authpwn_rails 0.21.1 → 0.22.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +2 -4
- data/Gemfile +6 -6
- data/Gemfile.lock +69 -65
- data/{Gemfile.rails4 → Gemfile.rails5} +7 -6
- data/{README.rdoc → README.md} +21 -13
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/app/models/tokens/email_verification.rb +2 -2
- data/app/models/tokens/password_reset.rb +1 -1
- data/authpwn_rails.gemspec +26 -28
- data/lib/authpwn_rails/generators/templates/001_create_users.rb +1 -1
- data/lib/authpwn_rails/generators/templates/003_create_credentials.rb +2 -2
- data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +1 -1
- data/lib/authpwn_rails/generators/templates/session/home.html.erb +3 -2
- data/lib/authpwn_rails/generators/templates/session_controller_test.rb +11 -11
- data/lib/authpwn_rails/generators/templates/session_mailer_test.rb +2 -10
- data/lib/authpwn_rails/http_basic.rb +4 -4
- data/lib/authpwn_rails/http_token.rb +1 -1
- data/lib/authpwn_rails/session.rb +4 -4
- data/lib/authpwn_rails/session_controller.rb +6 -10
- data/test/{test_extensions_test.rb → action_controller_test_extensions_test.rb} +4 -5
- data/test/cookie_controller_test.rb +52 -42
- data/test/credentials/api_token_test.rb +2 -2
- data/test/credentials/email_verification_token_test.rb +2 -2
- data/test/credentials/omni_auth_uid_credential_test.rb +3 -4
- data/test/credentials/one_time_token_credential_test.rb +6 -6
- data/test/credentials/password_reset_token_test.rb +3 -3
- data/test/credentials/session_uid_token_test.rb +2 -2
- data/test/credentials/token_crendential_test.rb +3 -3
- data/test/fixtures/bare_session/forbidden.html.erb +1 -1
- data/test/fixtures/bare_session/home.html.erb +3 -2
- data/test/fixtures/bare_session/welcome.html.erb +1 -1
- data/test/helpers/db_setup.rb +2 -2
- data/test/helpers/test_order.rb +1 -3
- data/test/http_basic_controller_test.rb +24 -12
- data/test/http_token_controller_test.rb +24 -12
- data/test/session_controller_api_test.rb +140 -164
- data/test/session_mailer_api_test.rb +2 -10
- metadata +19 -27
- data/Gemfile.rails41 +0 -18
- data/Gemfile.rails42 +0 -18
@@ -35,7 +35,7 @@ class ApiTokenTest < ActiveSupport::TestCase
|
|
35
35
|
credential = credentials(:john_api_token)
|
36
36
|
assert_equal Tokens::Api, credential.class, 'bad setup'
|
37
37
|
|
38
|
-
assert_no_difference
|
38
|
+
assert_no_difference -> { Credential.count } do
|
39
39
|
credential.spend
|
40
40
|
end
|
41
41
|
end
|
@@ -58,7 +58,7 @@ class ApiTokenTest < ActiveSupport::TestCase
|
|
58
58
|
test 'random_for' do
|
59
59
|
user = users(:jane)
|
60
60
|
credential = nil
|
61
|
-
assert_difference
|
61
|
+
assert_difference -> { Credential.count }, 1 do
|
62
62
|
credential = Tokens::Api.random_for user
|
63
63
|
end
|
64
64
|
saved_credential = Tokens::Base.with_code(credential.code).first
|
@@ -47,7 +47,7 @@ class EmailVerificationTokenTest < ActiveSupport::TestCase
|
|
47
47
|
credential = credentials(:john_email_token)
|
48
48
|
assert_equal Tokens::EmailVerification, credential.class, 'bad setup'
|
49
49
|
|
50
|
-
assert_difference
|
50
|
+
assert_difference -> { Credential.count }, -1 do
|
51
51
|
credential.spend
|
52
52
|
end
|
53
53
|
assert credential.frozen?, 'not destroyed'
|
@@ -59,7 +59,7 @@ class EmailVerificationTokenTest < ActiveSupport::TestCase
|
|
59
59
|
credential = credentials(:john_email_token)
|
60
60
|
credential.email = 'bill@gmail.com'
|
61
61
|
|
62
|
-
assert_difference
|
62
|
+
assert_difference -> { Credential.count }, -1 do
|
63
63
|
credential.spend
|
64
64
|
end
|
65
65
|
assert credential.frozen?, 'not destroyed'
|
@@ -90,7 +90,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
|
|
90
90
|
User.expects(:create_from_omniauth).never
|
91
91
|
|
92
92
|
assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
|
93
|
-
assert_difference
|
93
|
+
assert_difference -> { Credentials::OmniAuthUid.count } do
|
94
94
|
assert_equal jane, Credentials::OmniAuthUid.authenticate(omniauth_hash)
|
95
95
|
end
|
96
96
|
assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
|
@@ -105,7 +105,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
|
|
105
105
|
User.expects(:create_from_omniauth).with(omniauth_hash).returns user
|
106
106
|
|
107
107
|
assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
|
108
|
-
assert_difference
|
108
|
+
assert_difference -> { Credentials::OmniAuthUid.count } do
|
109
109
|
assert_equal user, Credentials::OmniAuthUid.authenticate(omniauth_hash)
|
110
110
|
end
|
111
111
|
assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
|
@@ -119,7 +119,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
|
|
119
119
|
User.expects(:create_from_omniauth).with(omniauth_hash).returns nil
|
120
120
|
|
121
121
|
assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
|
122
|
-
assert_no_difference
|
122
|
+
assert_no_difference -> { Credentials::OmniAuthUid.count } do
|
123
123
|
assert_equal :invalid,
|
124
124
|
Credentials::OmniAuthUid.authenticate(omniauth_hash)
|
125
125
|
end
|
@@ -138,4 +138,3 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
|
|
138
138
|
end
|
139
139
|
end
|
140
140
|
end
|
141
|
-
|
@@ -30,7 +30,7 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
|
|
30
30
|
credential = credentials(:jane_token)
|
31
31
|
assert_equal Tokens::OneTime, credential.class, 'bad setup'
|
32
32
|
|
33
|
-
assert_difference
|
33
|
+
assert_difference -> { Credential.count }, -1 do
|
34
34
|
credential.spend
|
35
35
|
end
|
36
36
|
assert credential.frozen?, 'not destroyed'
|
@@ -39,10 +39,10 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
|
|
39
39
|
test 'authenticate spends the token' do
|
40
40
|
jane = 'skygyoxxmnerxwe4zbi3p5yjtg7zpjl2peyfcwh5wnc37fyfc4xa'
|
41
41
|
bogus = 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo'
|
42
|
-
assert_difference
|
42
|
+
assert_difference -> { Credential.count }, -1, 'token spent' do
|
43
43
|
assert_equal users(:jane), Tokens::Base.authenticate(jane)
|
44
44
|
end
|
45
|
-
assert_no_difference
|
45
|
+
assert_no_difference -> { Credential.count }, 'token mistakenly spent' do
|
46
46
|
assert_equal :invalid, Tokens::Base.authenticate(bogus)
|
47
47
|
end
|
48
48
|
end
|
@@ -51,21 +51,21 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
|
|
51
51
|
jane = 'skygyoxxmnerxwe4zbi3p5yjtg7zpjl2peyfcwh5wnc37fyfc4xa'
|
52
52
|
|
53
53
|
with_blocked_credential credentials(:jane_token), :reason do
|
54
|
-
assert_no_difference
|
54
|
+
assert_no_difference -> { Credential.count }, 'no token spent' do
|
55
55
|
assert_equal :reason, Tokens::Base.authenticate(jane)
|
56
56
|
end
|
57
57
|
end
|
58
58
|
end
|
59
59
|
|
60
60
|
test 'instance authenticate spends the token' do
|
61
|
-
assert_difference
|
61
|
+
assert_difference -> { Credential.count }, -1, 'token spent' do
|
62
62
|
assert_equal users(:jane), credentials(:jane_token).authenticate
|
63
63
|
end
|
64
64
|
end
|
65
65
|
|
66
66
|
test 'instance authenticate calls User#auth_bounce_reason' do
|
67
67
|
with_blocked_credential credentials(:jane_token), :reason do
|
68
|
-
assert_no_difference
|
68
|
+
assert_no_difference -> { Credential.count }, 'token mistakenly spent' do
|
69
69
|
assert_equal :reason, credentials(:jane_token).authenticate
|
70
70
|
end
|
71
71
|
end
|
@@ -40,8 +40,8 @@ class PasswordVerificationTokenTest < ActiveSupport::TestCase
|
|
40
40
|
credential = credentials(:jane_password_token)
|
41
41
|
assert_equal Tokens::PasswordReset, credential.class, 'bad setup'
|
42
42
|
|
43
|
-
assert_difference
|
44
|
-
assert_difference
|
43
|
+
assert_difference -> { Credential.count }, -2 do
|
44
|
+
assert_difference -> { Credentials::Password.count }, -1 do
|
45
45
|
credential.spend
|
46
46
|
end
|
47
47
|
end
|
@@ -55,7 +55,7 @@ class PasswordVerificationTokenTest < ActiveSupport::TestCase
|
|
55
55
|
password_credential.destroy
|
56
56
|
credential = credentials(:jane_password_token)
|
57
57
|
|
58
|
-
assert_difference
|
58
|
+
assert_difference -> { Credential.count }, -1 do
|
59
59
|
credential.spend
|
60
60
|
end
|
61
61
|
assert credential.frozen?, 'not destroyed'
|
@@ -80,7 +80,7 @@ class SessionUidTokenTest < ActiveSupport::TestCase
|
|
80
80
|
fresh_token.updated_at = Time.current - 1.minute
|
81
81
|
fresh_token.save!
