authpwn_rails 0.21.1 → 0.22.0

data/test/credentials/api_token_test.rb

@@ -35,7 +35,7 @@ class ApiTokenTest < ActiveSupport::TestCase
     credential = credentials(:john_api_token)
     assert_equal Tokens::Api, credential.class, 'bad setup'
 
-    assert_no_difference 'Credential.count' do
+    assert_no_difference -> { Credential.count } do
       credential.spend
     end
   end
@@ -58,7 +58,7 @@ class ApiTokenTest < ActiveSupport::TestCase
   test 'random_for' do
     user = users(:jane)
     credential = nil
-    assert_difference 'Credential.count', 1 do
+    assert_difference -> { Credential.count }, 1 do
       credential = Tokens::Api.random_for user
     end
     saved_credential = Tokens::Base.with_code(credential.code).first

data/test/credentials/email_verification_token_test.rb

@@ -47,7 +47,7 @@ class EmailVerificationTokenTest < ActiveSupport::TestCase
     credential = credentials(:john_email_token)
     assert_equal Tokens::EmailVerification, credential.class, 'bad setup'
 
-    assert_difference 'Credential.count', -1 do
+    assert_difference -> { Credential.count }, -1 do
       credential.spend
     end
     assert credential.frozen?, 'not destroyed'
@@ -59,7 +59,7 @@ class EmailVerificationTokenTest < ActiveSupport::TestCase
     credential = credentials(:john_email_token)
     credential.email = 'bill@gmail.com'
 
-    assert_difference 'Credential.count', -1 do
+    assert_difference -> { Credential.count }, -1 do
       credential.spend
     end
     assert credential.frozen?, 'not destroyed'

data/test/credentials/omni_auth_uid_credential_test.rb

@@ -90,7 +90,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
     User.expects(:create_from_omniauth).never
 
     assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
-    assert_difference 'Credentials::OmniAuthUid.count' do
+    assert_difference -> { Credentials::OmniAuthUid.count } do
       assert_equal jane, Credentials::OmniAuthUid.authenticate(omniauth_hash)
     end
     assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
@@ -105,7 +105,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
     User.expects(:create_from_omniauth).with(omniauth_hash).returns user
 
     assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
-    assert_difference 'Credentials::OmniAuthUid.count' do
+    assert_difference -> { Credentials::OmniAuthUid.count } do
       assert_equal user, Credentials::OmniAuthUid.authenticate(omniauth_hash)
     end
     assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
@@ -119,7 +119,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
     User.expects(:create_from_omniauth).with(omniauth_hash).returns nil
 
     assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
-    assert_no_difference 'Credentials::OmniAuthUid.count' do
+    assert_no_difference -> { Credentials::OmniAuthUid.count } do
       assert_equal :invalid,
                    Credentials::OmniAuthUid.authenticate(omniauth_hash)
     end
@@ -138,4 +138,3 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
     end
   end
 end
-

data/test/credentials/one_time_token_credential_test.rb

@@ -30,7 +30,7 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
     credential = credentials(:jane_token)
     assert_equal Tokens::OneTime, credential.class, 'bad setup'
 
-    assert_difference 'Credential.count', -1 do
+    assert_difference -> { Credential.count }, -1 do
       credential.spend
     end
     assert credential.frozen?, 'not destroyed'
@@ -39,10 +39,10 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
   test 'authenticate spends the token' do
     jane = 'skygyoxxmnerxwe4zbi3p5yjtg7zpjl2peyfcwh5wnc37fyfc4xa'
     bogus = 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo'
-    assert_difference 'Credential.count', -1, 'token spent' do
+    assert_difference -> { Credential.count }, -1, 'token spent' do
       assert_equal users(:jane), Tokens::Base.authenticate(jane)
     end
-    assert_no_difference 'Credential.count', 'token mistakenly spent' do
+    assert_no_difference -> { Credential.count }, 'token mistakenly spent' do
       assert_equal :invalid, Tokens::Base.authenticate(bogus)
     end
   end
@@ -51,21 +51,21 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
     jane = 'skygyoxxmnerxwe4zbi3p5yjtg7zpjl2peyfcwh5wnc37fyfc4xa'
 
     with_blocked_credential credentials(:jane_token), :reason do
-      assert_no_difference 'Credential.count', 'no token spent' do
+      assert_no_difference -> { Credential.count }, 'no token spent' do
         assert_equal :reason, Tokens::Base.authenticate(jane)
       end
     end
   end
 
   test 'instance authenticate spends the token' do
-    assert_difference 'Credential.count', -1, 'token spent' do
+    assert_difference -> { Credential.count }, -1, 'token spent' do
       assert_equal users(:jane), credentials(:jane_token).authenticate
     end
   end
 
   test 'instance authenticate calls User#auth_bounce_reason' do
     with_blocked_credential credentials(:jane_token), :reason do
-      assert_no_difference 'Credential.count', 'token mistakenly spent' do
+      assert_no_difference -> { Credential.count }, 'token mistakenly spent' do
         assert_equal :reason, credentials(:jane_token).authenticate
       end
     end

data/test/credentials/password_reset_token_test.rb

@@ -40,8 +40,8 @@ class PasswordVerificationTokenTest < ActiveSupport::TestCase
     credential = credentials(:jane_password_token)
     assert_equal Tokens::PasswordReset, credential.class, 'bad setup'
 
-    assert_difference 'Credential.count', -2 do
-      assert_difference 'Credentials::Password.count', -1 do
+    assert_difference -> { Credential.count }, -2 do
+      assert_difference -> { Credentials::Password.count }, -1 do
         credential.spend
       end
     end
@@ -55,7 +55,7 @@ class PasswordVerificationTokenTest < ActiveSupport::TestCase
     password_credential.destroy
     credential = credentials(:jane_password_token)
 
-    assert_difference 'Credential.count', -1 do
+    assert_difference -> { Credential.count }, -1 do
       credential.spend
     end
     assert credential.frozen?, 'not destroyed'

data/test/credentials/session_uid_token_test.rb

@@ -80,7 +80,7 @@ class SessionUidTokenTest < ActiveSupport::TestCase
     fresh_token.updated_at = Time.current - 1.minute
     fresh_token.save!
 
