cbsorcery 0.8.6

data/spec/controllers/controller_oauth_spec.rb

@@ -0,0 +1,240 @@
+require 'spec_helper'
+
+# require 'shared_examples/controller_oauth_shared_examples'
+require 'ostruct'
+
+def stub_all_oauth_requests!
+  consumer = OAuth::Consumer.new("key","secret", :site => "http://myapi.com")
+  req_token = OAuth::RequestToken.new(consumer)
+  acc_token = OAuth::AccessToken.new(consumer)
+
+  response = OpenStruct.new()
+  response.body = {"following"=>false, "listed_count"=>0, "profile_link_color"=>"0084B4", "profile_image_url"=>"http://a1.twimg.com/profile_images/536178575/noamb_normal.jpg", "description"=>"Programmer/Heavy Metal Fan/New Father", "status"=>{"text"=>"coming soon to sorcery gem: twitter and facebook authentication support.", "truncated"=>false, "favorited"=>false, "source"=>"web", "geo"=>nil, "in_reply_to_screen_name"=>nil, "in_reply_to_user_id"=>nil, "in_reply_to_status_id_str"=>nil, "created_at"=>"Sun Mar 06 23:01:12 +0000 2011", "contributors"=>nil, "place"=>nil, "retweeted"=>false, "in_reply_to_status_id"=>nil, "in_reply_to_user_id_str"=>nil, "coordinates"=>nil, "retweet_count"=>0, "id"=>44533012284706816, "id_str"=>"44533012284706816"}, "show_all_inline_media"=>false, "geo_enabled"=>true, "profile_sidebar_border_color"=>"a8c7f7", "url"=>nil, "followers_count"=>10, "screen_name"=>"nbenari", "profile_use_background_image"=>true, "location"=>"Israel", "statuses_count"=>25, "profile_background_color"=>"022330", "lang"=>"en", "verified"=>false, "notifications"=>false, "profile_background_image_url"=>"http://a3.twimg.com/profile_background_images/104087198/04042010339.jpg", "favourites_count"=>5, "created_at"=>"Fri Nov 20 21:58:19 +0000 2009", "is_translator"=>false, "contributors_enabled"=>false, "protected"=>false, "follow_request_sent"=>false, "time_zone"=>"Greenland", "profile_text_color"=>"333333", "name"=>"Noam Ben Ari", "friends_count"=>10, "profile_sidebar_fill_color"=>"C0DFEC", "id"=>123, "id_str"=>"91434812", "profile_background_tile"=>false, "utc_offset"=>-10800}.to_json
+
+  session[:request_token] = req_token.token
+  session[:request_token_secret] = req_token.secret
+
+  allow(OAuth::Consumer).to receive(:new) { consumer }
+  allow(consumer).to receive(:get_request_token) { req_token }
+  allow(req_token).to receive(:get_access_token) { acc_token }
+  allow(OAuth::RequestToken).to receive(:new) { req_token }
+  allow(acc_token).to receive(:get) { response }
+end
+
+describe SorceryController do
+
+  let(:user) { double('user', id: 42) }
+
+  before(:all) do
+    sorcery_reload!([:external])
+    sorcery_controller_property_set(:external_providers, [:twitter, :jira])
+    sorcery_controller_external_property_set(:twitter, :key, "eYVNBjBDi33aa9GkA3w")
+    sorcery_controller_external_property_set(:twitter, :secret, "XpbeSdCoaKSmQGSeokz5qcUATClRW5u08QWNfv71N8")
+    sorcery_controller_external_property_set(:twitter, :callback_url, "http://blabla.com")
+
+    sorcery_controller_external_property_set(:jira, :key, "7810b8e317ebdc81601c72f8daecc0f1")
+    sorcery_controller_external_property_set(:jira, :secret, "MyAppUsingJira")
+    sorcery_controller_external_property_set(:jira, :site, "http://jira.mycompany.com/plugins/servlet/oauth")
+    sorcery_controller_external_property_set(:jira, :signature_method, "RSA-SHA1")
+    sorcery_controller_external_property_set(:jira, :private_key_file, "myrsakey.pem")
+    sorcery_controller_external_property_set(:jira, :callback_url, "http://myappusingjira.com/home")
+  end
+
+  # ----------------- OAuth -----------------------
+  describe SorceryController, "'using external API to login'" do
+
+    before(:each) do
+      stub_all_oauth_requests!