|
82
82
|
|
83
|
-
assert_difference
|
83
|
+
assert_difference -> { Credential.count }, -1 do
|
84
84
|
Tokens::SessionUid.remove_expired
|
85
85
|
end
|
86
86
|
assert_nil Tokens::Base.with_code(old_token.code).first
|
@@ -91,7 +91,7 @@ class SessionUidTokenTest < ActiveSupport::TestCase
|
|
91
91
|
test 'random_for' do
|
92
92
|
user = users(:john)
|
93
93
|
credential = nil
|
94
|
-
assert_difference
|
94
|
+
assert_difference -> { Credential.count }, 1 do
|
95
95
|
credential = Tokens::SessionUid.random_for user, '1.2.3.4', 'Test/UA'
|
96
96
|
end
|
97
97
|
saved_credential = Tokens::Base.with_code(credential.code).first
|
@@ -30,7 +30,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
|
|
30
30
|
credential = credentials(:john_token)
|
31
31
|
assert_equal Tokens::Base, credential.class, 'bad setup'
|
32
32
|
|
33
|
-
assert_no_difference
|
33
|
+
assert_no_difference -> { Credential.count } do
|
34
34
|
credential.spend
|
35
35
|
end
|
36
36
|
end
|
@@ -117,12 +117,12 @@ class TokenCredentialTest < ActiveSupport::TestCase
|
|
117
117
|
token.class.stubs(:expires_after).returns 1.week
|
118
118
|
token.save!
|
119
119
|
end
|
120
|
-
assert_difference
|
120
|
+
assert_difference -> { Credential.count }, -1,
|
121
121
|
'authenticate deletes expired credential' do
|
122
122
|
assert_equal :invalid, Tokens::Base.authenticate(john),
|
123
123
|
'expired token'
|
124
124
|
end
|
125
|
-
assert_difference
|
125
|
+
assert_difference -> { Credential.count }, -1,
|
126
126
|
'authenticate deletes expired credential' do
|
127
127
|
assert_equal :invalid, Tokens::Base.authenticate(jane),
|
128
128
|
'expired token'
|
@@ -1,5 +1,6 @@
|
|
1
1
|
<p>
|
2
2
|
This view gets displayed when the user is logged in. Right now,
|
3
|
-
user
|
4
|
-
|
3
|
+
user <span class="user-exuid"><%= current_user.exuid %></span> is logged in.
|
4
|
+
You should allow the user to
|
5
|
+
<%= link_to 'sign out', session_path, method: :delete %>.
|
5
6
|
</p>
|
data/test/helpers/db_setup.rb
CHANGED
@@ -38,8 +38,8 @@ class ActiveSupport::TestCase
|
|
38
38
|
File.expand_path '../../../lib/authpwn_rails/generators/templates',
|
39
39
|
__FILE__
|
40
40
|
|
41
|
-
self.
|
42
|
-
self.use_instantiated_fixtures
|
41
|
+
self.use_transactional_tests = true
|
42
|
+
self.use_instantiated_fixtures = false
|
43
43
|
self.pre_loaded_fixtures = false
|
44
44
|
fixtures :all
|
45
45
|
end
|
data/test/helpers/test_order.rb
CHANGED
@@ -4,11 +4,23 @@ require_relative 'test_helper'
