authpwn_rails 0.18.1 → 0.18.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f95225e77bd6c767761b3cf3495ccb273201c74e
-  data.tar.gz: cd28df6a7be62f693e4f238d16678c47173d720f
+  metadata.gz: 39e5e725d067f6fc83969be607fdbb3ec0880fd3
+  data.tar.gz: 3079f8aadda710eab3127f08a891c6f6d7b178eb
 SHA512:
-  metadata.gz: fc668c5c618028caa5d320f2247161bf6d09a23b969b7f6aa04c2173d5877ea7e917e951c7a0511621cecf0b29d3aaa9c9f190e847c4ea7e67c4acd84c85f92f
-  data.tar.gz: 925a34ef07e886f44ee7b42ef2d829d35bc6e9212f29a283a1effcef70183036cef41bcc599241b9a4947f2cf2a2cbb1b5b960ea037a262dd2cccd1fd22fbaa7
+  metadata.gz: 55e78b206a8a6d0709a3ef1b0cf1b6d336c0d319c0477528074c0265e10cfdc5331563dbf26ee14df68664e716c1e87d9703812c26a27f5efdd0fca90cb94020
+  data.tar.gz: a4a7dd595baac2da7c2f714164cd21be7975ad774caa2b070e410bd52871c9b30ce29cc12dc370655fd6f9c60797ef10983cba14f4f38e01fd2af469ca13d4f0

data/VERSION

@@ -1 +1 @@
-0.18.1
+0.18.2

data/authpwn_rails.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: authpwn_rails 0.18.1 ruby lib
+# stub: authpwn_rails 0.18.2 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "authpwn_rails"
-  s.version = "0.18.1"
+  s.version = "0.18.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["Victor Costan"]
-  s.date = "2015-06-17"
+  s.date = "2015-06-21"
   s.description = "Works with Facebook."
   s.email = "victor@costan.us"
   s.extra_rdoc_files = [
@@ -131,7 +131,7 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "http://github.com/pwnall/authpwn_rails"
   s.licenses = ["MIT"]
-  s.rubygems_version = "2.4.6"
+  s.rubygems_version = "2.4.5"
   s.summary = "User authentication for Rails 4 applications."
 
   if s.respond_to? :specification_version then

data/lib/authpwn_rails/generators/templates/session_controller_test.rb

@@ -144,29 +144,39 @@ class SessionControllerTest < ActionController::TestCase
   end
 
   test "OmniAuth login via developer strategy and good account" do
-    old_token = credentials(:jane_session_token)
-    old_token.updated_at = Time.now - 1.year
-    old_token.save!
-
-    request.env['omniauth.auth'] = {
-        'provider' => @omniauth_credential.provider,
-        'uid' => @omniauth_credential.uid }
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_equal @user, session_current_user, 'session'
-    assert_redirected_to session_url
-    assert_nil Tokens::Base.with_code(old_token.code).first,
-               'old session not purged'
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      old_token = credentials(:jane_session_token)
+      old_token.updated_at = Time.now - 1.year
+      old_token.save!
+
+      request.env['omniauth.auth'] = {
+          'provider' => @omniauth_credential.provider,
+          'uid' => @omniauth_credential.uid }
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_equal @user, session_current_user, 'session'
+      assert_redirected_to session_url
+      assert_nil Tokens::Base.with_code(old_token.code).first,
+                 'old session not purged'
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 
   test "OmniAuth login via developer strategy and new account" do
-    request.env['omniauth.auth'] = {
-        'provider' => @omniauth_credential.provider,
-        'uid' => 'new_user_gmail_com_uid',
-        'info' => { 'email' => 'new_user@gmail.com' } }
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_not_nil session_current_user, 'session'
-    assert_equal true, Credentials::Email.with('new_user@gmail.com').verified?,
-        'newly created e-mail credential not verified'
-    assert_redirected_to session_url
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      request.env['omniauth.auth'] = {
+          'provider' => @omniauth_credential.provider,
+          'uid' => 'new_user_gmail_com_uid',
+          'info' => { 'email' => 'new_user@gmail.com' } }
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_not_nil session_current_user, 'session'
+      assert_equal true, Credentials::Email.with('new_user@gmail.com').verified?,
+          'newly created e-mail credential not verified'
+      assert_redirected_to session_url
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 end

data/lib/authpwn_rails/session_controller.rb

@@ -14,6 +14,9 @@ module SessionController
     skip_filter :authenticate_using_session
     authenticates_using_session except: [:create, :reset_password, :token]
 
