authpwn_rails 0.21.1 → 0.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. checksums.yaml +4 -4
  2. data/.travis.yml +2 -4
  3. data/Gemfile +6 -6
  4. data/Gemfile.lock +69 -65
  5. data/{Gemfile.rails4 → Gemfile.rails5} +7 -6
  6. data/{README.rdoc → README.md} +21 -13
  7. data/Rakefile +1 -1
  8. data/VERSION +1 -1
  9. data/app/models/tokens/email_verification.rb +2 -2
  10. data/app/models/tokens/password_reset.rb +1 -1
  11. data/authpwn_rails.gemspec +26 -28
  12. data/lib/authpwn_rails/generators/templates/001_create_users.rb +1 -1
  13. data/lib/authpwn_rails/generators/templates/003_create_credentials.rb +2 -2
  14. data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +1 -1
  15. data/lib/authpwn_rails/generators/templates/session/home.html.erb +3 -2
  16. data/lib/authpwn_rails/generators/templates/session_controller_test.rb +11 -11
  17. data/lib/authpwn_rails/generators/templates/session_mailer_test.rb +2 -10
  18. data/lib/authpwn_rails/http_basic.rb +4 -4
  19. data/lib/authpwn_rails/http_token.rb +1 -1
  20. data/lib/authpwn_rails/session.rb +4 -4
  21. data/lib/authpwn_rails/session_controller.rb +6 -10
  22. data/test/{test_extensions_test.rb → action_controller_test_extensions_test.rb} +4 -5
  23. data/test/cookie_controller_test.rb +52 -42
  24. data/test/credentials/api_token_test.rb +2 -2
  25. data/test/credentials/email_verification_token_test.rb +2 -2
  26. data/test/credentials/omni_auth_uid_credential_test.rb +3 -4
  27. data/test/credentials/one_time_token_credential_test.rb +6 -6
  28. data/test/credentials/password_reset_token_test.rb +3 -3
  29. data/test/credentials/session_uid_token_test.rb +2 -2
  30. data/test/credentials/token_crendential_test.rb +3 -3
  31. data/test/fixtures/bare_session/forbidden.html.erb +1 -1
  32. data/test/fixtures/bare_session/home.html.erb +3 -2
  33. data/test/fixtures/bare_session/welcome.html.erb +1 -1
  34. data/test/helpers/db_setup.rb +2 -2
  35. data/test/helpers/test_order.rb +1 -3
  36. data/test/http_basic_controller_test.rb +24 -12
  37. data/test/http_token_controller_test.rb +24 -12
  38. data/test/session_controller_api_test.rb +140 -164
  39. data/test/session_mailer_api_test.rb +2 -10
  40. metadata +19 -27
  41. data/Gemfile.rails41 +0 -18
  42. data/Gemfile.rails42 +0 -18
@@ -35,7 +35,7 @@ class ApiTokenTest < ActiveSupport::TestCase
35
35
  credential = credentials(:john_api_token)
36
36
  assert_equal Tokens::Api, credential.class, 'bad setup'
37
37
 
38
- assert_no_difference 'Credential.count' do
38
+ assert_no_difference -> { Credential.count } do
39
39
  credential.spend
40
40
  end
41
41
  end
@@ -58,7 +58,7 @@ class ApiTokenTest < ActiveSupport::TestCase
58
58
  test 'random_for' do
59
59
  user = users(:jane)
60
60
  credential = nil
61
- assert_difference 'Credential.count', 1 do
61
+ assert_difference -> { Credential.count }, 1 do
62
62
  credential = Tokens::Api.random_for user
63
63
  end
64
64
  saved_credential = Tokens::Base.with_code(credential.code).first
@@ -47,7 +47,7 @@ class EmailVerificationTokenTest < ActiveSupport::TestCase
47
47
  credential = credentials(:john_email_token)
48
48
  assert_equal Tokens::EmailVerification, credential.class, 'bad setup'
49
49
 
50
- assert_difference 'Credential.count', -1 do
50
+ assert_difference -> { Credential.count }, -1 do
51
51
  credential.spend
52
52
  end
53
53
  assert credential.frozen?, 'not destroyed'
@@ -59,7 +59,7 @@ class EmailVerificationTokenTest < ActiveSupport::TestCase
59
59
  credential = credentials(:john_email_token)
60
60
  credential.email = 'bill@gmail.com'
61
61
 
62
- assert_difference 'Credential.count', -1 do
62
+ assert_difference -> { Credential.count }, -1 do
63
63
  credential.spend
64
64
  end
65
65
  assert credential.frozen?, 'not destroyed'
@@ -90,7 +90,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
90
90
  User.expects(:create_from_omniauth).never
91
91
 
92
92
  assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
93
- assert_difference 'Credentials::OmniAuthUid.count' do
93
+ assert_difference -> { Credentials::OmniAuthUid.count } do
94
94
  assert_equal jane, Credentials::OmniAuthUid.authenticate(omniauth_hash)
95
95
  end
96
96
  assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
@@ -105,7 +105,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
105
105
  User.expects(:create_from_omniauth).with(omniauth_hash).returns user
106
106
 
107
107
  assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
108
- assert_difference 'Credentials::OmniAuthUid.count' do
108
+ assert_difference -> { Credentials::OmniAuthUid.count } do
109
109
  assert_equal user, Credentials::OmniAuthUid.authenticate(omniauth_hash)
110
110
  end
111
111
  assert_not_nil Credentials::OmniAuthUid.with(omniauth_hash)
@@ -119,7 +119,7 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
119
119
  User.expects(:create_from_omniauth).with(omniauth_hash).returns nil
120
120
 
121
121
  assert_nil Credentials::OmniAuthUid.with(omniauth_hash)
122
- assert_no_difference 'Credentials::OmniAuthUid.count' do
122
+ assert_no_difference -> { Credentials::OmniAuthUid.count } do
123
123
  assert_equal :invalid,
124
124
  Credentials::OmniAuthUid.authenticate(omniauth_hash)
125
125
  end
@@ -138,4 +138,3 @@ class OmniAuthUidCredentialTest < ActiveSupport::TestCase
138
138
  end
139
139
  end
140
140
  end
141
-
@@ -30,7 +30,7 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
30
30
  credential = credentials(:jane_token)
31
31
  assert_equal Tokens::OneTime, credential.class, 'bad setup'
32
32
 
33
- assert_difference 'Credential.count', -1 do
33
+ assert_difference -> { Credential.count }, -1 do
34
34
  credential.spend
35
35
  end
36
36
  assert credential.frozen?, 'not destroyed'
@@ -39,10 +39,10 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
39
39
  test 'authenticate spends the token' do
40
40
  jane = 'skygyoxxmnerxwe4zbi3p5yjtg7zpjl2peyfcwh5wnc37fyfc4xa'
41
41
  bogus = 'AyCMIixa5C7BBqU-XFI7l7IaUFJ4zQZPmcK6oNb3FLo'
42
- assert_difference 'Credential.count', -1, 'token spent' do
42
+ assert_difference -> { Credential.count }, -1, 'token spent' do
43
43
  assert_equal users(:jane), Tokens::Base.authenticate(jane)
44
44
  end
45
- assert_no_difference 'Credential.count', 'token mistakenly spent' do
45
+ assert_no_difference -> { Credential.count }, 'token mistakenly spent' do
46
46
  assert_equal :invalid, Tokens::Base.authenticate(bogus)
47
47
  end
48
48
  end
@@ -51,21 +51,21 @@ class OneTimeTokenCredentialTest < ActiveSupport::TestCase
51
51
  jane = 'skygyoxxmnerxwe4zbi3p5yjtg7zpjl2peyfcwh5wnc37fyfc4xa'
52
52
 