|
|
4
4
|
class HttpBasicController < ApplicationController
|
5
5
|
authenticates_using_http_basic
|
6
6
|
|
7
|
+
# NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
|
8
|
+
# instance variables. current_user is a part of authpwn's API, so we
|
9
|
+
# must test it.
|
10
|
+
before_action :export_current_user_to_cookie
|
11
|
+
def export_current_user_to_cookie
|
12
|
+
cookies['_authpwn_test_cuid'] = if current_user
|
13
|
+
current_user.id.to_s
|
14
|
+
else
|
15
|
+
'nil'
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
7
19
|
def show
|
8
20
|
if current_user
|
9
|
-
render
|
21
|
+
render plain: "User: #{current_user.id}"
|
10
22
|
else
|
11
|
-
render
|
23
|
+
render plain: "No user"
|
12
24
|
end
|
13
25
|
end
|
14
26
|
|
@@ -25,7 +37,7 @@ class HttpBasicControllerTest < ActionController::TestCase
|
|
25
37
|
test "no user_id in session cookie or header" do
|
26
38
|
get :show
|
27
39
|
assert_response :success
|
28
|
-
|
40
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
29
41
|
assert_equal 'No user', response.body
|
30
42
|
end
|
31
43
|
|
@@ -33,14 +45,14 @@ class HttpBasicControllerTest < ActionController::TestCase
|
|
33
45
|
set_session_current_user @user
|
34
46
|
get :show
|
35
47
|
assert_response :success
|
36
|
-
|
48
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
37
49
|
assert_equal 'No user', response.body
|
38
50
|
end
|
39
51
|
|
40
52
|
test "valid user credentials in header" do
|
41
53
|
set_http_basic_user @user, 'pa55w0rd'
|
42
54
|
get :show
|
43
|
-
assert_equal @user,
|
55
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
44
56
|
|
45
57
|
jane_id = ActiveRecord::FixtureSet.identify :jane
|
46
58
|
assert_equal "User: #{jane_id}", response.body
|
@@ -49,7 +61,7 @@ class HttpBasicControllerTest < ActionController::TestCase
|
|
49
61
|
test "invalid user credentials in header" do
|
50
62
|
set_http_basic_user @user, 'fail'
|
51
63
|
get :show
|
52
|
-
|
64
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
53
65
|
assert_equal 'No user', response.body
|
54
66
|
end
|
55
67
|
|
@@ -60,7 +72,7 @@ class HttpBasicControllerTest < ActionController::TestCase
|
|
60
72
|
User.expects(:authenticate_signin).at_least_once.with(signin).returns @user
|
61
73
|
set_http_basic_user @user, 'fail'
|
62
74
|
get :show
|
63
|
-
assert_equal @user,
|
75
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
64
76
|
|
65
77
|
jane_id = ActiveRecord::FixtureSet.identify :jane
|
66
78
|
assert_equal "User: #{jane_id}", response.body
|
@@ -70,30 +82,30 @@ class HttpBasicControllerTest < ActionController::TestCase
|
|
70
82
|
set_http_basic_user @user, 'pa55w0rd'
|
71
83
|
set_http_basic_user nil
|
72
84
|
get :show
|
73
|
-
|
85
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
74
86
|
assert_equal 'No user', response.body
|
75
87
|
end
|
76
88
|
|
77
89
|
test "mocked user credentials in header" do
|
78
90
|
set_http_basic_user @user
|
79
91
|
get :show
|
80
|
-
assert_equal @user,
|
92
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
81
93
|
|
82
94
|
jane_id = ActiveRecord::FixtureSet.identify :jane
|
83
95
|
assert_equal "User: #{jane_id}", response.body
|
84
96
|
end
|
85
97
|
|
86
98
|
test "invalid authpwn_suid in session" do
|
87
|
-
get :show, {}, authpwn_suid: 'random@user.com'
|
99
|
+
get :show, params: {}, session: { authpwn_suid: 'random@user.com' }
|
88
100
|
assert_response :success
|
89
|
-
|
101
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
90
102
|
end
|
91
103
|
|
92
104
|
test "valid user bounced to http authentication" do
|
93
105
|
set_http_basic_user @user
|
94
106
|
get :bouncer
|
95
107
|
assert_response :forbidden
|
96
|
-
|
108
|
+
assert_select 'p.forbidden-logged-in-user'
|
97
109
|
assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
|
98
110
|
# Make sure no layout was rendered.
|
99
111
|
assert_select 'title', 0
|
@@ -4,11 +4,23 @@ require_relative 'test_helper'
|
|
4
4
|
class HttpTokenController < ApplicationController
|
5
5
|
authenticates_using_http_token
|
6
6
|
|
7
|
+
# NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
|
8
|
+
# instance variables. current_user is a part of authpwn's API, so we
|
9
|
+
# must test it.
|
10
|
+
before_action :export_current_user_to_cookie
|
11
|
+
def export_current_user_to_cookie
|
12
|
+
cookies['_authpwn_test_cuid'] = if current_user
|
13
|
+
current_user.id.to_s
|
14
|
+
else
|
15
|
+
'nil'
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
7
19
|
def show
|
8
20
|
if current_user
|
9
|
-
render
|
21
|
+
render plain: "User: #{current_user.id}"
|
10
22
|
else
|
11
|
-
render
|
23
|
+
render plain: "No user"
|
12
24
|
end
|
13
25
|
end
|
14
26
|
|
@@ -25,7 +37,7 @@ class HttpTokenControllerTest < ActionController::TestCase
|
|
25
37
|
test "no user_id in session cookie or header" do
|
26
38
|
get :show
|
27
39
|
assert_response :success
|
28
|
-
|
40
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
29
41
|
assert_equal 'No user', response.body
|
30
42
|
end
|
31
43
|
|
@@ -33,14 +45,14 @@ class HttpTokenControllerTest < ActionController::TestCase
|
|
33
45
|
set_session_current_user @user
|
34
46
|
get :show
|
35
47
|
assert_response :success
|
36
|
-
|
48
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
37
49
|
assert_equal 'No user', response.body
|
38
50
|
end
|
39
51
|
|
40
52
|
test "valid user credentials in header" do
|
41
53
|
set_http_token_user @user
|
42
54
|
get :show
|
43
|
-
assert_equal @user,
|
55
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
44
56
|
assert_equal nil, session_current_user,
|
45
57
|
'Token authentication should not update the session'
|
46
58
|
|
@@ -52,7 +64,7 @@ class HttpTokenControllerTest < ActionController::TestCase
|
|
52
64
|
set_http_token_user @user
|
53
65
|
Tokens::Api.where(user_id: @user.id).destroy_all
|
54
66
|
get :show
|
55
|
-
|
67
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
56
68
|
assert_equal 'No user', response.body
|
57
69
|
end
|
58
70
|
|
@@ -61,7 +73,7 @@ class HttpTokenControllerTest < ActionController::TestCase
|
|
61
73
|
returns @user
|
62
74
|
set_http_token_user @user, 'ap1c0d3'
|
63
75
|
get :show
|
64
|
-
assert_equal @user,
|
76
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
65
77
|
assert_equal nil, session_current_user,
|
66
78
|
'Token authentication should not update the session'
|
67
79
|
|
@@ -73,7 +85,7 @@ class HttpTokenControllerTest < ActionController::TestCase
|
|
73
85
|
set_http_token_user @user
|
74
86
|
set_http_token_user nil
|
75
87
|
get :show
|
76
|
-
|
88
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
77
89
|
assert_equal 'No user', response.body
|
78
90
|
end
|
79
91
|
|
@@ -81,7 +93,7 @@ class HttpTokenControllerTest < ActionController::TestCase
|
|
81
93
|
user = users(:jane)
|
82
94
|
set_http_token_user user
|
83
95
|
get :show
|
84
|
-
assert_equal user,
|
96
|
+
assert_equal user.id.to_s, cookies['_authpwn_test_cuid']
|
85
97
|
assert_equal nil, session_current_user,
|
86
98
|
'Token authentication should not update the session'
|
87
99
|
|
@@ -90,16 +102,16 @@ class HttpTokenControllerTest < ActionController::TestCase
|
|
90
102
|
end
|
91
103
|
|
92
104
|
test "invalid authpwn_suid in session" do
|
93
|
-
get :show, {
|
105
|
+
get :show, session: { authpwn_suid: 'random@user.com' }
|
94
106
|
assert_response :success
|
95
|
-
|
107
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
96
108
|
end
|
97
109
|
|
98
110
|
test "valid user bounced to http authentication" do
|
99
111
|
set_http_token_user @user
|
100
112
|
get :bouncer
|
101
113
|
assert_response :forbidden
|
102
|
-
|
114
|
+
assert_select 'p.forbidden-logged-in-user'
|
103
115
|
assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
|
104
116
|
# Make sure no layout was rendered.
|
105
117
|
assert_select 'title', 0
|
@@ -3,6 +3,18 @@ require_relative 'test_helper'
|
|
3
3
|
class BareSessionController < ApplicationController
|
4
4
|
include Authpwn::SessionController
|
5
5
|
self.append_view_path File.expand_path('../fixtures', __FILE__)
|
6
|
+
|
7
|
+
# NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
|
8
|
+
# instance variables. current_user is a part of authpwn's API, so we
|
9
|
+
# must test it.
|
10
|
+
before_action :export_current_user_to_cookie
|
11
|
+
def export_current_user_to_cookie
|
12
|
+
cookies['_authpwn_test_cuid'] = if current_user
|
13
|
+
current_user.id.to_s
|
14
|
+
else
|
15
|
+
'nil'
