devise_jwt_auth 0.1.0

data/test/controllers/devise_jwt_auth/unlocks_controller_test.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class DeviseJwtAuth::UnlocksControllerTest < ActionController::TestCase
+  describe DeviseJwtAuth::UnlocksController do
+    setup do
+      @request.env['devise.mapping'] = Devise.mappings[:lockable_user]
+    end
+
+    teardown do
+      @request.env['devise.mapping'] = Devise.mappings[:user]
+    end
+
+    before do
+      @original_lock_strategy = Devise.lock_strategy
+      @original_unlock_strategy = Devise.unlock_strategy
+      @original_maximum_attempts = Devise.maximum_attempts
+      Devise.lock_strategy = :failed_attempts
+      Devise.unlock_strategy = :email
+      Devise.maximum_attempts = 5
+    end
+
+    after do
+      Devise.lock_strategy = @original_lock_strategy
+      Devise.maximum_attempts = @original_maximum_attempts
+      Devise.unlock_strategy = @original_unlock_strategy
+    end
+
+    describe 'Unlocking user' do
+      before do
+        @resource = create(:lockable_user)
+      end
+
+      describe 'request unlock without email' do
+        before do
+          @auth_headers = @resource.create_named_token_pair
+          @new_password = Faker::Internet.password
+
+          post :create
+          @data = JSON.parse(response.body)
+        end
+
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data['errors']
+          assert_equal @data['errors'], [I18n.t('devise_jwt_auth.passwords.missing_email')]
+        end
+      end
+
+      describe 'request unlock' do
+        describe 'unknown user should return 404' do
+          before do
+            post :create, params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_jwt_auth.passwords.user_not_found',
+                                 email: 'chester@cheet.ah')]
+          end
+        end
+
+        describe 'successfully requested unlock' do
+          before do
+            post :create, params: { email: @resource.email }
+
+            @data = JSON.parse(response.body)
+          end
+
+          test 'response should not contain extra data' do
+            assert_nil @data['data']
+          end
+        end
+
+        describe 'case-sensitive email' do
+          before do
+            post :create, params: { email: @resource.email }
+
+            @mail = ActionMailer::Base.deliveries.last
+            @resource.reload
+            @data = JSON.parse(response.body)
+
+            @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+            @mail_reset_token  = @mail.body.match(/unlock_token=(.*)\"/)[1]
+          end
+
+          test 'response should return success status' do
+            assert_equal 200, response.status
+          end
+
+          test 'response should contains message' do
+            assert_equal @data['message'], I18n.t('devise_jwt_auth.unlocks.sended', email: @resource.email)
+          end
+
+          test 'action should send an email' do
+            assert @mail
+          end
+
+          test 'the email should be addressed to the user' do
+            assert_equal @mail.to.first, @resource.email
+          end
+
+          test 'the client config name should fall back to "default"' do
+            assert_equal 'default', @mail_config_name
+          end
+
+          test 'the email body should contain a link with reset token as a query param' do
+            user = LockableUser.unlock_access_by_token(@mail_reset_token)
+            assert_equal user.id, @resource.id
+          end
+
+          describe 'unlock link failure' do
+            test 'response should return 404' do
+              assert_raises(ActionController::RoutingError) do
+                get :show, params: { unlock_token: 'bogus' }
+              end
+            end
+          end
+
+          describe 'password reset link success' do
+            before do
+              get :show, params: { unlock_token: @mail_reset_token }
+
+              @resource.reload
+
+              raw_qs = response.location.split('?')[1]
+              @qs = Rack::Utils.parse_nested_query(raw_qs)
+
+              @access_token   = @qs['access-token']
+              @client         = @qs['client']
+              @client_id      = @qs['client_id']
+              @expiry         = @qs['expiry']
+              @token          = @qs['token']
+              @uid            = @qs['uid']
+              @unlock         = @qs['unlock']
+            end
+
+            test 'respones should have success redirect status' do
+              assert_equal 302, response.status
+            end
+=begin
+            test 'response should contain auth params' do
+              assert @access_token
+              assert @client
+              assert @client_id
+              assert @expiry
+              assert @token
+              assert @uid
+              assert @unlock
+            end
+
+            test 'response auth params should be valid' do
+              assert @resource.valid_token?(@token, @client_id)
+              assert @resource.valid_token?(@access_token, @client)
+            end
+=end
+          end
+        end
+
+        describe 'case-insensitive email' do
+          before do
+            @resource_class = LockableUser
+            @request_params = {
+              email:        @resource.email.upcase
+            }
+          end
+
+          test 'response should return success status if configured' do
+            @resource_class.case_insensitive_keys = [:email]
+            post :create, params: @request_params
+            assert_equal 200, response.status
+          end
+
+          test 'response should return failure status if not configured' do
+            @resource_class.case_insensitive_keys = []
+            post :create, params: @request_params
+            assert_equal 404, response.status
+          end
+        end
+      end
+    end
+  end
+end