-    assert_difference 'Credential.count', -1 do
+    assert_difference -> { Credential.count }, -1 do
       Tokens::SessionUid.remove_expired
     end
     assert_nil Tokens::Base.with_code(old_token.code).first
@@ -91,7 +91,7 @@ class SessionUidTokenTest < ActiveSupport::TestCase
   test 'random_for' do
     user = users(:john)
     credential = nil
-    assert_difference 'Credential.count', 1 do
+    assert_difference -> { Credential.count }, 1 do
       credential = Tokens::SessionUid.random_for user, '1.2.3.4', 'Test/UA'
     end
     saved_credential = Tokens::Base.with_code(credential.code).first

data/test/credentials/token_crendential_test.rb

@@ -30,7 +30,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
     credential = credentials(:john_token)
     assert_equal Tokens::Base, credential.class, 'bad setup'
 
-    assert_no_difference 'Credential.count' do
+    assert_no_difference -> { Credential.count } do
       credential.spend
     end
   end
@@ -117,12 +117,12 @@ class TokenCredentialTest < ActiveSupport::TestCase
       token.class.stubs(:expires_after).returns 1.week
       token.save!
     end
-    assert_difference 'Credential.count', -1,
+    assert_difference -> { Credential.count }, -1,
                       'authenticate deletes expired credential' do
       assert_equal :invalid, Tokens::Base.authenticate(john),
                    'expired token'
     end
-    assert_difference 'Credential.count', -1,
+    assert_difference -> { Credential.count }, -1,
                       'authenticate deletes expired credential' do
       assert_equal :invalid, Tokens::Base.authenticate(jane),
                    'expired token'

data/test/fixtures/bare_session/forbidden.html.erb

@@ -3,7 +3,7 @@
 </p>
 
 <% if current_user %>
-<p>
+<p class="forbidden-logged-in-user">
   You should inform the user that they are logged in as
   <%= current_user.exuid %> and suggest them to
   <%= link_to 'sign out', session_path, method: :delete %> and sign in as a

data/test/fixtures/bare_session/home.html.erb

@@ -1,5 +1,6 @@
 <p>
   This view gets displayed when the user is logged in. Right now,
-  user <%= current_user.exuid %> is logged in. You should allow the user to
-  <%= link_to 'Log out', session_path, method: :delete %>.
+  user <span class="user-exuid"><%= current_user.exuid %></span> is logged in.
+  You should allow the user to
+  <%= link_to 'sign out', session_path, method: :delete %>.
 </p>

data/test/fixtures/bare_session/welcome.html.erb

@@ -1,4 +1,4 @@
-<p>
+<p class="welcome-page">
   This view gets displayed when the user is not logged in. Entice the user to
   sign up for your application, and allow them to
   <%= link_to 'sign in', new_session_path %>.

data/test/helpers/db_setup.rb

@@ -38,8 +38,8 @@ class ActiveSupport::TestCase
       File.expand_path '../../../lib/authpwn_rails/generators/templates',
                        __FILE__
 
-  self.use_transactional_fixtures = false
-  self.use_instantiated_fixtures  = false
+  self.use_transactional_tests = true
+  self.use_instantiated_fixtures = false
   self.pre_loaded_fixtures = false
   fixtures :all
 end

data/test/helpers/test_order.rb

@@ -1,3 +1 @@
-if ActiveSupport.respond_to? :test_order
-  ActiveSupport.test_order = :sorted
-end
+ActiveSupport.test_order = :sorted

data/test/http_basic_controller_test.rb

@@ -4,11 +4,23 @@ require_relative 'test_helper'
 class HttpBasicController < ApplicationController
   authenticates_using_http_basic
 
+  # NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
+  #       instance variables. current_user is a part of authpwn's API, so we
+  #       must test it.
+  before_action :export_current_user_to_cookie
+  def export_current_user_to_cookie
+    cookies['_authpwn_test_cuid'] = if current_user
+      current_user.id.to_s
+    else
+      'nil'
+    end
+  end
+
   def show
     if current_user
-      render text: "User: #{current_user.id}"
+      render plain: "User: #{current_user.id}"
     else
-      render text: "No user"
+      render plain: "No user"
     end
   end
 
@@ -25,7 +37,7 @@ class HttpBasicControllerTest < ActionController::TestCase
   test "no user_id in session cookie or header" do
     get :show
     assert_response :success
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
@@ -33,14 +45,14 @@ class HttpBasicControllerTest < ActionController::TestCase
     set_session_current_user @user
     get :show
     assert_response :success
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
   test "valid user credentials in header" do
     set_http_basic_user @user, 'pa55w0rd'
     get :show
-    assert_equal @user, assigns(:current_user)
+    assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 
     jane_id = ActiveRecord::FixtureSet.identify :jane
     assert_equal "User: #{jane_id}", response.body
@@ -49,7 +61,7 @@ class HttpBasicControllerTest < ActionController::TestCase
   test "invalid user credentials in header" do
     set_http_basic_user @user, 'fail'
     get :show
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
@@ -60,7 +72,7 @@ class HttpBasicControllerTest < ActionController::TestCase
     User.expects(:authenticate_signin).at_least_once.with(signin).returns @user
     set_http_basic_user @user, 'fail'
     get :show
-    assert_equal @user, assigns(:current_user)
+    assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 
     jane_id = ActiveRecord::FixtureSet.identify :jane
     assert_equal "User: #{jane_id}", response.body
@@ -70,30 +82,30 @@ class HttpBasicControllerTest < ActionController::TestCase
     set_http_basic_user @user, 'pa55w0rd'
     set_http_basic_user nil
     get :show
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
   test "mocked user credentials in header" do
     set_http_basic_user @user
     get :show
-    assert_equal @user, assigns(:current_user)
+    assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
 