|
16
|
+
end
|
17
|
+
end
|
6
18
|
end
|
7
19
|
|
8
20
|
# Tests the methods injected by authpwn_session_controller.
|
@@ -25,8 +37,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
25
37
|
test "show renders welcome without a user" do
|
26
38
|
@controller.expects(:welcome).once.returns nil
|
27
39
|
get :show
|
28
|
-
|
29
|
-
|
40
|
+
assert_select 'p.welcome-page'
|
41
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
30
42
|
end
|
31
43
|
|
32
44
|
test "show json renders empty object without a user" do
|
@@ -40,8 +52,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
40
52
|
@controller.expects(:home).once.returns nil
|
41
53
|
set_session_current_user @user
|
42
54
|
get :show
|
43
|
-
|
44
|
-
assert_equal @user,
|
55
|
+
assert_select 'span.user-exuid', @user.exuid.to_s
|
56
|
+
assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
|
45
57
|
end
|
46
58
|
|
47
59
|
test "show json renders user when logged in" do
|
@@ -52,14 +64,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
52
64
|
data = ActiveSupport::JSON.decode response.body
|
53
65
|
assert_equal @user.exuid, data['user']['exuid']
|
54
66
|
|
55
|
-
|
56
|
-
# Rails 4.2+ uses variable CSRF tokens.
|
57
|
-
assert @controller.send(:valid_authenticity_token?, session,
|
58
|
-
data['csrf'])
|
59
|
-
else
|
60
|
-
# Rails 4.0 and 4.1 store the CSRF token in the session.
|
61
|
-
assert_equal session[:_csrf_token], data['csrf']
|
62
|
-
end
|
67
|
+
assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
|
63
68
|
end
|
64
69
|
|
65
70
|
test "new redirects to session#show when a user is logged in" do
|
@@ -70,23 +75,21 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
70
75
|
|
71
76
|
test "new renders login form without a user" do
|
72
77
|
get :new
|
73
|
-
|
74
|
-
|
78
|
+
assert_select 'form[action="/session"]'
|
79
|
+
assert_equal 'nil', cookies['_authpwn_test_cuid']
|
75
80
|
end
|
76
81
|
|
77
82
|
test "new renders redirect_url when present in flash" do
|
78
83
|
url = 'http://authpwn.redirect.url'
|
79
|
-
get :new,
|
80
|
-
|
81
|
-
assert_select 'form' do
|
84
|
+
get :new, flash: { auth_redirect_url: url }
|
85
|
+
assert_select 'form[action="/session"]' do
|
82
86
|
assert_select "input[name=\"redirect_url\"][value=\"#{url}\"]"
|
83
87
|
end
|
84
88
|
end
|
85
89
|
|
86
90
|
test "create logs in with good account details" do
|
87
|
-
post :create, session: { email: @email_credential.email,
|
88
|
-
|
89
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
91
|
+
post :create, params: { session: { email: @email_credential.email,
|
92
|
+
password: 'pa55w0rd' } }
|
90
93
|
assert_equal @user, session_current_user, 'session'
|
91
94
|
assert_nil flash[:alert], 'no alert'
|
92
95
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -94,8 +97,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
94
97
|
end
|
95
98
|
|
96
99
|
test "create logs in with good raw account details" do
|
97
|
-
post :create, email: @email_credential.email,
|
98
|
-
|
100
|
+
post :create, params: { email: @email_credential.email,
|
101
|
+
password: 'pa55w0rd' }
|
99
102
|
assert_equal @user, session_current_user, 'session'
|
100
103
|
assert_nil flash[:alert], 'no alert'
|
101
104
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -105,9 +108,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
105
108
|
test "create logs in with good account details and no User-Agent" do
|
106
109
|
request.headers['User-Agent'] = nil
|
107
110
|
|
108
|
-
post :create, session: { email: @email_credential.email,
|
109
|
-
|
110
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
111
|
+
post :create, params: { session: { email: @email_credential.email,
|
112
|
+
password: 'pa55w0rd' } }
|
111
113
|
assert_equal @user, session_current_user, 'session'
|
112
114
|
assert_nil flash[:alert], 'no alert'
|
113
115
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -119,8 +121,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
119
121
|
old_token = credentials(:jane_session_token)
|
120
122
|
old_token.updated_at = Time.current - 1.year
|
121
123
|
old_token.save!
|
122
|
-
post :create, session: { email: @email_credential.email,
|
123
|
-
|
124
|
+
post :create, params: { session: { email: @email_credential.email,
|
125
|
+
password: 'pa55w0rd' } }
|
124
126
|
assert_equal @user, session_current_user, 'session'
|
125
127
|
assert_nil Tokens::Base.with_code(old_token.code).first,
|
126
128
|
'old session not purged'
|
@@ -131,29 +133,23 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
131
133
|
old_token = credentials(:jane_session_token)
|
132
134
|
old_token.updated_at = Time.current - 1.year
|
133
135
|
old_token.save!
|
134
|
-
post :create, email: @email_credential.email,
|
136
|
+
post :create, params: { session: { email: @email_credential.email,
|
137
|
+
password: 'pa55w0rd' } }
|
135
138
|
assert_equal @user, session_current_user, 'session'
|
136
139
|
assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
|
137
140
|
'old session purged'
|
138
141
|
end
|
139
142
|
|
140
143
|
test "create by json logs in with good account details" do
|
141
|
-
post :create, email: @email_credential.email,
|
142
|
-
|
144
|
+
post :create, format: 'json', params: { email: @email_credential.email,
|
145
|
+
password: 'pa55w0rd' }
|
146
|
+
|
143
147
|
assert_response :ok
|
144
148
|
data = ActiveSupport::JSON.decode response.body
|
145
149
|
assert_equal @user.exuid, data['user']['exuid']
|
146
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
147
150
|
assert_equal @user, session_current_user, 'session'
|
148
151
|
|
149
|
-
|
150
|
-
# Rails 4.2+ uses variable CSRF tokens.
|
151
|
-
assert @controller.send(:valid_authenticity_token?, session,
|
152
|
-
data['csrf'])
|
153
|
-
else
|
154
|
-
# Rails 4.0 and 4.1 store the CSRF token in the session.
|
155
|
-
assert_equal session[:_csrf_token], data['csrf']
|
156
|
-
end
|
152
|
+
assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
|
157
153
|
end
|
158
154
|
|
159
155
|
test "create by json purges sessions when logging in" do
|
@@ -161,8 +157,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
161
157
|
old_token = credentials(:jane_session_token)
|
162
158
|
old_token.updated_at = Time.current - 1.year
|
163
159
|
old_token.save!
|
164
|
-
post :create, email: @email_credential.email,
|
165
|
-
|
160
|
+
post :create, format: 'json', params: { email: @email_credential.email,
|
161
|
+
password: 'pa55w0rd' }
|
162
|
+
|
166
163
|
assert_response :ok
|
167
164
|
assert_equal @user, session_current_user, 'session'
|
168
165
|
assert_nil Tokens::Base.with_code(old_token.code).first,
|
@@ -171,17 +168,17 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
171
168
|
|
172
169
|
test "create redirects properly with good account details" do
|
173
170
|
url = 'http://authpwn.redirect.url'
|
174
|
-
post :create,
|
175
|
-
|
171
|
+
post :create, params: { redirect_url: url, session: {
|
172
|
+
email: @email_credential.email, password: 'pa55w0rd' } }
|
176
173
|
assert_redirected_to url
|
177
174
|
assert_nil flash[:alert], 'no alert'
|
178
175
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
179
176
|
end
|
180
177
|
|
181
178
|
test "create does not log in with bad password" do
|
182
|
-
post :create, session: { email: @email_credential.email,
|
179
|
+
post :create, params: { session: { email: @email_credential.email,
|
180
|
+
password: 'fail' } }
|
183
181
|
assert_redirected_to new_session_url
|
184
|
-
assert_nil assigns(:current_user), 'instance variable'
|
185
182
|
assert_nil session_current_user, 'session'
|
186
183
|
assert_match(/Invalid/, flash[:alert])
|
187
184
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -190,10 +187,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
190
187
|
test "create does not log in with expired password" do
|
191
188
|
@password_credential.updated_at = Time.current - 2.years
|
192
189
|
@password_credential.save!