53
53
  with_blocked_credential credentials(:jane_token), :reason do
54
- assert_no_difference 'Credential.count', 'no token spent' do
54
+ assert_no_difference -> { Credential.count }, 'no token spent' do
55
55
  assert_equal :reason, Tokens::Base.authenticate(jane)
56
56
  end
57
57
  end
58
58
  end
59
59
 
60
60
  test 'instance authenticate spends the token' do
61
- assert_difference 'Credential.count', -1, 'token spent' do
61
+ assert_difference -> { Credential.count }, -1, 'token spent' do
62
62
  assert_equal users(:jane), credentials(:jane_token).authenticate
63
63
  end
64
64
  end
65
65
 
66
66
  test 'instance authenticate calls User#auth_bounce_reason' do
67
67
  with_blocked_credential credentials(:jane_token), :reason do
68
- assert_no_difference 'Credential.count', 'token mistakenly spent' do
68
+ assert_no_difference -> { Credential.count }, 'token mistakenly spent' do
69
69
  assert_equal :reason, credentials(:jane_token).authenticate
70
70
  end
71
71
  end
@@ -40,8 +40,8 @@ class PasswordVerificationTokenTest < ActiveSupport::TestCase
40
40
  credential = credentials(:jane_password_token)
41
41
  assert_equal Tokens::PasswordReset, credential.class, 'bad setup'
42
42
 
43
- assert_difference 'Credential.count', -2 do
44
- assert_difference 'Credentials::Password.count', -1 do
43
+ assert_difference -> { Credential.count }, -2 do
44
+ assert_difference -> { Credentials::Password.count }, -1 do
45
45
  credential.spend
46
46
  end
47
47
  end
@@ -55,7 +55,7 @@ class PasswordVerificationTokenTest < ActiveSupport::TestCase
55
55
  password_credential.destroy
56
56
  credential = credentials(:jane_password_token)
57
57
 
58
- assert_difference 'Credential.count', -1 do
58
+ assert_difference -> { Credential.count }, -1 do
59
59
  credential.spend
60
60
  end
61
61
  assert credential.frozen?, 'not destroyed'
@@ -80,7 +80,7 @@ class SessionUidTokenTest < ActiveSupport::TestCase
80
80
  fresh_token.updated_at = Time.current - 1.minute
81
81
  fresh_token.save!
82
82
 
83
- assert_difference 'Credential.count', -1 do
83
+ assert_difference -> { Credential.count }, -1 do
84
84
  Tokens::SessionUid.remove_expired
85
85
  end
86
86
  assert_nil Tokens::Base.with_code(old_token.code).first
@@ -91,7 +91,7 @@ class SessionUidTokenTest < ActiveSupport::TestCase
91
91
  test 'random_for' do
92
92
  user = users(:john)
93
93
  credential = nil
94
- assert_difference 'Credential.count', 1 do
94
+ assert_difference -> { Credential.count }, 1 do
95
95
  credential = Tokens::SessionUid.random_for user, '1.2.3.4', 'Test/UA'
96
96
  end
97
97
  saved_credential = Tokens::Base.with_code(credential.code).first
@@ -30,7 +30,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
30
30
  credential = credentials(:john_token)
31
31
  assert_equal Tokens::Base, credential.class, 'bad setup'
32
32
 
33
- assert_no_difference 'Credential.count' do
33
+ assert_no_difference -> { Credential.count } do
34
34
  credential.spend
35
35
  end
36
36
  end
@@ -117,12 +117,12 @@ class TokenCredentialTest < ActiveSupport::TestCase
117
117
  token.class.stubs(:expires_after).returns 1.week
118
118
  token.save!
119
119
  end
120
- assert_difference 'Credential.count', -1,
120
+ assert_difference -> { Credential.count }, -1,
121
121
  'authenticate deletes expired credential' do
122
122
  assert_equal :invalid, Tokens::Base.authenticate(john),
123
123
  'expired token'
124
124
  end
125
- assert_difference 'Credential.count', -1,
125
+ assert_difference -> { Credential.count }, -1,
126
126
  'authenticate deletes expired credential' do
127
127
  assert_equal :invalid, Tokens::Base.authenticate(jane),
128
128
  'expired token'
@@ -3,7 +3,7 @@
3
3
  </p>
4
4
 
5
5
  <% if current_user %>
6
- <p>
6
+ <p class="forbidden-logged-in-user">
7
7
  You should inform the user that they are logged in as
8
8
  <%= current_user.exuid %> and suggest them to
9
9
  <%= link_to 'sign out', session_path, method: :delete %> and sign in as a
@@ -1,5 +1,6 @@
1
1
  <p>
2
2
  This view gets displayed when the user is logged in. Right now,
3
- user <%= current_user.exuid %> is logged in. You should allow the user to
4
- <%= link_to 'Log out', session_path, method: :delete %>.
3
+ user <span class="user-exuid"><%= current_user.exuid %></span> is logged in.
4
+ You should allow the user to
5
+ <%= link_to 'sign out', session_path, method: :delete %>.
5
6
  </p>
@@ -1,4 +1,4 @@
1
- <p>
1
+ <p class="welcome-page">
2
2
  This view gets displayed when the user is not logged in. Entice the user to
3
3
  sign up for your application, and allow them to
4
4
  <%= link_to 'sign in', new_session_path %>.
@@ -38,8 +38,8 @@ class ActiveSupport::TestCase
38
38
  File.expand_path '../../../lib/authpwn_rails/generators/templates',
39
39
  __FILE__
40
40
 
41
- self.use_transactional_fixtures = false
42
- self.use_instantiated_fixtures = false
41
+ self.use_transactional_tests = true
42
+ self.use_instantiated_fixtures = false
43
43
  self.pre_loaded_fixtures = false
44
44
  fixtures :all
45
45
  end
@@ -1,3 +1 @@
1
- if ActiveSupport.respond_to? :test_order
2
- ActiveSupport.test_order = :sorted
3
- end
1
+ ActiveSupport.test_order = :sorted
@@ -4,11 +4,23 @@ require_relative 'test_helper'
4
4
  class HttpBasicController < ApplicationController
5
5
  authenticates_using_http_basic
6
6
 
7
+ # NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
8
+ # instance variables. current_user is a part of authpwn's API, so we
9
+ # must test it.
10
+ before_action :export_current_user_to_cookie
11
+ def export_current_user_to_cookie
12
+ cookies['_authpwn_test_cuid'] = if current_user
13
+ current_user.id.to_s
14
+ else
15
+ 'nil'
16
+ end
17
+ end
18
+
7
19
  def show
8
20
  if current_user
9
- render text: "User: #{current_user.id}"
21
+ render plain: "User: #{current_user.id}"
10
22
  else
11
- render text: "No user"
23
+ render plain: "No user"
12
24
  end
13
25
  end
14
26
 
@@ -25,7 +37,7 @@ class HttpBasicControllerTest < ActionController::TestCase
25
37
  test "no user_id in session cookie or header" do
26
38
  get :show
27
39
  assert_response :success
28
- assert_nil assigns(:current_user)
40
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
29
41
  assert_equal 'No user', response.body
30
42
  end
31
43
 
@@ -33,14 +45,14 @@ class HttpBasicControllerTest < ActionController::TestCase
33
45
  set_session_current_user @user
34
46
  get :show
35
47
  assert_response :success
36
- assert_nil assigns(:current_user)
48
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
37
49
  assert_equal 'No user', response.body
38
50
  end
39
51
 
40
52
  test "valid user credentials in header" do
41
53
  set_http_basic_user @user, 'pa55w0rd'
42
54
  get :show
43
- assert_equal @user, assigns(:current_user)
55
+ assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
44
56
 
