authpwn_rails 0.21.1 → 0.22.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +2 -4
- data/Gemfile +6 -6
- data/Gemfile.lock +69 -65
- data/{Gemfile.rails4 → Gemfile.rails5} +7 -6
- data/{README.rdoc → README.md} +21 -13
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/app/models/tokens/email_verification.rb +2 -2
- data/app/models/tokens/password_reset.rb +1 -1
- data/authpwn_rails.gemspec +26 -28
- data/lib/authpwn_rails/generators/templates/001_create_users.rb +1 -1
- data/lib/authpwn_rails/generators/templates/003_create_credentials.rb +2 -2
- data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +1 -1
- data/lib/authpwn_rails/generators/templates/session/home.html.erb +3 -2
- data/lib/authpwn_rails/generators/templates/session_controller_test.rb +11 -11
- data/lib/authpwn_rails/generators/templates/session_mailer_test.rb +2 -10
- data/lib/authpwn_rails/http_basic.rb +4 -4
- data/lib/authpwn_rails/http_token.rb +1 -1
- data/lib/authpwn_rails/session.rb +4 -4
- data/lib/authpwn_rails/session_controller.rb +6 -10
- data/test/{test_extensions_test.rb → action_controller_test_extensions_test.rb} +4 -5
- data/test/cookie_controller_test.rb +52 -42
- data/test/credentials/api_token_test.rb +2 -2
- data/test/credentials/email_verification_token_test.rb +2 -2
- data/test/credentials/omni_auth_uid_credential_test.rb +3 -4
- data/test/credentials/one_time_token_credential_test.rb +6 -6
- data/test/credentials/password_reset_token_test.rb +3 -3
- data/test/credentials/session_uid_token_test.rb +2 -2
- data/test/credentials/token_crendential_test.rb +3 -3
- data/test/fixtures/bare_session/forbidden.html.erb +1 -1
- data/test/fixtures/bare_session/home.html.erb +3 -2
- data/test/fixtures/bare_session/welcome.html.erb +1 -1
- data/test/helpers/db_setup.rb +2 -2
- data/test/helpers/test_order.rb +1 -3
- data/test/http_basic_controller_test.rb +24 -12
- data/test/http_token_controller_test.rb +24 -12
- data/test/session_controller_api_test.rb +140 -164
- data/test/session_mailer_api_test.rb +2 -10
- metadata +19 -27
- data/Gemfile.rails41 +0 -18
- data/Gemfile.rails42 +0 -18
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
class CreateCredentials < ActiveRecord::Migration
|
|
1
|
+
class CreateCredentials < ActiveRecord::Migration[5.0]
|
|
2
2
|
def change
|
|
3
3
|
create_table :credentials do |t|
|
|
4
|
-
t.references :user, null: false
|
|
4
|
+
t.references :user, null: false, index: false, foreign_key: true
|
|
5
5
|
t.string :type, limit: 32, null: false
|
|
6
6
|
t.string :name, limit: 128, null: true
|
|
7
7
|
|
|
@@ -1,5 +1,6 @@
|
|
|
1
|
-
<p>
|
|
1
|
+
<p class="welcome-page">
|
|
2
2
|
This view gets displayed when the user is logged in. Right now,
|
|
3
|
-
user
|
|
3
|
+
user <span class="user-exuid"><%= current_user.exuid %></span> is logged in.
|
|
4
|
+
You should allow the user to
|
|
4
5
|
<%= link_to 'sign out', session_path, method: :delete %>.
|
|
5
6
|
</p>
|
|
@@ -12,7 +12,7 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
12
12
|
set_session_current_user @user
|
|
13
13
|
get :show
|
|
14
14
|
|
|
15
|
-
|
|
15
|
+
assert_select 'span.user-exuid', @user.exuid
|
|
16
16
|
assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
|
|
17
17
|
end
|
|
18
18
|
|
|
@@ -20,8 +20,8 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
20
20
|
old_token = credentials(:jane_session_token)
|
|
21
21
|
old_token.updated_at = Time.current - 1.year
|
|
22
22
|
old_token.save!