+    end
+
+    context "when callback_url begin with /" do
+      before do
+        sorcery_controller_external_property_set(:twitter, :callback_url, "/oauth/twitter/callback")
+      end
+      it "login_at redirects correctly" do
+        get :login_at_test
+        expect(response).to be_a_redirect
+        expect(response).to redirect_to("http://myapi.com/oauth/authorize?oauth_callback=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&oauth_token=")
+      end
+      after do
+        sorcery_controller_external_property_set(:twitter, :callback_url, "http://blabla.com")
+      end
+    end
+
+    context "when callback_url begin with http://" do
+      it "login_at redirects correctly", pending: true do
+        get :login_at_test
+        expect(response).to be_a_redirect
+        expect(response).to redirect_to("http://myapi.com/oauth/authorize?oauth_callback=http%3A%2F%2Fblabla.com&oauth_token=")
+      end
+    end
+
+    it "logins if user exists" do
+      expect(User).to receive(:load_from_provider).with(:twitter, '123').and_return(user)
+
+      get :test_login_from, :oauth_verifier => "blablaRERASDFcxvSDFA"
+      expect(flash[:notice]).to eq "Success!"
+    end
+
+    it "'login_from' fails if user doesn't exist" do
+      expect(User).to receive(:load_from_provider).with(:twitter, '123').and_return(nil)
+
+      get :test_login_from, :oauth_verifier => "blablaRERASDFcxvSDFA"
+      expect(flash[:alert]).to eq "Failed!"
+    end
+
+    it "on successful 'login_from' the user is redirected to the url he originally wanted" do
+      expect(User).to receive(:load_from_provider).with(:twitter, '123').and_return(user)
+      get :test_return_to_with_external, {}, :return_to_url => "fuu"
+      expect(response).to redirect_to("fuu")
+      expect(flash[:notice]).to eq "Success!"
+    end
+
+    context "when jira" do
+      it "user logins successfully" do
+        get :login_at_test_jira
+        expect(session[:request_token]).not_to be_nil
+        expect(response).to be_a_redirect
+      end
+    end
+
+  end
+
+  describe SorceryController do
+    describe "using 'create_from'" do
+      before(:each) do
+        stub_all_oauth_requests!
+      end
+
+      it "creates a new user" do
+        sorcery_controller_external_property_set(:twitter, :user_info_mapping, {:username => "screen_name"})
+        expect(User).to receive(:load_from_provider).with('twitter', '123').and_return(nil)
+        expect(User).to receive(:create_from_provider).with('twitter', '123', {username: 'nbenari'}).and_return(user)
+
+        get :test_create_from_provider, :provider => "twitter"
+      end
+
+      it "supports nested attributes" do
+        sorcery_controller_external_property_set(:twitter, :user_info_mapping, {:username => "status/text"})
+        expect(User).to receive(:load_from_provider).with('twitter', '123').and_return(nil)
+        expect(User).to receive(:create_from_provider).with('twitter', '123', {username: 'coming soon to sorcery gem: twitter and facebook authentication support.'}).and_return(user)
+
+        get :test_create_from_provider, :provider => "twitter"
+      end
+
+      it "does not crash on missing nested attributes" do
+        sorcery_controller_external_property_set(:twitter, :user_info_mapping, {:username => "status/text", :created_at => "does/not/exist"})
+        expect(User).to receive(:load_from_provider).with('twitter', '123').and_return(nil)
+        expect(User).to receive(:create_from_provider).with('twitter', '123', {username: 'coming soon to sorcery gem: twitter and facebook authentication support.'}).and_return(user)
+
+        get :test_create_from_provider, :provider => "twitter"
+      end
+
+      it "binds new provider" do
+        sorcery_model_property_set(:authentications_class, UserProvider)
+
+        allow(user).to receive_message_chain(:sorcery_config, :username_attribute_names, :first) { :username }
+        allow(user).to receive(:username).and_return('bla@bla.com')
+        login_user(user)
+
+        expect(user).to receive(:add_provider_to_user).with('twitter', '123')
+        get :test_add_second_provider, :provider => "twitter"
+      end
+
+      describe "with a block" do
+        it "does not create user" do
+          sorcery_model_property_set(:authentications_class, Authentication)
+          sorcery_controller_external_property_set(:twitter, :user_info_mapping, {:username => "screen_name"})
+
+          u = double('user')
+          expect(User).to receive(:load_from_provider).with('twitter', '123').and_return(nil)
+          expect(User).to receive(:create_from_provider).with('twitter', '123', {username: 'nbenari'}).and_return(u).and_yield(u)
+
+          get :test_create_from_provider_with_block, :provider => "twitter"
+        end
+
+      end
+    end
+  end
+
+  describe SorceryController, "OAuth with user activation features"  do
+    before(:all) do
+      sorcery_reload!([:activity_logging, :external])
+    end
+
+    context "when twitter" do
+      before(:each) do
+        sorcery_controller_property_set(:register_login_time, true)
+        sorcery_controller_property_set(:register_logout_time, false)
+        sorcery_controller_property_set(:register_last_activity_time, false)
+        sorcery_controller_property_set(:register_last_ip_address, false)
+        stub_all_oauth_requests!
