :success
|
|
87
|
-
|
|
99
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
88
100
|
end
|
|
89
101
|
|
|
90
102
|
test "set_session_current_user creates new token by default" do
|
|
91
|
-
assert_difference
|
|
92
|
-
put :update, exuid: @user.exuid
|
|
103
|
+
assert_difference -> { Credential.count }, 1 do
|
|
104
|
+
put :update, params: { exuid: @user.exuid }
|
|
93
105
|
end
|
|
94
106
|
assert_response :success
|
|
95
107
|
assert_not_equal @token.suid, request.session[:authpwn_suid]
|
|
96
108
|
|
|
97
109
|
get :show
|
|
98
110
|
assert_response :success
|
|
99
|
-
assert_equal @user,
|
|
111
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
100
112
|
end
|
|
101
113
|
|
|
102
114
|
test "set_session_current_user reuses existing token when suitable" do
|
|
103
115
|
request.session[:authpwn_suid] = @token.suid
|
|
104
|
-
assert_no_difference
|
|
105
|
-
|
|
116
|
+
assert_no_difference -> { Credential.count },
|
|
117
|
+
'existing token not reused' do
|
|
118
|
+
put :update, params: { exuid: @user.exuid }
|
|
106
119
|
end
|
|
107
120
|
assert_response :success
|
|
108
121
|
assert_equal @token.suid, request.session[:authpwn_suid]
|
|
109
|
-
assert_equal @user, assigns(:current_user)
|
|
110
122
|
|
|
111
123
|
get :show
|
|
112
124
|
assert_response :success
|
|
113
|
-
assert_equal @user,
|
|
125
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
114
126
|
end
|
|
115
127
|
|
|
116
128
|
test "set_session_current_user refreshes old token" do
|
|
117
129
|
@token.updated_at = Time.current - 1.day
|
|
118
130
|
request.session[:authpwn_suid] = @token.suid
|
|
119
|
-
assert_no_difference
|
|
120
|
-
|
|
131
|
+
assert_no_difference -> { Credential.count },
|
|
132
|
+
'existing token not reused' do
|
|
133
|
+
put :update, params: { exuid: @user.exuid }
|
|
121
134
|
end
|
|
122
135
|
assert_response :success
|
|
123
136
|
assert_operator @token.reload.updated_at, :>=, Time.current - 1.hour,
|
|
124
137
|
'Old token not refreshed'
|
|
125
|
-
assert_equal @user, assigns(:current_user)
|
|
126
138
|
|
|
127
139
|
get :show
|
|
128
140
|
assert_response :success
|
|
129
|
-
assert_equal @user,
|
|
141
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
130
142
|
end
|
|
131
143
|
|
|
132
144
|
test "set_session_current_user creates new token if old token is invalid" do
|
|
133
145
|
@token.destroy
|
|
134
146
|
request.session[:authpwn_suid] = @token.suid
|
|
135
|
-
assert_difference
|
|
136
|
-
|
|
147
|
+
assert_difference -> { Credential.count }, 1,
|
|
148
|
+
'session token not created' do
|
|
149
|
+
put :update, params: { exuid: @user.exuid }
|
|
137
150
|
end
|
|
138
151
|
assert_response :success
|
|
139
152
|
assert_not_equal @token.suid, request.session[:authpwn_suid]
|
|
140
153
|
|
|
141
154
|
get :show
|
|
142
155
|
assert_response :success
|
|
143
|
-
assert_equal @user,
|
|
156
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
144
157
|
end
|
|
145
158
|
|
|
146
159
|
test "set_session_current_user switches users correctly" do
|
|
147
160
|
old_token = credentials(:jane_session_token)
|
|
148
161
|
request.session[:authpwn_suid] = old_token.suid
|
|
149
|
-
assert_no_difference
|
|
162
|
+
assert_no_difference -> { Credential.count },
|
|
150
163
|
"old user's token not destroyed or no new token created" do
|
|
151
|
-
put :update, exuid: @user.exuid
|
|
164
|
+
put :update, params: { exuid: @user.exuid }
|
|
152
165
|
end
|
|
153
166
|
assert_response :success
|
|
154
167
|