45
57
  jane_id = ActiveRecord::FixtureSet.identify :jane
46
58
  assert_equal "User: #{jane_id}", response.body
@@ -49,7 +61,7 @@ class HttpBasicControllerTest < ActionController::TestCase
49
61
  test "invalid user credentials in header" do
50
62
  set_http_basic_user @user, 'fail'
51
63
  get :show
52
- assert_nil assigns(:current_user)
64
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
53
65
  assert_equal 'No user', response.body
54
66
  end
55
67
 
@@ -60,7 +72,7 @@ class HttpBasicControllerTest < ActionController::TestCase
60
72
  User.expects(:authenticate_signin).at_least_once.with(signin).returns @user
61
73
  set_http_basic_user @user, 'fail'
62
74
  get :show
63
- assert_equal @user, assigns(:current_user)
75
+ assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
64
76
 
65
77
  jane_id = ActiveRecord::FixtureSet.identify :jane
66
78
  assert_equal "User: #{jane_id}", response.body
@@ -70,30 +82,30 @@ class HttpBasicControllerTest < ActionController::TestCase
70
82
  set_http_basic_user @user, 'pa55w0rd'
71
83
  set_http_basic_user nil
72
84
  get :show
73
- assert_nil assigns(:current_user)
85
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
74
86
  assert_equal 'No user', response.body
75
87
  end
76
88
 
77
89
  test "mocked user credentials in header" do
78
90
  set_http_basic_user @user
79
91
  get :show
80
- assert_equal @user, assigns(:current_user)
92
+ assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
81
93
 
82
94
  jane_id = ActiveRecord::FixtureSet.identify :jane
83
95
  assert_equal "User: #{jane_id}", response.body
84
96
  end
85
97
 
86
98
  test "invalid authpwn_suid in session" do
87
- get :show, {}, authpwn_suid: 'random@user.com'
99
+ get :show, params: {}, session: { authpwn_suid: 'random@user.com' }
88
100
  assert_response :success
89
- assert_nil assigns(:current_user)
101
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
90
102
  end
91
103
 
92
104
  test "valid user bounced to http authentication" do
93
105
  set_http_basic_user @user
94
106
  get :bouncer
95
107
  assert_response :forbidden
96
- assert_template 'session/forbidden'
108
+ assert_select 'p.forbidden-logged-in-user'
97
109
  assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
98
110
  # Make sure no layout was rendered.
99
111
  assert_select 'title', 0
@@ -4,11 +4,23 @@ require_relative 'test_helper'
4
4
  class HttpTokenController < ApplicationController
5
5
  authenticates_using_http_token
6
6
 
7
+ # NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
8
+ # instance variables. current_user is a part of authpwn's API, so we
9
+ # must test it.
10
+ before_action :export_current_user_to_cookie
11
+ def export_current_user_to_cookie
12
+ cookies['_authpwn_test_cuid'] = if current_user
13
+ current_user.id.to_s
14
+ else
15
+ 'nil'
16
+ end
17
+ end
18
+
7
19
  def show
8
20
  if current_user
9
- render text: "User: #{current_user.id}"
21
+ render plain: "User: #{current_user.id}"
10
22
  else
11
- render text: "No user"
23
+ render plain: "No user"
12
24
  end
13
25
  end
14
26
 
@@ -25,7 +37,7 @@ class HttpTokenControllerTest < ActionController::TestCase
25
37
  test "no user_id in session cookie or header" do
26
38
  get :show
27
39
  assert_response :success
28
- assert_nil assigns(:current_user)
40
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
29
41
  assert_equal 'No user', response.body
30
42
  end
31
43
 
@@ -33,14 +45,14 @@ class HttpTokenControllerTest < ActionController::TestCase
33
45
  set_session_current_user @user
34
46
  get :show
35
47
  assert_response :success
36
- assert_nil assigns(:current_user)
48
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
37
49
  assert_equal 'No user', response.body
38
50
  end
39
51
 
40
52
  test "valid user credentials in header" do
41
53
  set_http_token_user @user
42
54
  get :show
43
- assert_equal @user, assigns(:current_user)
55
+ assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
44
56
  assert_equal nil, session_current_user,
45
57
  'Token authentication should not update the session'
46
58
 
@@ -52,7 +64,7 @@ class HttpTokenControllerTest < ActionController::TestCase
52
64
  set_http_token_user @user
53
65
  Tokens::Api.where(user_id: @user.id).destroy_all
54
66
  get :show
55
- assert_nil assigns(:current_user)
67
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
56
68
  assert_equal 'No user', response.body
57
69
  end
58
70
 
@@ -61,7 +73,7 @@ class HttpTokenControllerTest < ActionController::TestCase
61
73
  returns @user
62
74
  set_http_token_user @user, 'ap1c0d3'
63
75
  get :show
64
- assert_equal @user, assigns(:current_user)
76
+ assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
65
77
  assert_equal nil, session_current_user,
66
78
  'Token authentication should not update the session'
67
79
 
@@ -73,7 +85,7 @@ class HttpTokenControllerTest < ActionController::TestCase
73
85
  set_http_token_user @user
74
86
  set_http_token_user nil
75
87
  get :show
76
- assert_nil assigns(:current_user)
88
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
77
89
  assert_equal 'No user', response.body
78
90
  end
79
91
 
@@ -81,7 +93,7 @@ class HttpTokenControllerTest < ActionController::TestCase
81
93
  user = users(:jane)
82
94
  set_http_token_user user
83
95
  get :show
84
- assert_equal user, assigns(:current_user)
96
+ assert_equal user.id.to_s, cookies['_authpwn_test_cuid']
85
97
  assert_equal nil, session_current_user,
86
98
  'Token authentication should not update the session'
87
99
 
@@ -90,16 +102,16 @@ class HttpTokenControllerTest < ActionController::TestCase
90
102
  end
91
103
 
92
104
  test "invalid authpwn_suid in session" do
93
- get :show, {}, authpwn_suid: 'random@user.com'
105
+ get :show, session: { authpwn_suid: 'random@user.com' }
94
106
  assert_response :success
95
- assert_nil assigns(:current_user)
107
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
96
108
  end
97
109
 
98
110
  test "valid user bounced to http authentication" do
99
111
  set_http_token_user @user
100
112
  get :bouncer
101
113
  assert_response :forbidden
102
- assert_template 'session/forbidden'
114
+ assert_select 'p.forbidden-logged-in-user'
103
115
  assert_select 'a[href="/session"][data-method="delete"]', 'sign out'
104
116
  # Make sure no layout was rendered.
105
117
  assert_select 'title', 0
@@ -3,6 +3,18 @@ require_relative 'test_helper'
3
3
  class BareSessionController < ApplicationController
4
4
  include Authpwn::SessionController
5
5
  self.append_view_path File.expand_path('../fixtures', __FILE__)
6
+
7
+ # NOTE: As of Rails 5, tests can't use assigns to reach into the controllers'
8
+ # instance variables. current_user is a part of authpwn's API, so we
9
+ # must test it.
10
+ before_action :export_current_user_to_cookie
11
+ def export_current_user_to_cookie
12
+ cookies['_authpwn_test_cuid'] = if current_user
13
+ current_user.id.to_s
14
+ else
15
+ 'nil'
16
+ end
17
+ end
6
18
  end
7
19
 
8
20
  # Tests the methods injected by authpwn_session_controller.
@@ -25,8 +37,8 @@ class SessionControllerApiTest < ActionController::TestCase
25
37
  test "show renders welcome without a user" do
26
38
  @controller.expects(:welcome).once.returns nil
27
39
  get :show
28
- assert_template :welcome
29
- assert_nil assigns(:current_user)
40
+ assert_select 'p.welcome-page'
41
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
30
42
  end
31
43
 
