clearance 1.10.1 → 1.17.0

data/spec/controllers/passwords_controller_spec.rb

@@ -5,11 +5,9 @@ describe Clearance::PasswordsController do
 
   describe "#new" do
     it "renders the password reset form" do
-      user = create(:user)
+      get :new
 
-      get :new, user_id: user
-
-      expect(response).to be_success
+      expect(response).to be_successful
       expect(response).to render_template(:new)
     end
   end
@@ -19,7 +17,9 @@ describe Clearance::PasswordsController do
       it "generates a password change token" do
         user = create(:user)
 
-        post :create, password: { email: user.email.upcase }
+        post :create, params: {
+          password: { email: user.email.upcase },
+        }
 
         expect(user.reload.confirmation_token).not_to be_nil
       end
@@ -28,7 +28,9 @@ describe Clearance::PasswordsController do
         ActionMailer::Base.deliveries.clear
         user = create(:user)
 
-        post :create, password: { email: user.email }
+        post :create, params: {
+          password: { email: user.email },
+        }
 
         email = ActionMailer::Base.deliveries.last
         expect(email.subject).to match(/change your password/i)
@@ -40,7 +42,9 @@ describe Clearance::PasswordsController do
         ActionMailer::Base.deliveries.clear
         email = "this_user_does_not_exist@non_existent_domain.com"
 
-        post :create, password: { email: email }
+        post :create, params: {
+          password: { email: email },
+        }
 
         expect(ActionMailer::Base.deliveries).to be_empty
       end
@@ -48,22 +52,42 @@ describe Clearance::PasswordsController do
       it "still responds with success so as not to leak registered users" do
         email = "this_user_does_not_exist@non_existent_domain.com"
 
-        post :create, password: { email: email }
+        post :create, params: {
+          password: { email: email },
+        }
 
-        expect(response).to be_success
+        expect(response).to be_successful
         expect(response).to render_template "passwords/create"
       end
     end
   end
 
   describe "#edit" do
-    context "valid id and token are supplied" do
-      it "renders the password form for the user" do
+    context "valid id and token are supplied in url" do
+      it "redirects to the edit page with token now removed from url" do
+        user = create(:user, :with_forgotten_password)
+
+        get :edit, params: {
+          user_id: user,
+          token: user.confirmation_token,
+        }
+
+        expect(response).to be_redirect
+        expect(response).to redirect_to edit_user_password_url(user)
+        expect(session[:password_reset_token]).to eq user.confirmation_token
+      end
+    end
+
+    context "valid id in url and valid token in session" do
+      it "renders the password reset form" do
         user = create(:user, :with_forgotten_password)
 
-        get :edit, user_id: user, token: user.confirmation_token
+        request.session[:password_reset_token] = user.confirmation_token
+        get :edit, params: {
+          user_id: user,
+        }
 
-        expect(response).to be_success
+        expect(response).to be_successful
         expect(response).to render_template(:edit)
         expect(assigns(:user)).to eq user
       end
@@ -71,7 +95,10 @@ describe Clearance::PasswordsController do
 
     context "blank token is supplied" do
       it "renders the new password reset form with a flash notice" do
-        get :edit, user_id: 1, token: ""
+        get :edit, params: {
+          user_id: 1,
+          token: "",
+        }
 
         expect(response).to render_template(:new)
         expect(flash.now[:notice]).to match(/double check the URL/i)
@@ -82,12 +109,31 @@ describe Clearance::PasswordsController do
       it "renders the new password reset form with a flash notice" do
         user = create(:user, :with_forgotten_password)
 
-        get :edit, user_id: 1, token: user.confirmation_token + "a"
+        get :edit, params: {
+          user_id: 1,
+          token: user.confirmation_token + "a",
+        }
 
         expect(response).to render_template(:new)
         expect(flash.now[:notice]).to match(/double check the URL/i)
       end
     end
+
+    context "old token in session and recent token in params" do
+      it "updates password reset session and redirect to edit page" do
+        user = create(:user, :with_forgotten_password)
+        request.session[:password_reset_token] = user.confirmation_token
+
+        user.forgot_password!
+        get :edit, params: {
+          user_id: user.id,
+          token: user.reload.confirmation_token,
+        }
+
+        expect(response).to redirect_to(edit_user_password_url(user))
+        expect(session[:password_reset_token]).to eq(user.confirmation_token)
+      end
+    end
   end
 
   describe "#update" do
@@ -96,37 +142,24 @@ describe Clearance::PasswordsController do
         user = create(:user, :with_forgotten_password)
         old_encrypted_password = user.encrypted_password
 
