clearance 2.0.0.beta2 → 2.3.0

data/spec/clearance/testing/deny_access_matcher_spec.rb

@@ -0,0 +1,32 @@
+require "spec_helper"
+
+class PretendFriendsController < ActionController::Base
+  include Clearance::Controller
+  before_action :require_login
+
+  def index
+  end
+end
+
+describe PretendFriendsController, type: :controller do
+  before do
+    Rails.application.routes.draw do
+      resources :pretend_friends, only: :index
+      get "/sign_in"  => "clearance/sessions#new", as: "sign_in"
+    end
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  it "checks contents of deny access flash" do
+    get :index
+
+    expect(subject).to deny_access(flash: failure_message)
+  end
+
+  def failure_message
+    I18n.t("flashes.failure_when_not_signed_in")
+  end
+end

data/spec/configuration_spec.rb

@@ -1,6 +1,8 @@
 require "spec_helper"
 
 describe Clearance::Configuration do
+  let(:config) { Clearance.configuration }
+
   context "when no user_model_name is specified" do
     it "defaults to User" do
       expect(Clearance.configuration.user_model).to eq ::User
@@ -29,6 +31,28 @@ describe Clearance::Configuration do
     end
   end
 
+  context "when no parent_controller is specified" do
+    it "defaults to ApplicationController" do
+      expect(config.parent_controller).to eq ::ApplicationController
+    end
+  end
+
+  context "when a custom parent_controller is specified" do
+    before(:each) do
+      MyController = Class.new
+    end
+
+    after(:each) do
+      Object.send(:remove_const, :MyController)
+    end
+
+    it "is used instead of ApplicationController" do
+      Clearance.configure { |config| config.parent_controller = MyController }
+
+      expect(config.parent_controller).to eq ::MyController
+    end
+  end
+
   context "when secure_cookie is set to true" do
     it "returns true" do
       Clearance.configure { |config| config.secure_cookie = true }
@@ -159,28 +183,22 @@ describe Clearance::Configuration do
   end
 
   describe "#rotate_csrf_on_sign_in?" do
-    it "defaults to falsey and warns" do
-      Clearance.configuration = Clearance::Configuration.new
-      allow(Clearance.configuration).to receive(:warn)
-
-      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be_falsey
-      expect(Clearance.configuration).to have_received(:warn)
-    end
-
-    it "is true and does not warn when `rotate_csrf_on_sign_in` is true" do
+    it "is true when `rotate_csrf_on_sign_in` is set to true" do
       Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
-      allow(Clearance.configuration).to receive(:warn)
 
       expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be true
-      expect(Clearance.configuration).not_to have_received(:warn)
     end
 
-    it "is false and does not warn when `rotate_csrf_on_sign_in` is false" do
+    it "is false when `rotate_csrf_on_sign_in` is set to false" do
       Clearance.configure { |config| config.rotate_csrf_on_sign_in = false }
-      allow(Clearance.configuration).to receive(:warn)
 
       expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
-      expect(Clearance.configuration).not_to have_received(:warn)
+    end
+
+    it "is false when `rotate_csrf_on_sign_in` is set to nil" do
+      Clearance.configure { |config| config.rotate_csrf_on_sign_in = nil }
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
     end
   end
 end

data/spec/controllers/passwords_controller_spec.rb

@@ -37,6 +37,30 @@ describe Clearance::PasswordsController do
       end
     end
 
+    context "email param is missing" do
+      it "displays flash error on new page" do
+        post :create, params: {
+          password: {},
+        }
+
+        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(response).to render_template(:new)
+      end
+    end
+
+    context "email param is blank" do
+      it "displays flash error on new page" do
+        post :create, params: {
+          password: {
+            email: "",
+          }
+        }
+
+        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(response).to render_template(:new)
+      end
+    end
+
     context "email does not belong to an existing user" do
       it "does not deliver an email" do
         ActionMailer::Base.deliveries.clear
@@ -166,6 +190,18 @@ describe Clearance::PasswordsController do
         expect(user.confirmation_token).to be_present
       end
 
