devise_token_auth 0.1.28 → 0.1.29.beta1

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -0,0 +1,44 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::ConfirmationsController do
+    before do
+      @redirect_url = Faker::Internet.url
+      @new_user     = evil_users(:unconfirmed_email_user)
+
+      # generate + send email
+      @new_user.send_confirmation_instructions({
+        redirect_url: @redirect_url
+      })
+
+      @mail              = ActionMailer::Base.deliveries.last
+      @confirmation_path = @mail.body.match(/localhost([^\"]*)\"/)[1]
+
+      # visit confirmation link
+      get @confirmation_path
+
+      # reload user from db
+      @new_user.reload
+    end
+
+    test "user is confirmed" do
+      assert @new_user.confirmed?
+    end
+
+    test "user can be authenticated via confirmation link" do
+      # hard coded in override controller
+      override_proof_str = "(^^,)"
+
+      # ensure present in redirect URL
+      override_proof_param = URI.unescape(response.headers["Location"].match(/override_proof=([^&]*)&/)[1])
+
+      assert_equal override_proof_str, override_proof_param
+    end
+  end
+end

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb

@@ -0,0 +1,44 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::OmniauthCallbacksController do
+    setup do
+      OmniAuth.config.test_mode = true
+      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new({
+        :provider => 'facebook',
+        :uid => '123545',
+        :info => {
+          name: 'chong',
+          email: 'chongbong@aol.com'
+        }
+      })
+
+      @favorite_color = "gray"
+
+      get_via_redirect '/evil_user_auth/facebook', {
+        auth_origin_url: Faker::Internet.url,
+        favorite_color: @favorite_color
+      }
+
+      @user = assigns(:user)
+    end
+
+    test 'request is successful' do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal @user.nickname, Overrides::OmniauthCallbacksController::DEFAULT_NICKNAME
+    end
+
+    test 'whitelisted param was allowed' do
+      assert_equal @favorite_color, @user.favorite_color
+    end
+  end
+end

data/test/controllers/overrides/passwords_controller_test.rb

@@ -0,0 +1,62 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::PasswordsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::PasswordsController do
+    before do
+      @user = evil_users(:confirmed_email_user)
+      @redirect_url = Faker::Internet.url
+
+      post "/evil_user_auth/password", {
+        email:        @user.email,
+        redirect_url: @redirect_url
+      }
+
+      @mail = ActionMailer::Base.deliveries.last
+      @user.reload
+
+      @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+      @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+
+      get '/evil_user_auth/password/edit', {
+        reset_password_token: @mail_reset_token,
+        redirect_url: @mail_redirect_url
+      }
+
+      @user.reload
+
+      raw_qs = response.location.split('?')[1]
+      @qs = Rack::Utils.parse_nested_query(raw_qs)
+
+      @client_id      = @qs["client_id"]
+      @expiry         = @qs["expiry"]
+      @reset_password = @qs["reset_password"]
+      @token          = @qs["token"]
+      @uid            = @qs["uid"]
+      @override_proof = @qs["override_proof"]
+    end
+
+    test 'respones should have success redirect status' do
+      assert_equal 302, response.status
+    end
+
+    test 'response should contain auth params + override proof' do
+      assert @client_id
+      assert @expiry
+      assert @reset_password
+      assert @token
+      assert @uid
+      assert @override_proof
+    end
+
+    test 'override proof is correct' do
+      assert_equal @override_proof, Overrides::PasswordsController::OVERRIDE_PROOF
+    end
+  end
+end

data/test/controllers/overrides/registrations_controller_test.rb

@@ -0,0 +1,40 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::RegistrationsController do
+    setup do
+      @existing_user  = evil_users(:confirmed_email_user)
+      @auth_headers   = @existing_user.create_new_auth_token
+      @client_id      = @auth_headers['client']
+      @favorite_color = "pink"
+
+
+      # ensure request is not treated as batch request
+      age_token(@existing_user, @client_id)
+
+      # test valid update param
+      @new_operating_thetan = 1000000
+
+      put '/evil_user_auth', {
+        favorite_color: @favorite_color
+      }, @auth_headers
+
+      @data = JSON.parse(response.body)
+      @existing_user.reload
+    end
+
+    test 'user was updated' do
+      assert_equal @favorite_color, @existing_user.favorite_color
+    end
+
+    test 'controller was overridden' do
+      assert_equal Overrides::RegistrationsController::OVERRIDE_PROOF, @data["override_proof"]
+    end
+  end
+end

data/test/controllers/overrides/sessions_controller_test.rb

@@ -0,0 +1,33 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::RegistrationsController do
+    before do
+      @existing_user = evil_users(:confirmed_email_user)
+      @existing_user.skip_confirmation!
+      @existing_user.save!
+
+      post '/evil_user_auth/sign_in', {
+        email: @existing_user.email,
+        password: 'secret123'
+      }
+
+      @user = assigns(:user)
+      @data = JSON.parse(response.body)
+    end
+
+    test "request should succeed" do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal Overrides::RegistrationsController::OVERRIDE_PROOF, @data['override_proof']
+    end
+  end
+end

data/test/controllers/overrides/token_validations_controller_test.rb

@@ -0,0 +1,38 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::TokenValidationsController do
+    before do
+      @user = evil_users(:confirmed_email_user)
+      @user.skip_confirmation!
+      @user.save!
+
+      @auth_headers = @user.create_new_auth_token
+
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+
+      # ensure that request is not treated as batch request
+      age_token(@user, @client_id)
+
+      get '/evil_user_auth/validate_token', {}, @auth_headers
+
+      @resp = JSON.parse(response.body)
+    end
+
+    test "token valid" do
+      assert_equal 200, response.status
+    end
+
+    test "controller was overridden" do
+      assert_equal Overrides::TokenValidationsController::OVERRIDE_PROOF, @resp["override_proof"]
+    end
+  end
+end

