deviseOne 1.0.0

data/test/integration/lockable_test.rb

@@ -0,0 +1,239 @@
+require 'test_helper'
+
+class LockTest < ActionDispatch::IntegrationTest
+
+  def visit_user_unlock_with_token(unlock_token)
+    visit user_unlock_path(unlock_token: unlock_token)
+  end
+
+  def send_unlock_request
+    user = create_user(locked: true)
+    ActionMailer::Base.deliveries.clear
+
+    visit new_user_session_path
+    click_link "Didn't receive unlock instructions?"
+
+    Devise.stubs(:friendly_token).returns("abcdef")
+    fill_in 'email', with: user.email
+    click_button 'Resend unlock instructions'
+  end
+
+  test 'user should be able to request a new unlock token' do
+    send_unlock_request
+
+    assert_template 'sessions/new'
+    assert_contain 'You will receive an email with instructions for how to unlock your account in a few minutes'
+
+    mail = ActionMailer::Base.deliveries.last
+    assert_equal 1, ActionMailer::Base.deliveries.size
+    assert_equal ['please-change-me@config-initializers-devise.com'], mail.from
+    assert_match user_unlock_path(unlock_token: 'abcdef'), mail.body.encoded
+  end
+
+  test 'user should receive the instructions from a custom mailer' do
+    User.any_instance.stubs(:devise_mailer).returns(Users::Mailer)
+
+    send_unlock_request
+
+    assert_equal ['custom@example.com'], ActionMailer::Base.deliveries.first.from
+  end
+
+  test 'unlocked user should not be able to request a unlock token' do
+    user = create_user(locked: false)
+    ActionMailer::Base.deliveries.clear
+
+    visit new_user_session_path
+    click_link "Didn't receive unlock instructions?"
+
+    fill_in 'email', with: user.email
+    click_button 'Resend unlock instructions'
+
+    assert_template 'unlocks/new'
+    assert_contain 'not locked'
+    assert_equal 0, ActionMailer::Base.deliveries.size
+  end
+
+  test 'unlocked pages should not be available if email strategy is disabled' do
+    visit "/admin_area/sign_in"
+
+    assert_raise Webrat::NotFoundError do
+      click_link "Didn't receive unlock instructions?"
+    end
+
+    assert_raise NameError do
+      visit new_admin_unlock_path
+    end
+
+    assert_raise ActionController::RoutingError do
+      visit "/admin_area/unlock/new"
+    end
+  end
+
+  test 'user with invalid unlock token should not be able to unlock an account' do
+    visit_user_unlock_with_token('invalid_token')
+
+    assert_response :success
+    assert_current_url '/users/unlock?unlock_token=invalid_token'
+    assert_have_selector '#error_explanation'
+    assert_contain /Unlock token(.*)invalid/
+  end
+
+  test "locked user should be able to unlock account" do
+    user = create_user
+    raw  = user.lock_access!
+    visit_user_unlock_with_token(raw)
+
+    assert_current_url "/users/sign_in"
+    assert_contain 'Your account has been unlocked successfully. Please sign in to continue.'
+    assert_not user.reload.access_locked?
+  end
+
+  test "user should not send a new e-mail if already locked" do
+    user = create_user(locked: true)
+    user.failed_attempts = User.maximum_attempts + 1
+    user.save!
+
+    ActionMailer::Base.deliveries.clear
+
+    sign_in_as_user(password: "invalid")
+    assert_contain 'Your account is locked.'
+    assert ActionMailer::Base.deliveries.empty?
+  end
+
+  test 'error message is configurable by resource name' do
+    store_translations :en, devise: {
+        failure: {user: {locked: "You are locked!"}}
+    } do
+
+      user = create_user(locked: true)
+      user.failed_attempts = User.maximum_attempts + 1
+      user.save!
+
+      sign_in_as_user(password: "invalid")
+      assert_contain "You are locked!"
+    end
+  end
+
+  test "user should not be able to sign in when locked" do
+    store_translations :en, devise: {
+        failure: {user: {locked: "You are locked!"}}
+    } do
+
+      user = create_user(locked: true)
+      user.failed_attempts = User.maximum_attempts + 1
+      user.save!
+
+      sign_in_as_user(password: "123456")
+      assert_contain "You are locked!"