     jane_id = ActiveRecord::FixtureSet.identify :jane
     assert_equal "User: #{jane_id}", response.body
   end
 
   test "invalid authpwn_suid in session" do
-    get :show, {}, authpwn_suid: 'random@user.com'
+    get :show, params: {}, session: { authpwn_suid: 'random@user.com' }
     assert_response :success
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
   end
 
   test "valid user bounced to http authentication" do
     set_http_basic_user @user
     get :bouncer
     assert_response :forbidden
-    assert_template 'session/forbidden'
+    assert_select 'p.forbidden-logged-in-user'
     assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
     # Make sure no layout was rendered.
     assert_select 'title', 0

data/test/http_token_controller_test.rb

@@ -4,11 +4,23 @@ require_relative 'test_helper'
 class HttpTokenController < ApplicationController
   authenticates_using_http_token
 
+  # NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
+  #       instance variables. current_user is a part of authpwn's API, so we
+  #       must test it.
+  before_action :export_current_user_to_cookie
+  def export_current_user_to_cookie
+    cookies['_authpwn_test_cuid'] = if current_user
+      current_user.id.to_s
+    else
+      'nil'
+    end
+  end
+
   def show
     if current_user
-      render text: "User: #{current_user.id}"
+      render plain: "User: #{current_user.id}"
     else
-      render text: "No user"
+      render plain: "No user"
     end
   end
 
@@ -25,7 +37,7 @@ class HttpTokenControllerTest < ActionController::TestCase
   test "no user_id in session cookie or header" do
     get :show
     assert_response :success
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
@@ -33,14 +45,14 @@ class HttpTokenControllerTest < ActionController::TestCase
     set_session_current_user @user
     get :show
     assert_response :success
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
   test "valid user credentials in header" do
     set_http_token_user @user
     get :show
-    assert_equal @user, assigns(:current_user)
+    assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
     assert_equal nil, session_current_user,
         'Token authentication should not update the session'
 
@@ -52,7 +64,7 @@ class HttpTokenControllerTest < ActionController::TestCase
     set_http_token_user @user
     Tokens::Api.where(user_id: @user.id).destroy_all
     get :show
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
@@ -61,7 +73,7 @@ class HttpTokenControllerTest < ActionController::TestCase
         returns @user
     set_http_token_user @user, 'ap1c0d3'
     get :show
-    assert_equal @user, assigns(:current_user)
+    assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
     assert_equal nil, session_current_user,
         'Token authentication should not update the session'
 
@@ -73,7 +85,7 @@ class HttpTokenControllerTest < ActionController::TestCase
     set_http_token_user @user
     set_http_token_user nil
     get :show
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
     assert_equal 'No user', response.body
   end
 
@@ -81,7 +93,7 @@ class HttpTokenControllerTest < ActionController::TestCase
     user = users(:jane)
     set_http_token_user user
     get :show
-    assert_equal user, assigns(:current_user)
+    assert_equal user.id.to_s, cookies['_authpwn_test_cuid']
     assert_equal nil, session_current_user,
         'Token authentication should not update the session'
 
@@ -90,16 +102,16 @@ class HttpTokenControllerTest < ActionController::TestCase
   end
 
   test "invalid authpwn_suid in session" do
-    get :show, {}, authpwn_suid: 'random@user.com'
+    get :show, session: { authpwn_suid: 'random@user.com' }
     assert_response :success
-    assert_nil assigns(:current_user)
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
   end
 
   test "valid user bounced to http authentication" do
     set_http_token_user @user
     get :bouncer
     assert_response :forbidden
-    assert_template 'session/forbidden'
+    assert_select 'p.forbidden-logged-in-user'
     assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
     # Make sure no layout was rendered.
     assert_select 'title', 0

data/test/session_controller_api_test.rb

@@ -3,6 +3,18 @@ require_relative 'test_helper'
 class BareSessionController < ApplicationController
   include Authpwn::SessionController
   self.append_view_path File.expand_path('../fixtures', __FILE__)
+
+  # NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
+  #       instance variables. current_user is a part of authpwn's API, so we
+  #       must test it.
+  before_action :export_current_user_to_cookie
+  def export_current_user_to_cookie
+    cookies['_authpwn_test_cuid'] = if current_user
+      current_user.id.to_s
+    else
+      'nil'
+    end
+  end
 end
 
 # Tests the methods injected by authpwn_session_controller.
@@ -25,8 +37,8 @@ class SessionControllerApiTest < ActionController::TestCase
   test "show renders welcome without a user" do
     @controller.expects(:welcome).once.returns nil
     get :show
-    assert_template :welcome
-    assert_nil assigns(:current_user)
+    assert_select 'p.welcome-page'
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
   end
 
   test "show json renders empty object without a user" do
@@ -40,8 +52,8 @@ class SessionControllerApiTest < ActionController::TestCase
     @controller.expects(:home).once.returns nil
     set_session_current_user @user
     get :show
-    assert_template :home
-    assert_equal @user, assigns(:current_user)
+    assert_select 'span.user-exuid', @user.exuid.to_s
+    assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
   end
 
   test "show json renders user when logged in" do
@@ -52,14 +64,7 @@ class SessionControllerApiTest < ActionController::TestCase
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
 
