RubyGems - devise_token_auth - Versions diffs - 0.1.32.beta10 → 0.1.32 - Mend

devise_token_auth 0.1.32.beta10 → 0.1.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

data/test/controllers/custom/custom_token_validations_controller_test.rb ADDED

@@ -0,0 +1,29 @@
+require 'test_helper'
+class Custom::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
+  describe Custom::TokenValidationsController do
+    before do
+      @resource = nice_users(:confirmed_email_user)
+      @resource.skip_confirmation!
+      @resource.save!
+      @auth_headers = @resource.create_new_auth_token
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+      # ensure that request is not treated as batch request
+      age_token(@resource, @client_id)
+    end
+    test "yield resource to block on validate_token success" do
+      get '/nice_user_auth/validate_token', {}, @auth_headers
+      assert @controller.validate_token_block_called?, "validate_token failed to yield resource to provided block"
+    end
+  end
+end

data/test/controllers/devise_token_auth/passwords_controller_test.rb CHANGED

@@ -14,16 +14,65 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @redirect_url = 'http://ng-token-auth.dev'
       end
-      describe 'request password reset' do
-        test 'unknown user should return 404' do
+      describe 'not email should return 401' do
+        before do
+          @auth_headers = @resource.create_new_auth_token
+          @new_password = Faker::Internet.password
           xhr :post, :create, {
-            email:        'chester@cheet.ah',
             redirect_url: @redirect_url
           }
+          @data = JSON.parse(response.body)
+        end
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data["errors"]
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_email")]
+        end
+      end
+      describe 'not redirect_url should return 401' do
+        before do
+          @auth_headers = @resource.create_new_auth_token
+          @new_password = Faker::Internet.password
+          xhr :post, :create, {
+            email:        'chester@cheet.ah',
+          }
+          @data = JSON.parse(response.body)
+        end
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data["errors"]
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_redirect_url")]
+        end
+      end
+      describe 'request password reset' do
+        describe 'unknown user should return 404' do
+          before do
+            xhr :post, :create, {
+              email:        'chester@cheet.ah',
+              redirect_url: @redirect_url
+            }
+            @data = JSON.parse(response.body)
+          end
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
-          assert_equal 404, response.status
+          test 'errors should be returned' do
+            assert @data["errors"]
+            assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.user_not_found", email: 'chester@cheet.ah')]
+          end
         end
         describe 'case-sensitive email' do
           before do
             xhr :post, :create, {
@@ -33,6 +82,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             @mail = ActionMailer::Base.deliveries.last
             @resource.reload
+            @data = JSON.parse(response.body)
             @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
             @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
@@ -43,6 +93,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             assert_equal 200, response.status
           end
+          test 'response should contains message' do
+            assert_equal @data["message"], I18n.t("devise_token_auth.passwords.sended", email: @resource.email)
+          end
           test 'action should send an email' do
             assert @mail
           end
@@ -68,13 +122,13 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
           describe 'password reset link failure' do
-            test 'request should not be authorized' do
-              assert_raises(ActionController::RoutingError) {
-                xhr :get, :edit, {
+            test 'respone should return 404' do
+              xhr :get, :edit, {
                   reset_password_token: 'bogus',
                   redirect_url: @mail_redirect_url
-                }
               }
+              assert_equal 404, response.status
             end
           end
@@ -203,6 +257,66 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           assert_equal 403, response.status
         end
+        test "request to non-whitelisted redirect should return error message" do
+          xhr :post, :create, {
+            email:        @resource.email,
+            redirect_url: @bad_redirect_url
+          }
+          @data = JSON.parse(response.body)
+          assert @data["errors"]
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @bad_redirect_url)]
+        end
+      end
+      describe "change password with current password required" do
+        before do
+          DeviseTokenAuth.check_current_password_before_update = :password
+        end
+        after do
+          DeviseTokenAuth.check_current_password_before_update = false
+        end
+        describe 'success' do
+          before do
+            @auth_headers = @resource.create_new_auth_token
+            request.headers.merge!(@auth_headers)
+            @new_password = Faker::Internet.password
+            @resource.update password: 'secret123', password_confirmation: 'secret123'
+            xhr :put, :update, {
+              password: @new_password,
+              password_confirmation: @new_password,
+              current_password: 'secret123'
+            }
+            @data = JSON.parse(response.body)
+            @resource.reload
+          end
+          test "request should be successful" do
+            assert_equal 200, response.status
+          end
+        end
+        describe 'current password mismatch error' do
+          before do
+            @auth_headers = @resource.create_new_auth_token
+            request.headers.merge!(@auth_headers)
+            @new_password = Faker::Internet.password
+            xhr :put, :update, {
+              password: @new_password,
+              password_confirmation: @new_password,
+              current_password: 'not_very_secret321'
+            }
+          end
+          test 'response should fail unauthorized' do
+            assert_equal 422, response.status
+          end
+        end
       end
       describe "change password" do
@@ -217,6 +331,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               password_confirmation: @new_password
             }
+            @data = JSON.parse(response.body)
             @resource.reload
           end
@@ -224,6 +339,11 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             assert_equal 200, response.status
           end
+          test "request should return success message" do
+            assert @data["data"]["message"]
+            assert_equal @data["data"]["message"], I18n.t("devise_token_auth.passwords.successfully_updated")
+          end
           test "new password should authenticate user" do
             assert @resource.valid_password?(@new_password)
           end
@@ -327,9 +447,38 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @resource.reload
       end
+    end
+    describe 'unconfirmable user' do
+      setup do
+        @request.env['devise.mapping'] = Devise.mappings[:unconfirmable_user]
+      end
+      teardown do
+        @request.env['devise.mapping'] = Devise.mappings[:user]
+      end
+      before do
+        @resource = unconfirmable_users(:user)
+        @redirect_url = 'http://ng-token-auth.dev'
+        xhr :post, :create, {
+          email:        @resource.email,
+          redirect_url: @redirect_url
+        }
-      test 'unconfirmed email user should now be confirmed' do
-        assert @resource.confirmed_at
+        @mail = ActionMailer::Base.deliveries.last
+        @resource.reload
+        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        xhr :get, :edit, {
+          reset_password_token: @mail_reset_token,
+          redirect_url: @mail_redirect_url
+        }
+        @resource.reload
       end
     end

