devise-edge 1.2.rc

data/test/integration/recoverable_test.rb

@@ -0,0 +1,141 @@
+require 'test_helper'
+
+class PasswordTest < ActionController::IntegrationTest
+
+  def visit_new_password_path
+    visit new_user_session_path
+    click_link 'Forgot your password?'
+  end
+
+  def request_forgot_password(&block)
+    visit_new_password_path
+
+    assert_response :success
+    assert_template 'passwords/new'
+    assert_not warden.authenticated?(:user)
+
+    fill_in 'email', :with => 'user@test.com'
+    yield if block_given?
+    click_button 'Send me reset password instructions'
+  end
+
+  def reset_password(options={}, &block)
+    unless options[:visit] == false
+      visit edit_user_password_path(:reset_password_token => options[:reset_password_token])
+    end
+    assert_response :success
+    assert_template 'passwords/edit'
+
+    fill_in 'Password', :with => '987654321'
+    fill_in 'Password confirmation', :with => '987654321'
+    yield if block_given?
+    click_button 'Change my password'
+  end
+
+  test 'authenticated user should not be able to visit forgot password page' do
+    sign_in_as_user
+    assert warden.authenticated?(:user)
+
+    get new_user_password_path
+
+    assert_response :redirect
+    assert_redirected_to root_path
+  end
+
+  test 'not authenticated user should be able to request a forgot password' do
+    create_user
+    request_forgot_password
+
+    assert_template 'sessions/new'
+    assert_contain 'You will receive an email with instructions about how to reset your password in a few minutes.'
+  end
+
+  test 'not authenticated user with invalid email should receive an error message' do
+    request_forgot_password do
+      fill_in 'email', :with => 'invalid.test@test.com'
+    end
+
+    assert_response :success
+    assert_template 'passwords/new'
+    assert_have_selector 'input[type=text][value=\'invalid.test@test.com\']'
+    assert_contain 'not found'
+  end
+
+  test 'authenticated user should not be able to visit edit password page' do
+    sign_in_as_user
+
+    get edit_user_password_path
+
+    assert_response :redirect
+    assert_redirected_to root_path
+    assert warden.authenticated?(:user)
+  end
+
+  test 'not authenticated user with invalid reset password token should not be able to change his password' do
+    user = create_user
+    reset_password :reset_password_token => 'invalid_reset_password'
+
+    assert_response :success
+    assert_template 'passwords/edit'
+    assert_have_selector '#error_explanation'
+    assert_contain /Reset password token(.*)invalid/
+    assert_not user.reload.valid_password?('987654321')
+  end
+
+  test 'not authenticated user with valid reset password token but invalid password should not be able to change his password' do
+    user = create_user
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token do
+      fill_in 'Password confirmation', :with => 'other_password'
+    end
+
+    assert_response :success
+    assert_template 'passwords/edit'
+    assert_have_selector '#error_explanation'
+    assert_contain 'Password doesn\'t match confirmation'
+    assert_not user.reload.valid_password?('987654321')
+  end
+
+  test 'not authenticated user with valid data should be able to change his password' do
+    user = create_user
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert_template 'home/index'
+    assert_contain 'Your password was changed successfully.'
+    assert user.reload.valid_password?('987654321')
+  end
+
+  test 'after entering invalid data user should still be able to change his password' do
+    user = create_user
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token do
+      fill_in 'Password confirmation', :with => 'other_password'
+    end
+    assert_response :success
+    assert_have_selector '#error_explanation'
+    assert_not user.reload.valid_password?('987654321')
+
+    reset_password :reset_password_token => user.reload.reset_password_token, :visit => false
+    assert_contain 'Your password was changed successfully.'
+    assert user.reload.valid_password?('987654321')
+  end
+
+  test 'sign in user automatically after changing it\'s password' do
+    user = create_user
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert warden.authenticated?(:user)
+  end
+
+  test 'does not sign in user automatically after changing it\'s password if it\'s not active' do
+    user = create_user(:confirm => false)
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert_equal new_user_session_path, @request.path
+    assert !warden.authenticated?(:user)
+  end
+
+end

