clearance 1.0.0.rc7 → 1.0.0.rc8

data/lib/clearance/configuration.rb

@@ -2,6 +2,7 @@ module Clearance
   class Configuration
     attr_accessor \
       :cookie_expiration,
+      :httponly,
       :mailer_sender,
       :password_strategy,
       :redirect_url,
@@ -10,6 +11,7 @@ module Clearance
 
     def initialize
       @cookie_expiration = lambda { 1.year.from_now.utc }
+      @httponly = false
       @mailer_sender = 'reply@example.com'
       @secure_cookie = false
       @redirect_url = '/'

data/lib/clearance/engine.rb

@@ -7,6 +7,6 @@ module Clearance
       app.config.filter_parameters += [:password, :token]
     end
 
-    config.app_middleware.insert_after ActionDispatch::Cookies, Clearance::RackSession
+    config.app_middleware.insert_after ActionDispatch::ParamsParser, Clearance::RackSession
   end
 end

data/lib/clearance/session.rb

@@ -7,15 +7,15 @@ module Clearance
     end
 
     def add_cookie_to_headers(headers)
-      if signed_in?
-        Rack::Utils.set_cookie_header!(
-          headers, REMEMBER_TOKEN_COOKIE,
-          :value => current_user.remember_token,
-          :expires => Clearance.configuration.cookie_expiration.call,
-          :secure => Clearance.configuration.secure_cookie,
-          :path => '/'
-        )
-      end
+      Rack::Utils.set_cookie_header!(
+        headers,
+        REMEMBER_TOKEN_COOKIE,
+        :value => remember_token,
+        :expires => Clearance.configuration.cookie_expiration.call,
+        :secure => Clearance.configuration.secure_cookie,
+        :httponly => Clearance.configuration.httponly,
+        :path => '/'
+      )
     end
 
     def current_user
@@ -26,6 +26,7 @@ module Clearance
 
     def sign_in(user)
       @current_user = user
+      cookies[REMEMBER_TOKEN_COOKIE] = @current_user.remember_token
     end
 
     def sign_out
@@ -56,8 +57,8 @@ module Clearance
     end
 
     def with_remember_token
-      if token = remember_token
-        yield token
+      if remember_token
+        yield remember_token
       end
     end
   end

data/lib/clearance/testing.rb

@@ -2,10 +2,6 @@ require 'clearance/testing/assertion_error'
 require 'clearance/testing/deny_access_matcher'
 require 'clearance/testing/helpers'
 
-Clearance.configure do |config|
-  config.password_strategy = Clearance::PasswordStrategies::Fake
-end
-
 if defined?(ActionController::TestCase)
   ActionController::TestCase.extend Clearance::Testing::Matchers
 

data/lib/clearance/testing/application.rb

@@ -4,41 +4,40 @@ module Clearance
   module Testing
     APP_ROOT = File.expand_path('..', __FILE__).freeze
 
-    class Application < Rails::Application
-      config.encoding = "utf-8"
-      config.action_mailer.default_url_options = { :host => 'localhost' }
-
-      if Rails::VERSION::MAJOR >= 3 && Rails::VERSION::MINOR >= 1
-        config.paths['config/database'] = "#{APP_ROOT}/config/database.yml"
-        config.paths['config/routes'] << "#{APP_ROOT}/config/routes.rb"
-        config.paths['app/controllers'] << "#{APP_ROOT}/app/controllers"
-        config.paths['app/views'] << "#{APP_ROOT}/app/views"
-        config.paths['log'] = "tmp/log/development.log"
-        config.assets.enabled = true
-      else
-        config.paths.config.database = "#{APP_ROOT}/config/database.yml"
-        config.paths.config.routes << "#{APP_ROOT}/config/routes.rb"
-        config.paths.app.controllers << "#{APP_ROOT}/app/controllers"
-        config.paths.app.views << "#{APP_ROOT}/app/views"
-        config.paths.log = "tmp/log"
-      end
+    def self.rails4?
+      Rails::VERSION::MAJOR == 4
+    end
 
-      config.cache_classes = true
-      config.whiny_nils = true
-      config.consider_all_requests_local = true
+    class Application < Rails::Application
+      config.action_controller.allow_forgery_protection = false
       config.action_controller.perform_caching = false
       config.action_dispatch.show_exceptions = false
-      config.action_controller.allow_forgery_protection = false
+      config.action_mailer.default_url_options = { :host => 'localhost' }
       config.action_mailer.delivery_method = :test
       config.active_support.deprecation = :stderr
-      config.secret_token = "SECRET_TOKEN_IS_MIN_30_CHARS_LONG"
+      config.assets.enabled = true
+      config.cache_classes = true
+      config.consider_all_requests_local = true
+      config.eager_load = false
+      config.encoding = 'utf-8'
+      config.paths['app/controllers'] << "#{APP_ROOT}/app/controllers"
+      config.paths['app/views'] << "#{APP_ROOT}/app/views"
+      config.paths['config/database'] = "#{APP_ROOT}/config/database.yml"
+      config.paths['log'] = 'tmp/log/development.log'
+      config.secret_token = 'SECRET_TOKEN_IS_MIN_30_CHARS_LONG'
+
+      if Clearance::Testing.rails4?
+        config.paths.add 'config/routes.rb', with: "#{APP_ROOT}/config/routes.rb"
+      else
+        config.paths.add 'config/routes', with: "#{APP_ROOT}/config/routes.rb"
+      end
 