32
44
  test "show json renders empty object without a user" do
@@ -40,8 +52,8 @@ class SessionControllerApiTest < ActionController::TestCase
40
52
  @controller.expects(:home).once.returns nil
41
53
  set_session_current_user @user
42
54
  get :show
43
- assert_template :home
44
- assert_equal @user, assigns(:current_user)
55
+ assert_select 'span.user-exuid', @user.exuid.to_s
56
+ assert_equal @user.id.to_s, cookies['_authpwn_test_cuid']
45
57
  end
46
58
 
47
59
  test "show json renders user when logged in" do
@@ -52,14 +64,7 @@ class SessionControllerApiTest < ActionController::TestCase
52
64
  data = ActiveSupport::JSON.decode response.body
53
65
  assert_equal @user.exuid, data['user']['exuid']
54
66
 
55
- if @controller.respond_to? :valid_authenticity_token?, true
56
- # Rails 4.2+ uses variable CSRF tokens.
57
- assert @controller.send(:valid_authenticity_token?, session,
58
- data['csrf'])
59
- else
60
- # Rails 4.0 and 4.1 store the CSRF token in the session.
61
- assert_equal session[:_csrf_token], data['csrf']
62
- end
67
+ assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
63
68
  end
64
69
 
65
70
  test "new redirects to session#show when a user is logged in" do
@@ -70,23 +75,21 @@ class SessionControllerApiTest < ActionController::TestCase
70
75
 
71
76
  test "new renders login form without a user" do
72
77
  get :new
73
- assert_template :new
74
- assert_nil assigns(:current_user), 'current_user should not be set'
78
+ assert_select 'form[action="/session"]'
79
+ assert_equal 'nil', cookies['_authpwn_test_cuid']
75
80
  end
76
81
 
77
82
  test "new renders redirect_url when present in flash" do
78
83
  url = 'http://authpwn.redirect.url'
79
- get :new, {}, {}, { auth_redirect_url: url }
80
- assert_template :new
81
- assert_select 'form' do
84
+ get :new, flash: { auth_redirect_url: url }
85
+ assert_select 'form[action="/session"]' do
82
86
  assert_select "input[name=\"redirect_url\"][value=\"#{url}\"]"
83
87
  end
84
88
  end
85
89
 
86
90
  test "create logs in with good account details" do
87
- post :create, session: { email: @email_credential.email,
88
- password: 'pa55w0rd' }
89
- assert_equal @user, assigns(:current_user), 'instance variable'
91
+ post :create, params: { session: { email: @email_credential.email,
92
+ password: 'pa55w0rd' } }
90
93
  assert_equal @user, session_current_user, 'session'
91
94
  assert_nil flash[:alert], 'no alert'
92
95
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -94,8 +97,8 @@ class SessionControllerApiTest < ActionController::TestCase
94
97
  end
95
98
 
96
99
  test "create logs in with good raw account details" do
97
- post :create, email: @email_credential.email, password: 'pa55w0rd'
98
- assert_equal @user, assigns(:current_user), 'instance variable'
100
+ post :create, params: { email: @email_credential.email,
101
+ password: 'pa55w0rd' }
99
102
  assert_equal @user, session_current_user, 'session'
100
103
  assert_nil flash[:alert], 'no alert'
101
104
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -105,9 +108,8 @@ class SessionControllerApiTest < ActionController::TestCase
105
108
  test "create logs in with good account details and no User-Agent" do
106
109
  request.headers['User-Agent'] = nil
107
110
 
108
- post :create, session: { email: @email_credential.email,
109
- password: 'pa55w0rd' }
110
- assert_equal @user, assigns(:current_user), 'instance variable'
111
+ post :create, params: { session: { email: @email_credential.email,
112
+ password: 'pa55w0rd' } }
111
113
  assert_equal @user, session_current_user, 'session'
112
114
  assert_nil flash[:alert], 'no alert'
113
115
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -119,8 +121,8 @@ class SessionControllerApiTest < ActionController::TestCase
119
121
  old_token = credentials(:jane_session_token)
120
122
  old_token.updated_at = Time.current - 1.year
121
123
  old_token.save!
122
- post :create, session: { email: @email_credential.email,
123
- password: 'pa55w0rd' }
124
+ post :create, params: { session: { email: @email_credential.email,
125
+ password: 'pa55w0rd' } }
124
126
  assert_equal @user, session_current_user, 'session'
125
127
  assert_nil Tokens::Base.with_code(old_token.code).first,
126
128
  'old session not purged'
@@ -131,29 +133,23 @@ class SessionControllerApiTest < ActionController::TestCase
131
133
  old_token = credentials(:jane_session_token)
132
134
  old_token.updated_at = Time.current - 1.year
133
135
  old_token.save!
134
- post :create, email: @email_credential.email, password: 'pa55w0rd'
136
+ post :create, params: { session: { email: @email_credential.email,
137
+ password: 'pa55w0rd' } }
135
138
  assert_equal @user, session_current_user, 'session'
136
139
  assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
137
140
  'old session purged'
138
141
  end
139
142
 
140
143
  test "create by json logs in with good account details" do
141
- post :create, email: @email_credential.email, password: 'pa55w0rd',
142
- format: 'json'
144
+ post :create, format: 'json', params: { email: @email_credential.email,
145
+ password: 'pa55w0rd' }
146
+
143
147
  assert_response :ok
144
148
  data = ActiveSupport::JSON.decode response.body
145
149
  assert_equal @user.exuid, data['user']['exuid']
146
- assert_equal @user, assigns(:current_user), 'instance variable'
147
150
  assert_equal @user, session_current_user, 'session'
148
151
 
149
- if @controller.respond_to? :valid_authenticity_token?, true
150
- # Rails 4.2+ uses variable CSRF tokens.
151
- assert @controller.send(:valid_authenticity_token?, session,
152
- data['csrf'])
153
- else
154
- # Rails 4.0 and 4.1 store the CSRF token in the session.
155
- assert_equal session[:_csrf_token], data['csrf']
156
- end
152
+ assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
157
153
  end
158
154
 
159
155
  test "create by json purges sessions when logging in" do
@@ -161,8 +157,9 @@ class SessionControllerApiTest < ActionController::TestCase
161
157
  old_token = credentials(:jane_session_token)
162
158
  old_token.updated_at = Time.current - 1.year
163
159
  old_token.save!
164
- post :create, email: @email_credential.email, password: 'pa55w0rd',
165
- format: 'json'
160
+ post :create, format: 'json', params: { email: @email_credential.email,
161
+ password: 'pa55w0rd' }
162
+
166
163
  assert_response :ok
167
164
  assert_equal @user, session_current_user, 'session'
168
165
  assert_nil Tokens::Base.with_code(old_token.code).first,
@@ -171,17 +168,17 @@ class SessionControllerApiTest < ActionController::TestCase
171
168
 
172
169
  test "create redirects properly with good account details" do
173
170
  url = 'http://authpwn.redirect.url'
174
- post :create, session: { email: @email_credential.email,
175
- password: 'pa55w0rd' }, redirect_url: url
171
+ post :create, params: { redirect_url: url, session: {
172
+ email: @email_credential.email, password: 'pa55w0rd' } }
176
173
  assert_redirected_to url
177
174
  assert_nil flash[:alert], 'no alert'
178
175
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
179
176
  end
180
177
 