+    # NOTE: The Omniauth callback uses POST in some cases.
+    skip_filter :verify_authenticity_token, only: [:omniauth]
+
     # If set, every successful login will cause a database purge.
     class_attribute :auto_purge_sessions
     self.auto_purge_sessions = true

data/test/helpers/action_controller.rb

@@ -1,2 +1,5 @@
 # Raise exceptions so we can test require / permit on params.
 ActionController::Parameters.action_on_unpermitted_parameters = :raise
+
+# By default, CSRF protection is turned off in tests.
+ActionController::Base.allow_forgery_protection = false

data/test/helpers/application_controller.rb

@@ -2,4 +2,7 @@
 class ApplicationController < ActionController::Base
   prepend_view_path File.expand_path(
       '../../../lib/authpwn_rails/generators/templates', __FILE__)
+
+  # This is necessary for testing CSRF exceptions in API calls.
+  protect_from_forgery with: :exception
 end

data/test/session_controller_api_test.rb

@@ -689,95 +689,131 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "omniauth logs in with good account details" do
-    request.env['omniauth.auth'] =
-        { 'provider' => @omniauth_credential.provider,
-          'uid' => @omniauth_credential.uid }
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_equal @user, assigns(:current_user), 'instance variable'
-    assert_equal @user, session_current_user, 'session'
-    assert_nil flash[:alert], 'no alert'
-    assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
-    assert_redirected_to session_url
+    ActionController::Base.allow_forgery_protection = true
+    begin
+
+      request.env['omniauth.auth'] =
+          { 'provider' => @omniauth_credential.provider,
+            'uid' => @omniauth_credential.uid }
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_equal @user, assigns(:current_user), 'instance variable'
+      assert_equal @user, session_current_user, 'session'
+      assert_nil flash[:alert], 'no alert'
+      assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
+      assert_redirected_to session_url
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 
   test "omniauth logs in with good account details and no User-Agent" do
-    request.headers['User-Agent'] = nil
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      request.headers['User-Agent'] = nil
 