-    if @controller.respond_to? :valid_authenticity_token?, true
-      # Rails 4.2+ uses variable CSRF tokens.
-      assert @controller.send(:valid_authenticity_token?, session,
-                              data['csrf'])
-    else
-      # Rails 4.0 and 4.1 store the CSRF token in the session.
-      assert_equal session[:_csrf_token], data['csrf']
-    end
+    assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
   end
 
   test "new redirects to session#show when a user is logged in" do
@@ -70,23 +75,21 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "new renders login form without a user" do
     get :new
-    assert_template :new
-    assert_nil assigns(:current_user), 'current_user should not be set'
+    assert_select 'form[action="/session"]'
+    assert_equal 'nil', cookies['_authpwn_test_cuid']
   end
 
   test "new renders redirect_url when present in flash" do
     url = 'http://authpwn.redirect.url'
-    get :new, {}, {}, { auth_redirect_url: url }
-    assert_template :new
-    assert_select 'form' do
+    get :new, flash: { auth_redirect_url: url }
+    assert_select 'form[action="/session"]' do
       assert_select "input[name=\"redirect_url\"][value=\"#{url}\"]"
     end
   end
 
   test "create logs in with good account details" do
-    post :create, session: { email: @email_credential.email,
-                             password: 'pa55w0rd' }
-    assert_equal @user, assigns(:current_user), 'instance variable'
+    post :create, params: { session: { email: @email_credential.email,
+                                       password: 'pa55w0rd' } }
     assert_equal @user, session_current_user, 'session'
     assert_nil flash[:alert], 'no alert'
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -94,8 +97,8 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "create logs in with good raw account details" do
-    post :create, email: @email_credential.email, password: 'pa55w0rd'
-    assert_equal @user, assigns(:current_user), 'instance variable'
+    post :create, params: { email: @email_credential.email,
+                            password: 'pa55w0rd' }
     assert_equal @user, session_current_user, 'session'
     assert_nil flash[:alert], 'no alert'
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -105,9 +108,8 @@ class SessionControllerApiTest < ActionController::TestCase
   test "create logs in with good account details and no User-Agent" do
     request.headers['User-Agent'] = nil
 
-    post :create, session: { email: @email_credential.email,
-                             password: 'pa55w0rd' }
-    assert_equal @user, assigns(:current_user), 'instance variable'
+    post :create, params: { session: { email: @email_credential.email,
+                                       password: 'pa55w0rd' } }
     assert_equal @user, session_current_user, 'session'
     assert_nil flash[:alert], 'no alert'
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -119,8 +121,8 @@ class SessionControllerApiTest < ActionController::TestCase
     old_token = credentials(:jane_session_token)
     old_token.updated_at = Time.current - 1.year
     old_token.save!
-    post :create, session: { email: @email_credential.email,
-                             password: 'pa55w0rd' }
+    post :create, params: { session: { email: @email_credential.email,
+                                       password: 'pa55w0rd' } }
     assert_equal @user, session_current_user, 'session'
     assert_nil Tokens::Base.with_code(old_token.code).first,
                'old session not purged'
@@ -131,29 +133,23 @@ class SessionControllerApiTest < ActionController::TestCase
     old_token = credentials(:jane_session_token)
     old_token.updated_at = Time.current - 1.year
     old_token.save!
-    post :create, email: @email_credential.email, password: 'pa55w0rd'
+    post :create, params: { session: { email: @email_credential.email,
+                                       password: 'pa55w0rd' } }
     assert_equal @user, session_current_user, 'session'
     assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
                'old session purged'
   end
 
   test "create by json logs in with good account details" do
-    post :create, email: @email_credential.email, password: 'pa55w0rd',
-                  format: 'json'
+    post :create, format: 'json', params: { email: @email_credential.email,
+                                            password: 'pa55w0rd' }
+
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
-    assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
 
-    if @controller.respond_to? :valid_authenticity_token?, true
-      # Rails 4.2+ uses variable CSRF tokens.
-      assert @controller.send(:valid_authenticity_token?, session,
-                              data['csrf'])
-    else
-      # Rails 4.0 and 4.1 store the CSRF token in the session.
-      assert_equal session[:_csrf_token], data['csrf']
-    end
+    assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
   end
 
   test "create by json purges sessions when logging in" do
@@ -161,8 +157,9 @@ class SessionControllerApiTest < ActionController::TestCase
     old_token = credentials(:jane_session_token)
     old_token.updated_at = Time.current - 1.year
     old_token.save!
-    post :create, email: @email_credential.email, password: 'pa55w0rd',
-                  format: 'json'
+    post :create, format: 'json', params: { email: @email_credential.email,
+                                            password: 'pa55w0rd' }
+
     assert_response :ok
     assert_equal @user, session_current_user, 'session'
     assert_nil Tokens::Base.with_code(old_token.code).first,
@@ -171,17 +168,17 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "create redirects properly with good account details" do
     url = 'http://authpwn.redirect.url'
-    post :create, session: { email: @email_credential.email,
-                             password: 'pa55w0rd' }, redirect_url: url
+    post :create, params: { redirect_url: url, session: {
+        email: @email_credential.email, password: 'pa55w0rd' } }
     assert_redirected_to url
     assert_nil flash[:alert], 'no alert'
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
   end
 