|
|
23
|
-
post :create, session: { email: @email_credential.email,
|
|
24
|
-
|
|
23
|
+
post :create, params: { session: { email: @email_credential.email,
|
|
24
|
+
password: 'pa55w0rd' } }
|
|
25
25
|
assert_equal @user, session_current_user, 'session'
|
|
26
26
|
assert_redirected_to session_url
|
|
27
27
|
assert_nil Tokens::Base.with_code(old_token.code).first,
|
|
@@ -39,7 +39,6 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
39
39
|
test "application welcome page" do
|
|
40
40
|
get :show
|
|
41
41
|
|
|
42
|
-
assert_equal User.count, assigns(:user_count)
|
|
43
42
|
assert_select 'a[href="/session/new"]', 'sign in'
|
|
44
43
|
end
|
|
45
44
|
|
|
@@ -51,7 +50,6 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
51
50
|
|
|
52
51
|
test "user login page" do
|
|
53
52
|
get :new
|
|
54
|
-
assert_template :new
|
|
55
53
|
|
|
56
54
|
assert_select 'form[action=?]', session_path do
|
|
57
55
|
assert_select 'input[name=?]', 'session[email]'
|
|
@@ -64,14 +62,14 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
64
62
|
test "e-mail verification link" do
|
|
65
63
|
token_credential = credentials(:john_email_token)
|
|
66
64
|
email_credential = credentials(:john_email)
|
|
67
|
-
get :token, code: token_credential.code
|
|
65
|
+
get :token, params: { code: token_credential.code }
|
|
68
66
|
assert_redirected_to session_url
|
|
69
67
|
assert email_credential.reload.verified?, 'Email not verified'
|
|
70
68
|
end
|
|
71
69
|
|
|
72
70
|
test "password reset link" do
|
|
73
71
|
password_credential = credentials(:jane_password)
|
|
74
|
-
get :token, code: credentials(:jane_password_token).code
|
|
72
|
+
get :token, params: { code: credentials(:jane_password_token).code }
|
|
75
73
|
assert_redirected_to change_password_session_url
|
|
76
74
|
assert_nil Credential.where(id: password_credential.id).first,
|
|
77
75
|
'Password not cleared'
|
|
@@ -109,8 +107,9 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
109
107
|
test "password reset request" do
|
|
110
108
|
ActionMailer::Base.deliveries = []
|
|
111
109
|
|
|
112
|
-
assert_difference
|
|
113
|
-
post :reset_password,
|
|
110
|
+
assert_difference -> { Credential.count }, 1 do
|
|
111
|
+
post :reset_password, params: {
|
|
112
|
+
session: { email: @email_credential.email } }
|
|
114
113
|
end
|
|
115
114
|
|
|
116
115
|
assert !ActionMailer::Base.deliveries.empty?, 'email generated'
|
|
@@ -173,7 +172,7 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
173
172
|
request.env['omniauth.auth'] = {
|
|
174
173
|
'provider' => @omniauth_credential.provider,
|
|
175
174
|
'uid' => @omniauth_credential.uid }
|
|
176
|
-
post :omniauth, provider: @omniauth_credential.provider
|
|
175
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
|
177
176
|
assert_equal @user, session_current_user, 'session'
|
|
178
177
|
assert_redirected_to session_url
|
|
179
178
|
assert_nil Tokens::Base.with_code(old_token.code).first,
|
|
@@ -190,7 +189,7 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
190
189
|
'provider' => @omniauth_credential.provider,
|
|
191
190
|
'uid' => 'new_user_gmail_com_uid',
|
|
192
191
|
'info' => { 'email' => 'new_user@gmail.com' } }
|
|
193
|
-
post :omniauth, provider: @omniauth_credential.provider
|
|
192
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
|
194
193
|
assert_not_nil session_current_user, 'session'
|
|
195
194
|
assert_equal true, Credentials::Email.with('new_user@gmail.com').verified?,
|
|
196
195
|
'newly created e-mail credential not verified'
|
|
@@ -198,5 +197,6 @@ class SessionControllerTest < ActionController::TestCase
|
|
|
198
197
|
ensure
|
|
199
198
|
ActionController::Base.allow_forgery_protection = false
|
|
200
199
|
end
|
|
200
|
+
|
|
201
201
|
end
|
|
202
202
|
end
|
|
@@ -12,11 +12,7 @@ class SessionMailerTest < ActionMailer::TestCase
|
|
|
12
12
|
test 'email verification email' do
|
|
13
13
|
email_draft = SessionMailer.email_verification_email @verification_token,
|
|
14
14
|
@root_url
|
|
15
|
-
|
|
16
|
-
email = email_draft.deliver_now # Rails 4.2+
|
|
17
|
-
else
|
|
18
|
-
email = email_draft.deliver # Rails 4.0 and 4.1
|
|
19
|
-
end
|
|
15
|
+
email = email_draft.deliver_now
|
|
20
16
|
assert !ActionMailer::Base.deliveries.empty?