+    end
+  end
+
+  test 'user should be able to request a new unlock token via XML request' do
+    user = create_user(locked: true)
+    ActionMailer::Base.deliveries.clear
+
+    post user_unlock_path(format: 'xml'), user: {email: user.email}
+    assert_response :success
+    assert_equal response.body, {}.to_xml
+    assert_equal 1, ActionMailer::Base.deliveries.size
+  end
+
+  test 'unlocked user should not be able to request a unlock token via XML request' do
+    user = create_user(locked: false)
+    ActionMailer::Base.deliveries.clear
+
+    post user_unlock_path(format: 'xml'), user: {email: user.email}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+    assert_equal 0, ActionMailer::Base.deliveries.size
+  end
+
+  test 'user with valid unlock token should be able to unlock account via XML request' do
+    user = create_user()
+    raw  = user.lock_access!
+    assert user.access_locked?
+    get user_unlock_path(format: 'xml', unlock_token: raw)
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+
+  test 'user with invalid unlock token should not be able to unlock the account via XML request' do
+    get user_unlock_path(format: 'xml', unlock_token: 'invalid_token')
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test "when using json to ask a unlock request, should not return the user" do
+    user = create_user(locked: true)
+    post user_unlock_path(format: "json", user: {email: user.email})
+    assert_response :success
+    assert_equal response.body, {}.to_json
+  end
+
+  test "in paranoid mode, when trying to unlock an user that exists it should not say that it exists if it is locked" do
+    swap Devise, paranoid: true do
+      user = create_user(locked: true)
+
+      visit new_user_session_path
+      click_link "Didn't receive unlock instructions?"
+
+      fill_in 'email', with: user.email
+      click_button 'Resend unlock instructions'
+
+      assert_current_url "/users/sign_in"
+      assert_contain "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
+    end
+  end
+
+  test "in paranoid mode, when trying to unlock an user that exists it should not say that it exists if it is not locked" do
+    swap Devise, paranoid: true do
+      user = create_user(locked: false)
+
+      visit new_user_session_path
+      click_link "Didn't receive unlock instructions?"
+
+      fill_in 'email', with: user.email
+      click_button 'Resend unlock instructions'
+
+      assert_current_url "/users/sign_in"
+      assert_contain "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
+    end
+  end
+
+  test "in paranoid mode, when trying to unlock an user that does not exists it should not say that it does not exists" do
+    swap Devise, paranoid: true do
+      visit new_user_session_path
+      click_link "Didn't receive unlock instructions?"
+
+      fill_in 'email', with: "arandomemail@hotmail.com"
+      click_button 'Resend unlock instructions'
+
+      assert_not_contain "1 error prohibited this user from being saved:"
+      assert_not_contain "Email not found"
+      assert_current_url "/users/sign_in"
+
+      assert_contain "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
+
+    end
+  end
+
+  test "in paranoid mode, when locking a user that exists it should not say that the user was locked" do
+    swap Devise, paranoid: true, maximum_attempts: 1 do
+      user = create_user(locked: false)
+
+      visit new_user_session_path
+      fill_in 'email', with: user.email
+      fill_in 'password', with: "abadpassword"
+      click_button 'Log in'
+
+      fill_in 'email', with: user.email
+      fill_in 'password', with: "abadpassword"
+      click_button 'Log in'
+
+      assert_current_url "/users/sign_in"
+      assert_not_contain "locked"
+    end
+  end
+
+end

data/test/integration/omniauthable_test.rb

@@ -0,0 +1,133 @@
+require 'test_helper'
+
+
+class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
+  FACEBOOK_INFO = {
+    "id" => '12345',
+    "link" => 'http://facebook.com/josevalim',
+    "email" => 'user@example.com',
+    "first_name" => 'Jose',
+    "last_name" => 'Valim',
+    "website" => 'http://blog.plataformatec.com.br'
+  }
+
+  setup do
+    OmniAuth.config.test_mode = true
+    OmniAuth.config.mock_auth[:facebook] = {
+      "uid" => '12345',
+      "provider" => 'facebook',
+      "user_info" => {"nickname" => 'josevalim'},
+      "credentials" => {"token" => 'plataformatec'},
+      "extra" => {"user_hash" => FACEBOOK_INFO}
+    }
+  end
+
+  teardown do
+    OmniAuth.config.test_mode = false
+  end
+
+  def stub_action!(name)
+    Users::OmniauthCallbacksController.class_eval do
+      alias_method :__old_facebook, :facebook
+      alias_method :facebook, name
+    end
+    yield
+  ensure
+    Users::OmniauthCallbacksController.class_eval do
+      alias_method :facebook, :__old_facebook
+    end
+  end
+
+  test "can access omniauth.auth in the env hash" do
+    visit "/users/sign_in"
+    click_link "Sign in with Facebook"
+
+    json = ActiveSupport::JSON.decode(response.body)
+
+    assert_equal "12345",         json["uid"]
+    assert_equal "facebook",      json["provider"]
+    assert_equal "josevalim",     json["user_info"]["nickname"]
+    assert_equal FACEBOOK_INFO,   json["extra"]["user_hash"]
+    assert_equal "plataformatec", json["credentials"]["token"]
+  end
+
+  test "cleans up session on sign up" do
+    assert_no_difference "User.count" do
+      visit "/users/sign_in"
+      click_link "Sign in with Facebook"
+    end
+
+    assert session["devise.facebook_data"]
+
+    assert_difference "User.count" do
+      visit "/users/sign_up"
+      fill_in "Password", with: "12345678"
+      fill_in "Password confirmation", with: "12345678"
+      click_button "Sign up"
+    end
+
+    assert_current_url "/"
+    assert_contain "You have signed up successfully."