data/test/integration/registerable_test.rb

@@ -0,0 +1,179 @@
+require 'test_helper'
+
+class RegistrationTest < ActionController::IntegrationTest
+
+  test 'a guest admin should be able to sign in successfully' do
+    get new_admin_session_path
+    click_link 'Sign up'
+
+    assert_template 'registrations/new'
+
+    fill_in 'email', :with => 'new_user@test.com'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user123'
+    click_button 'Sign up'
+
+    assert_contain 'You have signed up successfully.'
+    assert warden.authenticated?(:admin)
+
+    admin = Admin.last :order => "id"
+    assert_equal admin.email, 'new_user@test.com'
+  end
+
+  test 'a guest user should be able to sign up successfully and be blocked by confirmation' do
+    get new_user_registration_path
+
+    fill_in 'email', :with => 'new_user@test.com'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user123'
+    click_button 'Sign up'
+
+    assert_contain 'You have signed up successfully'
+    assert_contain 'Sign in'
+    assert_not_contain 'You have to confirm your account before continuing'
+
+    assert_not warden.authenticated?(:user)
+
+    user = User.last :order => "id"
+    assert_equal user.email, 'new_user@test.com'
+    assert_not user.confirmed?
+  end
+
+  test 'a guest user cannot sign up with invalid information' do
+    get new_user_registration_path
+
+    fill_in 'email', :with => 'invalid_email'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user321'
+    click_button 'Sign up'
+
+    assert_template 'registrations/new'
+    assert_have_selector '#error_explanation'
+    assert_contain "Email is invalid"
+    assert_contain "Password doesn't match confirmation"
+    assert_nil User.first
+
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'a guest should not sign up with email/password that already exists' do
+    user = create_user
+    get new_user_registration_path
+
+    fill_in 'email', :with => 'user@test.com'
+    fill_in 'password', :with => '123456'
+    fill_in 'password confirmation', :with => '123456'
+    click_button 'Sign up'
+
+    assert_current_url '/users'
+    assert_contain(/Email.*already.*taken/)
+
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'a guest should not be able to change account' do
+    get edit_user_registration_path
+    assert_redirected_to new_user_session_path
+    follow_redirect!
+    assert_contain 'You need to sign in or sign up before continuing.'
+  end
+
+  test 'a signed in user should not be able to access sign up' do
+    sign_in_as_user
+    get new_user_registration_path
+    assert_redirected_to root_path
+  end
+
+  test 'a signed in user should be able to edit his account' do
+    sign_in_as_user
+    get edit_user_registration_path
+
+    fill_in 'email', :with => 'user.new@email.com'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_current_url '/'
+    assert_contain 'You updated your account successfully.'
+
+    assert_equal "user.new@email.com", User.first.email
+  end
+
+  test 'a signed in user should still be able to use the website after changing his password' do
+    sign_in_as_user
+    get edit_user_registration_path
+
+    fill_in 'password', :with => '12345678'
+    fill_in 'password confirmation', :with => '12345678'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_contain 'You updated your account successfully.'
+    get users_path
+    assert warden.authenticated?(:user)
+  end
+
+  test 'a signed in user should not change his current user with invalid password' do
+    sign_in_as_user
+    get edit_user_registration_path
+
+    fill_in 'email', :with => 'user.new@email.com'
+    fill_in 'current password', :with => 'invalid'
+    click_button 'Update'
+
+    assert_template 'registrations/edit'
+    assert_contain 'user@test.com'
+    assert_have_selector 'form input[value="user.new@email.com"]'
+
+    assert_equal "user@test.com", User.first.email
+  end
+
+  test 'a signed in user should be able to edit his password' do
+    sign_in_as_user
+    get edit_user_registration_path
+
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => 'pas123'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_current_url '/'
+    assert_contain 'You updated your account successfully.'
+
+    assert User.first.valid_password?('pas123')
+  end
+
+  test 'a signed in user should not be able to edit his password with invalid confirmation' do
+    sign_in_as_user
+    get edit_user_registration_path
+
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => ''
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_contain "Password doesn't match confirmation"
+    assert_not User.first.valid_password?('pas123')
+  end
+
+  test 'a signed in user should be able to cancel his account' do
+    sign_in_as_user
+    get edit_user_registration_path
+
+    click_link "Cancel my account", :method => :delete
+    assert_contain "Bye! Your account was successfully cancelled. We hope to see you again soon."
+
+    assert User.all.empty?
+  end
+
+  test 'a user should be able to cancel sign up by deleting data in the session' do
+    get "/set"
+    assert_equal "something", @request.session["user_provider_oauth_token"]
+
+    get "/users/sign_up"
+    assert_equal "something", @request.session["user_provider_oauth_token"]
+
+    get "/users/cancel"
+    assert_nil @request.session["user_provider_oauth_token"]
+    assert_redirected_to new_user_registration_path
+  end
+end