-        put :update, update_parameters(user, new_password: "my_new_password")
+        put :update, params: update_parameters(
+          user,
+          new_password: "my_new_password",
+        )
 
         expect(user.reload.encrypted_password).not_to eq old_encrypted_password
       end
-
-      it "sets the remember token and clears the confirmation token" do
-        user = create(:user, :with_forgotten_password)
-
-        put :update, update_parameters(user, new_password: "my_new_password")
-
-        user.reload
-        expect(user.remember_token).not_to be_nil
-        expect(user.confirmation_token).to be_nil
-      end
-
-      it "signs the user in and redirects" do
-        user = create(:user, :with_forgotten_password)
-
-        put :update, update_parameters(user, new_password: "my_new_password")
-
-        expect(response).to redirect_to(Clearance.configuration.redirect_url)
-        expect(cookies[:remember_token]).to be_present
-      end
     end
 
-    context "no password provided" do
+    context "password update fails" do
       it "does not update the password" do
         user = create(:user, :with_forgotten_password)
         old_encrypted_password = user.encrypted_password
 
-        put :update, update_parameters(user, new_password: "")
+        put :update, params: update_parameters(
+          user,
+          new_password: "",
+        )
 
         user.reload
         expect(user.encrypted_password).to eq old_encrypted_password
@@ -136,7 +169,10 @@ describe Clearance::PasswordsController do
       it "re-renders the password edit form" do
         user = create(:user, :with_forgotten_password)
 
-        put :update, update_parameters(user, new_password: "")
+        put :update, params: update_parameters(
+          user,
+          new_password: "",
+        )
 
         expect(flash.now[:notice]).to match(/password can't be blank/i)
         expect(response).to render_template(:edit)

data/spec/controllers/permissions_controller_spec.rb

@@ -3,14 +3,18 @@ require 'spec_helper'
 class PermissionsController < ActionController::Base
   include Clearance::Controller
 
-  before_filter :require_login, only: :show
+  if respond_to?(:before_action)
+    before_action :require_login, only: :show
+  else
+    before_filter :require_login, only: :show
+  end
 
   def new
-    render text: 'New page'
+    head :ok
   end
 
   def show
-    render text: 'Show page'
+    head :ok
   end
 end
 
@@ -54,6 +58,12 @@ describe PermissionsController do
 
       expect(subject).to deny_access(redirect: sign_in_url)
     end
+
+    it "denies access to show and display a flash message" do
+      get :show
+
+      expect(flash[:notice]).to match(/^Please sign in to continue/)
+    end
   end
 
   context 'when remember_token is blank' do

data/spec/controllers/sessions_controller_spec.rb

@@ -28,7 +28,9 @@ describe Clearance::SessionsController do
       it "renders the page with error" do
         user = create(:user_with_optional_password)
 
-        post :create, session: { email: user.email, password: user.password }
+        post :create, params: {
+          session: { email: user.email, password: user.password },
+        }
 
         expect(response).to render_template(:new)
         expect(flash[:notice]).to match(/^Bad email or password/)
@@ -39,13 +41,15 @@ describe Clearance::SessionsController do
       before do
         @user = create(:user)
         @user.update_attribute :remember_token, "old-token"
-        post :create, session: { email: @user.email, password: @user.password }
+        post :create, params: {
+          session: { email: @user.email, password: @user.password },
+        }
       end
 
       it { should redirect_to_url_after_create }
 
       it "sets the user in the clearance session" do
-        expect(controller.current_user).to eq @user
+        expect(request.env[:clearance].current_user).to eq @user
       end
 
       it "should not change the remember token" do
@@ -54,15 +58,40 @@ describe Clearance::SessionsController do
     end
 
     context "with good credentials and a session return url" do
-      before do
-        @user = create(:user)
-        @return_url = "/url_in_the_session?foo=bar"
-        @request.session[:return_to] = @return_url
-        post :create, session: { email: @user.email, password: @user.password }
+      it "redirects to the return URL maintaining query and fragment" do
+        user = create(:user)
+        return_url = "/url_in_the_session?foo=bar#baz"
+        request.session[:return_to] = return_url
+
+        post :create, params: {
+          session: { email: user.email, password: user.password },
+        }
+
+        should redirect_to(return_url)
+      end
+
+      it "redirects to the return URL maintaining query without fragment" do
+        user = create(:user)
+        return_url = "/url_in_the_session?foo=bar"
+        request.session[:return_to] = return_url
+
+        post :create, params: {
+          session: { email: user.email, password: user.password },
+        }
+
+        should redirect_to(return_url)
       end
 