   test "create does not log in with bad password" do
-    post :create, session: { email: @email_credential.email, password: 'fail' }
+    post :create, params: { session: { email: @email_credential.email,
+                                       password: 'fail' } }
     assert_redirected_to new_session_url
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
     assert_match(/Invalid/, flash[:alert])
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -190,10 +187,9 @@ class SessionControllerApiTest < ActionController::TestCase
   test "create does not log in with expired password" do
     @password_credential.updated_at = Time.current - 2.years
     @password_credential.save!
-    post :create, session: { email: @email_credential.email,
-                             password: 'pa55w0rd' }
+    post :create, params: { session: { email: @email_credential.email,
+                                       password: 'pa55w0rd' } }
     assert_redirected_to new_session_url
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
     assert_match(/expired/, flash[:alert])
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -204,7 +200,8 @@ class SessionControllerApiTest < ActionController::TestCase
     old_token = credentials(:jane_session_token)
     old_token.updated_at = Time.current - 1.year
     old_token.save!
-    post :create, session: { email: @email_credential.email, password: 'fail' }
+    post :create, params: { session: { email: @email_credential.email,
+                                       password: 'fail' } }
     assert_nil session_current_user, 'session'
     assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
                'old session purged'
@@ -212,11 +209,10 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "create does not log in blocked accounts" do
     with_blocked_credential @email_credential do
-      post :create, session: { email: @email_credential.email,
-                               password: 'pa55w0rd' }
+      post :create, params: { session: { email: @email_credential.email,
+                                         password: 'pa55w0rd' } }
     end
     assert_redirected_to new_session_url
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
     assert_match(/ blocked/, flash[:alert])
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -228,62 +224,59 @@ class SessionControllerApiTest < ActionController::TestCase
         email: 'em@ail.com', password: 'fail').returns signin
     User.expects(:authenticate_signin).at_least_once.with(signin).
          returns @email_credential.user
-    post :create, email: 'em@ail.com', password: 'fail'
-    assert_equal @user, assigns(:current_user), 'instance variable'
+    post :create, params: { email: 'em@ail.com', password: 'fail' }
     assert_equal @user, session_current_user, 'session'
     assert_redirected_to session_url
   end
 
   test "create by json does not log in with bad password" do
-    post :create, email: @email_credential.email, password: 'fail',
-                  format: 'json'
+    post :create, format: 'json', params: {
+        email: @email_credential.email, password: 'fail' }
+
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
     assert_match(/invalid/i , data['text'])
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
 
   test "create by json does not log in with expired password" do
     @password_credential.updated_at = Time.current - 2.years
     @password_credential.save!
-    post :create, email: @email_credential.email, password: 'pa55w0rd',
-                  format: 'json'
+    post :create, format: 'json', params: {
+        email: @email_credential.email, password: 'pa55w0rd' }
+
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'expired', data['error']
     assert_match(/expired/i , data['text'])
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
 
   test "create by json does not log in blocked accounts" do
     with_blocked_credential @email_credential do
-      post :create, email: @email_credential.email, password: 'pa55w0rd',
-                    format: 'json'
+      post :create, format: 'json', params: {
+          email: @email_credential.email, password: 'pa55w0rd' }
     end
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'blocked', data['error']
     assert_match(/blocked/i , data['text'])
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
 
   test "create maintains redirect_url for bad logins" do
     url = 'http://authpwn.redirect.url'
-    post :create, session: { email: @email_credential.email,
-                             password: 'fail' }, redirect_url: url
+    post :create, params: { redirect_url: url, session: {
+        email: @email_credential.email, password: 'fail' } }
     assert_redirected_to new_session_url
     assert_match(/Invalid /, flash[:alert])
     assert_equal url, flash[:auth_redirect_url]
   end
 
   test "create does not log in with bad e-mail" do
-    post :create, email: 'nobody@gmail.com', password: 'no'
+    post :create, params: { email: 'nobody@gmail.com', password: 'no' }
     assert_redirected_to new_session_url
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
     assert_match(/Invalid /, flash[:alert])
     assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -292,9 +285,8 @@ class SessionControllerApiTest < ActionController::TestCase
   test "token logs in with good token" do
     @controller.expects(:home_with_token).once.with(@token_credential).
                 returns(nil)
-    get :token, code: @token_credential.code
+    get :token, params: { code: @token_credential.code }
     assert_redirected_to session_url
-    assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
     assert_nil Tokens::Base.with_code(@token_credential.code).first,
                'one-time credential is spent'
@@ -305,9 +297,8 @@ class SessionControllerApiTest < ActionController::TestCase
 
     @controller.expects(:home_with_token).once.with(@token_credential).
                 returns(nil)
-    get :token, code: @token_credential.code
+    get :token, params: { code: @token_credential.code }
     assert_redirected_to session_url
-    assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
     assert_nil Tokens::Base.with_code(@token_credential.code).first,
                'one-time credential is spent'
@@ -316,70 +307,58 @@ class SessionControllerApiTest < ActionController::TestCase
   test "token by json logs in with good token" do
     @controller.expects(:home_with_token).once.with(@token_credential).
                 returns(nil)
-    get :token, code: @token_credential.code, format: 'json'
+    get :token, format: 'json', params: { code: @token_credential.code }
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal @user.exuid, data['user']['exuid']
-    assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
     assert_nil Tokens::Base.with_code(@token_credential.code).first,
                'one-time credential is spent'
 