|
193
|
-
post :create, session: { email: @email_credential.email,
|
194
|
-
|
190
|
+
post :create, params: { session: { email: @email_credential.email,
|
191
|
+
password: 'pa55w0rd' } }
|
195
192
|
assert_redirected_to new_session_url
|
196
|
-
assert_nil assigns(:current_user), 'instance variable'
|
197
193
|
assert_nil session_current_user, 'session'
|
198
194
|
assert_match(/expired/, flash[:alert])
|
199
195
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -204,7 +200,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
204
200
|
old_token = credentials(:jane_session_token)
|
205
201
|
old_token.updated_at = Time.current - 1.year
|
206
202
|
old_token.save!
|
207
|
-
post :create, session: { email: @email_credential.email,
|
203
|
+
post :create, params: { session: { email: @email_credential.email,
|
204
|
+
password: 'fail' } }
|
208
205
|
assert_nil session_current_user, 'session'
|
209
206
|
assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
|
210
207
|
'old session purged'
|
@@ -212,11 +209,10 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
212
209
|
|
213
210
|
test "create does not log in blocked accounts" do
|
214
211
|
with_blocked_credential @email_credential do
|
215
|
-
post :create, session: { email: @email_credential.email,
|
216
|
-
|
212
|
+
post :create, params: { session: { email: @email_credential.email,
|
213
|
+
password: 'pa55w0rd' } }
|
217
214
|
end
|
218
215
|
assert_redirected_to new_session_url
|
219
|
-
assert_nil assigns(:current_user), 'instance variable'
|
220
216
|
assert_nil session_current_user, 'session'
|
221
217
|
assert_match(/ blocked/, flash[:alert])
|
222
218
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -228,62 +224,59 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
228
224
|
email: 'em@ail.com', password: 'fail').returns signin
|
229
225
|
User.expects(:authenticate_signin).at_least_once.with(signin).
|
230
226
|
returns @email_credential.user
|
231
|
-
post :create, email: 'em@ail.com', password: 'fail'
|
232
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
227
|
+
post :create, params: { email: 'em@ail.com', password: 'fail' }
|
233
228
|
assert_equal @user, session_current_user, 'session'
|
234
229
|
assert_redirected_to session_url
|
235
230
|
end
|
236
231
|
|
237
232
|
test "create by json does not log in with bad password" do
|
238
|
-
post :create,
|
239
|
-
|
233
|
+
post :create, format: 'json', params: {
|
234
|
+
email: @email_credential.email, password: 'fail' }
|
235
|
+
|
240
236
|
assert_response :ok
|
241
237
|
data = ActiveSupport::JSON.decode response.body
|
242
238
|
assert_equal 'invalid', data['error']
|
243
239
|
assert_match(/invalid/i , data['text'])
|
244
|
-
assert_nil assigns(:current_user), 'instance variable'
|
245
240
|
assert_nil session_current_user, 'session'
|
246
241
|
end
|
247
242
|
|
248
243
|
test "create by json does not log in with expired password" do
|
249
244
|
@password_credential.updated_at = Time.current - 2.years
|
250
245
|
@password_credential.save!
|
251
|
-
post :create,
|
252
|
-
|
246
|
+
post :create, format: 'json', params: {
|
247
|
+
email: @email_credential.email, password: 'pa55w0rd' }
|
248
|
+
|
253
249
|
assert_response :ok
|
254
250
|
data = ActiveSupport::JSON.decode response.body
|
255
251
|
assert_equal 'expired', data['error']
|
256
252
|
assert_match(/expired/i , data['text'])
|
257
|
-
assert_nil assigns(:current_user), 'instance variable'
|
258
253
|
assert_nil session_current_user, 'session'
|
259
254
|
end
|
260
255
|
|
261
256
|
test "create by json does not log in blocked accounts" do
|
262
257
|
with_blocked_credential @email_credential do
|
263
|
-
post :create,
|
264
|
-
|
258
|
+
post :create, format: 'json', params: {
|
259
|
+
email: @email_credential.email, password: 'pa55w0rd' }
|
265
260
|
end
|
266
261
|
assert_response :ok
|
267
262
|
data = ActiveSupport::JSON.decode response.body
|
268
263
|
assert_equal 'blocked', data['error']
|
269
264
|
assert_match(/blocked/i , data['text'])
|
270
|
-
assert_nil assigns(:current_user), 'instance variable'
|
271
265
|
assert_nil session_current_user, 'session'
|
272
266
|
end
|
273
267
|
|
274
268
|
test "create maintains redirect_url for bad logins" do
|
275
269
|
url = 'http://authpwn.redirect.url'
|
276
|
-
post :create,
|
277
|
-
|
270
|
+
post :create, params: { redirect_url: url, session: {
|
271
|
+
email: @email_credential.email, password: 'fail' } }
|
278
272
|
assert_redirected_to new_session_url
|
279
273
|
assert_match(/Invalid /, flash[:alert])
|
280
274
|
assert_equal url, flash[:auth_redirect_url]
|
281
275
|
end
|
282
276
|
|
283
277
|
test "create does not log in with bad e-mail" do
|
284
|
-
post :create, email: 'nobody@gmail.com', password: 'no'
|
278
|
+
post :create, params: { email: 'nobody@gmail.com', password: 'no' }
|
285
279
|
assert_redirected_to new_session_url
|
286
|
-
assert_nil assigns(:current_user), 'instance variable'
|
287
280
|
assert_nil session_current_user, 'session'
|
288
281
|
assert_match(/Invalid /, flash[:alert])
|
289
282
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -292,9 +285,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
292
285
|
test "token logs in with good token" do
|
293
286
|
@controller.expects(:home_with_token).once.with(@token_credential).
|
294
287
|
returns(nil)
|
295
|
-
get :token, code: @token_credential.code
|
288
|
+
get :token, params: { code: @token_credential.code }
|
296
289
|
assert_redirected_to session_url
|
297
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
298
290
|
assert_equal @user, session_current_user, 'session'
|
299
291
|
assert_nil Tokens::Base.with_code(@token_credential.code).first,
|
300
292
|
'one-time credential is spent'
|
@@ -305,9 +297,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
305
297
|
|
306
298
|
@controller.expects(:home_with_token).once.with(@token_credential).
|
307
299
|
returns(nil)
|
308
|
-
get :token, code: @token_credential.code
|
300
|
+
get :token, params: { code: @token_credential.code }
|
309
301
|
assert_redirected_to session_url
|
310
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
311
302
|
assert_equal @user, session_current_user, 'session'
|
312
303
|
assert_nil Tokens::Base.with_code(@token_credential.code).first,
|
313
304
|
'one-time credential is spent'
|
@@ -316,70 +307,58 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
316
307
|
test "token by json logs in with good token" do
|
317
308
|
@controller.expects(:home_with_token).once.with(@token_credential).