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::ConfirmationsController do
+    before do
+      @redirect_url = Faker::Internet.url
+      @new_user = create(:user)
+
+      # generate + send email
+      @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
+
+      @mail = ActionMailer::Base.deliveries.last
+      @confirmation_path = @mail.body.match(/localhost([^\"]*)\"/)[1]
+
+      # visit confirmation link
+      get @confirmation_path
+
+      # reload user from db
+      @new_user.reload
+    end
+
+    test 'user is confirmed' do
+      assert @new_user.confirmed?
+    end
+
+    test 'user can be authenticated via confirmation link' do
+      # hard coded in override controller
+      override_proof_str = '(^^,)'
+
+      # ensure present in redirect URL
+      override_proof_param = URI.unescape(response.headers['Location']
+                                .match(/override_proof=([^&]*)/)[1])
+
+      assert_equal override_proof_str, override_proof_param
+    end
+  end
+end

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::OmniauthCallbacksController do
+    before do
+      OmniAuth.config.test_mode = true
+      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+        provider: 'facebook',
+        uid: '123545',
+        info: {
+          name: 'chong',
+          email: 'chongbong@aol.com'
+        }
+      )
+
+      @favorite_color = 'gray'
+
+      get '/evil_user_auth/facebook',
+          params: {
+            auth_origin_url: Faker::Internet.url,
+            favorite_color: @favorite_color,
+            omniauth_window_type: 'newWindow'
+          }
+
+      follow_all_redirects!
+
+      @resource = assigns(:resource)
+    end
+
+    test 'request is successful' do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal @resource.nickname,
+                   Overrides::OmniauthCallbacksController::DEFAULT_NICKNAME
+    end
+
+    test 'whitelisted param was allowed' do
+      assert_equal @favorite_color, @resource.favorite_color
+    end
+  end
+end

data/test/controllers/overrides/passwords_controller_test.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::PasswordsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::PasswordsController do
+    before do
+      @resource = create(:user, :confirmed)
+
+      post '/evil_user_auth/password',
+           params: {
+             email: @resource.email,
+             redirect_url: Faker::Internet.url
+           }
+
+      mail = ActionMailer::Base.deliveries.last
+      @resource.reload
+
+      mail_reset_token  = mail.body.match(/reset_password_token=(.*)\"/)[1]
+      mail_redirect_url = CGI.unescape(mail.body.match(/redirect_url=([^&]*)&/)[1])
+
+      get '/evil_user_auth/password/edit',
+          params: {
+            reset_password_token: mail_reset_token,
+            redirect_url: mail_redirect_url
+          }
+
+      @resource.reload
+
+      _, raw_query_string = response.location.split('?')
+      @query_string = Rack::Utils.parse_nested_query(raw_query_string)
+    end
+
+    test 'response should have success redirect status' do
+      assert_equal 302, response.status
+    end
+
+    test 'response should contain auth params + override proof' do
+      # TODO: remove access-token and keep uid?
+      assert @query_string['access-token']
+      # assert @query_string['client']
+      # assert @query_string['client_id']
+      # assert @query_string['expiry']
+      assert @query_string['override_proof']
+      assert @query_string['reset_password']
+      # assert @query_string['token']
+      # assert @query_string['uid']
+    end
+
+    test 'override proof is correct' do
+      assert_equal(
+        @query_string['override_proof'],
+        Overrides::PasswordsController::OVERRIDE_PROOF
+      )
+    end
+  end
+end

data/test/controllers/overrides/refresh_token_controller_test.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::RefreshTokenControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::RefreshTokenController do
+    before do
+      @resource = create(:user, :confirmed)
+      @auth_headers = get_cookie_header(DeviseJwtAuth.refresh_token_name,
+                                          @resource.create_refresh_token
+      )
+
+      get '/evil_user_auth/refresh_token',
+          params: {},
+          headers: @auth_headers
+
+      @resp = JSON.parse(response.body)
+    end
+
+    test 'response valid' do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal Overrides::RefreshTokenController::OVERRIDE_PROOF,
+                   @resp['override_proof']
+    end
+  end
+end

data/test/controllers/overrides/registrations_controller_test.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::RegistrationsController do
+    describe 'Succesful Registration update' do
+      before do
+        @existing_user  = create(:user, :confirmed)
+        @auth_headers = @existing_user.create_named_token_pair
+
+        # @client_id      = @auth_headers['client']
+        @favorite_color = 'pink'
+
+        # ensure request is not treated as batch request
+        # age_token(@existing_user, @client_id)
+
+        # test valid update param
+        @new_operating_thetan = 1_000_000
+
+        put '/evil_user_auth',
+            params: { favorite_color: @favorite_color },
+            headers: @auth_headers
+
+        @data = JSON.parse(response.body)
+        @existing_user.reload
+      end
+
+      test 'user was updated' do
+        assert_equal @favorite_color, @existing_user.favorite_color
+      end
+
+      test 'controller was overridden' do
+        assert_equal Overrides::RegistrationsController::OVERRIDE_PROOF,
+                     @data['override_proof']
+      end
+    end
+  end
+end