clearance 2.0.0 → 2.3.1

data/spec/configuration_spec.rb

@@ -1,6 +1,8 @@
 require "spec_helper"
 
 describe Clearance::Configuration do
+  let(:config) { Clearance.configuration }
+
   context "when no user_model_name is specified" do
     it "defaults to User" do
       expect(Clearance.configuration.user_model).to eq ::User
@@ -29,6 +31,28 @@ describe Clearance::Configuration do
     end
   end
 
+  context "when no parent_controller is specified" do
+    it "defaults to ApplicationController" do
+      expect(config.parent_controller).to eq ::ApplicationController
+    end
+  end
+
+  context "when a custom parent_controller is specified" do
+    before(:each) do
+      MyController = Class.new
+    end
+
+    after(:each) do
+      Object.send(:remove_const, :MyController)
+    end
+
+    it "is used instead of ApplicationController" do
+      Clearance.configure { |config| config.parent_controller = MyController }
+
+      expect(config.parent_controller).to eq ::MyController
+    end
+  end
+
   context "when secure_cookie is set to true" do
     it "returns true" do
       Clearance.configure { |config| config.secure_cookie = true }
@@ -42,6 +66,34 @@ describe Clearance::Configuration do
     end
   end
 
+  context "when signed_cookie is set to true" do
+    it "returns true" do
+      Clearance.configure { |config| config.signed_cookie = true }
+      expect(Clearance.configuration.signed_cookie).to eq true
+    end
+  end
+
+  context "when signed_cookie is not specified" do
+    it "defaults to false" do
+      expect(Clearance.configuration.signed_cookie).to eq false
+    end
+  end
+
+  context "when signed_cookie is set to :migrate" do
+    it "returns :migrate" do
+      Clearance.configure { |config| config.signed_cookie = :migrate }
+      expect(Clearance.configuration.signed_cookie).to eq :migrate
+    end
+  end
+
+  context "when signed_cookie is set to an unexpected value" do
+    it "returns :migrate" do
+      expect {
+        Clearance.configure { |config| config.signed_cookie = "unknown" }
+      }.to raise_exception(RuntimeError)
+    end
+  end
+
   context "when no redirect URL specified" do
     it 'returns "/" as redirect URL' do
       expect(Clearance::Configuration.new.redirect_url).to eq "/"
@@ -159,28 +211,22 @@ describe Clearance::Configuration do
   end
 
   describe "#rotate_csrf_on_sign_in?" do
-    it "defaults to falsey and warns" do
-      Clearance.configuration = Clearance::Configuration.new
-      allow(Clearance.configuration).to receive(:warn)
-
-      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be_falsey
-      expect(Clearance.configuration).to have_received(:warn)
-    end
-
-    it "is true and does not warn when `rotate_csrf_on_sign_in` is true" do
+    it "is true when `rotate_csrf_on_sign_in` is set to true" do
       Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
-      allow(Clearance.configuration).to receive(:warn)
 
       expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be true
-      expect(Clearance.configuration).not_to have_received(:warn)
     end
 
-    it "is false and does not warn when `rotate_csrf_on_sign_in` is false" do
+    it "is false when `rotate_csrf_on_sign_in` is set to false" do
       Clearance.configure { |config| config.rotate_csrf_on_sign_in = false }
-      allow(Clearance.configuration).to receive(:warn)
 
       expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
-      expect(Clearance.configuration).not_to have_received(:warn)
+    end
+
+    it "is false when `rotate_csrf_on_sign_in` is set to nil" do
+      Clearance.configure { |config| config.rotate_csrf_on_sign_in = nil }
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
     end
   end
 end

data/spec/controllers/passwords_controller_spec.rb

@@ -38,12 +38,26 @@ describe Clearance::PasswordsController do
     end
 
     context "email param is missing" do
-      it "does not raise error" do
-        expect do
-          post :create, params: {
-            password: {},
+      it "displays flash error on new page" do
+        post :create, params: {
+          password: {},
+        }
+
+        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(response).to render_template(:new)
+      end
+    end
+
+    context "email param is blank" do
+      it "displays flash error on new page" do
+        post :create, params: {
+          password: {
+            email: "",
           }
-        end.not_to raise_error
+        }
+
+        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(response).to render_template(:new)
       end
     end
 

data/spec/dummy/app/controllers/application_controller.rb

@@ -2,6 +2,6 @@ class ApplicationController < ActionController::Base
   include Clearance::Controller
 
