devise 1.2.rc → 1.2.rc2

data/test/integration/rememberable_test.rb

@@ -28,9 +28,9 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   def cookie_expires(key)
-    cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
-    cookie.split(";").map(&:strip).grep(/^expires=/)
-    Time.parse($')
+    cookie  = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
+    expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
+    Time.parse(expires).utc
   end
 
   test 'do not remember the user if he has not checked remember me option' do
@@ -69,6 +69,17 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
+    assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
+  end
+
+  test 'cookies are destroyed on unverified requests' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
   end
 
   test 'does not extend remember period through sign in' do
@@ -150,7 +161,6 @@ class RememberMeTest < ActionController::IntegrationTest
 
     get users_path
     assert_not warden.authenticated?(:user)
-    assert_nil warden.cookies['remember_user_token']
   end
 
   test 'do not remember the admin anymore after forget' do
@@ -160,11 +170,11 @@ class RememberMeTest < ActionController::IntegrationTest
 
     get destroy_admin_session_path
     assert_not warden.authenticated?(:admin)
+    assert_nil admin.reload.remember_token
     assert_nil warden.cookies['remember_admin_token']
 
     get root_path
     assert_not warden.authenticated?(:admin)
-    assert_nil warden.cookies['remember_admin_token']
   end
 
   test 'changing user password expires remember me token' do
@@ -176,4 +186,4 @@ class RememberMeTest < ActionController::IntegrationTest
     get users_path
     assert_not warden.authenticated?(:user)
   end
-end
+end

data/test/integration/token_authenticatable_test.rb

@@ -76,15 +76,42 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'authenticate with valid authentication token key and do not store if stateless and timeoutable are enabled' do
+    swap Devise, :token_authentication_key => :secret_token, :stateless_token => true, :timeout_in => (0.1).second do
+      user = sign_in_as_new_user_with_token
+      assert warden.authenticated?(:user)
+
+      # Expiring does not work because we are setting the session value when accessing it
+      sleep 0.3
+
+      get_users_path_as_existing_user(user)
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'should not be subject to injection' do
+    swap Devise, :token_authentication_key => :secret_token do
+      user1 = create_user_with_authentication_token()
+
+      # Clean up user cache
+      @user = nil
+
+      user2 = create_user_with_authentication_token(:email => "another@test.com")
+      user2.update_attribute(:authentication_token, "ANOTHERTOKEN")
+
+      assert_not_equal user1, user2
+      visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
+      assert_nil warden.user(:user) 
+    end
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})
-      options[:auth_token_key] ||= Devise.token_authentication_key
-      options[:auth_token]     ||= VALID_AUTHENTICATION_TOKEN
+      user = options.delete(:user) || create_user_with_authentication_token(options)
 
-      user = create_user(options)
-      user.authentication_token = VALID_AUTHENTICATION_TOKEN
-      user.save
+      options[:auth_token_key] ||= Devise.token_authentication_key
+      options[:auth_token]     ||= user.authentication_token
 
       if options[:http_auth]
         header = "Basic #{ActiveSupport::Base64.encode64("#{VALID_AUTHENTICATION_TOKEN}:X")}"
@@ -96,4 +123,15 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
       user
     end
 
+    def create_user_with_authentication_token(options={})
+      user = create_user(options)
+      user.authentication_token = VALID_AUTHENTICATION_TOKEN
+      user.save
+      user
+    end
+
+    def get_users_path_as_existing_user(user)
+      sign_in_as_new_user_with_token(:user => user)
+    end
+
 end

data/test/models/confirmable_test.rb

@@ -51,7 +51,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
-  test 'should find and confirm an user automatically' do
+  test 'should find and confirm a user automatically' do
     user = create_user
     confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert_equal confirmed_user, user
@@ -127,7 +127,7 @@ class ConfirmableTest < ActiveSupport::TestCase
       User.send_confirmation_instructions(:email => user.email)
     end
   end
-  
+
   test 'should always have confirmation token when email is sent' do
     user = new_user
     user.instance_eval { def confirmation_required?; false end }
@@ -210,7 +210,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save
     assert_not user.reload.active?
   end
-  
+
   test 'should be active without confirmation when confirmation is not required' do
     user = create_user
     user.instance_eval { def confirmation_required?; false end }
@@ -218,4 +218,21 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save
     assert user.reload.active?
   end
+
+  test 'should find a user to send email instructions for the user confirm it\'s email by authentication_keys' do
+    swap Devise, :authentication_keys => [:username, :email] do
+      user = create_user
+      confirm_user = User.send_confirmation_instructions(:email => user.email, :username => user.username)
+      assert_equal confirm_user, user
+    end
+  end
+
+  test 'should require all confirmation_keys' do
+    swap Devise, :confirmation_keys => [:username, :email] do
+      user = create_user
+      confirm_user = User.send_confirmation_instructions(:email => user.email)
+      assert_not confirm_user.persisted?
+      assert_equal "can't be blank", confirm_user.errors[:username].join
+    end
+  end
 end