       def require_environment!
         initialize!
       end
 
       def initialize!
-        FileUtils.mkdir_p(Rails.root.join("db").to_s)
+        FileUtils.mkdir_p(Rails.root.join('db').to_s)
         super unless @initialized
       end
     end

data/lib/clearance/testing/helpers.rb

@@ -15,7 +15,7 @@ module Clearance
       end
 
       def sign_out
-        @controller.current_user = nil
+        @controller.sign_out
       end
     end
   end

data/lib/clearance/user.rb

@@ -11,16 +11,13 @@ module Clearance
 
       include Validations
       include Callbacks
-      include(
-        Clearance.configuration.password_strategy ||
-        Clearance::PasswordStrategies::BCrypt
-      )
+      include password_strategy
     end
 
     module ClassMethods
       def authenticate(email, password)
         if user = find_by_normalized_email(email)
-          if user.authenticated? password
+          if password.present? && user.authenticated?(password)
             return user
           end
         end
@@ -33,6 +30,12 @@ module Clearance
       def normalize_email(email)
         email.to_s.downcase.gsub(/\s+/, "")
       end
+
+      private
+
+      def password_strategy
+        Clearance.configuration.password_strategy || PasswordStrategies::BCrypt
+      end
     end
 
     module Validations
@@ -45,7 +48,7 @@ module Clearance
           uniqueness: { allow_blank: true },
           unless: :email_optional?
 
-        validates :password, presence: true, unless: :password_optional?
+        validates :password, presence: true, unless: :skip_password_validation?
       end
     end
 
@@ -90,6 +93,14 @@ module Clearance
       false
     end
 
+    def password_optional?
+      false
+    end
+
+    def skip_password_validation?
+      password_optional? || (encrypted_password.present? && !password_changing)
+    end
+
     def generate_confirmation_token
       self.confirmation_token = SecureRandom.hex(20).encode('UTF-8')
     end
@@ -97,9 +108,5 @@ module Clearance
     def generate_remember_token
       self.remember_token = SecureRandom.hex(20).encode('UTF-8')
     end
-
-    def password_optional?
-      encrypted_password.present? && password.blank? && password_changing.blank?
-    end
   end
 end

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = '1.0.0.rc7'
+  VERSION = '1.0.0.rc8'
 end

data/lib/generators/clearance/specs/templates/{integration → features}/clearance/visitor_resets_password_spec.rb

@@ -1,6 +1,14 @@
 require 'spec_helper'
 
 feature 'Visitor resets password' do
+  scenario 'by navigating to the page' do
+    visit sign_in_path
+
+    click_link I18n.t('sessions.form.forgot_password')
+
+    current_path.should eq new_password_path
+  end
+
   scenario 'with valid email' do
     user = user_with_reset_password
 
@@ -25,4 +33,20 @@ feature 'Visitor resets password' do
   def page_should_display_change_password_message
     page.should have_content I18n.t('passwords.create.description')
   end
+
+  def mailer_should_have_delivery(recipient, subject, body)
+    ActionMailer::Base.deliveries.should_not be_empty
+
+    message = ActionMailer::Base.deliveries.any? do |email|
+      email.to == [recipient] &&
+        email.subject =~ /#{subject}/i &&
+        email.body =~ /#{body}/
+    end
+
+    message.should be
+  end
+
+  def mailer_should_have_no_deliveries
+    ActionMailer::Base.deliveries.should be_empty
+  end
 end

data/lib/generators/clearance/specs/templates/{integration → features}/clearance/visitor_signs_up_spec.rb

@@ -1,6 +1,14 @@
 require 'spec_helper'
 
 feature 'Visitor signs up' do
+  scenario 'by navigating to the page' do
+    visit sign_in_path
+
+    click_link I18n.t('sessions.form.sign_up')
+
+    current_path.should eq sign_up_path
+  end
+
   scenario 'with valid email and password' do
     sign_up_with 'valid@example.com', 'password'
 

data/lib/generators/clearance/specs/templates/support/features.rb

@@ -0,0 +1,5 @@
+Dir[Rails.root.join('spec/support/features/*.rb')].each { |f| require f }
+
+RSpec.configure do |config|
+  config.include Features::ClearanceHelpers, :type => :feature
+end

data/lib/generators/clearance/specs/templates/support/{integration → features}/clearance_helpers.rb

@@ -1,4 +1,4 @@
-module Integration
+module Features
   module ClearanceHelpers
     def sign_up_with(email, password)
       visit sign_up_path

data/spec/clearance/session_spec.rb

@@ -38,6 +38,33 @@ describe Clearance::Session do
     session.current_user.should == user
   end
 