-      it "redirects to the return URL" do
-        should redirect_to(@return_url)
+      it "redirects to the return URL without query or fragment" do
+        user = create(:user)
+        return_url = "/url_in_the_session"
+        request.session[:return_to] = return_url
+
+        post :create, params: {
+          session: { email: user.email, password: user.password },
+        }
+
+        should redirect_to(return_url)
       end
     end
   end
@@ -92,7 +121,7 @@ describe Clearance::SessionsController do
       end
 
       it "should unset the current user" do
-        expect(@controller.current_user).to be_nil
+        expect(request.env[:clearance].current_user).to be_nil
       end
     end
   end

data/spec/controllers/users_controller_spec.rb

@@ -8,15 +8,17 @@ describe Clearance::UsersController do
       it "renders a form for a new user" do
         get :new
 
-        expect(response).to be_success
+        expect(response).to be_successful
         expect(response).to render_template(:new)
       end
 
       it "defaults email field to the value provided in the query string" do
-        get :new, user: { email: "a@example.com" }
+        get :new, params: {
+          user: { email: "a@example.com" },
+        }
 
         expect(assigns(:user).email).to eq "a@example.com"
-        expect(response).to be_success
+        expect(response).to be_successful
         expect(response).to render_template(:new)
       end
     end
@@ -36,10 +38,12 @@ describe Clearance::UsersController do
     context "when signed out" do
       context "with valid attributes" do
         it "assigns and creates a user then redirects to the redirect_url" do
-          user_attributes = FactoryGirl.attributes_for(:user)
+          user_attributes = FactoryBot.attributes_for(:user)
           old_user_count = User.count
 
-          post :create, user: user_attributes
+          post :create, params: {
+            user: user_attributes,
+          }
 
           expect(assigns(:user)).to be_present
           expect(User.count).to eq old_user_count + 1
@@ -49,12 +53,14 @@ describe Clearance::UsersController do
 
       context "with valid attributes and a session return url" do
         it "assigns and creates a user then redirects to the return_url" do
-          user_attributes = FactoryGirl.attributes_for(:user)
+          user_attributes = FactoryBot.attributes_for(:user)
           old_user_count = User.count
           return_url = "/url_in_the_session"
           @request.session[:return_to] = return_url
 
-          post :create, user: user_attributes
+          post :create, params: {
+            user: user_attributes,
+          }
 
           expect(assigns(:user)).to be_present
           expect(User.count).to eq old_user_count + 1
@@ -67,7 +73,9 @@ describe Clearance::UsersController do
       it "redirects to the configured clearance redirect url" do
         sign_in
 
-        post :create, user: {}
+        post :create, params: {
+          user: {},
+        }
 
         expect(response).to redirect_to(Clearance.configuration.redirect_url)
       end

data/spec/dummy/app/controllers/application_controller.rb

@@ -2,6 +2,10 @@ class ApplicationController < ActionController::Base
   include Clearance::Controller
 
   def show
-    render text: '', layout: 'application'
+    if Rails::VERSION::MAJOR >= 5
+      render html: "", layout: "application"
+    else
+      render text: "", layout: "application"
+    end
   end
 end

data/spec/dummy/application.rb

@@ -4,10 +4,6 @@ require "clearance"
 module Dummy
   APP_ROOT = File.expand_path("..", __FILE__).freeze
 