+      end
+
+      it "registers login time" do
+        now = Time.now.in_time_zone
+        Timecop.freeze(now)
+        expect(User).to receive(:load_from_provider).and_return(user)
+        expect(user).to receive(:set_last_login_at).with(be_within(0.1).of(now))
+        get :test_login_from
+        Timecop.return
+      end
+
+      it "does not register login time if configured so" do
+        sorcery_controller_property_set(:register_login_time, false)
+        now = Time.now.in_time_zone
+        Timecop.freeze(now)
+        expect(User).to receive(:load_from_provider).and_return(user)
+        expect(user).to receive(:set_last_login_at).never
+        get :test_login_from
+        Timecop.return
+      end
+    end
+  end
+
+  describe SorceryController, "OAuth with session timeout features" do
+    before(:all) do
+      if SORCERY_ORM == :active_record
+        ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate/external")
+        User.reset_column_information
+      end
+
+      sorcery_reload!([:session_timeout, :external])
+    end
+
+    after(:all) do
+      if SORCERY_ORM == :active_record
+        ActiveRecord::Migrator.rollback("#{Rails.root}/db/migrate/external")
+      end
+    end
+
+    context "when twitter" do
+      before(:each) do
+        sorcery_model_property_set(:authentications_class, Authentication)
+        sorcery_controller_property_set(:session_timeout,0.5)
+        stub_all_oauth_requests!
+      end
+
+      after(:each) do
+        Timecop.return
+      end
+
+      it "does not reset session before session timeout" do
+        expect(User).to receive(:load_from_provider).with(:twitter, '123').and_return(user)
+        get :test_login_from
+
+        expect(session[:user_id]).not_to be_nil
+        expect(flash[:notice]).to eq "Success!"
+      end
+
+      it "resets session after session timeout" do
+        get :test_login_from
+        Timecop.travel(Time.now.in_time_zone+0.6)
+        get :test_should_be_logged_in
+
+        expect(session[:user_id]).to be_nil
+        expect(response).to be_a_redirect
+      end
+    end
+  end
+end

data/spec/controllers/controller_remember_me_spec.rb

@@ -0,0 +1,117 @@
+require 'spec_helper'
+
+describe SorceryController do
+
+  let!(:user) { double('user', id: 42) }
+
+  # ----------------- REMEMBER ME -----------------------
+  context "with remember me features" do
+
+    before(:all) do
+      sorcery_reload!([:remember_me])
+    end
+
+    after(:each) do
+      session = nil
+      cookies = nil
+    end
+
+    before(:each) do
+      allow(user).to receive(:remember_me_token)
+      allow(user).to receive(:remember_me_token_expires_at)
+      allow(user).to receive_message_chain(:sorcery_config, :remember_me_token_attribute_name).and_return(:remember_me_token)
+      allow(user).to receive_message_chain(:sorcery_config, :remember_me_token_expires_at_attribute_name).and_return(:remember_me_token_expires_at)
+    end
+
+    it "sets cookie on remember_me!" do
+      expect(User).to receive(:authenticate).with('bla@bla.com', 'secret').and_return(user)
+      expect(user).to receive(:remember_me!)
+
+      post :test_login_with_remember, :email => 'bla@bla.com', :password => 'secret'
+
+      expect(cookies.signed["remember_me_token"]).to eq assigns[:current_user].remember_me_token
+    end
+
+    it "clears cookie on forget_me!" do
+      cookies["remember_me_token"] == {:value => 'asd54234dsfsd43534', :expires => 3600}
+      get :test_logout
+
+      expect(cookies["remember_me_token"]).to be_nil
+    end
+
+    it "login(email,password,remember_me) logs user in and remembers" do
+      expect(User).to receive(:authenticate).with('bla@bla.com', 'secret', '1').and_return(user)
+      expect(user).to receive(:remember_me!)
