clearance 1.10.1 → 1.17.0

data/spec/acceptance/clearance_installation_spec.rb

@@ -10,6 +10,7 @@ describe "Clearance Installation" do
 
   it "can successfully run specs" do
     app_name = "testapp"
+
     generate_test_app(app_name)
 
     Dir.chdir(app_name) do
@@ -22,13 +23,19 @@ describe "Clearance Installation" do
   end
 
   def generate_test_app(app_name)
-    successfully "bundle exec rails new #{app_name} \
-       --skip-gemfile \
-       --skip-bundle \
-       --skip-git \
-       --skip-javascript \
-       --skip-sprockets \
-       --skip-keeps"
+    successfully <<-CMD.squish
+      bundle exec rails new #{app_name}
+       --no-rc
+       --skip-action-cable
+       --skip-active-storage
+       --skip-bootsnap
+       --skip-bundle
+       --skip-gemfile
+       --skip-git
+       --skip-javascript
+       --skip-keeps
+       --skip-sprockets
+    CMD
 
     FileUtils.rm_f("public/index.html")
     FileUtils.rm_f("app/views/layouts/application.html.erb")
@@ -70,6 +77,7 @@ describe "Clearance Installation" do
     end
 
     return_value = system("#{command} #{silencer}")
+
     expect(return_value).to eq true
   end
 end

data/spec/app_templates/app/models/rails5/user.rb

@@ -0,0 +1,5 @@
+class User < ApplicationRecord
+  def previously_existed?
+    true
+  end
+end

data/spec/app_templates/config/initializers/clearance.rb

@@ -0,0 +1,2 @@
+Clearance.configure do |config|
+end

data/spec/app_templates/testapp/Gemfile

@@ -2,6 +2,6 @@ gem "rails"
 gem "sqlite3"
 gem "rspec-rails"
 gem "capybara"
-gem "factory_girl_rails"
+gem "factory_bot_rails"
 gem "database_cleaner"
 gem "clearance", path: "../.."

data/spec/app_templates/testapp/app/controllers/home_controller.rb

@@ -1,5 +1,9 @@
 class HomeController < ApplicationController
   def show
-    render text: "", layout: "application"
+    if Rails::VERSION::MAJOR >= 5
+      render html: "", layout: "application"
+    else
+      render text: "", layout: "application"
+    end
   end
 end

data/spec/clearance/back_door_spec.rb

@@ -1,8 +1,11 @@
-require 'spec_helper'
+require "spec_helper"
+require "support/environment"
 
 describe Clearance::BackDoor do
-  it 'signs in as a given user' do
-    user_id = '123'
+  include EnvironmentSupport
+
+  it "signs in as a given user" do
+    user_id = "123"
     user = double("user")
     allow(User).to receive(:find).with(user_id).and_return(user)
     env = env_for_user_id(user_id)
@@ -14,7 +17,7 @@ describe Clearance::BackDoor do
     expect(result).to eq mock_app.call(env)
   end
 
-  it 'delegates directly without a user' do
+  it "delegates directly without a user" do
     env = env_without_user_id
     back_door = Clearance::BackDoor.new(mock_app)
 
@@ -24,8 +27,64 @@ describe Clearance::BackDoor do
     expect(result).to eq mock_app.call(env)
   end
 
+  it "can set the user via a block" do
+    env = env_for_username("foo")
+    user = double("user")
+    allow(User).to receive(:find_by).with(username: "foo").and_return(user)
+    back_door = Clearance::BackDoor.new(mock_app) do |username|
+      User.find_by(username: username)
+    end
+
+    result = back_door.call(env)
+
+    expect(env[:clearance]).to have_received(:sign_in).with(user)
+    expect(result).to eq mock_app.call(env)
+  end
+
+  it "can't be used outside the allowed environments" do
+    with_environment("RAILS_ENV" => "production") do
+      expect { Clearance::BackDoor.new(mock_app) }.
+        to raise_exception "Can't use auth backdoor outside of configured \
+          environments (test, ci, development).".squish
+    end
+  end
+
+  context "when the environments are disabled" do
+    before do
+      Clearance.configuration.allowed_backdoor_environments = nil
+    end
+
+    it "raises an error for a default allowed env" do
+      with_environment("RAILS_ENV" => "test") do
+        expect { Clearance::BackDoor.new(mock_app) }.
+          to raise_exception "BackDoor auth is disabled."
+      end
+    end
+  end
+
+  context "when the environments are not defaults" do
+    before do
+      Clearance.configuration.allowed_backdoor_environments = ['demo']
+    end
+
+    it "can be used with configured allowed environments" do
+      with_environment("RAILS_ENV" => "demo") do
+        user_id = "123"
+        user = double("user")
+        allow(User).to receive(:find).with(user_id).and_return(user)
+        env = env_for_user_id(user_id)
+        back_door = Clearance::BackDoor.new(mock_app)
+
+        result = back_door.call(env)
+
+        expect(env[:clearance]).to have_received(:sign_in).with(user)
+        expect(result).to eq mock_app.call(env)
+      end
+    end
+  end
+
   def env_without_user_id
-    env_for_user_id('')
+    env_for_user_id("")
   end
 
   def env_for_user_id(user_id)
@@ -33,7 +92,12 @@ describe Clearance::BackDoor do
     Rack::MockRequest.env_for("/?as=#{user_id}").merge(clearance: clearance)
   end
 