+      it "does not raise NoMethodError from incomplete password_reset params" do
+        user = create(:user, :with_forgotten_password)
+
+        expect do
+          put :update, params: {
+            user_id: user,
+            token: user.confirmation_token,
+            password_reset: {},
+          }
+        end.not_to raise_error
+      end
+
       it "re-renders the password edit form" do
         user = create(:user, :with_forgotten_password)
 

data/spec/dummy/app/controllers/application_controller.rb

@@ -2,6 +2,6 @@ class ApplicationController < ActionController::Base
   include Clearance::Controller
 
   def show
-    render html: "", layout: "application"
+    render inline: "Hello user #<%= current_user.id %>", layout: false
   end
 end

data/spec/generators/clearance/install/install_generator_spec.rb

@@ -70,7 +70,30 @@ describe Clearance::Generators::InstallGenerator, :generator do
 
         expect(migration).to exist
         expect(migration).to have_correct_syntax
-        expect(migration).to contain("create_table :users")
+        expect(migration).to contain("create_table :users do")
+      end
+
+      context "active record configured for uuid" do
+        around do |example|
+          preserve_original_primary_key_type_setting do
+            Rails.application.config.generators do |g|
+              g.orm :active_record, primary_key_type: :uuid
+            end
+            example.run
+          end
+        end
+
+        it "creates a migration to create the users table with key type set" do
+          provide_existing_application_controller
+          table_does_not_exist(:users)
+
+          run_generator
+          migration = migration_file("db/migrate/create_users.rb")
+
+          expect(migration).to exist
+          expect(migration).to have_correct_syntax
+          expect(migration).to contain("create_table :users, id: :uuid do")
+        end
       end
     end
 
@@ -123,6 +146,12 @@ describe Clearance::Generators::InstallGenerator, :generator do
       and_return(false)
   end
 
+  def preserve_original_primary_key_type_setting
+    original = Rails.configuration.generators.active_record[:primary_key_type]
+    yield
+    Rails.configuration.generators.active_record[:primary_key_type] = original
+  end
+
   def contain_models_inherit_from
     contain "< #{models_inherit_from}\n"
   end

data/spec/generators/clearance/views/views_generator_spec.rb

@@ -8,7 +8,6 @@ describe Clearance::Generators::ViewsGenerator, :generator do
     views = %w(
       clearance_mailer/change_password.html.erb
       clearance_mailer/change_password.text.erb
-      layouts/application.html.erb
       passwords/create.html.erb
       passwords/edit.html.erb
       passwords/new.html.erb

data/spec/models/user_spec.rb

@@ -5,15 +5,15 @@ describe User do
   it { is_expected.to have_db_index(:remember_token) }
   it { is_expected.to validate_presence_of(:email) }
   it { is_expected.to validate_presence_of(:password) }
+  it { is_expected.to allow_value("foo;@example.com").for(:email) }
+  it { is_expected.to allow_value("foo@.example.com").for(:email) }
+  it { is_expected.to allow_value("foo@example..com").for(:email) }
   it { is_expected.to allow_value("foo@example.co.uk").for(:email) }
   it { is_expected.to allow_value("foo@example.com").for(:email) }
   it { is_expected.to allow_value("foo+bar@example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo@").for(:email) }
-  it { is_expected.not_to allow_value("foo@example..com").for(:email) }
-  it { is_expected.not_to allow_value("foo@.example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo").for(:email) }
   it { is_expected.not_to allow_value("example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo;@example.com").for(:email) }
+  it { is_expected.not_to allow_value("foo").for(:email) }
+  it { is_expected.not_to allow_value("foo@").for(:email) }
 
   describe "#email" do
     it "stores email in down case and removes whitespace" do
@@ -47,6 +47,35 @@ describe User do
       expect(User.authenticate(user.email, "bad_password")).to be_nil
     end
 
+    it "takes the same amount of time to authenticate regardless of whether user exists" do
+      user = create(:user)
+      password = user.password
+
+      user_exists_time = Benchmark.realtime do
+        User.authenticate(user.email, password)
+      end
+
+      user_does_not_exist_time = Benchmark.realtime do
+        User.authenticate("bad_email@example.com", password)
+      end
+
+      expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
+    end
+
+    it "takes the same amount of time to fail authentication regardless of whether user exists" do
+      user = create(:user)
+
+      user_exists_time = Benchmark.realtime do
+        User.authenticate(user.email, "bad_password")
+      end
+
+      user_does_not_exist_time = Benchmark.realtime do
+        User.authenticate("bad_email@example.com", "bad_password")
+      end
+
+      expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
+    end
+
     it "is retrieved via a case-insensitive search" do
       user = create(:user)
 