|
318
309
|
returns(nil)
|
319
|
-
get :token, code: @token_credential.code
|
310
|
+
get :token, format: 'json', params: { code: @token_credential.code }
|
320
311
|
assert_response :ok
|
321
312
|
data = ActiveSupport::JSON.decode response.body
|
322
313
|
assert_equal @user.exuid, data['user']['exuid']
|
323
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
324
314
|
assert_equal @user, session_current_user, 'session'
|
325
315
|
assert_nil Tokens::Base.with_code(@token_credential.code).first,
|
326
316
|
'one-time credential is spent'
|
327
317
|
|
328
|
-
|
329
|
-
# Rails 4.2+ uses variable CSRF tokens.
|
330
|
-
assert @controller.send(:valid_authenticity_token?, session,
|
331
|
-
data['csrf'])
|
332
|
-
else
|
333
|
-
# Rails 4.0 and 4.1 store the CSRF token in the session.
|
334
|
-
assert_equal session[:_csrf_token], data['csrf']
|
335
|
-
end
|
318
|
+
assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
|
336
319
|
end
|
337
320
|
|
338
321
|
test "token does not log in with random token" do
|
339
|
-
assert_no_difference
|
340
|
-
get :token, code: 'no-such-token'
|
322
|
+
assert_no_difference -> { Credential.count }, 'no credential is spent' do
|
323
|
+
get :token, params: { code: 'no-such-token' }
|
341
324
|
end
|
342
325
|
assert_redirected_to new_session_url
|
343
|
-
assert_nil assigns(:current_user), 'instance variable'
|
344
326
|
assert_nil session_current_user, 'session'
|
345
327
|
assert_match(/Invalid/, flash[:alert])
|
346
328
|
end
|
347
329
|
|
348
330
|
test "token does not log in blocked accounts" do
|
349
331
|
with_blocked_credential @token_credential do
|
350
|
-
assert_no_difference
|
351
|
-
get :token, code: @token_credential.code
|
332
|
+
assert_no_difference -> { Credential.count }, 'no credential is spent' do
|
333
|
+
get :token, params: { code: @token_credential.code }
|
352
334
|
end
|
353
335
|
end
|
354
336
|
assert_redirected_to new_session_url
|
355
|
-
assert_nil assigns(:current_user), 'instance variable'
|
356
337
|
assert_nil session_current_user, 'session'
|
357
338
|
assert_match(/ blocked/, flash[:alert])
|
358
339
|
end
|
359
340
|
|
360
341
|
test "token by json does not log in with random token" do
|
361
|
-
assert_no_difference
|
362
|
-
get :token, code: 'no-such-token'
|
342
|
+
assert_no_difference -> { Credential.count }, 'no credential is spent' do
|
343
|
+
get :token, format: 'json', params: { code: 'no-such-token' }
|
363
344
|
end
|
364
345
|
assert_response :ok
|
365
346
|
data = ActiveSupport::JSON.decode response.body
|
366
347
|
assert_equal 'invalid', data['error']
|
367
348
|
assert_match(/invalid/i , data['text'])
|
368
|
-
assert_nil assigns(:current_user), 'instance variable'
|
369
349
|
assert_nil session_current_user, 'session'
|
370
350
|
end
|
371
351
|
|
372
352
|
test "token by json does not log in blocked accounts" do
|
373
353
|
with_blocked_credential @token_credential do
|
374
|
-
assert_no_difference
|
375
|
-
get :token, code: @token_credential.code
|
354
|
+
assert_no_difference -> { Credential.count }, 'no credential is spent' do
|
355
|
+
get :token, format: 'json', params: { code: @token_credential.code }
|
376
356
|
end
|
377
357
|
end
|
378
358
|
assert_response :ok
|
379
359
|
data = ActiveSupport::JSON.decode response.body
|
380
360
|
assert_equal 'blocked', data['error']
|
381
361
|
assert_match(/blocked/i , data['text'])
|
382
|
-
assert_nil assigns(:current_user), 'instance variable'
|
383
362
|
assert_nil session_current_user, 'session'
|
384
363
|
end
|
385
364
|
|
@@ -388,7 +367,6 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
388
367
|
delete :destroy
|
389
368
|
|
390
369
|
assert_redirected_to session_url
|
391
|
-
assert_nil assigns(:current_user)
|
392
370
|
end
|
393
371
|
|
394
372
|
test "logout by json" do
|
@@ -396,7 +374,6 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
396
374
|
delete :destroy, format: 'json'
|
397
375
|
|
398
376
|
assert_response :ok
|
399
|
-
assert_nil assigns(:current_user)
|
400
377
|
end
|
401
378
|
|
402
379
|
test "api_token request" do
|
@@ -409,7 +386,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
409
386
|
|
410
387
|
test "api_token request from user without token" do
|
411
388
|
set_session_current_user @user
|
412
|
-
assert_difference
|
389
|
+
assert_difference -> { Tokens::Api.count }, 1 do
|
413
390
|
get :api_token
|
414
391
|
end
|
415
392
|
assert_response :ok
|
@@ -433,7 +410,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
433
410
|
|
434
411
|
test "api_token JSON request from user without token" do
|
435
412
|
set_session_current_user @user
|
436
|
-
assert_difference
|
413
|
+
assert_difference -> { Tokens::Api.count }, 1 do
|
437
414
|
get :api_token, format: 'json'
|
438
415
|
end
|
439
416
|
token = @user.credentials.where(type: 'Tokens::Api').first
|
@@ -453,7 +430,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
453
430
|
test "api_token destroy request" do
|
454
431
|
user = users(:john)
|
455
432
|
set_session_current_user user
|
456
|
-
assert_difference
|
433
|
+
assert_difference -> { Tokens::Api.count }, -1 do
|
457
434
|
delete :destroy_api_token
|
458
435
|
end
|
459
436
|
assert_nil user.credentials.where(type: 'Tokens::Api').first
|
@@ -463,7 +440,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
463
440
|
|
464
441
|
test "api_token destroy request from user without token" do
|
465
442
|
set_session_current_user @user
|
466
|
-
assert_no_difference
|
443
|
+
assert_no_difference -> { Tokens::Api.count } do
|
467
444
|
delete :destroy_api_token
|
468
445
|
end
|
469
446
|
assert_nil @user.credentials.where(type: 'Tokens::Api').first
|
@@ -479,7 +456,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
479
456
|
test "api_token destroy JSON request" do
|
480
457
|
user = users(:john)
|
481
458
|
set_session_current_user user
|
482
|
-
assert_difference
|
459
|
+
assert_difference -> { Tokens::Api.count }, -1 do
|
483
460
|
delete :destroy_api_token, format: 'json'
|
484
461
|
end
|
485
462
|
|
@@ -490,7 +467,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
490
467
|
|
491
468
|
test "api_token destroy JSON request from user without token" do
|
492
469
|
set_session_current_user @user
|
493
|
-
assert_no_difference
|
470
|
+
assert_no_difference -> { Tokens::Api.count } do
|
494
471
|
delete :destroy_api_token, format: 'json'
|
495
472
|
end
|
496
473
|
|
@@ -518,15 +495,15 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
518
495
|
set_session_current_user @user
|
519
496
|
get :password_change
|
520
497
|
assert_response :ok
|
521
|
-
|
522
|
-
|
498
|
+
assert_select 'form[action="/session/change_password"][method="post"]' do
|
499
|
+
assert_select 'input[name="credential[old_password]"]'
|
500
|
+
end
|
523
501
|
end
|
524
502
|
|
525
503
|
test "change_password bounces without logged in user" do
|
526
|
-
post :change_password, credential: { old_password: 'pa55w0rd',
|
527
|
-
password: 'hacks', password_confirmation: 'hacks' }
|
504
|
+
post :change_password, params: { credential: { old_password: 'pa55w0rd',
|
505
|
+
password: 'hacks', password_confirmation: 'hacks' } }
|
528
506
|
assert_response :forbidden
|
529
|
-
assert_template 'session/forbidden'
