devise_token_auth 0.1.28.beta6 → 0.1.28.beta7

data/test/controllers/demo_user_controller_test.rb

@@ -0,0 +1,262 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class DemoUserControllerTest < ActionDispatch::IntegrationTest
+  describe DemoUserController do
+    describe "Token access" do
+      before do
+        @user = users(:confirmed_email_user)
+        @user.skip_confirmation!
+        @user.save!
+
+        @auth_headers = @user.create_new_auth_token
+
+        @token     = @auth_headers['access-token']
+        @client_id = @auth_headers['client']
+        @expiry    = @auth_headers['expiry']
+      end
+
+      describe 'successful request' do
+        before do
+          # ensure that request is not treated as batch request
+          age_token(@user, @client_id)
+
+          get '/demo/members_only', {}, @auth_headers
+
+          @resp_token       = response.headers['access-token']
+          @resp_client_id   = response.headers['client']
+          @resp_expiry      = response.headers['expiry']
+          @resp_uid         = response.headers['uid']
+        end
+
+        describe 'devise mappings' do
+          it 'should define current_user' do
+            assert_equal @user, @controller.current_user
+          end
+
+          it 'should define user_signed_in?' do
+            assert @controller.user_signed_in?
+          end
+
+          it 'should not define current_mang' do
+            refute_equal @user, @controller.current_mang
+          end
+        end
+
+        it 'should return success status' do
+          assert_equal 200, response.status
+        end
+
+        it 'should receive new token after successful request' do
+          refute_equal @token, @resp_token
+        end
+
+        it 'should preserve the client id from the first request' do
+          assert_equal @client_id, @resp_client_id
+        end
+
+        it "should return the user's uid in the auth header" do
+          assert_equal @user.uid, @resp_uid
+        end
+
+        it 'should not treat this request as a batch request' do
+          refute assigns(:is_batch_request)
+        end
+
+        describe 'subsequent requests' do
+          before do
+            @user.reload
+            # ensure that request is not treated as batch request
+            age_token(@user, @client_id)
+
+            get '/demo/members_only', {}, @auth_headers.merge({'access-token' => @resp_token})
+          end
+
+          it 'should not treat this request as a batch request' do
+            refute assigns(:is_batch_request)
+          end
+
+          it "should allow a new request to be made using new token" do
+            assert_equal 200, response.status
+          end
+        end
+      end
+
+      describe 'failed request' do
+        before do
+          get '/demo/members_only', {}, @auth_headers.merge({'access-token' => "bogus"})
+        end
+
+        it 'should not return any auth headers' do
+          refute response.headers['access-token']
+        end
+
+        it 'should return error: unauthorized status' do
+          assert_equal 401, response.status
+        end
+      end
+
+      describe 'disable change_headers_on_each_request' do
+        before do
+          DeviseTokenAuth.change_headers_on_each_request = false
+          @user.reload
+          age_token(@user, @client_id)
+
+          get '/demo/members_only', {}, @auth_headers
+
+          @first_is_batch_request = assigns(:is_batch_request)
+          @first_user = assigns(:user).dup
+          @first_access_token = response.headers['access-token']
+          @first_response_status = response.status
+
+          @user.reload
+          age_token(@user, @client_id)
+
+          # use expired auth header
+          get '/demo/members_only', {}, @auth_headers
+
+          @second_is_batch_request = assigns(:is_batch_request)
+          @second_user = assigns(:user).dup
+          @second_access_token = response.headers['access-token']
+          @second_response_status = response.status
+        end
+
+        after do
+          DeviseTokenAuth.change_headers_on_each_request = true
+        end
+
+        it 'should allow the first request through' do
+          assert_equal 200, @first_response_status
+        end
+
+        it 'should allow the second request through' do
+          assert_equal 200, @second_response_status
+        end
+
+        it 'should return auth headers from the first request' do
+          assert @first_access_token
+        end
+
+        it 'should not treat either requests as batch requests' do
+          refute @first_is_batch_request
+          refute @second_is_batch_request
+        end
+
+        it 'should return auth headers from the second request' do
+          assert @second_access_token
+        end
+
+        it 'should define user during first request' do
+          assert @first_user
+        end
+
+        it 'should define user during second request' do
+          assert @second_user
+        end
+      end
+
+      describe 'batch requests' do
+        describe 'success' do
+          before do
+            age_token(@user, @client_id)
+            #request.headers.merge!(@auth_headers)
+
+            get '/demo/members_only', {}, @auth_headers
+
+            @first_is_batch_request = assigns(:is_batch_request)
+            @first_user = assigns(:user)
+            @first_access_token = response.headers['access-token']
+
+            get '/demo/members_only', {}, @auth_headers
+
+            @second_is_batch_request = assigns(:is_batch_request)
+            @second_user = assigns(:user)
+            @second_access_token = response.headers['access-token']
+          end
+
+          it 'should allow both requests through' do
+            assert_equal 200, response.status
+          end
+
+          it 'should not treat the first request as a batch request' do
+            refute @first_is_batch_request
+          end
+
+          it 'should treat the second request as a batch request' do
+            assert @second_is_batch_request
+          end
+
+          it 'should return access token for first (non-batch) request' do
+            assert @first_access_token
+          end
+
+          it 'should NOT return auth headers for second (batched) requests' do
+            refute @second_access_token
+          end
+        end
+
+        describe 'time out' do
+          before do
+            @user.reload
+            age_token(@user, @client_id)
+
+            get '/demo/members_only', {}, @auth_headers
+
+            @first_is_batch_request = assigns(:is_batch_request)
+            @first_user = assigns(:user).dup
+            @first_access_token = response.headers['access-token']
+            @first_response_status = response.status
+
+            @user.reload
+            age_token(@user, @client_id)
+
+            # use expired auth header
+            get '/demo/members_only', {}, @auth_headers
+
+            @second_is_batch_request = assigns(:is_batch_request)
+            @second_user = assigns(:user)
+            @second_access_token = response.headers['access-token']
+            @second_response_status = response.status
+          end
+
+          it 'should allow the first request through' do
+            assert_equal 200, @first_response_status
+          end
+
+          it 'should not allow the second request through' do
+            assert_equal 401, @second_response_status
+          end
+
+          it 'should not treat first request as batch request' do
+            refute @secord_is_batch_request
+          end
+
+          it 'should return auth headers from the first request' do
+            assert @first_access_token
+          end
+
+          it 'should not treat second request as batch request' do
+            refute @secord_is_batch_request
+          end
+
+          it 'should not return auth headers from the second request' do
+            refute @second_access_token
+          end
+
+          it 'should define user during first request' do
+            assert @first_user
+          end
+
+          it 'should not define user during second request' do
+            refute @second_user
+          end
+        end
+      end
+    end
+  end
+end