assert_nil Tokens::Base.with_code(old_token.suid).first,
|
|
155
168
|
"old user's token not destroyed"
|
|
156
169
|
assert_not_equal @token.suid, request.session[:authpwn_suid]
|
|
157
|
-
assert_equal @user, assigns(:current_user)
|
|
158
170
|
|
|
159
171
|
get :show
|
|
160
172
|
assert_response :success
|
|
161
|
-
assert_equal @user,
|
|
173
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
162
174
|
end
|
|
163
175
|
|
|
164
176
|
test "set_session_current_user reuses token when switching users" do
|
|
165
177
|
@token.destroy
|
|
166
178
|
request.session[:authpwn_suid] = credentials(:jane_session_token).suid
|
|
167
|
-
assert_no_difference
|
|
179
|
+
assert_no_difference -> { Credential.count },
|
|
168
180
|
"old user's token not destroyed or new user's token not created" do
|
|
169
|
-
put :update, exuid: @user.exuid
|
|
181
|
+
put :update, params: { exuid: @user.exuid }
|
|
170
182
|
end
|
|
171
183
|
assert_response :success
|
|
172
|
-
assert_equal @user, assigns(:current_user)
|
|
173
184
|
|
|
174
185
|
get :show
|
|
175
186
|
assert_response :success
|
|
176
|
-
assert_equal @user,
|
|
187
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
177
188
|
end
|
|
178
189
|
|
|
179
190
|
test "set_session_current_user logs off a user correctly" do
|
|
180
191
|
request.session[:authpwn_suid] = @token.suid
|
|
181
|
-
assert_difference
|
|
182
|
-
put :update, exuid: ''
|
|
192
|
+
assert_difference -> { Credential.count }, -1, 'token not destroyed' do
|
|
193
|
+
put :update, params: { exuid: '' }
|
|
183
194
|
end
|
|
184
195
|
assert_response :success
|
|
185
196
|
assert_nil request.session[:authpwn_suid]
|
|
186
|
-
assert_equal nil,
|
|
197
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
187
198
|
|
|
188
199
|
get :show
|
|
189
200
|
assert_response :success
|
|
190
|
-
assert_equal nil,
|
|
201
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
191
202
|
end
|
|
192
203
|
|
|
193
204
|
test "set_session_current_user behavhttps://appear.in/pwnalles when no user is logged off" do
|
|
194
|
-
assert_no_difference
|
|
195
|
-
put :update, exuid: ''
|
|
205
|
+
assert_no_difference -> { Credential.count } do
|
|
206
|
+
put :update, params: { exuid: '' }
|
|
196
207
|
end
|
|
197
208
|
assert_response :success
|
|
198
209
|
assert_nil request.session[:authpwn_suid]
|
|
199
|
-
assert_equal nil,
|
|
210
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
200
211
|
end
|
|
201
212
|
|
|
202
213
|
test "valid user_id bounced" do
|
|
203
214
|
request.session[:authpwn_suid] = @token.suid
|
|
204
215
|
get :bouncer
|
|
205
216
|
assert_response :forbidden
|
|
206
|
-
|
|
217
|
+
assert_select 'p.forbidden-logged-in-user'
|
|
207
218
|
assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
|
|
208
219
|
# Make sure no layout was rendered.
|
|
209
220
|
assert_select 'title', 0
|
|
@@ -221,13 +232,12 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
221
232
|
test "no user_id bounced" do
|
|
222
233
|
get :bouncer
|
|
223
234
|
assert_response :forbidden
|
|
224
|
-
assert_template 'session/forbidden'
|
|
225
235
|
assert_equal bouncer_cookie_url, flash[:auth_redirect_url]
|
|
226
236
|
# Make sure no layout was rendered.
|
|
227
237
|
assert_select 'title', 0
|
|
228
238
|
assert_select 'h1', 0
|
|
229
|
-
|
|
230
|
-
|
|
239
|
+
assert_select 'script[type="text/javascript"]',
|
|
240
|
+
%r/.*window.location.*#{new_session_path}.*/
|
|
231
241
|
end
|
|
232
242
|
|
|
233
243
|
test "no user_id bounced in json" do
|