|
|
21
17
|
|
|
22
18
|
assert_equal 'test.host e-mail verification', email.subject
|
|
@@ -30,11 +26,7 @@ class SessionMailerTest < ActionMailer::TestCase
|
|
|
30
26
|
test 'password reset email' do
|
|
31
27
|
email_draft = SessionMailer.reset_password_email @reset_email,
|
|
32
28
|
@reset_token, @root_url
|
|
33
|
-
|
|
34
|
-
email = email_draft.deliver_now # Rails 4.2+
|
|
35
|
-
else
|
|
36
|
-
email = email_draft.deliver # Rails 4.0 and 4.1
|
|
37
|
-
end
|
|
29
|
+
email = email_draft.deliver_now
|
|
38
30
|
assert !ActionMailer::Base.deliveries.empty?
|
|
39
31
|
|
|
40
32
|
assert_equal 'test.host password reset', email.subject
|
|
@@ -9,7 +9,7 @@ class ActionController::Base
|
|
|
9
9
|
# implement find_by_id.
|
|
10
10
|
def self.authenticates_using_http_basic(options = {})
|
|
11
11
|
include Authpwn::HttpBasicControllerInstanceMethods
|
|
12
|
-
|
|
12
|
+
before_action :authenticate_using_http_basic, options
|
|
13
13
|
end
|
|
14
14
|
end
|
|
15
15
|
|
|
@@ -20,12 +20,12 @@ module Authpwn
|
|
|
20
20
|
module HttpBasicControllerInstanceMethods
|
|
21
21
|
include Authpwn::CurrentUser
|
|
22
22
|
|
|
23
|
-
#
|
|
23
|
+
# The before_action that implements authenticates_using_http_basic.
|
|
24
24
|
#
|
|
25
25
|
# If your ApplicationController contains authenticates_using_http_basic, you
|
|
26
|
-
# can opt out in individual controllers using
|
|
26
|
+
# can opt out in individual controllers using skip_before_action.
|
|
27
27
|
#
|
|
28
|
-
#
|
|
28
|
+
# skip_before_action :authenticate_using_http_basic
|
|
29
29
|
def authenticate_using_http_basic
|
|
30
30
|
return if current_user
|
|
31
31
|
authenticate_with_http_basic do |email, password|
|
|
@@ -25,7 +25,7 @@ module HttpTokenControllerInstanceMethods
|
|
|
25
25
|
# If your ApplicationController contains authenticates_using_http_token, you
|
|
26
26
|
# can opt out in individual controllers using skip_before_action.
|
|
27
27
|
#
|
|
28
|
-
# skip_before_action :
|
|
28
|
+
# skip_before_action :authenticate_using_http_token
|
|
29
29
|
def authenticate_using_http_token
|
|
30
30
|
return if current_user
|
|
31
31
|
authenticate_with_http_token do |token_code, options|
|
|
@@ -9,7 +9,7 @@ class ActionController::Base
|
|
|
9
9
|
# find_by_id.
|
|
10
10
|
def self.authenticates_using_session(options = {})