data/test/dummy/app/controllers/overrides/confirmations_controller.rb

@@ -0,0 +1,32 @@
+module Overrides
+  class ConfirmationsController < DeviseTokenAuth::ConfirmationsController
+    def show
+      @user = resource_class.confirm_by_token(params[:confirmation_token])
+
+      if @user and @user.id
+        # create client id
+        client_id  = SecureRandom.urlsafe_base64(nil, false)
+        token      = SecureRandom.urlsafe_base64(nil, false)
+        token_hash = BCrypt::Password.create(token)
+        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+        @user.tokens[client_id] = {
+          token:  token_hash,
+          expiry: expiry
+        }
+
+        @user.save!
+
+        redirect_to(@user.build_auth_url(params[:redirect_url], {
+          token:                        token,
+          client_id:                    client_id,
+          account_confirmation_success: true,
+          config:                       params[:config],
+          override_proof:               "(^^,)"
+        }))
+      else
+        raise ActionController::RoutingError.new('Not Found')
+      end
+    end
+  end
+end

data/test/dummy/app/controllers/overrides/omniauth_callbacks_controller.rb

@@ -0,0 +1,14 @@
+module Overrides
+  class OmniauthCallbacksController < DeviseTokenAuth::OmniauthCallbacksController
+    DEFAULT_NICKNAME = "stimpy"
+
+    def assign_provider_attrs(user, auth_hash)
+      user.assign_attributes({
+        nickname: DEFAULT_NICKNAME,
+        name:     auth_hash['info']['name'],
+        image:    auth_hash['info']['image'],
+        email:    auth_hash['info']['email']
+      })
+    end
+  end
+end

data/test/dummy/app/controllers/overrides/passwords_controller.rb

@@ -0,0 +1,39 @@
+module Overrides
+  class PasswordsController < DeviseTokenAuth::PasswordsController
+    OVERRIDE_PROOF = "(^^,)"
+
+    # this is where users arrive after visiting the email confirmation link
+    def edit
+      @user = resource_class.reset_password_by_token({
+        reset_password_token: resource_params[:reset_password_token]
+      })
+
+      if @user and @user.id
+        client_id  = SecureRandom.urlsafe_base64(nil, false)
+        token      = SecureRandom.urlsafe_base64(nil, false)
+        token_hash = BCrypt::Password.create(token)
+        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+        @user.tokens[client_id] = {
+          token:  token_hash,
+          expiry: expiry
+        }
+
+        # ensure that user is confirmed
+        @user.skip_confirmation! unless @user.confirmed_at
+
+        @user.save!
+
+        redirect_to(@user.build_auth_url(params[:redirect_url], {
+          token:          token,
+          client_id:      client_id,
+          reset_password: true,
+          config:         params[:config],
+          override_proof: OVERRIDE_PROOF
+        }))
+      else
+        raise ActionController::RoutingError.new('Not Found')
+      end
+    end
+  end
+end

data/test/dummy/app/controllers/overrides/registrations_controller.rb

@@ -0,0 +1,27 @@
+module Overrides
+  class RegistrationsController < DeviseTokenAuth::RegistrationsController
+    OVERRIDE_PROOF = "(^^,)"
+
+    def update
+      if @user
+        if @user.update_attributes(account_update_params)
+          render json: {
+            status: 'success',
+            data:   @user.as_json,
+            override_proof: OVERRIDE_PROOF
+          }
+        else
+          render json: {
+            status: 'error',
+            errors: @user.errors
+          }, status: 403
+        end
+      else
+        render json: {
+          status: 'error',
+          errors: ["User not found."]
+        }, status: 404
+      end
+    end
+  end
+end

data/test/dummy/app/controllers/overrides/sessions_controller.rb

@@ -0,0 +1,43 @@
+module Overrides
+  class SessionsController < DeviseTokenAuth::SessionsController
+    OVERRIDE_PROOF = "(^^,)"
+
+    def create
+      @user = resource_class.find_by_email(resource_params[:email])
+
+      if @user and valid_params? and @user.valid_password?(resource_params[:password]) and @user.confirmed?
+        # create client id
+        @client_id = SecureRandom.urlsafe_base64(nil, false)
+        @token     = SecureRandom.urlsafe_base64(nil, false)
+
+        @user.tokens[@client_id] = {
+          token: BCrypt::Password.create(@token),
+          expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+        }
+        @user.save
+
+        render json: {
+          data: @user.as_json(except: [
+            :tokens, :created_at, :updated_at
+          ]),
+          override_proof: OVERRIDE_PROOF
+        }
+
+      elsif @user and not @user.confirmed?
+        render json: {
+          success: false,
+          errors: [
+            "A confirmation email was sent to your account at #{@user.email}. "+
+            "You must follow the instructions in the email before your account "+
+            "can be activated"
+          ]
+        }, status: 401
+
+      else
+        render json: {
+          errors: ["Invalid login credentials. Please try again."]
+        }, status: 401
+      end
+    end
+  end
+end

data/test/dummy/app/controllers/overrides/token_validations_controller.rb

@@ -0,0 +1,23 @@
+module Overrides
+  class TokenValidationsController < DeviseTokenAuth::TokenValidationsController
+    OVERRIDE_PROOF = '(^^,)'
+
+    def validate_token
+      # @user will have been set by set_user_by_token concern
+      if @user
+        render json: {
+          success: true,
+          data: @user.as_json(except: [
+            :tokens, :created_at, :updated_at
+          ]),
+          override_proof: OVERRIDE_PROOF
+        }
+      else
+        render json: {
+          success: false,
+          errors: ["Invalid login credentials"]
+        }, status: 401
+      end
+    end
+  end
+end