-    if @controller.respond_to? :valid_authenticity_token?, true
-      # Rails 4.2+ uses variable CSRF tokens.
-      assert @controller.send(:valid_authenticity_token?, session,
-                              data['csrf'])
-    else
-      # Rails 4.0 and 4.1 store the CSRF token in the session.
-      assert_equal session[:_csrf_token], data['csrf']
-    end
+    assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
   end
 
   test "token does not log in with random token" do
-    assert_no_difference 'Credential.count', 'no credential is spent' do
-      get :token, code: 'no-such-token'
+    assert_no_difference -> { Credential.count }, 'no credential is spent' do
+      get :token, params: { code: 'no-such-token' }
     end
     assert_redirected_to new_session_url
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
     assert_match(/Invalid/, flash[:alert])
   end
 
   test "token does not log in blocked accounts" do
     with_blocked_credential @token_credential do
-      assert_no_difference 'Credential.count', 'no credential is spent' do
-        get :token, code: @token_credential.code
+      assert_no_difference -> { Credential.count }, 'no credential is spent' do
+        get :token, params: { code: @token_credential.code }
       end
     end
     assert_redirected_to new_session_url
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
     assert_match(/ blocked/, flash[:alert])
   end
 
   test "token by json does not log in with random token" do
-    assert_no_difference 'Credential.count', 'no credential is spent' do
-      get :token, code: 'no-such-token', format: 'json'
+    assert_no_difference -> { Credential.count }, 'no credential is spent' do
+      get :token, format: 'json', params: { code: 'no-such-token' }
     end
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
     assert_match(/invalid/i , data['text'])
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
 
   test "token by json does not log in blocked accounts" do
     with_blocked_credential @token_credential do
-      assert_no_difference 'Credential.count', 'no credential is spent' do
-        get :token, code: @token_credential.code, format: 'json'
+      assert_no_difference -> { Credential.count }, 'no credential is spent' do
+        get :token, format: 'json', params: { code: @token_credential.code }
       end
     end
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'blocked', data['error']
     assert_match(/blocked/i , data['text'])
-    assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
 
@@ -388,7 +367,6 @@ class SessionControllerApiTest < ActionController::TestCase
     delete :destroy
 
     assert_redirected_to session_url
-    assert_nil assigns(:current_user)
   end
 
   test "logout by json" do
@@ -396,7 +374,6 @@ class SessionControllerApiTest < ActionController::TestCase
     delete :destroy, format: 'json'
 
     assert_response :ok
-    assert_nil assigns(:current_user)
   end
 
   test "api_token request" do
@@ -409,7 +386,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "api_token request from user without token" do
     set_session_current_user @user
-    assert_difference 'Tokens::Api.count', 1 do
+    assert_difference -> { Tokens::Api.count }, 1 do
       get :api_token
     end
     assert_response :ok
@@ -433,7 +410,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "api_token JSON request from user without token" do
     set_session_current_user @user
-    assert_difference 'Tokens::Api.count', 1 do
+    assert_difference -> { Tokens::Api.count }, 1 do
       get :api_token, format: 'json'
     end
     token = @user.credentials.where(type: 'Tokens::Api').first
@@ -453,7 +430,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "api_token destroy request" do
     user = users(:john)
     set_session_current_user user
-    assert_difference 'Tokens::Api.count', -1 do
+    assert_difference -> { Tokens::Api.count }, -1 do
       delete :destroy_api_token
     end
     assert_nil user.credentials.where(type: 'Tokens::Api').first
@@ -463,7 +440,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "api_token destroy request from user without token" do
     set_session_current_user @user
-    assert_no_difference 'Tokens::Api.count' do
+    assert_no_difference -> { Tokens::Api.count } do
       delete :destroy_api_token
     end
     assert_nil @user.credentials.where(type: 'Tokens::Api').first
@@ -479,7 +456,7 @@ class SessionControllerApiTest < ActionController::TestCase
   test "api_token destroy JSON request" do
     user = users(:john)
     set_session_current_user user
-    assert_difference 'Tokens::Api.count', -1 do
+    assert_difference -> { Tokens::Api.count }, -1 do
       delete :destroy_api_token, format: 'json'
     end
 
@@ -490,7 +467,7 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "api_token destroy JSON request from user without token" do
     set_session_current_user @user
-    assert_no_difference 'Tokens::Api.count' do
+    assert_no_difference -> { Tokens::Api.count } do
       delete :destroy_api_token, format: 'json'
     end
 
@@ -518,15 +495,15 @@ class SessionControllerApiTest < ActionController::TestCase
     set_session_current_user @user
     get :password_change
     assert_response :ok
-    assert_template :password_change
-    assert_equal @password_credential, assigns(:credential)
+    assert_select 'form[action="/session/change_password"][method="post"]' do
+      assert_select 'input[name="credential[old_password]"]'
+    end
   end
 
   test "change_password bounces without logged in user" do
-    post :change_password, credential: { old_password: 'pa55w0rd',
-        password: 'hacks', password_confirmation: 'hacks' }
+    post :change_password, params: { credential: { old_password: 'pa55w0rd',
+        password: 'hacks', password_confirmation: 'hacks' } }
     assert_response :forbidden
-    assert_template 'session/forbidden'
     # Make sure no layout was rendered.
     assert_select 'title', 0
     assert_select 'h1', 0
@@ -534,32 +511,31 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password works with correct input" do
     set_session_current_user @user
-    post :change_password, credential: { old_password: 'pa55w0rd',
-        password: 'hacks', password_confirmation: 'hacks'}
+    post :change_password, params: { credential: { old_password: 'pa55w0rd',
+        password: 'hacks', password_confirmation: 'hacks'} }
     assert_redirected_to session_url
-    assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'hacks')), 'password not changed'
   end
 
   test "change_password works with correct input and extra form input" do
     set_session_current_user @user
-    post :change_password, credential: { old_password: 'pa55w0rd',
+    post :change_password, params: { credential: { old_password: 'pa55w0rd',
         password: 'hacks', password_confirmation: 'hacks' }, utf8: "\u2713",
-        commit: 'Change Password'
+        commit: 'Change Password' }
     assert_redirected_to session_url
-    assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'hacks')), 'password not changed'
   end
 