+  def env_for_username(username)
+    clearance = double("clearance", sign_in: true)
+    Rack::MockRequest.env_for("/?as=#{username}").merge(clearance: clearance)
+  end
+
   def mock_app
-    lambda { |env| [200, {}, ['okay']] }
+    lambda { |env| [200, {}, ["okay"]] }
   end
 end

data/spec/clearance/session_spec.rb

@@ -32,15 +32,13 @@ describe Clearance::Session do
 
   context "with a custom cookie name" do
     it "sets a custom cookie name in the header" do
-      Clearance.configuration.cookie_domain = "custom_token"
+      Clearance.configuration.cookie_name = "custom_cookie_name"
 
       session.sign_in user
       session.add_cookie_to_headers(headers)
 
-      expect(headers["Set-Cookie"]).to match(/custom_token/)
+      expect(headers["Set-Cookie"]).to match(/custom_cookie_name=.+;/)
     end
-
-    after { restore_default_config }
   end
 
   describe '#sign_in' do
@@ -113,7 +111,6 @@ describe Clearance::Session do
         expect(session.current_user).to be_nil
       end
 
-
       def stub_sign_in_guard(options)
         session_status = stub_status(options.fetch(:succeed))
 
@@ -150,7 +147,6 @@ describe Clearance::Session do
 
   context 'if httponly is set' do
     before do
-      Clearance.configuration.httponly = true
       session.sign_in(user)
     end
 
@@ -159,12 +155,11 @@ describe Clearance::Session do
 
       expect(headers['Set-Cookie']).to match(/remember_token=.+; HttpOnly/)
     end
-
-    after { restore_default_config }
   end
 
   context 'if httponly is not set' do
     before do
+      Clearance.configuration.httponly = false
       session.sign_in(user)
     end
 
@@ -196,6 +191,7 @@ describe Clearance::Session do
         expiration = -> { Time.now }
         with_custom_expiration expiration do
           session = Clearance::Session.new(env_without_remember_token)
+          session.sign_in user
           allow(session).to receive(:warn)
           session.add_cookie_to_headers headers
 
@@ -270,8 +266,6 @@ describe Clearance::Session do
 
         expect(headers['Set-Cookie']).to match(/remember_token=.+; secure/)
       end
-
-      after { restore_default_config }
     end
   end
 
@@ -287,8 +281,6 @@ describe Clearance::Session do
 
         expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
       end
-
-      after { restore_default_config }
     end
 
     context 'when not set' do
@@ -324,8 +316,6 @@ describe Clearance::Session do
 
         expect(headers['Set-Cookie']).to match(/path=\/user; expires/)
       end
-
-      after { restore_default_config }
     end
   end
 
@@ -375,7 +365,5 @@ describe Clearance::Session do
   def with_custom_expiration(custom_duration)
     Clearance.configuration.cookie_expiration = custom_duration
     yield
-  ensure
-    restore_default_config
   end
 end

data/spec/clearance/testing/controller_helpers_spec.rb

@@ -0,0 +1,38 @@
+require "spec_helper"
+
+describe Clearance::Testing::ControllerHelpers do
+  class TestClass
+    include Clearance::Testing::ControllerHelpers
+
+    def initialize
+      @request = Class.new do
+        def env
+          { clearance: Clearance::Session.new({}) }
+        end
+      end.new
+    end
+  end
+
+  describe "#sign_in" do
+    it "creates an instance of the clearance user model with FactoryBot" do
+      MyUserModel = Class.new
+      allow(FactoryBot).to receive(:create)
+      allow(Clearance.configuration).to receive(:user_model).
+        and_return(MyUserModel)
+
+      TestClass.new.sign_in
+
+      expect(FactoryBot).to have_received(:create).with(:my_user_model)
+    end
+  end
+
+  describe "#sign_in_as" do
+    it "returns the user if signed in successfully" do
+      user = build(:user)
+
+      returned_user = TestClass.new.sign_in_as user
+
+      expect(returned_user).to eq user
+    end
+  end
+end