181
178
  test "create does not log in with bad password" do
182
- post :create, session: { email: @email_credential.email, password: 'fail' }
179
+ post :create, params: { session: { email: @email_credential.email,
180
+ password: 'fail' } }
183
181
  assert_redirected_to new_session_url
184
- assert_nil assigns(:current_user), 'instance variable'
185
182
  assert_nil session_current_user, 'session'
186
183
  assert_match(/Invalid/, flash[:alert])
187
184
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -190,10 +187,9 @@ class SessionControllerApiTest < ActionController::TestCase
190
187
  test "create does not log in with expired password" do
191
188
  @password_credential.updated_at = Time.current - 2.years
192
189
  @password_credential.save!
193
- post :create, session: { email: @email_credential.email,
194
- password: 'pa55w0rd' }
190
+ post :create, params: { session: { email: @email_credential.email,
191
+ password: 'pa55w0rd' } }
195
192
  assert_redirected_to new_session_url
196
- assert_nil assigns(:current_user), 'instance variable'
197
193
  assert_nil session_current_user, 'session'
198
194
  assert_match(/expired/, flash[:alert])
199
195
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -204,7 +200,8 @@ class SessionControllerApiTest < ActionController::TestCase
204
200
  old_token = credentials(:jane_session_token)
205
201
  old_token.updated_at = Time.current - 1.year
206
202
  old_token.save!
207
- post :create, session: { email: @email_credential.email, password: 'fail' }
203
+ post :create, params: { session: { email: @email_credential.email,
204
+ password: 'fail' } }
208
205
  assert_nil session_current_user, 'session'
209
206
  assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
210
207
  'old session purged'
@@ -212,11 +209,10 @@ class SessionControllerApiTest < ActionController::TestCase
212
209
 
213
210
  test "create does not log in blocked accounts" do
214
211
  with_blocked_credential @email_credential do
215
- post :create, session: { email: @email_credential.email,
216
- password: 'pa55w0rd' }
212
+ post :create, params: { session: { email: @email_credential.email,
213
+ password: 'pa55w0rd' } }
217
214
  end
218
215
  assert_redirected_to new_session_url
219
- assert_nil assigns(:current_user), 'instance variable'
220
216
  assert_nil session_current_user, 'session'
221
217
  assert_match(/ blocked/, flash[:alert])
222
218
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -228,62 +224,59 @@ class SessionControllerApiTest < ActionController::TestCase
228
224
  email: 'em@ail.com', password: 'fail').returns signin
229
225
  User.expects(:authenticate_signin).at_least_once.with(signin).
230
226
  returns @email_credential.user
231
- post :create, email: 'em@ail.com', password: 'fail'
232
- assert_equal @user, assigns(:current_user), 'instance variable'
227
+ post :create, params: { email: 'em@ail.com', password: 'fail' }
233
228
  assert_equal @user, session_current_user, 'session'
234
229
  assert_redirected_to session_url
235
230
  end
236
231
 
237
232
  test "create by json does not log in with bad password" do
238
- post :create, email: @email_credential.email, password: 'fail',
239
- format: 'json'
233
+ post :create, format: 'json', params: {
234
+ email: @email_credential.email, password: 'fail' }
235
+
240
236
  assert_response :ok
241
237
  data = ActiveSupport::JSON.decode response.body
242
238
  assert_equal 'invalid', data['error']
243
239
  assert_match(/invalid/i , data['text'])
244
- assert_nil assigns(:current_user), 'instance variable'
245
240
  assert_nil session_current_user, 'session'
246
241
  end
247
242
 
248
243
  test "create by json does not log in with expired password" do
249
244
  @password_credential.updated_at = Time.current - 2.years
250
245
  @password_credential.save!
251
- post :create, email: @email_credential.email, password: 'pa55w0rd',
252
- format: 'json'
246
+ post :create, format: 'json', params: {
247
+ email: @email_credential.email, password: 'pa55w0rd' }
248
+
253
249
  assert_response :ok
254
250
  data = ActiveSupport::JSON.decode response.body
255
251
  assert_equal 'expired', data['error']
256
252
  assert_match(/expired/i , data['text'])
257
- assert_nil assigns(:current_user), 'instance variable'
258
253
  assert_nil session_current_user, 'session'
259
254
  end
260
255
 
261
256
  test "create by json does not log in blocked accounts" do
262
257
  with_blocked_credential @email_credential do
263
- post :create, email: @email_credential.email, password: 'pa55w0rd',
264
- format: 'json'
258
+ post :create, format: 'json', params: {
259
+ email: @email_credential.email, password: 'pa55w0rd' }
265
260
  end
266
261
  assert_response :ok
267
262
  data = ActiveSupport::JSON.decode response.body
268
263
  assert_equal 'blocked', data['error']
269
264
  assert_match(/blocked/i , data['text'])
270
- assert_nil assigns(:current_user), 'instance variable'
271
265
  assert_nil session_current_user, 'session'
272
266
  end
273
267
 
274
268
  test "create maintains redirect_url for bad logins" do
275
269
  url = 'http://authpwn.redirect.url'
276
- post :create, session: { email: @email_credential.email,
277
- password: 'fail' }, redirect_url: url
270
+ post :create, params: { redirect_url: url, session: {
271
+ email: @email_credential.email, password: 'fail' } }
278
272
  assert_redirected_to new_session_url
279
273
  assert_match(/Invalid /, flash[:alert])
280
274
  assert_equal url, flash[:auth_redirect_url]
281
275
  end
282
276
 
283
277
  test "create does not log in with bad e-mail" do
284
- post :create, email: 'nobody@gmail.com', password: 'no'
278
+ post :create, params: { email: 'nobody@gmail.com', password: 'no' }
285
279
  assert_redirected_to new_session_url
286
- assert_nil assigns(:current_user), 'instance variable'
287
280
  assert_nil session_current_user, 'session'
288
281
  assert_match(/Invalid /, flash[:alert])
289
282
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -292,9 +285,8 @@ class SessionControllerApiTest < ActionController::TestCase
292
285
  test "token logs in with good token" do
293
286
  @controller.expects(:home_with_token).once.with(@token_credential).
294
287
  returns(nil)
295
- get :token, code: @token_credential.code
288
+ get :token, params: { code: @token_credential.code }
296
289
  assert_redirected_to session_url
297
- assert_equal @user, assigns(:current_user), 'instance variable'
298
290
  assert_equal @user, session_current_user, 'session'
299
291
  assert_nil Tokens::Base.with_code(@token_credential.code).first,
300
292
  'one-time credential is spent'
@@ -305,9 +297,8 @@ class SessionControllerApiTest < ActionController::TestCase
305
297
 
306
298
  @controller.expects(:home_with_token).once.with(@token_credential).
307
299
  returns(nil)
308
- get :token, code: @token_credential.code
300
+ get :token, params: { code: @token_credential.code }
309
301
  assert_redirected_to session_url
310
- assert_equal @user, assigns(:current_user), 'instance variable'
311
302
  assert_equal @user, session_current_user, 'session'
312
303
  assert_nil Tokens::Base.with_code(@token_credential.code).first,
313
304
  'one-time credential is spent'
@@ -316,70 +307,58 @@ class SessionControllerApiTest < ActionController::TestCase
316
307
  test "token by json logs in with good token" do
317
308
  @controller.expects(:home_with_token).once.with(@token_credential).
318
309
  returns(nil)
319
- get :token, code: @token_credential.code, format: 'json'
310
+ get :token, format: 'json', params: { code: @token_credential.code }
320
311
  assert_response :ok
321
312
  data = ActiveSupport::JSON.decode response.body
322
313
  assert_equal @user.exuid, data['user']['exuid']
323
- assert_equal @user, assigns(:current_user), 'instance variable'
324
314
  assert_equal @user, session_current_user, 'session'
325
315
  assert_nil Tokens::Base.with_code(@token_credential.code).first,
326
316
  'one-time credential is spent'
327
317
 