+    assert_contain "Hello User user@example.com"
+    assert_not session["devise.facebook_data"]
+  end
+
+  test "cleans up session on cancel" do
+    assert_no_difference "User.count" do
+      visit "/users/sign_in"
+      click_link "Sign in with Facebook"
+    end
+
+    assert session["devise.facebook_data"]
+    visit "/users/cancel"
+    assert !session["devise.facebook_data"]
+  end
+
+  test "cleans up session on sign in" do
+    assert_no_difference "User.count" do
+      visit "/users/sign_in"
+      click_link "Sign in with Facebook"
+    end
+
+    assert session["devise.facebook_data"]
+    sign_in_as_user
+    assert !session["devise.facebook_data"]
+  end
+
+  test "sign in and send remember token if configured" do
+    visit "/users/sign_in"
+    click_link "Sign in with Facebook"
+    assert_nil warden.cookies["remember_user_token"]
+
+    stub_action!(:sign_in_facebook) do
+      create_user
+      visit "/users/sign_in"
+      click_link "Sign in with Facebook"
+      assert warden.authenticated?(:user)
+      assert warden.cookies["remember_user_token"]
+    end
+  end
+
+  test "generates a proper link when SCRIPT_NAME is set" do
+    header 'SCRIPT_NAME', '/q'
+    visit "/users/sign_in"
+    assert_select "a", href: "/q/users/auth/facebook"
+  end
+
+  test "handles callback error parameter according to the specification" do
+    OmniAuth.config.mock_auth[:facebook] = :access_denied
+    visit "/users/auth/facebook/callback?error=access_denied"
+    assert_current_url "/users/sign_in"
+    assert_contain 'Could not authenticate you from Facebook because "Access denied".'
+  end
+
+  test "handles other exceptions from OmniAuth" do
+    OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
+
+    visit "/users/sign_in"
+    click_link "Sign in with Facebook"
+
+    assert_current_url "/users/sign_in"
+    assert_contain 'Could not authenticate you from Facebook because "Invalid credentials".'
+  end
+end

data/test/integration/recoverable_test.rb

@@ -0,0 +1,334 @@
+require 'test_helper'
+
+class PasswordTest < ActionDispatch::IntegrationTest
+
+  def visit_new_password_path
+    visit new_user_session_path
+    click_link 'Forgot your password?'
+  end
+
+  def request_forgot_password(&block)
+    visit_new_password_path
+    assert_response :success
+    assert_not warden.authenticated?(:user)
+
+    fill_in 'email', with: 'user@test.com'
+    yield if block_given?
+
+    Devise.stubs(:friendly_token).returns("abcdef")
+    click_button 'Send me reset password instructions'
+  end
+
+  def reset_password(options={}, &block)
+    unless options[:visit] == false
+      visit edit_user_password_path(reset_password_token: options[:reset_password_token] || "abcdef")
+      assert_response :success
+    end
+
+    fill_in 'New password', with: '987654321'
+    fill_in 'Confirm new password', with: '987654321'
+    yield if block_given?
+    click_button 'Change my password'
+  end
+
+  test 'reset password with email of different case should succeed when email is in the list of case insensitive keys' do
+    create_user(email: 'Foo@Bar.com')
+
+    request_forgot_password do
+      fill_in 'email', with: 'foo@bar.com'
+    end
+
+    assert_current_url '/users/sign_in'
+    assert_contain 'You will receive an email with instructions on how to reset your password in a few minutes.'