   test "change_password rejects bad old password" do
     set_session_current_user @user
-    post :change_password, credential: { old_password: '_pa55w0rd',
-        password: 'hacks', password_confirmation: 'hacks' }
+    post :change_password, params: { credential: { old_password: '_pa55w0rd',
+        password: 'hacks', password_confirmation: 'hacks' } }
     assert_response :ok
-    assert_template :password_change
-    assert_equal @password_credential, assigns(:credential)
+    assert_select 'form[action="/session/change_password"][method="post"]' do
+      assert_select 'input[name="credential[old_password]"]'
+    end
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'pa55w0rd')),
         'password wrongly changed'
@@ -567,11 +543,12 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password rejects un-confirmed password" do
     set_session_current_user @user
-    post :change_password, credential: { old_password: 'pa55w0rd',
-        password: 'hacks', password_confirmation: 'hacks_' }
+    post :change_password, params: { credential: { old_password: 'pa55w0rd',
+        password: 'hacks', password_confirmation: 'hacks_' } }
     assert_response :ok
-    assert_template :password_change
-    assert_equal @password_credential, assigns(:credential)
+    assert_select 'form[action="/session/change_password"][method="post"]' do
+      assert_select 'input[name="credential[old_password]"]'
+    end
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'pa55w0rd')),
         'password wrongly changed'
@@ -580,8 +557,8 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password works for password recovery" do
     set_session_current_user @user
     @password_credential.destroy
-    post :change_password, credential: { password: 'hacks',
-                                         password_confirmation: 'hacks' }
+    post :change_password, params: { credential: { password: 'hacks',
+        password_confirmation: 'hacks' } }
     assert_redirected_to session_url
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'hacks')), 'password not changed'
@@ -590,18 +567,20 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password rejects un-confirmed password on recovery" do
     set_session_current_user @user
     @password_credential.destroy
-    assert_no_difference 'Credential.count' do
-      post :change_password, credential: { password: 'hacks',
-                                           password_confirmation: 'hacks_' }
+    assert_no_difference -> { Credential.count } do
+      post :change_password, params: { credential: { password: 'hacks',
+          password_confirmation: 'hacks_' } }
     end
     assert_response :ok
-    assert_template :password_change
+    assert_select 'form[action="/session/change_password"][method="post"]' do
+      assert_select 'input[name="credential[old_password]"]', count: 0
+    end
   end
 
   test "change_password by json bounces without logged in user" do
-    post :change_password, format: 'json',
+    post :change_password, format: 'json', params: {
         credential: { old_password: 'pa55w0rd', password: 'hacks',
-                      password_confirmation: 'hacks' }
+                      password_confirmation: 'hacks' } }
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'Please sign in', data['error']
@@ -609,9 +588,9 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password by json works with correct input" do
     set_session_current_user @user
-    post :change_password, format: 'json',
+    post :change_password, format: 'json', params: {
         credential: { old_password: 'pa55w0rd', password: 'hacks',
-                      password_confirmation: 'hacks' }
+                      password_confirmation: 'hacks' } }
     assert_response :ok
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'hacks')), 'password not changed'
@@ -619,13 +598,12 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password by json rejects bad old password" do
     set_session_current_user @user
-    post :change_password, format: 'json',
+    post :change_password, format: 'json', params: {
         credential: { old_password: '_pa55w0rd', password: 'hacks',
-                      password_confirmation: 'hacks' }
+                      password_confirmation: 'hacks' } }
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
-    assert_equal @password_credential, assigns(:credential)
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'pa55w0rd')),
         'password wrongly changed'
@@ -633,9 +611,9 @@ class SessionControllerApiTest < ActionController::TestCase
 
   test "change_password by json rejects un-confirmed password" do
     set_session_current_user @user
-    post :change_password, format: 'json',
+    post :change_password, format: 'json', params: {
          credential: { old_password: 'pa55w0rd', password: 'hacks',
-                       password_confirmation: 'hacks_' }
+                       password_confirmation: 'hacks_' } }
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
     assert_equal 'invalid', data['error']
@@ -647,8 +625,8 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password by json works for password recovery" do
     set_session_current_user @user
     @password_credential.destroy
-    post :change_password, format: 'json',
-         credential: { password: 'hacks', password_confirmation: 'hacks' }
+    post :change_password, format: 'json', params: {
+         credential: { password: 'hacks', password_confirmation: 'hacks' } }
     assert_response :ok
     assert_equal @user, User.authenticate_signin(Session.new(email:
         @email_credential.email, password: 'hacks')), 'password not changed'
@@ -657,9 +635,9 @@ class SessionControllerApiTest < ActionController::TestCase
   test "change_password by json rejects un-confirmed password on recovery" do
     set_session_current_user @user
     @password_credential.destroy
-    assert_no_difference 'Credential.count' do
-      post :change_password, format: 'json',
-           credential: { password: 'hacks', password_confirmation: 'hacks_' }
+    assert_no_difference -> { Credential.count } do
+      post :change_password, format: 'json', params: {
+           credential: { password: 'hacks', password_confirmation: 'hacks_' } }
     end
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
@@ -670,8 +648,9 @@ class SessionControllerApiTest < ActionController::TestCase
     ActionMailer::Base.deliveries = []
     request.host = 'mail.test.host:1234'
 
-    assert_difference 'Credential.count', 1 do
-      post :reset_password, session: { email: @email_credential.email }
+    assert_difference -> { Credential.count }, 1 do
+      post :reset_password, params: {
+          session: { email: @email_credential.email } }
     end
 
     token = Credential.last
@@ -692,9 +671,10 @@ class SessionControllerApiTest < ActionController::TestCase
   test "reset_password for good e-mail by json" do
     ActionMailer::Base.deliveries = []
 