-    request.env['omniauth.auth'] =
-        { 'provider' => @omniauth_credential.provider,
-          'uid' => @omniauth_credential.uid }
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_equal @user, assigns(:current_user), 'instance variable'
-    assert_equal @user, session_current_user, 'session'
-    assert_nil flash[:alert], 'no alert'
-    assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
-    assert_redirected_to session_url
+      request.env['omniauth.auth'] =
+          { 'provider' => @omniauth_credential.provider,
+            'uid' => @omniauth_credential.uid }
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_equal @user, assigns(:current_user), 'instance variable'
+      assert_equal @user, session_current_user, 'session'
+      assert_nil flash[:alert], 'no alert'
+      assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
+      assert_redirected_to session_url
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 
   test "omniauth purges sessions when logging in" do
-    BareSessionController.auto_purge_sessions = true
-    old_token = credentials(:jane_session_token)
-    old_token.updated_at = Time.now - 1.year
-    old_token.save!
-    request.env['omniauth.auth'] =
-        { 'provider' => @omniauth_credential.provider,
-          'uid' => @omniauth_credential.uid }
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_equal @user, session_current_user, 'session'
-    assert_nil Tokens::Base.with_code(old_token.code).first,
-               'old session not purged'
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      BareSessionController.auto_purge_sessions = true
+      old_token = credentials(:jane_session_token)
+      old_token.updated_at = Time.now - 1.year
+      old_token.save!
+      request.env['omniauth.auth'] =
+          { 'provider' => @omniauth_credential.provider,
+            'uid' => @omniauth_credential.uid }
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_equal @user, session_current_user, 'session'
+      assert_nil Tokens::Base.with_code(old_token.code).first,
+                 'old session not purged'
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 
   test "omniauth does not purge sessions if auto_purge_sessions is false" do
-    BareSessionController.auto_purge_sessions = false
-    old_token = credentials(:jane_session_token)
-    old_token.updated_at = Time.now - 1.year
-    old_token.save!
-    request.env['omniauth.auth'] =
-        { 'provider' => @omniauth_credential.provider,
-          'uid' => @omniauth_credential.uid }
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_equal @user, session_current_user, 'session'
-    assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
-               'old session purged'
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      BareSessionController.auto_purge_sessions = false
+      old_token = credentials(:jane_session_token)
+      old_token.updated_at = Time.now - 1.year
+      old_token.save!
+      request.env['omniauth.auth'] =
+          { 'provider' => @omniauth_credential.provider,
+            'uid' => @omniauth_credential.uid }
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_equal @user, session_current_user, 'session'
+      assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
+                 'old session purged'
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 
   test "omniauth does not purge sessions if not logged in" do
-    BareSessionController.auto_purge_sessions = true
-    old_token = credentials(:jane_session_token)
-    old_token.updated_at = Time.now - 1.year
-    old_token.save!
-    request.env['omniauth.auth'] =
-        { 'provider' => @omniauth_credential.provider, 'uid' => 'fail' }
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_nil session_current_user, 'session'
-    assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
-               'old session purged'
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      BareSessionController.auto_purge_sessions = true
+      old_token = credentials(:jane_session_token)
+      old_token.updated_at = Time.now - 1.year
+      old_token.save!
+      request.env['omniauth.auth'] =
+          { 'provider' => @omniauth_credential.provider, 'uid' => 'fail' }
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_nil session_current_user, 'session'
+      assert_equal old_token, Tokens::Base.with_code(old_token.code).first,
+                 'old session purged'
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 
   test "omniauth does not log in blocked accounts" do
-    request.env['omniauth.auth'] =
-        { 'provider' => @omniauth_credential.provider,
-          'uid' => @omniauth_credential.uid }
-    with_blocked_credential @omniauth_credential do
-      post :omniauth, provider: @omniauth_credential.provider
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      request.env['omniauth.auth'] =
+          { 'provider' => @omniauth_credential.provider,
+            'uid' => @omniauth_credential.uid }
+      with_blocked_credential @omniauth_credential do
+        post :omniauth, provider: @omniauth_credential.provider
+      end
+      assert_redirected_to new_session_url
+      assert_nil assigns(:current_user), 'instance variable'
+      assert_nil session_current_user, 'session'
+      assert_match(/ blocked/, flash[:alert])
+      assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
+    ensure
+      ActionController::Base.allow_forgery_protection = false
     end
-    assert_redirected_to new_session_url
-    assert_nil assigns(:current_user), 'instance variable'
-    assert_nil session_current_user, 'session'
-    assert_match(/ blocked/, flash[:alert])
-    assert_nil flash[:auth_redirect_url], 'no redirect URL in flash'
   end
 
   test "omniauth uses Credentials::OmniAuthUid.authenticate" do
-    omniauth_hash = { 'provider' => 'fail', 'uid' => 'fail' }
-    request.env['omniauth.auth'] = omniauth_hash
-    Credentials::OmniAuthUid.expects(:authenticate).at_least_once.
-        with(omniauth_hash).returns @omniauth_credential.user
-    post :omniauth, provider: @omniauth_credential.provider
-    assert_equal @user, assigns(:current_user), 'instance variable'
-    assert_equal @user, session_current_user, 'session'
-    assert_redirected_to session_url
+    ActionController::Base.allow_forgery_protection = true
+    begin
+      omniauth_hash = { 'provider' => 'fail', 'uid' => 'fail' }
+      request.env['omniauth.auth'] = omniauth_hash
+      Credentials::OmniAuthUid.expects(:authenticate).at_least_once.
+          with(omniauth_hash).returns @omniauth_credential.user
+      post :omniauth, provider: @omniauth_credential.provider
+      assert_equal @user, assigns(:current_user), 'instance variable'
+      assert_equal @user, session_current_user, 'session'
+      assert_redirected_to session_url
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
   end
 
   test "auth_controller? is true" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authpwn_rails
 version: !ruby/object:Gem::Version
-  version: 0.18.1
+  version: 0.18.2
 platform: ruby
 authors:
 - Victor Costan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-17 00:00:00.000000000 Z
+date: 2015-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -315,7 +315,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: User authentication for Rails 4 applications.