+  end
+
+  test 'reset password with email should send an email from a custom mailer' do
+    create_user(email: 'Foo@Bar.com')
+
+    User.any_instance.stubs(:devise_mailer).returns(Users::Mailer)
+    request_forgot_password do
+      fill_in 'email', with: 'foo@bar.com'
+    end
+
+    mail = ActionMailer::Base.deliveries.last
+    assert_equal ['custom@example.com'], mail.from
+    assert_match edit_user_password_path(reset_password_token: 'abcdef'), mail.body.encoded
+  end
+
+  test 'reset password with email of different case should fail when email is NOT the list of case insensitive keys' do
+    swap Devise, case_insensitive_keys: [] do
+      create_user(email: 'Foo@Bar.com')
+
+      request_forgot_password do
+        fill_in 'email', with: 'foo@bar.com'
+      end
+
+      assert_response :success
+      assert_current_url '/users/password'
+      assert_have_selector "input[type=email][value='foo@bar.com']"
+      assert_contain 'not found'
+    end
+  end
+
+  test 'reset password with email with extra whitespace should succeed when email is in the list of strip whitespace keys' do
+    create_user(email: 'foo@bar.com')
+
+    request_forgot_password do
+      fill_in 'email', with: ' foo@bar.com '
+    end
+
+    assert_current_url '/users/sign_in'
+    assert_contain 'You will receive an email with instructions on how to reset your password in a few minutes.'
+  end
+
+  test 'reset password with email with extra whitespace should fail when email is NOT the list of strip whitespace keys' do
+    swap Devise, strip_whitespace_keys: [] do
+      create_user(email: 'foo@bar.com')
+
+      request_forgot_password do
+        fill_in 'email', with: ' foo@bar.com '
+      end
+
+      assert_response :success
+      assert_current_url '/users/password'
+      assert_have_selector "input[type=email][value=' foo@bar.com ']"
+      assert_contain 'not found'
+    end
+  end
+
+  test 'authenticated user should not be able to visit forgot password page' do
+    sign_in_as_user
+    assert warden.authenticated?(:user)
+
+    get new_user_password_path
+
+    assert_response :redirect
+    assert_redirected_to root_path
+  end
+
+  test 'not authenticated user should be able to request a forgot password' do
+    create_user
+    request_forgot_password
+
+    assert_current_url '/users/sign_in'
+    assert_contain 'You will receive an email with instructions on how to reset your password in a few minutes.'
+  end
+
+  test 'not authenticated user with invalid email should receive an error message' do
+    request_forgot_password do
+      fill_in 'email', with: 'invalid.test@test.com'
+    end
+
+    assert_response :success
+    assert_current_url '/users/password'
+    assert_have_selector "input[type=email][value='invalid.test@test.com']"
+    assert_contain 'not found'
+  end
+
+  test 'authenticated user should not be able to visit edit password page' do
+    sign_in_as_user
+    get edit_user_password_path
+    assert_response :redirect
+    assert_redirected_to root_path
+    assert warden.authenticated?(:user)
+  end
+
+  test 'not authenticated user without a reset password token should not be able to visit the page' do
+    get edit_user_password_path
+    assert_response :redirect
+    assert_redirected_to "/users/sign_in"
+  end
+
+  test 'not authenticated user with invalid reset password token should not be able to change their password' do
+    user = create_user
+    reset_password reset_password_token: 'invalid_reset_password'
+
+    assert_response :success
+    assert_current_url '/users/password'
+    assert_have_selector '#error_explanation'
+    assert_contain /Reset password token(.*)invalid/
+    assert_not user.reload.valid_password?('987654321')
+  end
+
+  test 'not authenticated user with valid reset password token but invalid password should not be able to change their password' do
+    user = create_user
+    request_forgot_password
+    reset_password do
+      fill_in 'Confirm new password', with: 'other_password'
+    end
+
+    assert_response :success
+    assert_current_url '/users/password'
+    assert_have_selector '#error_explanation'
+    assert_contain Devise.rails4? ?
+      "Password confirmation doesn't match Password" : "Password doesn't match confirmation"
+    assert_not user.reload.valid_password?('987654321')
+  end
+
+  test 'not authenticated user with valid data should be able to change their password' do
+    user = create_user
+    request_forgot_password
+    reset_password
+
+    assert_current_url '/'
+    assert_contain 'Your password has been changed successfully. You are now signed in.'
+    assert user.reload.valid_password?('987654321')
+  end
+
+  test 'after entering invalid data user should still be able to change their password' do
+    user = create_user
+    request_forgot_password
+
+    reset_password {  fill_in 'Confirm new password', with: 'other_password' }
+    assert_response :success
+    assert_have_selector '#error_explanation'
+    assert_not user.reload.valid_password?('987654321')
+
+    reset_password visit: false
+    assert_contain 'Your password has been changed successfully.'