data/spec/clearance/testing/view_helpers_spec.rb

@@ -0,0 +1,37 @@
+require "spec_helper"
+
+describe Clearance::Testing::ViewHelpers do
+  describe "#sign_in" do
+    it "sets the signed in user to a new user object" do
+      user_model = Class.new
+      allow(Clearance.configuration).to receive(:user_model).
+        and_return(user_model)
+
+      view = test_view_class.new
+      view.sign_in
+
+      expect(view.current_user).to be_an_instance_of(user_model)
+    end
+  end
+
+  describe "#sign_in_as" do
+    it "sets the signed in user to the object provided" do
+      user = double("User")
+
+      view = test_view_class.new
+      view.sign_in_as(user)
+
+      expect(view.current_user).to eq user
+    end
+  end
+
+  def test_view_class
+    Class.new do
+      include Clearance::Testing::ViewHelpers
+
+      def view
+        @view ||= extend Clearance::Testing::ViewHelpers::CurrentUser
+      end
+    end
+  end
+end

data/spec/configuration_spec.rb

@@ -1,150 +1,117 @@
-require 'spec_helper'
+require "spec_helper"
 
 describe Clearance::Configuration do
-  after { restore_default_config }
-
-  context 'when no user_model_name is specified' do
-    before do
-      Clearance.configure do |config|
-      end
-    end
-
-    it 'defaults to User' do
+  context "when no user_model_name is specified" do
+    it "defaults to User" do
       expect(Clearance.configuration.user_model).to eq ::User
     end
   end
 
-  context 'when a custom user_model_name is specified' do
-    before do
+  context "when a custom user_model_name is specified" do
+    it "is used instead of User" do
       MyUser = Class.new
+      Clearance.configure { |config| config.user_model = MyUser }
 
-      Clearance.configure do |config|
-        config.user_model = MyUser
-      end
-    end
-
-    it 'is used instead of User' do
       expect(Clearance.configuration.user_model).to eq ::MyUser
     end
   end
 
-  context 'when secure_cookie is set to true' do
-    before do
-      Clearance.configure do |config|
-        config.secure_cookie = true
-      end
-    end
-
-    it 'returns true' do
+  context "when secure_cookie is set to true" do
+    it "returns true" do
+      Clearance.configure { |config| config.secure_cookie = true }
       expect(Clearance.configuration.secure_cookie).to eq true
     end
   end
 
-  context 'when secure_cookie is not specified' do
-    before do
-      Clearance.configure do |config|
-      end
-    end
-
-    it 'defaults to false' do
+  context "when secure_cookie is not specified" do
+    it "defaults to false" do
       expect(Clearance.configuration.secure_cookie).to eq false
     end
   end
 
-  context 'when no redirect URL specified' do
+  context "when no redirect URL specified" do
     it 'returns "/" as redirect URL' do
-      expect(Clearance::Configuration.new.redirect_url).to eq '/'
+      expect(Clearance::Configuration.new.redirect_url).to eq "/"
     end
   end
 
-  context 'when redirect URL is specified' do
-    let(:new_redirect_url) { '/admin' }
-
-    before do
-      Clearance.configure do |config|
-        config.redirect_url = new_redirect_url
-      end
-    end
+  context "when redirect URL is specified" do
+    it "returns new redirect URL" do
+      new_redirect_url = "/admin"
+      Clearance.configure { |config| config.redirect_url = new_redirect_url }
 
-    it 'returns new redirect URL' do
       expect(Clearance.configuration.redirect_url).to eq new_redirect_url
     end
   end
 
-  context 'when specifying sign in guards' do
-    DummyGuard = Class.new
+  context "when specifying sign in guards" do
+    it "returns the stack with added guards" do
+      DummyGuard = Class.new
+      Clearance.configure { |config| config.sign_in_guards = [DummyGuard] }
 
-    before do
-      Clearance.configure do |config|
-        config.sign_in_guards = [DummyGuard]
-      end
-    end
-
-    it 'returns the stack with added guards' do
       expect(Clearance.configuration.sign_in_guards).to eq [DummyGuard]
     end
   end
 
-  context 'when cookie domain is specified' do
-    let(:domain) { '.example.com' }
-
-    before do
-      Clearance.configure do |config|
-        config.cookie_domain = domain
-      end
-    end
+  context "when cookie domain is specified" do
+    it "returns configured value" do
+      domain = ".example.com"
+      Clearance.configure { |config| config.cookie_domain = domain }
 
-    it 'returns configured value' do
       expect(Clearance.configuration.cookie_domain).to eq domain
     end
   end
 
-  context 'when cookie path is specified' do
-    let(:path) { '/user' }
-
-    before do
-      Clearance.configure do |config|
-        config.cookie_path = path
-      end
-    end
+  context "when cookie path is specified" do
+    it "returns configured value" do
+      path = "/user"
+      Clearance.configure { |config| config.cookie_path = path }
 
-    it 'returns configured value' do
       expect(Clearance.configuration.cookie_path).to eq path
     end
   end
 