328
- if @controller.respond_to? :valid_authenticity_token?, true
329
- # Rails 4.2+ uses variable CSRF tokens.
330
- assert @controller.send(:valid_authenticity_token?, session,
331
- data['csrf'])
332
- else
333
- # Rails 4.0 and 4.1 store the CSRF token in the session.
334
- assert_equal session[:_csrf_token], data['csrf']
335
- end
318
+ assert @controller.send(:valid_authenticity_token?, session, data['csrf'])
336
319
  end
337
320
 
338
321
  test "token does not log in with random token" do
339
- assert_no_difference 'Credential.count', 'no credential is spent' do
340
- get :token, code: 'no-such-token'
322
+ assert_no_difference -> { Credential.count }, 'no credential is spent' do
323
+ get :token, params: { code: 'no-such-token' }
341
324
  end
342
325
  assert_redirected_to new_session_url
343
- assert_nil assigns(:current_user), 'instance variable'
344
326
  assert_nil session_current_user, 'session'
345
327
  assert_match(/Invalid/, flash[:alert])
346
328
  end
347
329
 
348
330
  test "token does not log in blocked accounts" do
349
331
  with_blocked_credential @token_credential do
350
- assert_no_difference 'Credential.count', 'no credential is spent' do
351
- get :token, code: @token_credential.code
332
+ assert_no_difference -> { Credential.count }, 'no credential is spent' do
333
+ get :token, params: { code: @token_credential.code }
352
334
  end
353
335
  end
354
336
  assert_redirected_to new_session_url
355
- assert_nil assigns(:current_user), 'instance variable'
356
337
  assert_nil session_current_user, 'session'
357
338
  assert_match(/ blocked/, flash[:alert])
358
339
  end
359
340
 
360
341
  test "token by json does not log in with random token" do
361
- assert_no_difference 'Credential.count', 'no credential is spent' do
362
- get :token, code: 'no-such-token', format: 'json'
342
+ assert_no_difference -> { Credential.count }, 'no credential is spent' do
343
+ get :token, format: 'json', params: { code: 'no-such-token' }
363
344
  end
364
345
  assert_response :ok
365
346
  data = ActiveSupport::JSON.decode response.body
366
347
  assert_equal 'invalid', data['error']
367
348
  assert_match(/invalid/i , data['text'])
368
- assert_nil assigns(:current_user), 'instance variable'
369
349
  assert_nil session_current_user, 'session'
370
350
  end
371
351
 
372
352
  test "token by json does not log in blocked accounts" do
373
353
  with_blocked_credential @token_credential do
374
- assert_no_difference 'Credential.count', 'no credential is spent' do
375
- get :token, code: @token_credential.code, format: 'json'
354
+ assert_no_difference -> { Credential.count }, 'no credential is spent' do
355
+ get :token, format: 'json', params: { code: @token_credential.code }
376
356
  end
377
357
  end
378
358
  assert_response :ok
379
359
  data = ActiveSupport::JSON.decode response.body
380
360
  assert_equal 'blocked', data['error']
381
361
  assert_match(/blocked/i , data['text'])
382
- assert_nil assigns(:current_user), 'instance variable'
383
362
  assert_nil session_current_user, 'session'
384
363
  end
385
364
 
@@ -388,7 +367,6 @@ class SessionControllerApiTest < ActionController::TestCase
388
367
  delete :destroy
389
368
 
390
369
  assert_redirected_to session_url
391
- assert_nil assigns(:current_user)
392
370
  end
393
371
 
394
372
  test "logout by json" do
@@ -396,7 +374,6 @@ class SessionControllerApiTest < ActionController::TestCase
396
374
  delete :destroy, format: 'json'
397
375
 
398
376
  assert_response :ok
399
- assert_nil assigns(:current_user)
400
377
  end
401
378
 
402
379
  test "api_token request" do
@@ -409,7 +386,7 @@ class SessionControllerApiTest < ActionController::TestCase
409
386
 
410
387
  test "api_token request from user without token" do
411
388
  set_session_current_user @user
412
- assert_difference 'Tokens::Api.count', 1 do
389
+ assert_difference -> { Tokens::Api.count }, 1 do
413
390
  get :api_token
414
391
  end
415
392
  assert_response :ok
@@ -433,7 +410,7 @@ class SessionControllerApiTest < ActionController::TestCase
433
410
 
434
411
  test "api_token JSON request from user without token" do
435
412
  set_session_current_user @user
436
- assert_difference 'Tokens::Api.count', 1 do
413
+ assert_difference -> { Tokens::Api.count }, 1 do
437
414
  get :api_token, format: 'json'
438
415
  end
439
416
  token = @user.credentials.where(type: 'Tokens::Api').first
@@ -453,7 +430,7 @@ class SessionControllerApiTest < ActionController::TestCase
453
430
  test "api_token destroy request" do
454
431
  user = users(:john)
455
432
  set_session_current_user user
456
- assert_difference 'Tokens::Api.count', -1 do
433
+ assert_difference -> { Tokens::Api.count }, -1 do
457
434
  delete :destroy_api_token
458
435
  end
459
436
  assert_nil user.credentials.where(type: 'Tokens::Api').first
@@ -463,7 +440,7 @@ class SessionControllerApiTest < ActionController::TestCase
463
440
 
464
441
  test "api_token destroy request from user without token" do
465
442
  set_session_current_user @user
466
- assert_no_difference 'Tokens::Api.count' do
443
+ assert_no_difference -> { Tokens::Api.count } do
467
444
  delete :destroy_api_token
468
445
  end
469
446
  assert_nil @user.credentials.where(type: 'Tokens::Api').first
@@ -479,7 +456,7 @@ class SessionControllerApiTest < ActionController::TestCase
479
456
  test "api_token destroy JSON request" do
480
457
  user = users(:john)
481
458
  set_session_current_user user
482
- assert_difference 'Tokens::Api.count', -1 do
459
+ assert_difference -> { Tokens::Api.count }, -1 do
483
460
  delete :destroy_api_token, format: 'json'
484
461
  end
485
462
 
@@ -490,7 +467,7 @@ class SessionControllerApiTest < ActionController::TestCase
490
467
 
491
468
  test "api_token destroy JSON request from user without token" do
492
469
  set_session_current_user @user
493
- assert_no_difference 'Tokens::Api.count' do
470
+ assert_no_difference -> { Tokens::Api.count } do
494
471
  delete :destroy_api_token, format: 'json'
495
472
  end
496
473
 
@@ -518,15 +495,15 @@ class SessionControllerApiTest < ActionController::TestCase
518
495
  set_session_current_user @user
519
496
  get :password_change
520
497
  assert_response :ok
521
- assert_template :password_change
522
- assert_equal @password_credential, assigns(:credential)
498
+ assert_select 'form[action="/session/change_password"][method="post"]' do
499
+ assert_select 'input[name="credential[old_password]"]'
500
+ end
523
501
  end
524
502
 
525
503
  test "change_password bounces without logged in user" do
526
- post :change_password, credential: { old_password: 'pa55w0rd',
527
- password: 'hacks', password_confirmation: 'hacks' }
504
+ post :change_password, params: { credential: { old_password: 'pa55w0rd',
505
+ password: 'hacks', password_confirmation: 'hacks' } }
528
506
  assert_response :forbidden
529
- assert_template 'session/forbidden'
530
507
  # Make sure no layout was rendered.
531
508
  assert_select 'title', 0
532
509
  assert_select 'h1', 0
@@ -534,32 +511,31 @@ class SessionControllerApiTest < ActionController::TestCase
534
511
 