data/test/controllers/devise_token_auth/auth_controller_test.rb

@@ -104,7 +104,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   describe 'alternate user model' do
     describe 'from api to provider' do
       before do
-        get_via_redirect '/bong/facebook', {
+        get_via_redirect '/mangs/facebook', {
           auth_origin_url: @redirect_url
         }
 

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -12,14 +12,19 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
       before do
         @new_user = users(:unconfirmed_email_user)
         @new_user.send_confirmation_instructions
-        @mail  = ActionMailer::Base.deliveries.last
-        @token = @mail.body.match(/confirmation_token=(.*)\"/)[1]
+        @mail          = ActionMailer::Base.deliveries.last
+        @token         = @mail.body.match(/confirmation_token=(.*)\"/)[1]
+        @client_config = @mail.body.match(/config=(.*)\&/)[1]
       end
 
       test 'should generate raw token' do
         assert @token
       end
 
+      test "should include config name as 'default' in confirmation link" do
+        assert_equal "default", @client_config
+      end
+
       test "should store token hash in user" do
         assert @new_user.confirmation_token
       end
@@ -61,16 +66,24 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
       end
 
       before do
-        @new_user = mangs(:unconfirmed_email_user)
-        @new_user.send_confirmation_instructions
-        @mail  = ActionMailer::Base.deliveries.last
-        @token = @mail.body.match(/confirmation_token=(.*)\"/)[1]
+        @config_name = "altUser"
+        @new_user    = mangs(:unconfirmed_email_user)
+
+        @new_user.send_confirmation_instructions(client_config: @config_name)
+
+        @mail          = ActionMailer::Base.deliveries.last
+        @token         = @mail.body.match(/confirmation_token=(.*)\"/)[1]
+        @client_config = @mail.body.match(/config=(.*)\&/)[1]
       end
 
       test 'should generate raw token' do
         assert @token
       end
 
+      test "should include config name in confirmation link" do
+        assert_equal @config_name, @client_config
+      end
+
       test "should store token hash in user" do
         assert @new_user.confirmation_token
       end