+      expect(user).to receive(:remember_me_token).and_return('abracadabra').twice
+
+      post :test_login_with_remember_in_login, :email => 'bla@bla.com', :password => 'secret', :remember => "1"
+
+      expect(cookies.signed["remember_me_token"]).not_to be_nil
+      expect(cookies.signed["remember_me_token"]).to eq assigns[:user].remember_me_token
+    end
+
+    it "logout also calls forget_me!" do
+      session[:user_id] = user.id.to_s
+			expect(User.sorcery_adapter).to receive(:find_by_id).with(user.id.to_s).and_return(user)
+      expect(user).to receive(:remember_me!)
+      expect(user).to receive(:forget_me!)
+      get :test_logout_with_remember
+
+      expect(cookies["remember_me_token"]).to be_nil
+    end
+
+    it "logs user in from cookie" do
+			session[:user_id] = user.id.to_s
+			expect(User.sorcery_adapter).to receive(:find_by_id).with(user.id.to_s).and_return(user)
+      expect(user).to receive(:remember_me!)
+      expect(user).to receive(:remember_me_token).and_return('token').twice
+      expect(user).to receive(:has_remember_me_token?) { true }
+
+      subject.remember_me!
+      subject.instance_eval do
+        remove_instance_variable :@current_user
+      end
+      session[:user_id] = nil
+
+      expect(User.sorcery_adapter).to receive(:find_by_remember_me_token).with('token').and_return(user)
+
+      get :test_login_from_cookie
+
+      expect(assigns[:current_user]).to eq user
+    end
+
+    it "doest not remember_me! when not asked to, even if third parameter is used" do
+      post :test_login_with_remember_in_login, :email => 'bla@bla.com', :password => 'secret', :remember => "0"
+
+      expect(cookies["remember_me_token"]).to be_nil
+    end
+
+    it "doest not remember_me! when not asked to" do
+      post :test_login, :email => 'bla@bla.com', :password => 'secret'
+      expect(cookies["remember_me_token"]).to be_nil
+    end
+
+    # --- login_user(user) ---
+    specify { expect(@controller).to respond_to :auto_login }
+
+    it "auto_login(user) logs in an user instance without remembering" do
+      session[:user_id] = nil
+      subject.auto_login(user)
+      get :test_login_from_cookie
+
+      expect(assigns[:current_user]).to eq user
+      expect(cookies["remember_me_token"]).to be_nil
+    end
+
+    it "auto_login(user, true) logs in an user instance with remembering" do
+      session[:user_id] = nil
+      expect(user).to receive(:remember_me!)
+      subject.auto_login(user, true)
+
+      get :test_login_from_cookie
+
+      expect(assigns[:current_user]).to eq user
+      expect(cookies["remember_me_token"]).not_to be_nil
+    end
+  end
+end

data/spec/controllers/controller_session_timeout_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+describe SorceryController do
+
+  let!(:user) { double('user', id: 42) }
+
+  # ----------------- SESSION TIMEOUT -----------------------
+  context "with session timeout features" do
+    before(:all) do
+      sorcery_reload!([:session_timeout])
+      sorcery_controller_property_set(:session_timeout,0.5)
+    end
+
+    after(:each) do
+      Timecop.return
+    end
+
+    before(:each) do
+      allow(user).to receive(:username)
+      allow(user).to receive_message_chain(:sorcery_config, :username_attribute_names, :first) { :username }
+    end
+
+    it "does not reset session before session timeout" do
+      login_user user
+      get :test_should_be_logged_in
+
+      expect(session[:user_id]).not_to be_nil
+      expect(response).to be_a_success
+    end
+
+    it "resets session after session timeout" do
+      login_user user
+      Timecop.travel(Time.now.in_time_zone+0.6)
+      get :test_should_be_logged_in
+
+      expect(session[:user_id]).to be_nil
+      expect(response).to be_a_redirect
+    end
+
+    it "works if the session is stored as a string or a Time" do
+      session[:login_time] = Time.now.to_s
+      # TODO: ???