|
|
11
11
|
include Authpwn::ControllerInstanceMethods
|
|
12
|
-
|
|
12
|
+
before_action :authenticate_using_session, options
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
# True for controllers belonging to the authentication implementation.
|
|
@@ -51,12 +51,12 @@ module ControllerInstanceMethods
|
|
|
51
51
|
end
|
|
52
52
|
end
|
|
53
53
|
|
|
54
|
-
#
|
|
54
|
+
# The before_action that implements authenticates_using_session.
|
|
55
55
|
#
|
|
56
56
|
# If your ApplicationController contains authenticates_using_session, you
|
|
57
|
-
# can opt out in individual controllers using
|
|
57
|
+
# can opt out in individual controllers using skip_before_action.
|
|
58
58
|
#
|
|
59
|
-
#
|
|
59
|
+
# skip_before_action :authenticate_using_session
|
|
60
60
|
def authenticate_using_session
|
|
61
61
|
return if current_user
|
|
62
62
|
session_uid = session[:authpwn_suid]
|
|
@@ -11,11 +11,11 @@ module SessionController
|
|
|
11
11
|
extend ActiveSupport::Concern
|
|
12
12
|
|
|
13
13
|
included do
|
|
14
|
-
|
|
14
|
+
#skip_before_action :authenticate_using_session
|
|
15
15
|
authenticates_using_session except: [:create, :reset_password, :token]
|
|
16
16
|
|
|
17
17
|
# NOTE: The Omniauth callback uses POST in some cases.
|
|
18
|
-
|
|
18
|
+
skip_before_action :verify_authenticity_token, only: [:omniauth]
|
|
19
19
|
|
|
20
20
|
# If set, every successful login will cause a database purge.
|
|
21
21
|
class_attribute :auto_purge_sessions
|
|
@@ -145,12 +145,8 @@ module SessionController
|
|
|
145
145
|
if user = (credential && credential.user)
|
|
146
146
|
token = Tokens::PasswordReset.random_for user
|
|
147
147
|
email = ::SessionMailer.reset_password_email(email, token, root_url)
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
email.deliver_now
|
|
151
|
-
else
|
|
152
|
-
email.deliver
|
|
153
|
-
end
|
|
148
|
+
# TODO(pwnall): fix the serialization errors blocking deliver_later
|
|
149
|
+
email.deliver_now
|
|
154
150
|
end
|
|
155
151
|
|
|
156
152
|
respond_to do |format|
|
|
@@ -231,7 +227,7 @@ module SessionController
|
|
|
231
227
|
respond_to do |format|
|
|
232
228
|
format.html do
|
|
233
229
|
@credential = current_user.credentials.
|
|
234
|
-
|
|
230
|
+
where(type: 'Credentials::Password').first
|
|
235
231
|
unless @credential
|
|
236
232
|
@credential = Credentials::Password.new
|
|
237
233
|
@credential.user = current_user
|
|
@@ -249,7 +245,7 @@ module SessionController
|
|
|
249
245
|
end
|
|
250
246
|
|
|
251
247
|
@credential = current_user.credentials.
|
|
252
|
-
|
|
248
|
+
where(type: 'Credentials::Password').first
|
|
253
249
|
if @credential
|
|
254
250
|
# An old password is set, must verify it.
|
|
255
251
|
if @credential.check_password params[:credential][:old_password]
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
require_relative 'test_helper'
|
|
2
2
|
|
|
3
|
-
class
|
|
3
|
+
class ActionControllerTestExtensionsTest < ActionController::TestCase
|
|
4
4
|
def setup
|
|
5
5
|
@user = users(:john)
|
|
6
6
|
@token = credentials(:john_session_token)
|
|
@@ -16,7 +16,7 @@ class TestExtensionsTest < ActionController::TestCase
|
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
test 'set_session_current_user reuses existing token' do
|
|
19
|
-
assert_no_difference
|
|
19
|
+
assert_no_difference -> { Credential.count } do
|
|
20
20
|
set_session_current_user @user
|
|
21
21
|
end
|
|
22
22
|
assert_equal @token.suid, request.session[:authpwn_suid]
|
|
@@ -24,7 +24,7 @@ class TestExtensionsTest < ActionController::TestCase
|
|
|
24
24
|
|
|
25
25
|
test 'set_session_current_user creates token if necessary' do
|
|
26
26
|
@token.destroy
|
|
27
|
-
assert_difference
|
|
27
|
+
assert_difference -> { Credential.count }, 1 do
|
|
28
28
|
set_session_current_user @user
|
|
29
29
|
end
|
|
30
30
|
assert_equal @user, session_current_user
|
|
@@ -32,10 +32,9 @@ class TestExtensionsTest < ActionController::TestCase
|
|
|
32
32
|
|
|
33
33
|
test 'set_session_current_user to nil' do
|
|
34
34
|
request.session[:authpwn_suid] = @token.suid
|
|
35
|
-
assert_no_difference
|
|
35
|
+
assert_no_difference -> { Credential.count } do
|
|
36
36
|
set_session_current_user nil
|
|
37
37
|
end
|
|
38
38
|
assert_nil request.session[:authpwn_suid]
|
|
39
39
|
end
|
|
40
40
|
end
|
|
41
|
-
|
|
@@ -4,11 +4,23 @@ require_relative 'test_helper'