+  context 'if httponly is set' do
+    before do
+      Clearance.configuration.httponly = true
+      session.sign_in(user)
+    end
+
+    it 'sets a httponly cookie' do
+      session.add_cookie_to_headers(headers)
+
+      headers['Set-Cookie'].should =~ /remember_token=.+; HttpOnly/
+    end
+
+    after { restore_default_config }
+  end
+
+  context 'if httponly is not set' do
+    before do
+      session.sign_in(user)
+    end
+
+    it 'sets a standard cookie' do
+      session.add_cookie_to_headers(headers)
+
+      headers['Set-Cookie'].should_not =~ /remember_token=.+; HttpOnly/
+    end
+  end
+
   it 'sets a remember token cookie with a default expiration of 1 year from now' do
     user = create(:user)
     headers = {}

data/spec/controllers/apis_controller_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+class ApisController < ActionController::Base
+  include Clearance::Controller
+
+  before_filter :authorize
+
+  respond_to :js
+
+  def show
+    render text: 'response'
+  end
+
+  protected
+
+  def authorize
+    deny_access 'Access denied.'
+  end
+end
+
+describe ApisController do
+  before do
+    Rails.application.routes.draw do
+      resource :api, only: [:show]
+    end
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  it 'responds with HTTP status code 401 when denied' do
+    get :show, format: :js
+    subject.should respond_with(:unauthorized)
+  end
+end

data/spec/controllers/passwords_controller_spec.rb

@@ -1,13 +1,6 @@
 require 'spec_helper'
 
 describe Clearance::PasswordsController do
-  include Shoulda::Matchers::ActionMailer
-
-  it {
-   should route(:get, '/users/1/password/edit').
-     to(:controller => 'clearance/passwords', :action  => 'edit', :user_id => '1')
-  }
-
   describe 'a signed up user' do
     before do
       @user = create(:user)
@@ -31,7 +24,11 @@ describe Clearance::PasswordsController do
           @user.reload.confirmation_token.should_not be_nil
         end
 
-        it { should have_sent_email.with_subject(/change your password/i) }
+        it 'sends an email with relevant subject' do
+          email = ActionMailer::Base.deliveries.last
+          email.subject.should match(/change your password/i)
+        end
+
         it { should respond_with(:success) }
       end
 
@@ -45,7 +42,11 @@ describe Clearance::PasswordsController do
           @user.reload.confirmation_token.should_not be_nil
         end
 
-        it { should have_sent_email.with_subject(/change your password/i) }
+        it 'sends an email with relevant subject' do
+          email = ActionMailer::Base.deliveries.last
+          email.subject.should match(/change your password/i)
+        end
+
         it { should respond_with(:success) }
       end
 
@@ -113,14 +114,15 @@ describe Clearance::PasswordsController do
     describe 'on PUT to #update with password' do
       before do
         @new_password = 'new_password'
-        @user.encrypted_password.should_not == @new_password
+        @old_encrypted_password = @user.encrypted_password
+
         put :update, :user_id => @user, :token => @user.confirmation_token,
           :password_reset => { :password => @new_password }
         @user.reload
       end
 
       it 'should update password' do
-        @user.encrypted_password.should == @new_password
+        @user.encrypted_password.to_s.should_not eq @old_encrypted_password
       end
 
       it 'should clear confirmation token' do

data/spec/controllers/sessions_controller_spec.rb

@@ -9,6 +9,19 @@ describe Clearance::SessionsController do
     it { should_not set_the_flash }
   end
 
+  context 'when password is optional' do
+    describe 'POST create' do
+      it 'renders the page with error' do
+        user = create(:user_with_optional_password)
+
+        post :create, session: { email: user.email, password: user.password }
+
+        expect(response).to render_template(:new)
+        expect(flash[:notice]).to match /^Bad email or password/
+      end
+    end
+  end
+
   describe 'on POST to #create with good credentials' do
     before do
       @user = create(:user)
@@ -40,33 +53,6 @@ describe Clearance::SessionsController do
     end
   end
 
-  describe 'on POST to #create with good credentials and a request return url' do
-    before do
-      @user = create(:user)
-      @return_url = '/url_in_the_request'
-      post :create, :session => { :email => @user.email, :password  => @user.password },
-        :return_to => @return_url
-    end
-
-    it 'redirects to the return URL' do
-      should redirect_to(@return_url)
-    end
-  end
-
-  describe 'on POST to #create with good credentials and a session return url and request return url' do
-    before do
-      @user = create(:user)
-      @return_url = '/url_in_the_session'
-      @request.session[:return_to] = @return_url
-      post :create, :session => { :email => @user.email, :password => @user.password },
-        :return_to => '/url_in_the_request'
-    end
-
-    it 'redirects to the return url' do
-      should redirect_to(@return_url)
-    end
-  end
-
   describe 'on DELETE to #destroy given a signed out user' do
     before do
       sign_out