RubyGems - devise_token_auth - Versions diffs - 0.1.32.beta10 → 0.1.32 - Mend

devise_token_auth 0.1.32.beta10 → 0.1.32

Files changed (59) hide show

data/test/controllers/custom/custom_token_validations_controller_test.rb ADDED

@@ -0,0 +1,29 @@
+require 'test_helper'
+class Custom::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
+  describe Custom::TokenValidationsController do
+    before do
+      @resource = nice_users(:confirmed_email_user)
+      @resource.skip_confirmation!
+      @resource.save!
+      @auth_headers = @resource.create_new_auth_token
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+      # ensure that request is not treated as batch request
+      age_token(@resource, @client_id)
+    end
+    test "yield resource to block on validate_token success" do
+      get '/nice_user_auth/validate_token', {}, @auth_headers
+      assert @controller.validate_token_block_called?, "validate_token failed to yield resource to provided block"
+    end
+  end
+end

data/test/controllers/devise_token_auth/passwords_controller_test.rb CHANGED

@@ -14,16 +14,65 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @redirect_url = 'http://ng-token-auth.dev'
       end
-      describe 'request password reset' do
-        test 'unknown user should return 404' do
+      describe 'not email should return 401' do
+        before do
+          @auth_headers = @resource.create_new_auth_token
+          @new_password = Faker::Internet.password
           xhr :post, :create, {
-            email:        'chester@cheet.ah',
             redirect_url: @redirect_url
           }
+          @data = JSON.parse(response.body)
+        end
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data["errors"]
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_email")]
+        end
+      end
+      describe 'not redirect_url should return 401' do
+        before do
+          @auth_headers = @resource.create_new_auth_token
+          @new_password = Faker::Internet.password
+          xhr :post, :create, {
+            email:        'chester@cheet.ah',
+          }
+          @data = JSON.parse(response.body)
+        end
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data["errors"]
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_redirect_url")]
+        end
+      end
+      describe 'request password reset' do
+        describe 'unknown user should return 404' do
+          before do
+            xhr :post, :create, {
+              email:        'chester@cheet.ah',
+              redirect_url: @redirect_url
+            }
+            @data = JSON.parse(response.body)
+          end
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
-          assert_equal 404, response.status
+          test 'errors should be returned' do
+            assert @data["errors"]
+            assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.user_not_found", email: 'chester@cheet.ah')]
+          end
         end
         describe 'case-sensitive email' do
           before do
             xhr :post, :create, {
@@ -33,6 +82,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             @mail = ActionMailer::Base.deliveries.last
             @resource.reload
+            @data = JSON.parse(response.body)
             @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
             @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
@@ -43,6 +93,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             assert_equal 200, response.status
           end
+          test 'response should contains message' do
+            assert_equal @data["message"], I18n.t("devise_token_auth.passwords.sended", email: @resource.email)
+          end
           test 'action should send an email' do
             assert @mail
           end
@@ -68,13 +122,13 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
           describe 'password reset link failure' do
-            test 'request should not be authorized' do
-              assert_raises(ActionController::RoutingError) {
-                xhr :get, :edit, {
+            test 'respone should return 404' do
+              xhr :get, :edit, {
                   reset_password_token: 'bogus',
                   redirect_url: @mail_redirect_url
-                }
               }
+              assert_equal 404, response.status
             end
           end
@@ -203,6 +257,66 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           assert_equal 403, response.status
         end
+        test "request to non-whitelisted redirect should return error message" do
+          xhr :post, :create, {
+            email:        @resource.email,
+            redirect_url: @bad_redirect_url
+          }
+          @data = JSON.parse(response.body)
+          assert @data["errors"]
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @bad_redirect_url)]
+        end
+      end
+      describe "change password with current password required" do
+        before do
+          DeviseTokenAuth.check_current_password_before_update = :password
+        end
+        after do
+          DeviseTokenAuth.check_current_password_before_update = false
+        end
+        describe 'success' do
+          before do
+            @auth_headers = @resource.create_new_auth_token
+            request.headers.merge!(@auth_headers)
+            @new_password = Faker::Internet.password
+            @resource.update password: 'secret123', password_confirmation: 'secret123'
+            xhr :put, :update, {
+              password: @new_password,
+              password_confirmation: @new_password,
+              current_password: 'secret123'
+            }
+            @data = JSON.parse(response.body)
+            @resource.reload
+          end
+          test "request should be successful" do
+            assert_equal 200, response.status
+          end
+        end
+        describe 'current password mismatch error' do
+          before do
+            @auth_headers = @resource.create_new_auth_token
+            request.headers.merge!(@auth_headers)
+            @new_password = Faker::Internet.password
+            xhr :put, :update, {
+              password: @new_password,
+              password_confirmation: @new_password,
+              current_password: 'not_very_secret321'
+            }
+          end
+          test 'response should fail unauthorized' do
+            assert_equal 422, response.status
+          end
+        end
       end
       describe "change password" do
@@ -217,6 +331,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               password_confirmation: @new_password
             }
+            @data = JSON.parse(response.body)
             @resource.reload
           end
@@ -224,6 +339,11 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             assert_equal 200, response.status
           end
+          test "request should return success message" do
+            assert @data["data"]["message"]
+            assert_equal @data["data"]["message"], I18n.t("devise_token_auth.passwords.successfully_updated")
+          end
           test "new password should authenticate user" do
             assert @resource.valid_password?(@new_password)
           end
@@ -327,9 +447,38 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @resource.reload
       end
+    end
+    describe 'unconfirmable user' do
+      setup do
+        @request.env['devise.mapping'] = Devise.mappings[:unconfirmable_user]
+      end
+      teardown do
+        @request.env['devise.mapping'] = Devise.mappings[:user]
+      end
+      before do
+        @resource = unconfirmable_users(:user)
+        @redirect_url = 'http://ng-token-auth.dev'
+        xhr :post, :create, {
+          email:        @resource.email,
+          redirect_url: @redirect_url
+        }
-      test 'unconfirmed email user should now be confirmed' do
-        assert @resource.confirmed_at
+        @mail = ActionMailer::Base.deliveries.last
+        @resource.reload
+        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        xhr :get, :edit, {
+          reset_password_token: @mail_reset_token,
+          redirect_url: @mail_redirect_url
+        }
+        @resource.reload
       end
     end