|
530
507
|
# Make sure no layout was rendered.
|
531
508
|
assert_select 'title', 0
|
532
509
|
assert_select 'h1', 0
|
@@ -534,32 +511,31 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
534
511
|
|
535
512
|
test "change_password works with correct input" do
|
536
513
|
set_session_current_user @user
|
537
|
-
post :change_password, credential: { old_password: 'pa55w0rd',
|
538
|
-
password: 'hacks', password_confirmation: 'hacks'}
|
514
|
+
post :change_password, params: { credential: { old_password: 'pa55w0rd',
|
515
|
+
password: 'hacks', password_confirmation: 'hacks'} }
|
539
516
|
assert_redirected_to session_url
|
540
|
-
assert_equal @password_credential, assigns(:credential)
|
541
517
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
542
518
|
@email_credential.email, password: 'hacks')), 'password not changed'
|
543
519
|
end
|
544
520
|
|
545
521
|
test "change_password works with correct input and extra form input" do
|
546
522
|
set_session_current_user @user
|
547
|
-
post :change_password, credential: { old_password: 'pa55w0rd',
|
523
|
+
post :change_password, params: { credential: { old_password: 'pa55w0rd',
|
548
524
|
password: 'hacks', password_confirmation: 'hacks' }, utf8: "\u2713",
|
549
|
-
commit: 'Change Password'
|
525
|
+
commit: 'Change Password' }
|
550
526
|
assert_redirected_to session_url
|
551
|
-
assert_equal @password_credential, assigns(:credential)
|
552
527
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
553
528
|
@email_credential.email, password: 'hacks')), 'password not changed'
|
554
529
|
end
|
555
530
|
|
556
531
|
test "change_password rejects bad old password" do
|
557
532
|
set_session_current_user @user
|
558
|
-
post :change_password, credential: { old_password: '_pa55w0rd',
|
559
|
-
password: 'hacks', password_confirmation: 'hacks' }
|
533
|
+
post :change_password, params: { credential: { old_password: '_pa55w0rd',
|
534
|
+
password: 'hacks', password_confirmation: 'hacks' } }
|
560
535
|
assert_response :ok
|
561
|
-
|
562
|
-
|
536
|
+
assert_select 'form[action="/session/change_password"][method="post"]' do
|
537
|
+
assert_select 'input[name="credential[old_password]"]'
|
538
|
+
end
|
563
539
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
564
540
|
@email_credential.email, password: 'pa55w0rd')),
|
565
541
|
'password wrongly changed'
|
@@ -567,11 +543,12 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
567
543
|
|
568
544
|
test "change_password rejects un-confirmed password" do
|
569
545
|
set_session_current_user @user
|
570
|
-
post :change_password, credential: { old_password: 'pa55w0rd',
|
571
|
-
password: 'hacks', password_confirmation: 'hacks_' }
|
546
|
+
post :change_password, params: { credential: { old_password: 'pa55w0rd',
|
547
|
+
password: 'hacks', password_confirmation: 'hacks_' } }
|
572
548
|
assert_response :ok
|
573
|
-
|
574
|
-
|
549
|
+
assert_select 'form[action="/session/change_password"][method="post"]' do
|
550
|
+
assert_select 'input[name="credential[old_password]"]'
|
551
|
+
end
|
575
552
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
576
553
|
@email_credential.email, password: 'pa55w0rd')),
|
577
554
|
'password wrongly changed'
|
@@ -580,8 +557,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
580
557
|
test "change_password works for password recovery" do
|
581
558
|
set_session_current_user @user
|
582
559
|
@password_credential.destroy
|
583
|
-
post :change_password, credential: { password: 'hacks',
|
584
|
-
|
560
|
+
post :change_password, params: { credential: { password: 'hacks',
|
561
|
+
password_confirmation: 'hacks' } }
|
585
562
|
assert_redirected_to session_url
|
586
563
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
587
564
|
@email_credential.email, password: 'hacks')), 'password not changed'
|
@@ -590,18 +567,20 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
590
567
|
test "change_password rejects un-confirmed password on recovery" do
|
591
568
|
set_session_current_user @user
|
592
569
|
@password_credential.destroy
|
593
|
-
assert_no_difference
|
594
|
-
post :change_password, credential: { password: 'hacks',
|
595
|
-
|
570
|
+
assert_no_difference -> { Credential.count } do
|
571
|
+
post :change_password, params: { credential: { password: 'hacks',
|
572
|
+
password_confirmation: 'hacks_' } }
|
596
573
|
end
|
597
574
|
assert_response :ok
|
598
|
-
|
575
|
+
assert_select 'form[action="/session/change_password"][method="post"]' do
|
576
|
+
assert_select 'input[name="credential[old_password]"]', count: 0
|
577
|
+
end
|
599
578
|
end
|
600
579
|
|
601
580
|
test "change_password by json bounces without logged in user" do
|
602
|
-
post :change_password, format: 'json',
|
581
|
+
post :change_password, format: 'json', params: {
|
603
582
|
credential: { old_password: 'pa55w0rd', password: 'hacks',
|
604
|
-
password_confirmation: 'hacks' }
|
583
|
+
password_confirmation: 'hacks' } }
|
605
584
|
assert_response :ok
|
606
585
|
data = ActiveSupport::JSON.decode response.body
|
607
586
|
assert_equal 'Please sign in', data['error']
|
@@ -609,9 +588,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
609
588
|
|
610
589
|
test "change_password by json works with correct input" do
|
611
590
|
set_session_current_user @user
|
612
|
-
post :change_password, format: 'json',
|
591
|
+
post :change_password, format: 'json', params: {
|
613
592
|
credential: { old_password: 'pa55w0rd', password: 'hacks',
|
614
|
-
password_confirmation: 'hacks' }
|
593
|
+
password_confirmation: 'hacks' } }
|
615
594
|
assert_response :ok
|
616
595
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
617
596
|
@email_credential.email, password: 'hacks')), 'password not changed'
|
@@ -619,13 +598,12 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
619
598
|
|
620
599
|
test "change_password by json rejects bad old password" do
|
621
600
|
set_session_current_user @user
|
622
|
-
post :change_password, format: 'json',
|
601
|
+
post :change_password, format: 'json', params: {
|
623
602
|
credential: { old_password: '_pa55w0rd', password: 'hacks',
|
624
|
-
password_confirmation: 'hacks' }
|
603
|
+
password_confirmation: 'hacks' } }
|
625
604
|
assert_response :ok
|
626
605
|
data = ActiveSupport::JSON.decode response.body
|
627
606
|
assert_equal 'invalid', data['error']
|
628
|
-
assert_equal @password_credential, assigns(:credential)
|
629
607
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
630
608
|
@email_credential.email, password: 'pa55w0rd')),
|
631
609
|
'password wrongly changed'
|
@@ -633,9 +611,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
633
611
|
|
634
612
|
test "change_password by json rejects un-confirmed password" do
|
635
613
|
set_session_current_user @user
|
636
|
-
post :change_password, format: 'json',
|
614
|
+
post :change_password, format: 'json', params: {
|
637
615
|
credential: { old_password: 'pa55w0rd', password: 'hacks',
|
638
|
-
password_confirmation: 'hacks_' }
|
616
|
+
password_confirmation: 'hacks_' } }
|
639
617
|
assert_response :ok
|
640
618
|
data = ActiveSupport::JSON.decode response.body
|
641
619
|
assert_equal 'invalid', data['error']
|
@@ -647,8 +625,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
647
625
|
test "change_password by json works for password recovery" do
|
648
626
|
set_session_current_user @user
|
649
627
|
@password_credential.destroy
|
650
|
-
post :change_password, format: 'json',
|
651
|
-
credential: { password: 'hacks', password_confirmation: 'hacks' }
|
628
|
+
post :change_password, format: 'json', params: {
|
629
|
+