+      expect(User).to receive(:authenticate).with('bla@bla.com', 'secret').and_return(user)
+
+      get :test_login, :email => 'bla@bla.com', :password => 'secret'
+
+      expect(session[:user_id]).not_to be_nil
+      expect(response).to be_a_success
+    end
+
+    context "with 'session_timeout_from_last_action'" do
+      it "does not logout if there was activity" do
+        sorcery_controller_property_set(:session_timeout_from_last_action, true)
+        expect(User).to receive(:authenticate).with('bla@bla.com', 'secret').and_return(user)
+
+        get :test_login, :email => 'bla@bla.com', :password => 'secret'
+        Timecop.travel(Time.now.in_time_zone+0.3)
+        get :test_should_be_logged_in
+
+        expect(session[:user_id]).not_to be_nil
+
+        Timecop.travel(Time.now.in_time_zone+0.3)
+        get :test_should_be_logged_in
+
+        expect(session[:user_id]).not_to be_nil
+        expect(response).to be_a_success
+      end
+
+      it "with 'session_timeout_from_last_action' logs out if there was no activity" do
+        sorcery_controller_property_set(:session_timeout_from_last_action, true)
+        get :test_login, :email => 'bla@bla.com', :password => 'secret'
+        Timecop.travel(Time.now.in_time_zone+0.6)
+        get :test_should_be_logged_in
+
+        expect(session[:user_id]).to be_nil
+        expect(response).to be_a_redirect
+      end
+    end
+  end
+end

data/spec/controllers/controller_spec.rb

@@ -0,0 +1,215 @@
+require 'spec_helper'
+
+describe SorceryController do
+  describe "plugin configuration" do
+    before(:all) do
+      sorcery_reload!
+    end
+
+    after(:each) do
+      Sorcery::Controller::Config.reset!
+      sorcery_reload!
+    end
+
+    it "enables configuration option 'user_class'" do
+      sorcery_controller_property_set(:user_class, "TestUser")
+
+      expect(Sorcery::Controller::Config.user_class).to eq "TestUser"
+    end
+
+    it "enables configuration option 'not_authenticated_action'" do
+      sorcery_controller_property_set(:not_authenticated_action, :my_action)
+
+      expect(Sorcery::Controller::Config.not_authenticated_action).to eq :my_action
+    end
+
+  end
+
+  # ----------------- PLUGIN ACTIVATED -----------------------
+  context "when activated with sorcery" do
+    let(:user) { double('user', id: 42) }
+
+    before(:all) do
+      sorcery_reload!
+    end
+
+    after(:each) do
+      Sorcery::Controller::Config.reset!
+      sorcery_reload!
+      sorcery_controller_property_set(:user_class, User)
+      sorcery_model_property_set(:username_attribute_names, [:email])
+    end
+
+    specify { should respond_to(:login) }
+
+    specify { should respond_to(:logout) }
+
+    specify { should respond_to(:logged_in?) }
+
+    specify { should respond_to(:current_user) }
+
+    it "login(username,password) returns the user when success and set the session with user.id" do
+      expect(User).to receive(:authenticate).with('bla@bla.com', 'secret').and_return(user)
+
+      get :test_login, :email => 'bla@bla.com', :password => 'secret'
+
+      expect(assigns[:user]).to eq user
+      expect(session[:user_id]).to eq "42"
+    end
+
+    it "login(email,password) returns the user when success and set the session with user.id" do
+      expect(User).to receive(:authenticate).with('bla@bla.com', 'secret').and_return(user)
+
+      get :test_login, :email => 'bla@bla.com', :password => 'secret'
+
+      expect(assigns[:user]).to eq user
+      expect(session[:user_id]).to eq user.id.to_s
+    end
+
+    it "login(username,password) returns nil and not set the session when failure" do
+      expect(User).to receive(:authenticate).with('bla@bla.com', 'opensesame!').and_return(nil)
+
+      get :test_login, :email => 'bla@bla.com', :password => 'opensesame!'