-  describe '#allow_sign_up?' do
-    context 'when allow_sign_up is configured to false' do
-      it 'returns false' do
+  describe "#allow_sign_up?" do
+    context "when allow_sign_up is configured to false" do
+      it "returns false" do
         Clearance.configure { |config| config.allow_sign_up = false }
         expect(Clearance.configuration.allow_sign_up?).to eq false
       end
     end
 
-    context 'when allow_sign_up has not been configured' do
-      it 'returns true' do
+    context "when allow_sign_up has not been configured" do
+      it "returns true" do
         expect(Clearance.configuration.allow_sign_up?).to eq true
       end
     end
   end
 
-  describe '#user_actions' do
-    context 'when allow_sign_up is configured to false' do
-      it 'returns empty array' do
+  describe "#user_actions" do
+    context "when allow_sign_up is configured to false" do
+      it "returns empty array" do
         Clearance.configure { |config| config.allow_sign_up = false }
         expect(Clearance.configuration.user_actions).to eq []
       end
     end
 
-    context 'when sign_up has not been configured' do
-      it 'returns create' do
+    context "when sign_up has not been configured" do
+      it "returns create" do
         expect(Clearance.configuration.user_actions).to eq [:create]
       end
     end
   end
 
-  describe '#user_id_parameter' do
-    it 'returns the parameter key to use based on the user_model' do
+  describe "#user_parameter" do
+    it "returns the parameter key to use based on the user_model" do
+      Account = Class.new(ActiveRecord::Base)
+      Clearance.configure { |config| config.user_model = Account }
+
+      expect(Clearance.configuration.user_parameter).to eq :account
+    end
+  end
+
+  describe "#user_id_parameter" do
+    it "returns the parameter key to use based on the user_model" do
       CustomUser = Class.new(ActiveRecord::Base)
       Clearance.configure { |config| config.user_model = CustomUser }
 
@@ -152,12 +119,12 @@ describe Clearance::Configuration do
     end
   end
 
-  describe '#routes_enabled?' do
-    it 'is true by default' do
+  describe "#routes_enabled?" do
+    it "is true by default" do
       expect(Clearance.configuration.routes_enabled?).to be true
     end
 
-    it 'is false when routes are set to false' do
+    it "is false when routes are set to false" do
       Clearance.configure { |config| config.routes = false }
       expect(Clearance.configuration.routes_enabled?).to be false
     end
@@ -177,4 +144,30 @@ describe Clearance::Configuration do
       expect(Clearance.configuration.reload_user_model).to be_nil
     end
   end
+
+  describe "#rotate_csrf_on_sign_in?" do
+    it "defaults to falsey and warns" do
+      Clearance.configuration = Clearance::Configuration.new
+      allow(Clearance.configuration).to receive(:warn)
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be_falsey
+      expect(Clearance.configuration).to have_received(:warn)
+    end
+
+    it "is true and does not warn when `rotate_csrf_on_sign_in` is true" do
+      Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
+      allow(Clearance.configuration).to receive(:warn)
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be true
+      expect(Clearance.configuration).not_to have_received(:warn)
+    end
+
+    it "is false and does not warn when `rotate_csrf_on_sign_in` is false" do
+      Clearance.configure { |config| config.rotate_csrf_on_sign_in = false }
+      allow(Clearance.configuration).to receive(:warn)
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
+      expect(Clearance.configuration).not_to have_received(:warn)
+    end
+  end
 end

data/spec/controllers/apis_controller_spec.rb

@@ -3,10 +3,14 @@ require 'spec_helper'
 class ApisController < ActionController::Base
   include Clearance::Controller
 
-  before_filter :require_login
+  if respond_to?(:before_action)
+    before_action :require_login
+  else
+    before_filter :require_login
+  end
 
   def show
-    render text: 'response'
+    head :ok
   end
 end
 

data/spec/controllers/forgeries_controller_spec.rb

@@ -4,7 +4,12 @@ class ForgeriesController < ActionController::Base
   include Clearance::Controller
 
   protect_from_forgery
-  before_filter :require_login
+
+  if respond_to?(:before_action)
+    before_action :require_login
+  else
+    before_filter :require_login
+  end
 
   # This is off in test by default, but we need it for this test
   self.allow_forgery_protection = true
@@ -33,12 +38,16 @@ describe ForgeriesController do
 
     it 'succeeds with authentic token' do
       token = controller.send(:form_authenticity_token)
-      post :create, authenticity_token: token
+      post :create, params: {
+        authenticity_token: token,
+      }
       expect(subject).to redirect_to(action: 'index')
     end
 
     it 'fails with invalid token' do
-      post :create, authenticity_token: 'hax0r'
+      post :create, params: {
+        authenticity_token: "hax0r",
+      }
       expect(subject).to deny_access
     end