535
512
  test "change_password works with correct input" do
536
513
  set_session_current_user @user
537
- post :change_password, credential: { old_password: 'pa55w0rd',
538
- password: 'hacks', password_confirmation: 'hacks'}
514
+ post :change_password, params: { credential: { old_password: 'pa55w0rd',
515
+ password: 'hacks', password_confirmation: 'hacks'} }
539
516
  assert_redirected_to session_url
540
- assert_equal @password_credential, assigns(:credential)
541
517
  assert_equal @user, User.authenticate_signin(Session.new(email:
542
518
  @email_credential.email, password: 'hacks')), 'password not changed'
543
519
  end
544
520
 
545
521
  test "change_password works with correct input and extra form input" do
546
522
  set_session_current_user @user
547
- post :change_password, credential: { old_password: 'pa55w0rd',
523
+ post :change_password, params: { credential: { old_password: 'pa55w0rd',
548
524
  password: 'hacks', password_confirmation: 'hacks' }, utf8: "\u2713",
549
- commit: 'Change Password'
525
+ commit: 'Change Password' }
550
526
  assert_redirected_to session_url
551
- assert_equal @password_credential, assigns(:credential)
552
527
  assert_equal @user, User.authenticate_signin(Session.new(email:
553
528
  @email_credential.email, password: 'hacks')), 'password not changed'
554
529
  end
555
530
 
556
531
  test "change_password rejects bad old password" do
557
532
  set_session_current_user @user
558
- post :change_password, credential: { old_password: '_pa55w0rd',
559
- password: 'hacks', password_confirmation: 'hacks' }
533
+ post :change_password, params: { credential: { old_password: '_pa55w0rd',
534
+ password: 'hacks', password_confirmation: 'hacks' } }
560
535
  assert_response :ok
561
- assert_template :password_change
562
- assert_equal @password_credential, assigns(:credential)
536
+ assert_select 'form[action="/session/change_password"][method="post"]' do
537
+ assert_select 'input[name="credential[old_password]"]'
538
+ end
563
539
  assert_equal @user, User.authenticate_signin(Session.new(email:
564
540
  @email_credential.email, password: 'pa55w0rd')),
565
541
  'password wrongly changed'
@@ -567,11 +543,12 @@ class SessionControllerApiTest < ActionController::TestCase
567
543
 
568
544
  test "change_password rejects un-confirmed password" do
569
545
  set_session_current_user @user
570
- post :change_password, credential: { old_password: 'pa55w0rd',
571
- password: 'hacks', password_confirmation: 'hacks_' }
546
+ post :change_password, params: { credential: { old_password: 'pa55w0rd',
547
+ password: 'hacks', password_confirmation: 'hacks_' } }
572
548
  assert_response :ok
573
- assert_template :password_change
574
- assert_equal @password_credential, assigns(:credential)
549
+ assert_select 'form[action="/session/change_password"][method="post"]' do
550
+ assert_select 'input[name="credential[old_password]"]'
551
+ end
575
552
  assert_equal @user, User.authenticate_signin(Session.new(email:
576
553
  @email_credential.email, password: 'pa55w0rd')),
577
554
  'password wrongly changed'
@@ -580,8 +557,8 @@ class SessionControllerApiTest < ActionController::TestCase
580
557
  test "change_password works for password recovery" do
581
558
  set_session_current_user @user
582
559
  @password_credential.destroy
583
- post :change_password, credential: { password: 'hacks',
584
- password_confirmation: 'hacks' }
560
+ post :change_password, params: { credential: { password: 'hacks',
561
+ password_confirmation: 'hacks' } }
585
562
  assert_redirected_to session_url
586
563
  assert_equal @user, User.authenticate_signin(Session.new(email:
587
564
  @email_credential.email, password: 'hacks')), 'password not changed'
@@ -590,18 +567,20 @@ class SessionControllerApiTest < ActionController::TestCase
590
567
  test "change_password rejects un-confirmed password on recovery" do
591
568
  set_session_current_user @user
592
569
  @password_credential.destroy
593
- assert_no_difference 'Credential.count' do
594
- post :change_password, credential: { password: 'hacks',
595
- password_confirmation: 'hacks_' }
570
+ assert_no_difference -> { Credential.count } do
571
+ post :change_password, params: { credential: { password: 'hacks',
572
+ password_confirmation: 'hacks_' } }
596
573
  end
597
574
  assert_response :ok
598
- assert_template :password_change
575
+ assert_select 'form[action="/session/change_password"][method="post"]' do
576
+ assert_select 'input[name="credential[old_password]"]', count: 0
577
+ end
599
578
  end
600
579
 
601
580
  test "change_password by json bounces without logged in user" do
602
- post :change_password, format: 'json',
581
+ post :change_password, format: 'json', params: {
603
582
  credential: { old_password: 'pa55w0rd', password: 'hacks',
604
- password_confirmation: 'hacks' }
583
+ password_confirmation: 'hacks' } }
605
584
  assert_response :ok
606
585
  data = ActiveSupport::JSON.decode response.body
607
586
  assert_equal 'Please sign in', data['error']
@@ -609,9 +588,9 @@ class SessionControllerApiTest < ActionController::TestCase
609
588
 
610
589
  test "change_password by json works with correct input" do
611
590
  set_session_current_user @user
612
- post :change_password, format: 'json',
591
+ post :change_password, format: 'json', params: {
613
592
  credential: { old_password: 'pa55w0rd', password: 'hacks',
614
- password_confirmation: 'hacks' }
593
+ password_confirmation: 'hacks' } }
615
594
  assert_response :ok
616
595
  assert_equal @user, User.authenticate_signin(Session.new(email:
617
596
  @email_credential.email, password: 'hacks')), 'password not changed'
@@ -619,13 +598,12 @@ class SessionControllerApiTest < ActionController::TestCase
619
598
 
620
599
  test "change_password by json rejects bad old password" do
621
600
  set_session_current_user @user
622
- post :change_password, format: 'json',
601
+ post :change_password, format: 'json', params: {
623
602
  credential: { old_password: '_pa55w0rd', password: 'hacks',
624
- password_confirmation: 'hacks' }
603
+ password_confirmation: 'hacks' } }
625
604
  assert_response :ok
626
605
  data = ActiveSupport::JSON.decode response.body
627
606
  assert_equal 'invalid', data['error']
628
- assert_equal @password_credential, assigns(:credential)
629
607
  assert_equal @user, User.authenticate_signin(Session.new(email:
630
608
  @email_credential.email, password: 'pa55w0rd')),
631
609
  'password wrongly changed'
@@ -633,9 +611,9 @@ class SessionControllerApiTest < ActionController::TestCase
633
611
 
634
612
  test "change_password by json rejects un-confirmed password" do
635
613
  set_session_current_user @user
636
- post :change_password, format: 'json',
614
+ post :change_password, format: 'json', params: {
637
615
  credential: { old_password: 'pa55w0rd', password: 'hacks',
638
- password_confirmation: 'hacks_' }
616
+ password_confirmation: 'hacks_' } }
639
617
  assert_response :ok
640
618
  data = ActiveSupport::JSON.decode response.body
641
619
  assert_equal 'invalid', data['error']
@@ -647,8 +625,8 @@ class SessionControllerApiTest < ActionController::TestCase
647
625
  test "change_password by json works for password recovery" do
648
626
  set_session_current_user @user
649
627
  @password_credential.destroy
650
- post :change_password, format: 'json',
651
- credential: { password: 'hacks', password_confirmation: 'hacks' }
628
+ post :change_password, format: 'json', params: {
629
+ credential: { password: 'hacks', password_confirmation: 'hacks' } }
652
630
  assert_response :ok
653
631
  assert_equal @user, User.authenticate_signin(Session.new(email:
654
632
  @email_credential.email, password: 'hacks')), 'password not changed'
@@ -657,9 +635,9 @@ class SessionControllerApiTest < ActionController::TestCase
657
635
  test "change_password by json rejects un-confirmed password on recovery" do
658
636
  set_session_current_user @user
659
637
  @password_credential.destroy
660
- assert_no_difference 'Credential.count' do
661
- post :change_password, format: 'json',
662
- credential: { password: 'hacks', password_confirmation: 'hacks_' }
638
+ assert_no_difference -> { Credential.count } do
639
+ post :change_password, format: 'json', params: {
640
+ credential: { password: 'hacks', password_confirmation: 'hacks_' } }
663
641
  end
664
642
  assert_response :ok
665
643
  data = ActiveSupport::JSON.decode response.body
@@ -670,8 +648,9 @@ class SessionControllerApiTest < ActionController::TestCase
670
648
  ActionMailer::Base.deliveries = []
671
649
  request.host = 'mail.test.host:1234'
672
650
 