+
+      expect(assigns[:user]).to be_nil
+      expect(session[:user_id]).to be_nil
+    end
+
+    it "login(email,password) returns the user when success and set the session with the _csrf_token" do
+      expect(User).to receive(:authenticate).with('bla@bla.com', 'secret').and_return(user)
+      get :test_login, :email => 'bla@bla.com', :password => 'secret'
+
+      expect(session[:_csrf_token]).not_to be_nil
+    end
+
+    it "login(username,password) returns nil and not set the session when upper case username" do
+      get :test_login, :email => 'BLA@BLA.COM', :password => 'secret'
+
+      expect(assigns[:user]).to be_nil
+      expect(session[:user_id]).to be_nil
+    end
+
+    # TODO: move test to model
+    it "login(username,password) returns the user and set the session with user.id when upper case username and config is downcase before authenticating" do
+      sorcery_model_property_set(:downcase_username_before_authenticating, true)
+      expect(User).to receive(:authenticate).with('BLA@BLA.COM', 'secret').and_return(user)
+      get :test_login, :email => 'BLA@BLA.COM', :password => 'secret'
+
+      expect(assigns[:user]).to eq user
+      expect(session[:user_id]).to eq user.id.to_s
+    end
+
+    # TODO: move test to model
+    it "login(username,password) returns nil and not set the session when user was created with upper case username, config is default, and log in username is lower case" do
+      expect(User).to receive(:authenticate).with('bla1@bla.com', 'secret1').and_return(nil)
+      get :test_login, :email => 'bla1@bla.com', :password => 'secret1'
+
+      expect(assigns[:user]).to be_nil
+      expect(session[:user_id]).to be_nil
+    end
+
+    # TODO: move test to model
+    it "login(username,password) returns the user and set the session with user.id when user was created with upper case username and config is downcase before authenticating" do
+      sorcery_model_property_set(:downcase_username_before_authenticating, true)
+      expect(User).to receive(:authenticate).with('bla1@bla.com', 'secret1').and_return(user)
+      get :test_login, :email => 'bla1@bla.com', :password => 'secret1'
+
+      expect(assigns[:user]).to eq user
+      expect(session[:user_id]).to eq user.id.to_s
+    end
+
+    it "logout clears the session" do
+      cookies[:remember_me_token] = nil
+      session[:user_id] = user.id.to_s
+      expect(User.sorcery_adapter).to receive(:find_by_id).with("42") { user }
+      get :test_logout
+
+      expect(session[:user_id]).to be_nil
+    end
+
+    it "logged_in? returns true if logged in" do
+      session[:user_id] = user.id.to_s
+      expect(User.sorcery_adapter).to receive(:find_by_id).with("42") { user }
+
+      expect(subject.logged_in?).to be true
+    end
+
+    it "logged_in? returns false if not logged in" do
+      session[:user_id] = nil
+
+      expect(subject.logged_in?).to be false
+    end
+
+    it "current_user returns the user instance if logged in" do
+      session[:user_id] = user.id.to_s
+      expect(User.sorcery_adapter).to receive(:find_by_id).with("42") { user }
+
+      2.times { expect(subject.current_user).to eq user } # memoized!
+    end
+
+    it "current_user returns false if not logged in" do
+      session[:user_id] = nil
+      expect(User.sorcery_adapter).to_not receive(:find_by_id)
+
+      2.times { expect(subject.current_user).to be_nil } # memoized!
+    end
+
+    specify { should respond_to(:require_login) }
+
+    it "calls the configured 'not_authenticated_action' when authenticate before_filter fails" do
+      session[:user_id] = nil
+      sorcery_controller_property_set(:not_authenticated_action, :test_not_authenticated_action)
+      get :test_logout
+
+      expect(response.body).to eq "test_not_authenticated_action"
+    end
+
+    it "require_login before_filter saves the url that the user originally wanted" do
+      get :some_action
+
+      expect(session[:return_to_url]).to eq "http://test.host/some_action"
+      expect(response).to redirect_to("http://test.host/")
+    end
+
+    it "require_login before_filter does not save the url that the user originally wanted upon all non-get http methods" do
+      [:post, :put, :delete].each do |m|
+        self.send(m, :some_action)
+
+        expect(session[:return_to_url]).to be_nil
+      end
+    end
+
+    it "on successful login the user is redirected to the url he originally wanted" do
+      session[:return_to_url] = "http://test.host/some_action"
+      post :test_return_to, :email => 'bla@bla.com', :password => 'secret'
+
+      expect(response).to redirect_to("http://test.host/some_action")
+      expect(flash[:notice]).to eq "haha!"
+    end
+
+
+    # --- auto_login(user) ---
+    specify { should respond_to(:auto_login) }
+
+    it "auto_login(user) los in a user instance" do
+      session[:user_id] = nil
+      subject.auto_login(user)
+
+      expect(subject.logged_in?).to be true
+    end
+
+    it "auto_login(user) works even if current_user was already set to false" do
+      get :test_logout
+
+      expect(session[:user_id]).to be_nil
+      expect(subject.current_user).to be_nil
+
+      expect(User).to receive(:first) { user }
+
+      get :test_auto_login
+
+      expect(assigns[:result]).to eq user
+    end
+  end
+
+end