|
|
|
4
4
|
class CookieController < ApplicationController
|
|
5
5
|
authenticates_using_session except: :update
|
|
6
6
|
|
|
7
|
+
# NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
|
|
8
|
+
# instance variables. current_user is a part of authpwn's API, so we
|
|
9
|
+
# must test it.
|
|
10
|
+
before_action :export_current_user_to_cookie
|
|
11
|
+
def export_current_user_to_cookie
|
|
12
|
+
cookies['_authpwn_test_cuid'] = if current_user
|
|
13
|
+
current_user.id.to_s
|
|
14
|
+
else
|
|
15
|
+
'nil'
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
7
19
|
def show
|
|
8
20
|
if current_user
|
|
9
|
-
render
|
|
21
|
+
render plain: "User: #{current_user.id}"
|
|
10
22
|
else
|
|
11
|
-
render
|
|
23
|
+
render plain: "No user"
|
|
12
24
|
end
|
|
13
25
|
end
|
|
14
26
|
|
|
@@ -18,7 +30,7 @@ class CookieController < ApplicationController
|
|
|
18
30
|
else
|
|
19
31
|
set_session_current_user User.with_param(params[:exuid]).first
|
|
20
32
|
end
|
|
21
|
-
render
|
|
33
|
+
render plain: ''
|
|
22
34
|
end
|
|
23
35
|
|
|
24
36
|
def bouncer
|
|
@@ -35,7 +47,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
35
47
|
test "no suid in session" do
|
|
36
48
|
get :show
|
|
37
49
|
assert_response :success
|
|
38
|
-
|
|
50
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
39
51
|
assert_equal 'No user', response.body
|
|
40
52
|
end
|
|
41
53
|
|
|
@@ -43,7 +55,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
43
55
|
request.session[:authpwn_suid] = @token.suid
|
|
44
56
|
get :show
|
|
45
57
|
assert_response :success
|
|
46
|
-
assert_equal @user,
|
|
58
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
47
59
|
john_id = ActiveRecord::FixtureSet.identify :john
|
|
48
60
|
assert_equal "User: #{john_id}", response.body
|
|
49
61
|
end
|
|
@@ -54,7 +66,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
54
66
|
@token.save!
|
|
55
67
|
get :show
|
|
56
68
|
assert_response :success
|
|
57
|
-
assert_equal @user,
|
|
69
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
58
70
|
assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
|
|
59
71
|
end
|
|
60
72
|
|
|
@@ -64,7 +76,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
64
76
|
@token.save!
|
|
65
77
|
get :show
|
|
66
78
|
assert_response :success
|
|
67
|
-
assert_equal @user,
|
|
79
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
68
80
|
assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
|
|
69
81
|
end
|
|
70
82
|
|
|
@@ -74,7 +86,7 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
74
86
|
@token.save!