credential: { password: 'hacks', password_confirmation: 'hacks' } }
|
652
630
|
assert_response :ok
|
653
631
|
assert_equal @user, User.authenticate_signin(Session.new(email:
|
654
632
|
@email_credential.email, password: 'hacks')), 'password not changed'
|
@@ -657,9 +635,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
657
635
|
test "change_password by json rejects un-confirmed password on recovery" do
|
658
636
|
set_session_current_user @user
|
659
637
|
@password_credential.destroy
|
660
|
-
assert_no_difference
|
661
|
-
post :change_password, format: 'json',
|
662
|
-
credential: { password: 'hacks', password_confirmation: 'hacks_' }
|
638
|
+
assert_no_difference -> { Credential.count } do
|
639
|
+
post :change_password, format: 'json', params: {
|
640
|
+
credential: { password: 'hacks', password_confirmation: 'hacks_' } }
|
663
641
|
end
|
664
642
|
assert_response :ok
|
665
643
|
data = ActiveSupport::JSON.decode response.body
|
@@ -670,8 +648,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
670
648
|
ActionMailer::Base.deliveries = []
|
671
649
|
request.host = 'mail.test.host:1234'
|
672
650
|
|
673
|
-
assert_difference
|
674
|
-
post :reset_password,
|
651
|
+
assert_difference -> { Credential.count }, 1 do
|
652
|
+
post :reset_password, params: {
|
653
|
+
session: { email: @email_credential.email } }
|
675
654
|
end
|
676
655
|
|
677
656
|
token = Credential.last
|
@@ -692,9 +671,10 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
692
671
|
test "reset_password for good e-mail by json" do
|
693
672
|
ActionMailer::Base.deliveries = []
|
694
673
|
|
695
|
-
assert_difference
|
696
|
-
post :reset_password,
|
697
|
-
|
674
|
+
assert_difference -> { Credential.count }, 1 do
|
675
|
+
post :reset_password, format: 'json', params: {
|
676
|
+
session: { email: @email_credential.email } }
|
677
|
+
|
698
678
|
end
|
699
679
|
|
700
680
|
token = Credential.last
|
@@ -710,8 +690,8 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
710
690
|
test "reset_password for invalid e-mail" do
|
711
691
|
ActionMailer::Base.deliveries = []
|
712
692
|
|
713
|
-
assert_no_difference
|
714
|
-
post :reset_password, session: { email: 'no@such.email' }
|
693
|
+
assert_no_difference -> { Credential.count } do
|
694
|
+
post :reset_password, params: { session: { email: 'no@such.email' } }
|
715
695
|
end
|
716
696
|
assert ActionMailer::Base.deliveries.empty?, 'no email generated'
|
717
697
|
|
@@ -721,8 +701,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
721
701
|
test "reset_password for invalid e-mail by json" do
|
722
702
|
ActionMailer::Base.deliveries = []
|
723
703
|
|
724
|
-
assert_no_difference
|
725
|
-
post :reset_password,
|
704
|
+
assert_no_difference -> { Credential.count } do
|
705
|
+
post :reset_password, format: 'json', params: {
|
706
|
+
session: { email: 'no@such.email' } }
|
726
707
|
end
|
727
708
|
assert ActionMailer::Base.deliveries.empty?, 'no email generated'
|
728
709
|
|
@@ -734,9 +715,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
734
715
|
test "create delegation to reset_password" do
|
735
716
|
ActionMailer::Base.deliveries = []
|
736
717
|
|
737
|
-
assert_difference
|
738
|
-
post :create, session: { email: @email_credential.email,
|
739
|
-
|
718
|
+
assert_difference -> { Credential.count }, 1 do
|
719
|
+
post :create, params: { session: { email: @email_credential.email,
|
720
|
+
password: '' }, reset_password: 'requested' }
|
740
721
|
end
|
741
722
|
|
742
723
|
token = Credential.last
|
@@ -754,12 +735,10 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
754
735
|
test "omniauth logs in with good account details" do
|
755
736
|
ActionController::Base.allow_forgery_protection = true
|
756
737
|
begin
|
757
|
-
|
758
738
|
request.env['omniauth.auth'] =
|
759
739
|
{ 'provider' => @omniauth_credential.provider,
|
760
740
|
'uid' => @omniauth_credential.uid }
|
761
|
-
post :omniauth, provider: @omniauth_credential.provider
|
762
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
741
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
763
742
|
assert_equal @user, session_current_user, 'session'
|
764
743
|
assert_nil flash[:alert], 'no alert'
|
765
744
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -777,8 +756,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
777
756
|
request.env['omniauth.auth'] =
|
778
757
|
{ 'provider' => @omniauth_credential.provider,
|
779
758
|
'uid' => @omniauth_credential.uid }
|
780
|
-
post :omniauth, provider: @omniauth_credential.provider
|
781
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
759
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
782
760
|
assert_equal @user, session_current_user, 'session'
|
783
761
|
assert_nil flash[:alert], 'no alert'
|
784
762
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -798,7 +776,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
798
776
|
request.env['omniauth.auth'] =
|
799
777
|
{ 'provider' => @omniauth_credential.provider,
|
800
778
|
'uid' => @omniauth_credential.uid }
|
801
|
-
post :omniauth, provider: @omniauth_credential.provider
|
779
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
802
780
|
assert_equal @user, session_current_user, 'session'
|
803
781
|
assert_nil Tokens::Base.with_code(old_token.code).first,
|
804
782
|
'old session not purged'
|
@@ -817,7 +795,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
817
795
|
request.env['omniauth.auth'] =
|
818
796
|
{ 'provider' => @omniauth_credential.provider,
|
819
797
|
'uid' => @omniauth_credential.uid }
|
820
|
-
post :omniauth, provider: @omniauth_credential.provider
|
798
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
821
799
|
assert_equal @user, session_current_user, 'session'
|
822
800
|
assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
|
823
801
|
'old session purged'
|
@@ -835,7 +813,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
835
813
|
old_token.save!
|
836
814
|
request.env['omniauth.auth'] =
|
837
815
|
{ 'provider' => @omniauth_credential.provider, 'uid' => 'fail' }
|
838
|
-
post :omniauth, provider: @omniauth_credential.provider
|
816
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
839
817
|
assert_nil session_current_user, 'session'
|
840
818
|
assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
|
841
819
|
'old session purged'
|
@@ -851,10 +829,9 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
851
829
|
{ 'provider' => @omniauth_credential.provider,
|
852
830
|
'uid' => @omniauth_credential.uid }
|
853
831
|
with_blocked_credential @omniauth_credential do
|
854
|
-
post :omniauth, provider: @omniauth_credential.provider
|
832
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
855
833
|
end
|
856
834
|
assert_redirected_to new_session_url
|
857
|
-
assert_nil assigns(:current_user), 'instance variable'
|
858
835
|
assert_nil session_current_user, 'session'
|
859
836
|
assert_match(/ blocked/, flash[:alert])
|
860
837
|
assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
|
@@ -870,8 +847,7 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
870
847
|
request.env['omniauth.auth'] = omniauth_hash
|
871
848
|
Credentials::OmniAuthUid.expects(:authenticate).at_least_once.
|
872
849
|
with(omniauth_hash).returns @omniauth_credential.user
|
873
|
-
post :omniauth, provider: @omniauth_credential.provider
|
874
|
-
assert_equal @user, assigns(:current_user), 'instance variable'
|
850
|
+
post :omniauth, params: { provider: @omniauth_credential.provider }
|
875
851
|
assert_equal @user, session_current_user, 'session'
|
876
852
|
assert_redirected_to session_url
|
877
853
|
ensure
|