data/test/integration/rememberable_test.rb

@@ -0,0 +1,179 @@
+require 'test_helper'
+
+class RememberMeTest < ActionController::IntegrationTest
+  def create_user_and_remember(add_to_token='')
+    user = create_user
+    user.remember_me!
+    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
+    cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
+    user
+  end
+
+  def create_admin_and_remember
+    admin = create_admin
+    admin.remember_me!
+    raw_cookie = Admin.serialize_into_cookie(admin)
+    cookies['remember_admin_token'] = generate_signed_cookie(raw_cookie)
+    admin
+  end
+
+  def generate_signed_cookie(raw_cookie)
+    request = ActionDispatch::TestRequest.new
+    request.cookie_jar.signed['raw_cookie'] = raw_cookie
+    request.cookie_jar['raw_cookie']
+  end
+
+  def signed_cookie(key)
+    controller.send(:cookies).signed[key]
+  end
+
+  def cookie_expires(key)
+    cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
+    cookie.split(";").map(&:strip).grep(/^expires=/)
+    Time.parse($')
+  end
+
+  test 'do not remember the user if he has not checked remember me option' do
+    user = sign_in_as_user
+    assert_nil request.cookies["remember_user_cookie"]
+  end
+
+  test 'generate remember token after sign in' do
+    user = sign_in_as_user :remember_me => true
+    assert request.cookies["remember_user_token"]
+  end
+
+  test 'generate remember token after sign in setting cookie options' do
+    # We test this by asserting the cookie is not sent after the redirect
+    # since we changed the domain. This is the only difference with the
+    # previous test.
+    swap Devise, :cookie_options => { :domain => "omg.somewhere.com" } do
+      user = sign_in_as_user :remember_me => true
+      assert_nil request.cookies["remember_user_token"]
+    end
+  end
+
+  test 'generate remember token after sign in setting session options' do
+    begin
+      Rails.configuration.session_options[:domain] = "omg.somewhere.com"
+      user = sign_in_as_user :remember_me => true
+      assert_nil request.cookies["remember_user_token"]
+    ensure
+      Rails.configuration.session_options.delete(:domain)
+    end
+  end
+
+  test 'remember the user before sign in' do
+    user = create_user_and_remember
+    get users_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+    assert warden.user(:user) == user
+  end
+
+  test 'does not extend remember period through sign in' do
+    swap Devise, :extend_remember_period => true, :remember_for => 1.year do
+      user = create_user
+      user.remember_me!
+
+      user.remember_created_at = old = 10.days.ago
+      user.save
+
+      sign_in_as_user :remember_me => true
+      user.reload
+
+      assert warden.user(:user) == user
+      assert_equal old.to_i, user.remember_created_at.to_i
+    end
+  end
+
+  test 'if both extend_remember_period and remember_across_browsers are true, sends the same token with a new expire date' do
+    swap Devise, :remember_across_browsers => true, :extend_remember_period => true, :remember_for => 1.year do
+      admin = create_admin_and_remember
+      token = admin.remember_token
+
+      admin.remember_created_at = old = 10.minutes.ago
+      admin.save!
+
+      get root_path
+      assert (cookie_expires("remember_admin_token") - 1.year) > (old + 5.minutes)
+      assert_equal token, signed_cookie("remember_admin_token").last
+    end
+  end
+
+  test 'if both extend_remember_period and remember_across_browsers are false, sends a new token with old expire date' do
+    swap Devise, :remember_across_browsers => false, :extend_remember_period => false, :remember_for => 1.year do
+      admin = create_admin_and_remember
+      token = admin.remember_token
+
+      admin.remember_created_at = old = 10.minutes.ago
+      admin.save!
+
+      get root_path
+      assert (cookie_expires("remember_admin_token") - 1.year) < (old + 5.minutes)
+      assert_not_equal token, signed_cookie("remember_admin_token").last
+    end
+  end
+
+  test 'do not remember other scopes' do
+    user = create_user_and_remember
+    get root_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:admin)
+  end
+
+  test 'do not remember with invalid token' do
+    user = create_user_and_remember('add')
+    get users_path
+    assert_not warden.authenticated?(:user)
+    assert_redirected_to new_user_session_path
+  end
+
+  test 'do not remember with expired token' do
+    user = create_user_and_remember
+    swap Devise, :remember_for => 0 do
+      get users_path
+      assert_not warden.authenticated?(:user)
+      assert_redirected_to new_user_session_path
+    end
+  end
+
+  test 'do not remember the user anymore after forget' do
+    user = create_user_and_remember
+    get users_path
+    assert warden.authenticated?(:user)
+
+    get destroy_user_session_path
+    assert_not warden.authenticated?(:user)
+    assert_nil warden.cookies['remember_user_token']
+
+    get users_path
+    assert_not warden.authenticated?(:user)
+    assert_nil warden.cookies['remember_user_token']
+  end
+
+  test 'do not remember the admin anymore after forget' do
+    admin = create_admin_and_remember
+    get root_path
+    assert warden.authenticated?(:admin)
+
+    get destroy_admin_session_path
+    assert_not warden.authenticated?(:admin)
+    assert_nil warden.cookies['remember_admin_token']
+
+    get root_path
+    assert_not warden.authenticated?(:admin)
+    assert_nil warden.cookies['remember_admin_token']
+  end
+
+  test 'changing user password expires remember me token' do
+    user = create_user_and_remember
+    user.password = "another_password"
+    user.password_confirmation = "another_password"
+    user.save!
+
+    get users_path
+    assert_not warden.authenticated?(:user)
+  end
+end