|
|
75
87
|
get :show
|
|
76
88
|
assert_response :success
|
|
77
|
-
|
|
89
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
78
90
|
assert_nil Tokens::Base.with_code(@token.suid).first,
|
|
79
91
|
'session token not destroyed'
|
|
80
92
|
end
|
|
@@ -84,126 +96,125 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
84
96
|
@token.destroy
|
|
85
97
|
get :show
|
|
86
98
|
assert_response :success
|
|
87
|
-
|
|
99
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
88
100
|
end
|
|
89
101
|
|
|
90
102
|
test "set_session_current_user creates new token by default" do
|
|
91
|
-
assert_difference
|
|
92
|
-
put :update, exuid: @user.exuid
|
|
103
|
+
assert_difference -> { Credential.count }, 1 do
|
|
104
|
+
put :update, params: { exuid: @user.exuid }
|
|
93
105
|
end
|
|
94
106
|
assert_response :success
|
|
95
107
|
assert_not_equal @token.suid, request.session[:authpwn_suid]
|
|
96
108
|
|
|
97
109
|
get :show
|
|
98
110
|
assert_response :success
|
|
99
|
-
assert_equal @user,
|
|
111
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
100
112
|
end
|
|
101
113
|
|
|
102
114
|
test "set_session_current_user reuses existing token when suitable" do
|
|
103
115
|
request.session[:authpwn_suid] = @token.suid
|
|
104
|
-
assert_no_difference
|
|
105
|
-
|
|
116
|
+
assert_no_difference -> { Credential.count },
|
|
117
|
+
'existing token not reused' do
|
|
118
|
+
put :update, params: { exuid: @user.exuid }
|
|
106
119
|
end
|
|
107
120
|
assert_response :success
|
|
108
121
|
assert_equal @token.suid, request.session[:authpwn_suid]
|
|
109
|
-
assert_equal @user, assigns(:current_user)
|
|
110
122
|
|
|
111
123
|
get :show
|
|
112
124
|
assert_response :success
|
|
113
|
-
assert_equal @user,
|
|
125
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
114
126
|
end
|
|
115
127
|
|
|
116
128
|
test "set_session_current_user refreshes old token" do
|
|
117
129
|
@token.updated_at = Time.current - 1.day
|
|
118
130
|
request.session[:authpwn_suid] = @token.suid
|
|
119
|
-
assert_no_difference
|
|
120
|
-
|
|
131
|
+
assert_no_difference -> { Credential.count },
|
|
132
|
+
'existing token not reused' do
|
|
133
|
+
put :update, params: { exuid: @user.exuid }
|
|
121
134
|
end
|
|
122
135
|
assert_response :success
|
|
123
136
|
assert_operator @token.reload.updated_at, :>=, Time.current - 1.hour,
|
|
124
137
|
'Old token not refreshed'
|
|
125
|
-
assert_equal @user, assigns(:current_user)
|
|
126
138
|
|
|
127
139
|
get :show
|
|
128
140
|
assert_response :success
|
|
129
|
-
assert_equal @user,
|
|
141
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
130
142
|
end
|
|
131
143
|
|
|
132
144
|
test "set_session_current_user creates new token if old token is invalid" do
|
|
133
145
|
@token.destroy
|
|
134
146
|
request.session[:authpwn_suid] = @token.suid
|
|
135
|
-
assert_difference
|
|
136
|
-
|
|
147
|
+
assert_difference -> { Credential.count }, 1,
|
|
148
|
+
'session token not created' do
|
|
149
|
+
put :update, params: { exuid: @user.exuid }
|
|
137
150
|
end
|
|
138
151
|
assert_response :success
|
|
139
152
|
assert_not_equal @token.suid, request.session[:authpwn_suid]
|
|
140
153
|
|
|
141
154
|
get :show
|
|
142
155
|
assert_response :success
|
|
143
|
-
assert_equal @user,
|
|
156
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
144
157
|
end
|
|
145
158
|
|
|
146
159
|
test "set_session_current_user switches users correctly" do
|
|
147
160
|
old_token = credentials(:jane_session_token)
|
|
148
161
|
request.session[:authpwn_suid] = old_token.suid
|
|
149
|
-
assert_no_difference
|
|
162
|
+
assert_no_difference -> { Credential.count },
|
|
150
163
|
"old user's token not destroyed or no new token created" do