data/test/models/encryptable_test.rb

@@ -31,7 +31,7 @@ class EncryptableTest < ActiveSupport::TestCase
 
   test 'should generate a base64 hash using SecureRandom for password salt' do
     swap_with_encryptor Admin, :sha1 do
-      ActiveSupport::SecureRandom.expects(:base64).with(44).returns('friendly_token')
+      ActiveSupport::SecureRandom.expects(:base64).with(15).returns('friendly_token')
       assert_equal 'friendly_token', create_admin.password_salt
     end
   end

data/test/models/lockable_test.rb

@@ -55,7 +55,7 @@ class LockableTest < ActiveSupport::TestCase
     assert_not user.active?
   end
 
-  test "should unlock an user by cleaning locked_at, falied_attempts and unlock_token" do
+  test "should unlock a user by cleaning locked_at, falied_attempts and unlock_token" do
     user = create_user
     user.lock_access!
     assert_not_nil user.reload.locked_at
@@ -67,12 +67,6 @@ class LockableTest < ActiveSupport::TestCase
     assert_equal 0, user.reload.failed_attempts
   end
 
-  test 'should not unlock an unlocked user' do
-    user = create_user
-    assert_not user.unlock_access!
-    assert_match "was not locked", user.errors[:email].join
-  end
-
   test "new user should not be locked and should have zero failed_attempts" do
     assert_not new_user.access_locked?
     assert_equal 0, create_user.failed_attempts
@@ -141,7 +135,7 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'should find and unlock an user automatically' do
+  test 'should find and unlock a user automatically' do
     user = create_user
     user.lock_access!
     locked_user = User.unlock_access_by_token(user.unlock_token)
@@ -186,13 +180,13 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'should require all authentication_keys' do
-    swap Devise, :authentication_keys => [:username, :email] do
-      user = create_user
-      unlock_user = User.send_unlock_instructions(:email => user.email)
-      assert_not unlock_user.persisted?
-      assert_equal "can't be blank", unlock_user.errors[:username].join
-    end
+  test 'should require all unlock_keys' do
+      swap Devise, :unlock_keys => [:username, :email] do
+          user = create_user
+          unlock_user = User.send_unlock_instructions(:email => user.email)
+          assert_not unlock_user.persisted?
+          assert_equal "can't be blank", unlock_user.errors[:username].join
+      end
   end
 
   test 'should not be able to send instructions if the user is not locked' do
@@ -201,4 +195,31 @@ class LockableTest < ActiveSupport::TestCase
     assert_not user.access_locked?
     assert_equal 'was not locked', user.errors[:email].join
   end
+
+  test 'should unlock account if lock has expired and increase attempts on failure' do
+    swap Devise, :unlock_in => 1.minute do
+      user = create_user
+      user.confirm!
+
+      user.failed_attempts = 2
+      user.locked_at = 2.minutes.ago
+
+      user.valid_for_authentication? { false }
+      assert_equal 1, user.failed_attempts
+    end
+  end
+
+  test 'should unlock account if lock has expired on success' do
+    swap Devise, :unlock_in => 1.minute do
+      user = create_user
+      user.confirm!
+
+      user.failed_attempts = 2
+      user.locked_at = 2.minutes.ago
+
+      user.valid_for_authentication? { true }
+      assert_equal 0, user.failed_attempts
+      assert_nil user.locked_at
+    end
+  end
 end

data/test/models/recoverable_test.rb

@@ -85,7 +85,7 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_not reset_password_user.persisted?
     assert_equal "not found", reset_password_user.errors[:email].join
   end
-  
+
   test 'should find a user to send instructions by authentication_keys' do
     swap Devise, :authentication_keys => [:username, :email] do
       user = create_user
@@ -93,14 +93,14 @@ class RecoverableTest < ActiveSupport::TestCase
       assert_equal reset_password_user, user
     end
   end
-  
-  test 'should require all authentication_keys' do
-    swap Devise, :authentication_keys => [:username, :email] do
-      user = create_user
-      reset_password_user = User.send_reset_password_instructions(:email => user.email)
-      assert_not reset_password_user.persisted?
-      assert_equal "can't be blank", reset_password_user.errors[:username].join
-    end
+
+  test 'should require all reset_password_keys' do
+      swap Devise, :reset_password_keys => [:username, :email] do
+          user = create_user
+          reset_password_user = User.send_reset_password_instructions(:email => user.email)
+          assert_not reset_password_user.persisted?
+          assert_equal "can't be blank", reset_password_user.errors[:username].join
+      end
   end
 
   test 'should reset reset_password_token before send the reset instructions email' do
@@ -125,18 +125,27 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_equal reset_password_user, user
   end
 
-  test 'should a new record with errors if no reset_password_token is found' do
+  test 'should return a new record with errors if no reset_password_token is found' do
     reset_password_user = User.reset_password_by_token(:reset_password_token => 'invalid_token')
     assert_not reset_password_user.persisted?
     assert_equal "is invalid", reset_password_user.errors[:reset_password_token].join
   end
 