   def show
-    render html: "", layout: "application"
+    render inline: "Hello user #<%= current_user.id %>", layout: false
   end
 end

data/spec/generators/clearance/install/install_generator_spec.rb

@@ -70,7 +70,30 @@ describe Clearance::Generators::InstallGenerator, :generator do
 
         expect(migration).to exist
         expect(migration).to have_correct_syntax
-        expect(migration).to contain("create_table :users")
+        expect(migration).to contain("create_table :users do")
+      end
+
+      context "active record configured for uuid" do
+        around do |example|
+          preserve_original_primary_key_type_setting do
+            Rails.application.config.generators do |g|
+              g.orm :active_record, primary_key_type: :uuid
+            end
+            example.run
+          end
+        end
+
+        it "creates a migration to create the users table with key type set" do
+          provide_existing_application_controller
+          table_does_not_exist(:users)
+
+          run_generator
+          migration = migration_file("db/migrate/create_users.rb")
+
+          expect(migration).to exist
+          expect(migration).to have_correct_syntax
+          expect(migration).to contain("create_table :users, id: :uuid do")
+        end
       end
     end
 
@@ -123,6 +146,18 @@ describe Clearance::Generators::InstallGenerator, :generator do
       and_return(false)
   end
 
+  def preserve_original_primary_key_type_setting
+    active_record = Rails.configuration.generators.active_record
+    active_record ||= Rails.configuration.generators.options[:active_record]
+    original = active_record[:primary_key_type]
+
+    yield
+
+    Rails.application.config.generators do |g|
+      g.orm :active_record, primary_key_type: original
+    end
+  end
+
   def contain_models_inherit_from
     contain "< #{models_inherit_from}\n"
   end

data/spec/generators/clearance/views/views_generator_spec.rb

@@ -8,7 +8,6 @@ describe Clearance::Generators::ViewsGenerator, :generator do
     views = %w(
       clearance_mailer/change_password.html.erb
       clearance_mailer/change_password.text.erb
-      layouts/application.html.erb
       passwords/create.html.erb
       passwords/edit.html.erb
       passwords/new.html.erb

data/spec/mailers/clearance_mailer_spec.rb

@@ -55,4 +55,37 @@ describe ClearanceMailer do
       text: I18n.t("clearance_mailer.change_password.link_text")
     )
   end
+
+  context "when using a custom model" do
+    it "contains a link for a custom model" do
+      define_people_routes
+      Person = Class.new(User)
+      person = Person.new(email: "person@example.com", password: "password")
+
+      person.forgot_password!
+      host = ActionMailer::Base.default_url_options[:host]
+      link = "http://#{host}/people/#{person.id}/password/edit" \
+        "?token=#{person.confirmation_token}"
+
+      email = ClearanceMailer.change_password(person)
+
+      expect(email.text_part.body).to include(link)
+      expect(email.html_part.body).to include(link)
+
+      Object.send(:remove_const, :Person)
+      Rails.application.reload_routes!
+    end
+
+    def define_people_routes
+      Rails.application.routes.draw do
+        resources :people, controller: "clearance/users", only: :create do
+          resource(
+            :password,
+            controller: "clearance/passwords",
+            only: %i[edit update],
+          )
+        end
+      end
+    end
+  end
 end

data/spec/models/user_spec.rb

@@ -5,15 +5,15 @@ describe User do
   it { is_expected.to have_db_index(:remember_token) }
   it { is_expected.to validate_presence_of(:email) }
   it { is_expected.to validate_presence_of(:password) }
+  it { is_expected.to allow_value("foo;@example.com").for(:email) }
+  it { is_expected.to allow_value("foo@.example.com").for(:email) }
+  it { is_expected.to allow_value("foo@example..com").for(:email) }
   it { is_expected.to allow_value("foo@example.co.uk").for(:email) }
   it { is_expected.to allow_value("foo@example.com").for(:email) }
   it { is_expected.to allow_value("foo+bar@example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo@").for(:email) }
-  it { is_expected.not_to allow_value("foo@example..com").for(:email) }
-  it { is_expected.not_to allow_value("foo@.example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo").for(:email) }
   it { is_expected.not_to allow_value("example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo;@example.com").for(:email) }
+  it { is_expected.not_to allow_value("foo").for(:email) }
+  it { is_expected.not_to allow_value("foo@").for(:email) }
 
   describe "#email" do
     it "stores email in down case and removes whitespace" do
@@ -47,6 +47,35 @@ describe User do
       expect(User.authenticate(user.email, "bad_password")).to be_nil
     end
 