-  def self.rails4?
-    Rails::VERSION::MAJOR >= 4
-  end
-
   I18n.enforce_available_locales = true
 
   class Application < Rails::Application
@@ -18,7 +14,6 @@ module Dummy
     config.action_mailer.delivery_method = :test
     config.active_support.deprecation = :stderr
     config.active_support.test_order = :random
-    config.assets.enabled = true
     config.cache_classes = true
     config.consider_all_requests_local = true
     config.eager_load = false
@@ -28,13 +23,16 @@ module Dummy
     config.paths["app/views"] << "#{APP_ROOT}/app/views"
     config.paths["config/database"] = "#{APP_ROOT}/config/database.yml"
     config.paths["log"] = "tmp/log/development.log"
-    config.secret_token = "SECRET_TOKEN_IS_MIN_30_CHARS_LONG"
 
-    if Dummy.rails4?
-      config.paths.add "config/routes.rb", with: "#{APP_ROOT}/config/routes.rb"
-      config.secret_key_base = "SECRET_KEY_BASE"
-    else
-      config.paths.add "config/routes", with: "#{APP_ROOT}/config/routes.rb"
+    config.paths.add "config/routes.rb", with: "#{APP_ROOT}/config/routes.rb"
+    config.secret_key_base = "SECRET_KEY_BASE"
+
+    if config.active_record.sqlite3.respond_to?(:represent_boolean_as_integer)
+      config.active_record.sqlite3.represent_boolean_as_integer = true
+    end
+
+    if config.respond_to?(:active_job)
+      config.active_job.queue_adapter = :inline
     end
 
     def require_environment!

data/spec/factories.rb

@@ -1,19 +1,19 @@
-FactoryGirl.define do
+FactoryBot.define do
   sequence :email do |n|
     "user#{n}@example.com"
   end
 
   factory :user do
     email
-    password 'password'
+    password { 'password' }
 
     trait :with_forgotten_password do
-      confirmation_token Clearance::Token.new
+      confirmation_token { Clearance::Token.new }
     end
 
     factory :user_with_optional_password, class: 'UserWithOptionalPassword' do
-      password nil
-      encrypted_password ''
+      password { nil }
+      encrypted_password { '' }
     end
   end
 end

data/spec/generators/clearance/install/install_generator_spec.rb

@@ -37,6 +37,7 @@ describe Clearance::Generators::InstallGenerator, :generator do
 
         expect(user_class).to exist
         expect(user_class).to have_correct_syntax
+        expect(user_class).to contain_models_inherit_from
         expect(user_class).to contain("include Clearance::User")
       end
     end
@@ -51,6 +52,7 @@ describe Clearance::Generators::InstallGenerator, :generator do
 
         expect(user_class).to exist
         expect(user_class).to have_correct_syntax
+        expect(user_class).to contain_models_inherit_from
         expect(user_class).to contain("include Clearance::User")
         expect(user_class).to have_method("previously_existed?")
       end
@@ -61,9 +63,7 @@ describe Clearance::Generators::InstallGenerator, :generator do
     context "users table does not exist" do
       it "creates a migration to create the users table" do
         provide_existing_application_controller
-        allow(ActiveRecord::Base.connection).to receive(:table_exists?).
-          with(:users).
-          and_return(false)
+        table_does_not_exist(:users)
 
         run_generator
         migration = migration_file("db/migrate/create_users.rb")
@@ -115,4 +115,30 @@ describe Clearance::Generators::InstallGenerator, :generator do
       end
     end
   end
+
+  def table_does_not_exist(name)
+    connection = ActiveRecord::Base.connection
+
+    if connection.respond_to?(:data_source_exists?)
+      allow(connection).to receive(:data_source_exists?).
+        with(name).
+        and_return(false)
+    else
+      allow(connection).to receive(:table_exists?).
+        with(name).
+        and_return(false)
+    end
+  end
+
+  def contain_models_inherit_from
+    contain "< #{models_inherit_from}\n"
+  end
+
+  def models_inherit_from
+    if Rails.version >= "5.0.0"
+      "ApplicationRecord"
+    else
+      "ActiveRecord::Base"
+    end
+  end
 end

data/spec/generators/clearance/routes/routes_generator_spec.rb

@@ -4,14 +4,18 @@ require "generators/clearance/routes/routes_generator"
 describe Clearance::Generators::RoutesGenerator, :generator do
   it "adds clearance routes to host application routes" do
     provide_existing_routes_file
+    provide_existing_initializer
 
     routes = file("config/routes.rb")
+    initializer = file("config/initializers/clearance.rb")
 