+    assert user.reload.valid_password?('987654321')
+  end
+
+  test 'sign in user automatically after changing its password' do
+    create_user
+    request_forgot_password
+    reset_password
+
+    assert warden.authenticated?(:user)
+  end
+
+  test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
+    [:none, :time].each do |strategy|
+      swap Devise, unlock_strategy: strategy do
+        user = create_user(locked: true)
+        request_forgot_password
+        reset_password
+
+        assert_contain 'Your password has been changed successfully.'
+        assert_not_contain 'You are now signed in.'
+        assert_equal new_user_session_path, @request.path
+        assert !warden.authenticated?(:user)
+      end
+    end
+  end
+
+  test 'unlocks and signs in locked user automatically after changing it\'s password if unlock strategy is :email' do
+    swap Devise, unlock_strategy: :email do
+      user = create_user(locked: true)
+      request_forgot_password
+      reset_password
+
+      assert_contain 'Your password has been changed successfully.'
+      assert !user.reload.access_locked?
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'unlocks and signs in locked user automatically after changing it\'s password if unlock strategy is :both' do
+    swap Devise, unlock_strategy: :both do
+      user = create_user(locked: true)
+      request_forgot_password
+      reset_password
+
+      assert_contain 'Your password has been changed successfully.'
+      assert !user.reload.access_locked?
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'reset password request with valid E-Mail in XML format should return valid response' do
+    create_user
+    post user_password_path(format: 'xml'), user: {email: "user@test.com"}
+    assert_response :success
+    assert_equal response.body, { }.to_xml
+  end
+
+  test 'reset password request with invalid E-Mail in XML format should return valid response' do
+    create_user
+    post user_password_path(format: 'xml'), user: {email: "invalid.test@test.com"}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'reset password request with invalid E-Mail in XML format should return empty and valid response' do
+    swap Devise, paranoid: true do
+      create_user
+      post user_password_path(format: 'xml'), user: {email: "invalid@test.com"}
+      assert_response :success
+      assert_equal response.body, { }.to_xml
+    end
+  end
+
+  test 'change password with valid parameters in XML format should return valid response' do
+    create_user
+    request_forgot_password
+    put user_password_path(format: 'xml'), user: {
+      reset_password_token: 'abcdef', password: '987654321', password_confirmation: '987654321'
+    }
+    assert_response :success
+    assert warden.authenticated?(:user)
+  end
+
+  test 'change password with invalid token in XML format should return invalid response' do
+    create_user
+    request_forgot_password
+    put user_password_path(format: 'xml'), user: {reset_password_token: 'invalid.token', password: '987654321', password_confirmation: '987654321'}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'change password with invalid new password in XML format should return invalid response' do
+    user = create_user
+    request_forgot_password
+    put user_password_path(format: 'xml'), user: {reset_password_token: user.reload.reset_password_token, password: '', password_confirmation: '987654321'}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test "when using json requests to ask a confirmable request, should not return the object" do
+    user = create_user(confirm: false)
+
+    post user_password_path(format: :json), user: { email: user.email }
+
+    assert_response :success
+    assert_equal response.body, "{}"
+  end
+
+  test "when in paranoid mode and with an invalid e-mail, asking to reset a password should display a message that does not indicates that the e-mail does not exists in the database" do
+    swap Devise, paranoid: true do
+      visit_new_password_path
+      fill_in "email", with: "arandomemail@test.com"
+      click_button 'Send me reset password instructions'
+
+      assert_not_contain "1 error prohibited this user from being saved:"
+      assert_not_contain "Email not found"
+      assert_contain "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      assert_current_url "/users/sign_in"
+    end
+  end
+
+  test "when in paranoid mode and with a valid e-mail, asking to reset password should display a message that does not indicates that the email exists in the database and redirect to the failure route" do
+    swap Devise, paranoid: true do
+      user = create_user
+      visit_new_password_path
+      fill_in 'email', with: user.email
+      click_button 'Send me reset password instructions'
+
+      assert_contain "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      assert_current_url "/users/sign_in"
+    end
+  end
+
+  test "after recovering a password, should set failed attempts to 0" do
+    user = create_user
+    user.update_attribute(:failed_attempts, 10)
+
+    assert_equal 10, user.failed_attempts
+    request_forgot_password
+    reset_password
+
+    assert warden.authenticated?(:user)
+    user.reload
+    assert_equal 0, user.failed_attempts
+  end
+end