data/test/controllers/devise_token_auth/registrations_controller_test.rb CHANGED

@@ -129,8 +129,38 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           confirm_success_url: @bad_redirect_url,
           unpermitted_param: '(x_x)'
         }
+        @data = JSON.parse(response.body)
         assert_equal 403, response.status
+        assert @data["errors"]
+        assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @bad_redirect_url)]
+      end
+    end
+    describe 'failure if not redirecturl' do
+      test "request should fail if not redirect_url" do
+        post '/auth', {
+          email: Faker::Internet.email,
+          password: "secret123",
+          password_confirmation: "secret123",
+          unpermitted_param: '(x_x)'
+        }
+        assert_equal 403, response.status
+      end
+      test "request to non-whitelisted redirect should fail" do
+        post '/auth', {
+          email: Faker::Internet.email,
+          password: "secret123",
+          password_confirmation: "secret123",
+          unpermitted_param: '(x_x)'
+        }
+        @data = JSON.parse(response.body)
+        assert @data["errors"]
+        assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")]
       end
     end
@@ -297,6 +327,35 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
     end
+    describe 'missing email' do
+      before do
+        post '/auth', {
+          password: "secret123",
+          password_confirmation: "secret123",
+          confirm_success_url: Faker::Internet.url
+        }
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+      test "request should not be successful" do
+        assert_equal 403, response.status
+      end
+      test "user should not have been created" do
+        assert_nil @resource.id
+      end
+      test "error should be returned in the response" do
+        assert @data['errors'].length
+      end
+      test "full_messages should be included in error hash" do
+        assert @data['errors']['full_messages'].length
+      end
+    end
     describe "Mismatched passwords" do
       before do
         post '/auth', {
@@ -375,6 +434,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           assert_equal 200, response.status
         end
+        test "message should be returned" do
+          assert @data["message"]
+          assert_equal @data["message"], I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @existing_user.uid)
+        end
         test "existing user should be deleted" do
           refute User.where(id: @existing_user.id).first
         end
@@ -389,6 +452,11 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         test 'request returns 404 (not found) status' do
           assert_equal 404, response.status
         end
+        test 'error should be returned' do
+          assert @data['errors'].length
+          assert_equal @data['errors'], [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")]
+        end
       end
     end
@@ -404,89 +472,207 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           age_token(@existing_user, @client_id)
         end
-        describe "success" do
-          before do
-            # test valid update param
-            @resource_class = User
-            @new_operating_thetan = 1000000
-            @email = "AlternatingCase2@example.com"
-            @request_params = {
-              operating_thetan: @new_operating_thetan,
-              email: @email
-            }
+        describe "without password check" do
+          describe "success" do
+            before do
+              # test valid update param
+              @resource_class = User
+              @new_operating_thetan = 1000000
+              @email = "AlternatingCase2@example.com"
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
+            test "Case sensitive attributes update" do
+              @resource_class.case_insensitive_keys = []
+              put "/auth", @request_params, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+              assert_equal @new_operating_thetan, @existing_user.operating_thetan
+              assert_equal @email, @existing_user.email
+              assert_equal @email, @existing_user.uid
+            end
+            test "Case insensitive attributes update" do
+              @resource_class.case_insensitive_keys = [:email]
+              put "/auth", @request_params, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+              assert_equal @new_operating_thetan, @existing_user.operating_thetan
+              assert_equal @email.downcase, @existing_user.email
+              assert_equal @email.downcase, @existing_user.uid
+            end
+            test "Supply current password" do
+              @request_params.merge!(
+                current_password: "secret123",
+                email: "new.email@example.com",
+              )
+              put "/auth", @request_params, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+              assert_equal @existing_user.email, "new.email@example.com"
+            end
           end
-          test "Request was successful" do
-            put "/auth", @request_params, @auth_headers
-            assert_equal 200, response.status
-          end
+          describe 'validate non-empty body' do
+            before do
+              # get the email so we can check it wasn't updated
+              @email = @existing_user.email
+              put '/auth', {}, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+            end
+            test 'request should fail' do
+              assert_equal 422, response.status
+            end