     run_generator
 
+    expect(initializer).to have_correct_syntax
+    expect(initializer).to contain("config.routes = false")
     expect(routes).to have_correct_syntax
     expect(routes).to contain(
-      "get '/sign_in' => 'clearance/sessions#new', as: 'sign_in'"
+      'get "/sign_in" => "clearance/sessions#new", as: "sign_in"'
     )
   end
 end

data/spec/helpers/helper_helpers_spec.rb

@@ -0,0 +1,10 @@
+require "spec_helper"
+
+describe "Clearance RSpec helper spec configuration", type: :helper do
+  it "lets me use clearance's helper methods in helper specs" do
+    user = double("User")
+    sign_in_as(user)
+
+    expect(helper.current_user).to eq user
+  end
+end

data/spec/{user_spec.rb → models/user_spec.rb}

@@ -23,7 +23,7 @@ describe User do
     end
 
     subject { create(:user) }
-    it { is_expected.to validate_uniqueness_of(:email) }
+    it { is_expected.to validate_uniqueness_of(:email).case_insensitive }
   end
 
   describe ".authenticate" do
@@ -85,6 +85,15 @@ describe User do
 
         expect(user.confirmation_token).to be_nil
       end
+
+      it "sets the remember token" do
+        user = create(:user, :with_forgotten_password)
+
+        user.update_password("my_new_password")
+
+        user.reload
+        expect(user.remember_token).not_to be_nil
+      end
     end
 
     context "with blank password" do

data/spec/password_strategies/blowfish_spec.rb

@@ -24,7 +24,7 @@ describe Clearance::PasswordStrategies::Blowfish do
         model_instance.salt = salt
         model_instance.password = password
         cipher = OpenSSL::Cipher::Cipher.new("bf-cbc").encrypt
-        cipher.key = Digest::SHA256.digest(salt)
+        cipher.key = Digest::SHA256.digest(salt).first(16)
         expected = cipher.update("--#{salt}--#{password}--") << cipher.final
 
         encrypted_password = Base64.decode64(model_instance.encrypted_password)

data/spec/requests/cookie_options_spec.rb

@@ -0,0 +1,52 @@
+require "spec_helper"
+
+describe "Cookie options" do
+  before do
+    Clearance.configuration.httponly = httponly
+  end
+
+  context "when httponly config value is false" do
+    let(:httponly) { false }
+    describe "sign in" do
+      before do
+        user = create(:user, password: "password")
+        get sign_in_path
+
+        post session_path, params: {
+          session: { email: user.email, password: "password" },
+        }
+      end
+
+      it { should_have_one_remember_token }
+
+      it "should not have the httponly flag set" do
+        expect(remember_token_cookies.last).not_to match(/HttpOnly/)
+      end
+    end
+  end
+
+  context "when httponly config value is true" do
+    let(:httponly) { true }
+    describe "sign in" do
+      before do
+        user = create(:user, password: "password")
+        get sign_in_path
+
+        post session_path, params: {
+          session: { email: user.email, password: "password" },
+        }
+      end
+
+      it { should_have_one_remember_token }
+
+      it "should have the httponly flag set" do
+        expect(remember_token_cookies.last).to match(/HttpOnly/)
+      end
+    end
+  end
+
+  def should_have_one_remember_token
+    expect(remember_token_cookies.length).to eq(1),
+      "expected one 'remember_token' cookie:\n#{remember_token_cookies}"
+  end
+end

data/spec/requests/csrf_rotation_spec.rb

@@ -0,0 +1,35 @@
+require "spec_helper"
+
+describe "CSRF Rotation" do
+  around do |example|
+    ActionController::Base.allow_forgery_protection = true
+    example.run
+    ActionController::Base.allow_forgery_protection = false
+  end
+
+  context "Clearance is configured to rotate CSRF token on sign in" do
+    describe "sign in" do
+      it "rotates the CSRF token" do
+        Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
+        get sign_in_path
+        user = create(:user, password: "password")
+        original_token = csrf_token
+
+        post session_path, params: {
+          session: session_params(user, "password"),
+        }
+
+        expect(csrf_token).not_to eq original_token
+        expect(csrf_token).to be_present
+      end
+    end
+  end
+
+  def csrf_token
+    session[:_csrf_token]
+  end
+
+  def session_params(user, password)
+    { email: user.email, password: password, authenticity_token: csrf_token }
+  end
+end