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -24,18 +24,15 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           @mail = ActionMailer::Base.deliveries.last
           @user.reload
 
+          @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+          @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
           @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
-          @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)&amp;/)[1])
         end
 
         test 'response should return success status' do
           assert_equal 200, response.status
         end
 
-        test 'action should save password_reset_redirect_url to user table' do
-          assert_equal @redirect_url, @user.reset_password_redirect_url
-        end
-
         test 'action should send an email' do
           assert @mail
         end
@@ -48,6 +45,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           assert_equal @redirect_url, @mail_redirect_url
         end
 
+        test 'the client config name should fall back to "default"' do
+          assert_equal 'default', @mail_config_name
+        end
+
         test 'the email body should contain a link with reset token as a query param' do
           user = User.reset_password_by_token({
             reset_password_token: @mail_reset_token
@@ -184,8 +185,9 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @mail = ActionMailer::Base.deliveries.last
         @user.reload
 
+        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
         @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)&amp;/)[1])
       end
 
       test 'response should return success status' do
@@ -214,8 +216,9 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @mail = ActionMailer::Base.deliveries.last
         @user.reload
 
+        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
         @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)&amp;/)[1])
 
         xhr :get, :edit, {
           reset_password_token: @mail_reset_token,
@@ -229,5 +232,30 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         assert @user.confirmed_at
       end
     end
+
+    describe 'alternate user type' do
+      before do
+        @user         = users(:confirmed_email_user)
+        @redirect_url = 'http://ng-token-auth.dev'
+        @config_name  = "altUser"
+
+        xhr :post, :create, {
+          email:        @user.email,
+          redirect_url: @redirect_url,
+          config_name:  @config_name
+        }
+
+        @mail = ActionMailer::Base.deliveries.last
+        @user.reload
+
+        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+      end
+
+      test 'config_name param is included in the confirmation email link' do
+        assert_equal @config_name, @mail_config_name
+      end
+    end
   end
 end

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -39,10 +39,6 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
         assert @data['data']['email']
       end
 
-      test "confirm_success_url be allowed by strong params" do
-        assert @data['data']['confirm_success_url']
-      end
-
       test "new user should receive confirmation email" do
         assert_equal @user.email, @mail['to'].to_s
       end
@@ -54,21 +50,41 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
 
     describe "Adding extra params" do
       before do
+        @redirect_url     = Faker::Internet.url
+        @operating_thetan = 2
+
         xhr :post, :create, {
           email: Faker::Internet.email,
           password: "secret123",
           password_confirmation: "secret123",
-          confirm_success_url: Faker::Internet.url,
-          operating_thetan: 2
+          confirm_success_url: @redirect_url,
+          favorite_color: @fav_color,
+          operating_thetan: @operating_thetan
         }
 
         @user = assigns(:resource)
         @data = JSON.parse(response.body)
         @mail = ActionMailer::Base.deliveries.last
+
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
+        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+      end
+
+      test 'redirect_url is included as param in email' do
+        assert_equal @redirect_url, @mail_redirect_url
+      end
+
+      test "additional sign_up params should be considered" do
+        assert_equal @operating_thetan, @user.operating_thetan
+      end
+
+      test 'config_name param is included in the confirmation email link' do
+        assert @mail_config_name
       end
 
-      test "Additional sign_up params should be considered" do
-        assert_equal 2, @user.operating_thetan
+      test "client config name falls back to 'default'" do
+        assert_equal "default", @mail_config_name
       end
     end
 
@@ -334,5 +350,42 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
         refute Mang.where(id: @user.id).first
       end
     end
+
+
+    describe "Passing client config name" do
+      setup do
+        @request.env['devise.mapping'] = Devise.mappings[:mang]
+      end
+
+      teardown do
+        @request.env['devise.mapping'] = Devise.mappings[:user]
+      end
+
+      before do
+        @config_name = 'altUser'
+
+        xhr :post, :create, {
+          email: Faker::Internet.email,
+          password: "secret123",
+          password_confirmation: "secret123",
+          confirm_success_url: Faker::Internet.url,
+          config_name: @config_name
+        }
+
+        @user = assigns(:resource)
+        @data = JSON.parse(response.body)
+        @mail = ActionMailer::Base.deliveries.last
+
+        @user.reload
+
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
+        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+      end
+
+      test 'config_name param is included in the confirmation email link' do
+        assert_equal @config_name, @mail_config_name
+      end
+    end
   end
 end