+            test 'returns error message' do
+              assert_not_empty @data['errors']
+            end
-          test "Case sensitive attributes update" do
-            @resource_class.case_insensitive_keys = []
-            put "/auth", @request_params, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
-            assert_equal @new_operating_thetan, @existing_user.operating_thetan
-            assert_equal @email, @existing_user.email
-            assert_equal @email, @existing_user.uid
+            test 'return error status' do
+              assert_equal 'error', @data['status']
+            end
+            test 'user should not have been saved' do
+              assert_equal @email, @existing_user.email
+            end
           end
-          test "Case insensitive attributes update" do
-            @resource_class.case_insensitive_keys = [:email]
-            put "/auth", @request_params, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
-            assert_equal @new_operating_thetan, @existing_user.operating_thetan
-            assert_equal @email.downcase, @existing_user.email
-            assert_equal @email.downcase, @existing_user.uid
+          describe "error" do
+            before do
+              # test invalid update param
+              @new_operating_thetan = "blegh"
+              put "/auth", {
+                operating_thetan: @new_operating_thetan
+              }, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+            end
+            test "Request was NOT successful" do
+              assert_equal 403, response.status
+            end
+            test "Errors were provided with response" do
+              assert @data["errors"].length
+            end
           end
         end
-        describe 'validate non-empty body' do
+        describe "with password check for password update only" do
           before do
-            # get the email so we can check it wasn't updated
-            @email = @existing_user.email
-            put '/auth', {}, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
+            DeviseTokenAuth.check_current_password_before_update = :password
           end
-          test 'request should fail' do
-            assert_equal 422, response.status
+          after do
+            DeviseTokenAuth.check_current_password_before_update = false
           end
-          test 'returns error message' do
-            assert_not_empty @data['errors']
+          describe "success without password update" do
+            before do
+              # test valid update param
+              @resource_class = User
+              @new_operating_thetan = 1000000
+              @email = "AlternatingCase2@example.com"
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
           end
-          test 'return error status' do
-            assert_equal 'error', @data['status']
+          describe "success with password update" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                password: 'the_new_secret456',
+                password_confirmation: 'the_new_secret456',
+                current_password: 'secret123'
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
           end
-          test 'user should not have been saved' do
-            assert_equal @email, @existing_user.email
+          describe "error with password mismatch" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                password: 'the_new_secret456',
+                password_confirmation: 'the_new_secret456',
+                current_password: 'not_so_secret321'
+              }
+            end
+            test "Request was NOT successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 403, response.status
+            end
           end
         end
-        describe "error" do
+        describe "with password check for all attributes" do
           before do
-            # test invalid update param
-            @new_operating_thetan = "blegh"
-            put "/auth", {
-              operating_thetan: @new_operating_thetan
-            }, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
+            DeviseTokenAuth.check_current_password_before_update = :password
+            @new_operating_thetan = 1000000
+            @email = "AlternatingCase2@example.com"
           end
-          test "Request was NOT successful" do
-            assert_equal 403, response.status
+          after do
+            DeviseTokenAuth.check_current_password_before_update = false
           end
-          test "Errors were provided with response" do
-            assert @data["errors"].length
+          describe "success with password update" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email,
+                current_password: 'secret123'
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
+          end
+          describe "error with password mismatch" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email,
+                current_password: 'not_so_secret321'
+              }
+            end
+            test "Request was NOT successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 403, response.status
+            end
           end
         end
       end
@@ -515,6 +701,11 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           assert_equal 404, response.status
         end
+        test "error should be returned" do
+          assert @data["errors"].length
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.user_not_found")]
+        end
         test "User should not be updated" do
           refute_equal @new_operating_thetan, @existing_user.operating_thetan
         end