data/spec/password_strategies/argon2_spec.rb

@@ -0,0 +1,79 @@
+require "spec_helper"
+
+describe Clearance::PasswordStrategies::Argon2 do
+  include FakeModelWithPasswordStrategy
+
+  describe "#password=" do
+    it "encrypts the password into encrypted_password" do
+      stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+
+      model_instance.password = password
+
+      expect(model_instance.encrypted_password).to eq encrypted_password
+    end
+
+    it "encrypts with Argon2 using default cost in non test environments" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+      allow(Rails).to receive(:env).
+        and_return(ActiveSupport::StringInquirer.new("production"))
+
+      model_instance.password = password
+
+      expect(hasher).to have_received(:create).with(password)
+    end
+
+    it "encrypts with Argon2 using minimum cost in test environment" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+
+      model_instance.password = password
+
+      expect(hasher).to have_received(:create).with(password)
+    end
+
+    def stub_argon2_password
+      hasher = double(Argon2::Password)
+      allow(hasher).to receive(:create).and_return(encrypted_password)
+      allow(Argon2::Password).to receive(:new).and_return(hasher)
+      hasher
+    end
+
+    def encrypted_password
+      @encrypted_password ||= double("encrypted password")
+    end
+  end
+
+  describe "#authenticated?" do
+    context "given a password" do
+      it "is authenticated with Argon2" do
+        model_instance = fake_model_with_argon2_strategy
+
+        model_instance.password = password
+
+        expect(model_instance).to be_authenticated(password)
+      end
+    end
+
+    context "given no password" do
+      it "is not authenticated" do
+        model_instance = fake_model_with_argon2_strategy
+
+        password = nil
+
+        expect(model_instance).not_to be_authenticated(password)
+      end
+    end
+  end
+
+  def fake_model_with_argon2_strategy
+    @fake_model_with_argon2_strategy ||= fake_model_with_password_strategy(
+      Clearance::PasswordStrategies::Argon2,
+    )
+  end
+
+  def password
+    "password"
+  end
+end

data/spec/password_strategies/bcrypt_spec.rb

@@ -22,10 +22,23 @@ describe Clearance::PasswordStrategies::BCrypt do
 
       expect(BCrypt::Password).to have_received(:create).with(
         password,
-        cost: ::BCrypt::Engine::DEFAULT_COST
+        cost: ::BCrypt::Engine::DEFAULT_COST,
       )
     end
 
+    it "uses an explicity configured BCrypt cost" do
+      stub_bcrypt_cost(8)
+      bcrypt_password = BCrypt::Password.create(password, cost: nil)
+
+      expect(bcrypt_password.cost).to eq(8)
+    end
+
+    it "uses the default BCrypt cost value implicitly" do
+      bcrypt_password = BCrypt::Password.create(password, cost: nil)
+
+      expect(bcrypt_password.cost).to eq(BCrypt::Engine::DEFAULT_COST)
+    end
+
     it "encrypts with BCrypt using minimum cost in test environment" do
       stub_bcrypt_password
       model_instance = fake_model_with_bcrypt_strategy
@@ -42,6 +55,10 @@ describe Clearance::PasswordStrategies::BCrypt do
       allow(BCrypt::Password).to receive(:create).and_return(encrypted_password)
     end
 
+    def stub_bcrypt_cost(cost)
+      allow(BCrypt::Engine).to receive(:cost).and_return(cost)
+    end
+
     def encrypted_password
       @encrypted_password ||= double("encrypted password")
     end

data/spec/requests/authentication_cookie_spec.rb

@@ -0,0 +1,55 @@
+require "spec_helper"
+
+class PagesController < ApplicationController
+  include Clearance::Controller
+  before_action :require_login, only: :private
+
+  # A page requiring user authentication
+  def private
+    head :ok
+  end
+
+  # A page that does not require user authentication
+  def public
+    head :ok
+  end
+end
+
+describe "Authentication cookies in the response" do
+  before do
+    draw_test_routes
+    create_user_and_sign_in
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  it "are not present if the request does not authenticate" do
+    get public_path
+
+    expect(headers["Set-Cookie"]).to be_nil
+  end
+
+  it "are present if the request does authenticate" do
+    get private_path
+
+    expect(headers["Set-Cookie"]).to match(/remember_token=/)
+  end
+
+  def draw_test_routes
+    Rails.application.routes.draw do
+      get "/private" => "pages#private", as: :private
+      get "/public" => "pages#public", as: :public
+      resource :session, controller: "clearance/sessions", only: [:create]
+    end
+  end
+
+  def create_user_and_sign_in
+    user = create(:user, password: "password")
+
+    post session_path, params: {
+      session: { email: user.email, password: "password" },
+    }
+  end
+end