673
- assert_difference 'Credential.count', 1 do
674
- post :reset_password, session: { email: @email_credential.email }
651
+ assert_difference -> { Credential.count }, 1 do
652
+ post :reset_password, params: {
653
+ session: { email: @email_credential.email } }
675
654
  end
676
655
 
677
656
  token = Credential.last
@@ -692,9 +671,10 @@ class SessionControllerApiTest < ActionController::TestCase
692
671
  test "reset_password for good e-mail by json" do
693
672
  ActionMailer::Base.deliveries = []
694
673
 
695
- assert_difference 'Credential.count', 1 do
696
- post :reset_password, session: { email: @email_credential.email },
697
- format: 'json'
674
+ assert_difference -> { Credential.count }, 1 do
675
+ post :reset_password, format: 'json', params: {
676
+ session: { email: @email_credential.email } }
677
+
698
678
  end
699
679
 
700
680
  token = Credential.last
@@ -710,8 +690,8 @@ class SessionControllerApiTest < ActionController::TestCase
710
690
  test "reset_password for invalid e-mail" do
711
691
  ActionMailer::Base.deliveries = []
712
692
 
713
- assert_no_difference 'Credential.count' do
714
- post :reset_password, session: { email: 'no@such.email' }
693
+ assert_no_difference -> { Credential.count } do
694
+ post :reset_password, params: { session: { email: 'no@such.email' } }
715
695
  end
716
696
  assert ActionMailer::Base.deliveries.empty?, 'no email generated'
717
697
 
@@ -721,8 +701,9 @@ class SessionControllerApiTest < ActionController::TestCase
721
701
  test "reset_password for invalid e-mail by json" do
722
702
  ActionMailer::Base.deliveries = []
723
703
 
724
- assert_no_difference 'Credential.count' do
725
- post :reset_password, session: { email: 'no@such.email' }, format: 'json'
704
+ assert_no_difference -> { Credential.count } do
705
+ post :reset_password, format: 'json', params: {
706
+ session: { email: 'no@such.email' } }
726
707
  end
727
708
  assert ActionMailer::Base.deliveries.empty?, 'no email generated'
728
709
 
@@ -734,9 +715,9 @@ class SessionControllerApiTest < ActionController::TestCase
734
715
  test "create delegation to reset_password" do
735
716
  ActionMailer::Base.deliveries = []
736
717
 
737
- assert_difference 'Credential.count', 1 do
738
- post :create, session: { email: @email_credential.email, password: '' },
739
- reset_password: :requested
718
+ assert_difference -> { Credential.count }, 1 do
719
+ post :create, params: { session: { email: @email_credential.email,
720
+ password: '' }, reset_password: 'requested' }
740
721
  end
741
722
 
742
723
  token = Credential.last
@@ -754,12 +735,10 @@ class SessionControllerApiTest < ActionController::TestCase
754
735
  test "omniauth logs in with good account details" do
755
736
  ActionController::Base.allow_forgery_protection = true
756
737
  begin
757
-
758
738
  request.env['omniauth.auth'] =
759
739
  { 'provider' => @omniauth_credential.provider,
760
740
  'uid' => @omniauth_credential.uid }
761
- post :omniauth, provider: @omniauth_credential.provider
762
- assert_equal @user, assigns(:current_user), 'instance variable'
741
+ post :omniauth, params: { provider: @omniauth_credential.provider }
763
742
  assert_equal @user, session_current_user, 'session'
764
743
  assert_nil flash[:alert], 'no alert'
765
744
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -777,8 +756,7 @@ class SessionControllerApiTest < ActionController::TestCase
777
756
  request.env['omniauth.auth'] =
778
757
  { 'provider' => @omniauth_credential.provider,
779
758
  'uid' => @omniauth_credential.uid }
780
- post :omniauth, provider: @omniauth_credential.provider
781
- assert_equal @user, assigns(:current_user), 'instance variable'
759
+ post :omniauth, params: { provider: @omniauth_credential.provider }
782
760
  assert_equal @user, session_current_user, 'session'
783
761
  assert_nil flash[:alert], 'no alert'
784
762
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -798,7 +776,7 @@ class SessionControllerApiTest < ActionController::TestCase
798
776
  request.env['omniauth.auth'] =
799
777
  { 'provider' => @omniauth_credential.provider,
800
778
  'uid' => @omniauth_credential.uid }
801
- post :omniauth, provider: @omniauth_credential.provider
779
+ post :omniauth, params: { provider: @omniauth_credential.provider }
802
780
  assert_equal @user, session_current_user, 'session'
803
781
  assert_nil Tokens::Base.with_code(old_token.code).first,
804
782
  'old session not purged'
@@ -817,7 +795,7 @@ class SessionControllerApiTest < ActionController::TestCase
817
795
  request.env['omniauth.auth'] =
818
796
  { 'provider' => @omniauth_credential.provider,
819
797
  'uid' => @omniauth_credential.uid }
820
- post :omniauth, provider: @omniauth_credential.provider
798
+ post :omniauth, params: { provider: @omniauth_credential.provider }
821
799
  assert_equal @user, session_current_user, 'session'
822
800
  assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
823
801
  'old session purged'
@@ -835,7 +813,7 @@ class SessionControllerApiTest < ActionController::TestCase
835
813
  old_token.save!
836
814
  request.env['omniauth.auth'] =
837
815
  { 'provider' => @omniauth_credential.provider, 'uid' => 'fail' }
838
- post :omniauth, provider: @omniauth_credential.provider
816
+ post :omniauth, params: { provider: @omniauth_credential.provider }
839
817
  assert_nil session_current_user, 'session'
840
818
  assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
841
819
  'old session purged'
@@ -851,10 +829,9 @@ class SessionControllerApiTest < ActionController::TestCase
851
829
  { 'provider' => @omniauth_credential.provider,
852
830
  'uid' => @omniauth_credential.uid }
853
831
  with_blocked_credential @omniauth_credential do
854
- post :omniauth, provider: @omniauth_credential.provider
832
+ post :omniauth, params: { provider: @omniauth_credential.provider }
855
833
  end
856
834
  assert_redirected_to new_session_url
857
- assert_nil assigns(:current_user), 'instance variable'
858
835
  assert_nil session_current_user, 'session'
859
836
  assert_match(/ blocked/, flash[:alert])
860
837
  assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
@@ -870,8 +847,7 @@ class SessionControllerApiTest < ActionController::TestCase
870
847
  request.env['omniauth.auth'] = omniauth_hash
871
848
  Credentials::OmniAuthUid.expects(:authenticate).at_least_once.
872
849
  with(omniauth_hash).returns @omniauth_credential.user
873
- post :omniauth, provider: @omniauth_credential.provider
874
- assert_equal @user, assigns(:current_user), 'instance variable'
850
+ post :omniauth, params: { provider: @omniauth_credential.provider }
875
851
  assert_equal @user, session_current_user, 'session'
876
852
  assert_redirected_to session_url
877
853
  ensure