+    it "takes the same amount of time to authenticate regardless of whether user exists" do
+      user = create(:user)
+      password = user.password
+
+      user_exists_time = Benchmark.realtime do
+        User.authenticate(user.email, password)
+      end
+
+      user_does_not_exist_time = Benchmark.realtime do
+        User.authenticate("bad_email@example.com", password)
+      end
+
+      expect(user_does_not_exist_time). to be_within(0.01).of(user_exists_time)
+    end
+
+    it "takes the same amount of time to fail authentication regardless of whether user exists" do
+      user = create(:user)
+
+      user_exists_time = Benchmark.realtime do
+        User.authenticate(user.email, "bad_password")
+      end
+
+      user_does_not_exist_time = Benchmark.realtime do
+        User.authenticate("bad_email@example.com", "bad_password")
+      end
+
+      expect(user_does_not_exist_time). to be_within(0.01).of(user_exists_time)
+    end
+
     it "is retrieved via a case-insensitive search" do
       user = create(:user)
 

data/spec/password_strategies/argon2_spec.rb

@@ -0,0 +1,79 @@
+require "spec_helper"
+
+describe Clearance::PasswordStrategies::Argon2 do
+  include FakeModelWithPasswordStrategy
+
+  describe "#password=" do
+    it "encrypts the password into encrypted_password" do
+      stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+
+      model_instance.password = password
+
+      expect(model_instance.encrypted_password).to eq encrypted_password
+    end
+
+    it "encrypts with Argon2 using default cost in non test environments" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+      allow(Rails).to receive(:env).
+        and_return(ActiveSupport::StringInquirer.new("production"))
+
+      model_instance.password = password
+
+      expect(hasher).to have_received(:create).with(password)
+    end
+
+    it "encrypts with Argon2 using minimum cost in test environment" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+
+      model_instance.password = password
+
+      expect(hasher).to have_received(:create).with(password)
+    end
+
+    def stub_argon2_password
+      hasher = double(Argon2::Password)
+      allow(hasher).to receive(:create).and_return(encrypted_password)
+      allow(Argon2::Password).to receive(:new).and_return(hasher)
+      hasher
+    end
+
+    def encrypted_password
+      @encrypted_password ||= double("encrypted password")
+    end
+  end
+
+  describe "#authenticated?" do
+    context "given a password" do
+      it "is authenticated with Argon2" do
+        model_instance = fake_model_with_argon2_strategy
+
+        model_instance.password = password
+
+        expect(model_instance).to be_authenticated(password)
+      end
+    end
+
+    context "given no password" do
+      it "is not authenticated" do
+        model_instance = fake_model_with_argon2_strategy
+
+        password = nil
+
+        expect(model_instance).not_to be_authenticated(password)
+      end
+    end
+  end
+
+  def fake_model_with_argon2_strategy
+    @fake_model_with_argon2_strategy ||= fake_model_with_password_strategy(
+      Clearance::PasswordStrategies::Argon2,
+    )
+  end
+
+  def password
+    "password"
+  end
+end

data/spec/requests/authentication_cookie_spec.rb

@@ -0,0 +1,55 @@
+require "spec_helper"
+
+class PagesController < ApplicationController
+  include Clearance::Controller
+  before_action :require_login, only: :private
+
+  # A page requiring user authentication
+  def private
+    head :ok
+  end
+
+  # A page that does not require user authentication
+  def public
+    head :ok
+  end
+end
+
+describe "Authentication cookies in the response" do
+  before do
+    draw_test_routes
+    create_user_and_sign_in
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  it "are not present if the request does not authenticate" do
+    get public_path
+
+    expect(headers["Set-Cookie"]).to be_nil
+  end
+
+  it "are present if the request does authenticate" do
+    get private_path
+
+    expect(headers["Set-Cookie"]).to match(/remember_token=/)
+  end
+
+  def draw_test_routes
+    Rails.application.routes.draw do
+      get "/private" => "pages#private", as: :private
+      get "/public" => "pages#public", as: :public
+      resource :session, controller: "clearance/sessions", only: [:create]
+    end
+  end
+
+  def create_user_and_sign_in
+    user = create(:user, password: "password")
+
+    post session_path, params: {
+      session: { email: user.email, password: "password" },
+    }
+  end
+end

data/spec/spec_helper.rb

@@ -46,5 +46,4 @@ end
 
 def restore_default_warning_free_config
   Clearance.configuration = nil
-  Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
 end