-  test 'should a new record with errors if reset_password_token is blank' do
+  test 'should return a new record with errors if reset_password_token is blank' do
     reset_password_user = User.reset_password_by_token(:reset_password_token => '')
     assert_not reset_password_user.persisted?
     assert_match "can't be blank", reset_password_user.errors[:reset_password_token].join
   end
 
+  test 'should return a new record with errors if password is blank' do
+    user = create_user
+    user.send :generate_reset_password_token!
+
+    reset_password_user = User.reset_password_by_token(:reset_password_token => user.reset_password_token, :password => '')
+    assert_not reset_password_user.errors.empty?
+    assert_match "can't be blank", reset_password_user.errors[:password].join
+  end
+
   test 'should reset successfully user password given the new password and confirmation' do
     user = create_user
     old_password = user.password

data/test/models/token_authenticatable_test.rb

@@ -27,6 +27,12 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
   end
 
   test 'should return nil when authenticating an invalid user by authentication token' do
+    if DEVISE_ORM == :mongoid
+      raise 'There is an incompatibility between Devise and Mongoid'  <<
+            ' that makes this test break. For more information, check' <<
+            ' this issue: https://github.com/mongoid/mongoid/issues/725'
+    end
+
     user = create_user
     user.ensure_authentication_token!
     user.confirm!
@@ -34,4 +40,16 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
     assert_nil authenticated_user
   end
 
-end
+  test 'should not be subject to injection' do
+    user1 = create_user
+    user1.ensure_authentication_token!
+    user1.confirm!
+
+    user2 = create_user
+    user2.ensure_authentication_token!
+    user2.confirm!
+
+    user = User.find_for_token_authentication(:auth_token => {'$ne' => user1.authentication_token})
+    assert_nil user
+  end
+end

data/test/models_test.rb

@@ -47,6 +47,13 @@ class ActiveRecordTest < ActiveSupport::TestCase
     assert_equal module_constants, (Admin.included_modules & module_constants).reverse
   end
 
+  test 'raise error on invalid module' do
+    assert_raise NameError do
+      # Mix valid an invalid modules.
+      Configurable.class_eval { devise :database_authenticatable, :doesnotexit }
+    end
+  end
+
   test 'set a default value for stretches' do
     assert_equal 15, Configurable.stretches
   end

data/test/omniauth/test_helpers_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class OmniAuthTestHelpersTest < ActiveSupport::TestCase
+  test "Assert that stub! raises deprecation error" do
+    assert_raises Devise::OmniAuth::TestHelpers::DeprecationError do
+      Devise::OmniAuth::TestHelpers.stub!
+    end
+  end
+
+  test "Assert that reset_stubs! raises deprecation error" do
+    assert_raises Devise::OmniAuth::TestHelpers::DeprecationError do
+      Devise::OmniAuth::TestHelpers.reset_stubs!
+    end
+  end
+
+  test "Assert that short_circuit_authorizers! warns about deprecation" do
+    Devise::OmniAuth::TestHelpers.short_circuit_authorizers!
+    assert ::OmniAuth.config.test_mode
+  end
+
+  test "Assert that unshort_circuit_authorizers! warns about deprecation" do
+    Devise::OmniAuth::TestHelpers.unshort_circuit_authorizers!
+    assert ! ::OmniAuth.config.test_mode
+  end
+end

data/test/omniauth/url_helpers_test.rb

@@ -44,4 +44,11 @@ class OmniAuthRoutesTest < ActionController::TestCase
     assert_equal "/users/auth/open_id",
                   @controller.omniauth_authorize_path(:user, :open_id)
   end
+
+  test 'should set script name in the path if present' do
+    @request.env['SCRIPT_NAME'] = '/q'
+
+    assert_equal "/q/users/auth/facebook",
+                 @controller.omniauth_authorize_path(:user, :facebook)
+  end
 end

data/test/rails_app/Rakefile

@@ -0,0 +1,10 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+Rails.application.load_tasks

data/test/rails_app/app/controllers/application_controller.rb

@@ -3,7 +3,6 @@
 
 class ApplicationController < ActionController::Base
   protect_from_forgery
-
   before_filter :current_user
   before_filter :authenticate_user!, :if => :devise_controller?
 end

data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -4,4 +4,11 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
     session["devise.facebook_data"] = data["extra"]["user_hash"]
     render :json => data
   end
+
+  def sign_in_facebook
+    user = User.find_by_email('user@test.com')
+    user.remember_me = true
+    sign_in user
+    render :text => ""
+  end
 end

data/test/rails_app/app/views/admins/index.html.erb

@@ -0,0 +1 @@
+Welcome Admin!

data/test/rails_app/app/views/admins/sessions/new.html.erb

@@ -0,0 +1,2 @@
+Welcome to "sessions/new" view!
+<%= render :file => "devise/sessions/new" %>