-    assert_difference 'Credential.count', 1 do
-      post :reset_password, session: { email: @email_credential.email },
-                            format: 'json'
+    assert_difference -> { Credential.count }, 1 do
+      post :reset_password, format: 'json', params: {
+          session: { email: @email_credential.email } }
+
     end
 
     token = Credential.last
@@ -710,8 +690,8 @@ class SessionControllerApiTest < ActionController::TestCase
   test "reset_password for invalid e-mail" do
     ActionMailer::Base.deliveries = []
 
-    assert_no_difference 'Credential.count' do
-      post :reset_password, session: { email: 'no@such.email' }
+    assert_no_difference -> { Credential.count } do
+      post :reset_password, params: { session: { email: 'no@such.email' } }
     end
     assert ActionMailer::Base.deliveries.empty?, 'no email generated'
 
@@ -721,8 +701,9 @@ class SessionControllerApiTest < ActionController::TestCase
   test "reset_password for invalid e-mail by json" do
     ActionMailer::Base.deliveries = []
 
-    assert_no_difference 'Credential.count' do
-      post :reset_password, session: { email: 'no@such.email' }, format: 'json'
+    assert_no_difference -> { Credential.count } do
+      post :reset_password, format: 'json', params: {
+          session: { email: 'no@such.email' } }
     end
     assert ActionMailer::Base.deliveries.empty?, 'no email generated'
 
@@ -734,9 +715,9 @@ class SessionControllerApiTest < ActionController::TestCase
   test "create delegation to reset_password" do
     ActionMailer::Base.deliveries = []
 
-    assert_difference 'Credential.count', 1 do
-      post :create, session: { email: @email_credential.email, password: '' },
-                    reset_password: :requested
+    assert_difference -> { Credential.count }, 1 do
+      post :create, params: { session: { email: @email_credential.email,
+          password: '' }, reset_password: 'requested' }
     end
 
     token = Credential.last
@@ -754,12 +735,10 @@ class SessionControllerApiTest < ActionController::TestCase
   test "omniauth logs in with good account details" do
     ActionController::Base.allow_forgery_protection = true
     begin
-
       request.env['omniauth.auth'] =
           { 'provider' => @omniauth_credential.provider,
             'uid' => @omniauth_credential.uid }
-      post :omniauth, provider: @omniauth_credential.provider
-      assert_equal @user, assigns(:current_user), 'instance variable'
+      post :omniauth, params: { provider: @omniauth_credential.provider }
       assert_equal @user, session_current_user, 'session'
       assert_nil flash[:alert], 'no alert'
       assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -777,8 +756,7 @@ class SessionControllerApiTest < ActionController::TestCase
       request.env['omniauth.auth'] =
           { 'provider' => @omniauth_credential.provider,
             'uid' => @omniauth_credential.uid }
-      post :omniauth, provider: @omniauth_credential.provider
-      assert_equal @user, assigns(:current_user), 'instance variable'
+      post :omniauth, params: { provider: @omniauth_credential.provider }
       assert_equal @user, session_current_user, 'session'
       assert_nil flash[:alert], 'no alert'
       assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -798,7 +776,7 @@ class SessionControllerApiTest < ActionController::TestCase
       request.env['omniauth.auth'] =
           { 'provider' => @omniauth_credential.provider,
             'uid' => @omniauth_credential.uid }
-      post :omniauth, provider: @omniauth_credential.provider
+      post :omniauth, params: { provider: @omniauth_credential.provider }
       assert_equal @user, session_current_user, 'session'
       assert_nil Tokens::Base.with_code(old_token.code).first,
                  'old session not purged'
@@ -817,7 +795,7 @@ class SessionControllerApiTest < ActionController::TestCase
       request.env['omniauth.auth'] =
           { 'provider' => @omniauth_credential.provider,
             'uid' => @omniauth_credential.uid }
-      post :omniauth, provider: @omniauth_credential.provider
+      post :omniauth, params: { provider: @omniauth_credential.provider }
       assert_equal @user, session_current_user, 'session'
       assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
                  'old session purged'
@@ -835,7 +813,7 @@ class SessionControllerApiTest < ActionController::TestCase
       old_token.save!
       request.env['omniauth.auth'] =
           { 'provider' => @omniauth_credential.provider, 'uid' => 'fail' }
-      post :omniauth, provider: @omniauth_credential.provider
+      post :omniauth, params: { provider: @omniauth_credential.provider }
       assert_nil session_current_user, 'session'
       assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
                  'old session purged'
@@ -851,10 +829,9 @@ class SessionControllerApiTest < ActionController::TestCase
           { 'provider' => @omniauth_credential.provider,
             'uid' => @omniauth_credential.uid }
       with_blocked_credential @omniauth_credential do
-        post :omniauth, provider: @omniauth_credential.provider
+        post :omniauth, params: { provider: @omniauth_credential.provider }
       end
       assert_redirected_to new_session_url
-      assert_nil assigns(:current_user), 'instance variable'
       assert_nil session_current_user, 'session'
       assert_match(/ blocked/, flash[:alert])
       assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -870,8 +847,7 @@ class SessionControllerApiTest < ActionController::TestCase
       request.env['omniauth.auth'] = omniauth_hash
       Credentials::OmniAuthUid.expects(:authenticate).at_least_once.
           with(omniauth_hash).returns @omniauth_credential.user
-      post :omniauth, provider: @omniauth_credential.provider
-      assert_equal @user, assigns(:current_user), 'instance variable'
+      post :omniauth, params: { provider: @omniauth_credential.provider }
       assert_equal @user, session_current_user, 'session'
       assert_redirected_to session_url
     ensure