|
|
151
|
-
put :update, exuid: @user.exuid
|
|
164
|
+
put :update, params: { exuid: @user.exuid }
|
|
152
165
|
end
|
|
153
166
|
assert_response :success
|
|
154
167
|
assert_nil Tokens::Base.with_code(old_token.suid).first,
|
|
155
168
|
"old user's token not destroyed"
|
|
156
169
|
assert_not_equal @token.suid, request.session[:authpwn_suid]
|
|
157
|
-
assert_equal @user, assigns(:current_user)
|
|
158
170
|
|
|
159
171
|
get :show
|
|
160
172
|
assert_response :success
|
|
161
|
-
assert_equal @user,
|
|
173
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
162
174
|
end
|
|
163
175
|
|
|
164
176
|
test "set_session_current_user reuses token when switching users" do
|
|
165
177
|
@token.destroy
|
|
166
178
|
request.session[:authpwn_suid] = credentials(:jane_session_token).suid
|
|
167
|
-
assert_no_difference
|
|
179
|
+
assert_no_difference -> { Credential.count },
|
|
168
180
|
"old user's token not destroyed or new user's token not created" do
|
|
169
|
-
put :update, exuid: @user.exuid
|
|
181
|
+
put :update, params: { exuid: @user.exuid }
|
|
170
182
|
end
|
|
171
183
|
assert_response :success
|
|
172
|
-
assert_equal @user, assigns(:current_user)
|
|
173
184
|
|
|
174
185
|
get :show
|
|
175
186
|
assert_response :success
|
|
176
|
-
assert_equal @user,
|
|
187
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
|
177
188
|
end
|
|
178
189
|
|
|
179
190
|
test "set_session_current_user logs off a user correctly" do
|
|
180
191
|
request.session[:authpwn_suid] = @token.suid
|
|
181
|
-
assert_difference
|
|
182
|
-
put :update, exuid: ''
|
|
192
|
+
assert_difference -> { Credential.count }, -1, 'token not destroyed' do
|
|
193
|
+
put :update, params: { exuid: '' }
|
|
183
194
|
end
|
|
184
195
|
assert_response :success
|
|
185
196
|
assert_nil request.session[:authpwn_suid]
|
|
186
|
-
assert_equal nil,
|
|
197
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
187
198
|
|
|
188
199
|
get :show
|
|
189
200
|
assert_response :success
|
|
190
|
-
assert_equal nil,
|
|
201
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
191
202
|
end
|
|
192
203
|
|
|
193
204
|
test "set_session_current_user behavhttps://appear.in/pwnalles when no user is logged off" do
|
|
194
|
-
assert_no_difference
|
|
195
|
-
put :update, exuid: ''
|
|
205
|
+
assert_no_difference -> { Credential.count } do
|
|
206
|
+
put :update, params: { exuid: '' }
|
|
196
207
|
end
|
|
197
208
|
assert_response :success
|
|
198
209
|
assert_nil request.session[:authpwn_suid]
|
|
199
|
-
assert_equal nil,
|
|
210
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
|
200
211
|
end
|
|
201
212
|
|
|
202
213
|
test "valid user_id bounced" do
|
|
203
214
|
request.session[:authpwn_suid] = @token.suid
|
|
204
215
|
get :bouncer
|
|
205
216
|
assert_response :forbidden
|
|
206
|
-
|
|
217
|
+
assert_select 'p.forbidden-logged-in-user'
|
|
207
218
|
assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
|
|
208
219
|
# Make sure no layout was rendered.
|
|
209
220
|
assert_select 'title', 0
|
|
@@ -221,13 +232,12 @@ class CookieControllerTest < ActionController::TestCase
|
|
|
221
232
|
test "no user_id bounced" do
|
|
222
233
|
get :bouncer
|
|
223
234
|
assert_response :forbidden
|
|
224
|
-
assert_template 'session/forbidden'
|
|
225
235
|
assert_equal bouncer_cookie_url, flash[:auth_redirect_url]
|
|
226
236
|
# Make sure no layout was rendered.
|
|
227
237
|
assert_select 'title', 0
|
|
228
238
|
assert_select 'h1', 0
|
|
229
|
-
|
|
230
|
-
|
|
239
|
+
assert_select 'script[type="text/javascript"]',
|
|
240
|
+
%r/.*window.location.*#{new_session_path}.*/
|
|
231
241
|
end
|
|
232
242
|
|
|
233
243
|
test "no user_id bounced in json" do
|