data/test/controllers/devise_token_auth/registrations_controller_test.rb CHANGED

@@ -129,8 +129,38 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           confirm_success_url: @bad_redirect_url,
           unpermitted_param: '(x_x)'
         }
+        @data = JSON.parse(response.body)
         assert_equal 403, response.status
+        assert @data["errors"]
+        assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @bad_redirect_url)]
+      end
+    end
+    describe 'failure if not redirecturl' do
+      test "request should fail if not redirect_url" do
+        post '/auth', {
+          email: Faker::Internet.email,
+          password: "secret123",
+          password_confirmation: "secret123",
+          unpermitted_param: '(x_x)'
+        }
+        assert_equal 403, response.status
+      end
+      test "request to non-whitelisted redirect should fail" do
+        post '/auth', {
+          email: Faker::Internet.email,
+          password: "secret123",
+          password_confirmation: "secret123",
+          unpermitted_param: '(x_x)'
+        }
+        @data = JSON.parse(response.body)
+        assert @data["errors"]
+        assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")]
       end
     end
@@ -297,6 +327,35 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
     end
+    describe 'missing email' do
+      before do
+        post '/auth', {
+          password: "secret123",
+          password_confirmation: "secret123",
+          confirm_success_url: Faker::Internet.url
+        }
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+      test "request should not be successful" do
+        assert_equal 403, response.status
+      end
+      test "user should not have been created" do
+        assert_nil @resource.id
+      end
+      test "error should be returned in the response" do
+        assert @data['errors'].length
+      end
+      test "full_messages should be included in error hash" do
+        assert @data['errors']['full_messages'].length
+      end
+    end
     describe "Mismatched passwords" do
       before do
         post '/auth', {
@@ -375,6 +434,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           assert_equal 200, response.status
         end
+        test "message should be returned" do
+          assert @data["message"]
+          assert_equal @data["message"], I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @existing_user.uid)
+        end
         test "existing user should be deleted" do
           refute User.where(id: @existing_user.id).first
         end
@@ -389,6 +452,11 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         test 'request returns 404 (not found) status' do
           assert_equal 404, response.status
         end
+        test 'error should be returned' do
+          assert @data['errors'].length
+          assert_equal @data['errors'], [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")]
+        end
       end
     end
@@ -404,89 +472,207 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           age_token(@existing_user, @client_id)
         end
-        describe "success" do
-          before do
-            # test valid update param
-            @resource_class = User
-            @new_operating_thetan = 1000000
-            @email = "AlternatingCase2@example.com"
-            @request_params = {
-              operating_thetan: @new_operating_thetan,
-              email: @email
-            }
+        describe "without password check" do
+          describe "success" do
+            before do
+              # test valid update param
+              @resource_class = User
+              @new_operating_thetan = 1000000
+              @email = "AlternatingCase2@example.com"
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
+            test "Case sensitive attributes update" do
+              @resource_class.case_insensitive_keys = []
+              put "/auth", @request_params, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+              assert_equal @new_operating_thetan, @existing_user.operating_thetan
+              assert_equal @email, @existing_user.email
+              assert_equal @email, @existing_user.uid
+            end
+            test "Case insensitive attributes update" do
+              @resource_class.case_insensitive_keys = [:email]
+              put "/auth", @request_params, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+              assert_equal @new_operating_thetan, @existing_user.operating_thetan
+              assert_equal @email.downcase, @existing_user.email
+              assert_equal @email.downcase, @existing_user.uid
+            end
+            test "Supply current password" do
+              @request_params.merge!(
+                current_password: "secret123",
+                email: "new.email@example.com",
+              )
+              put "/auth", @request_params, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+              assert_equal @existing_user.email, "new.email@example.com"
+            end
           end
-          test "Request was successful" do
-            put "/auth", @request_params, @auth_headers
-            assert_equal 200, response.status
-          end
+          describe 'validate non-empty body' do
+            before do
+              # get the email so we can check it wasn't updated
+              @email = @existing_user.email
+              put '/auth', {}, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+            end
+            test 'request should fail' do
+              assert_equal 422, response.status
+            end
+            test 'returns error message' do
+              assert_not_empty @data['errors']
+            end
-          test "Case sensitive attributes update" do
-            @resource_class.case_insensitive_keys = []
-            put "/auth", @request_params, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
-            assert_equal @new_operating_thetan, @existing_user.operating_thetan
-            assert_equal @email, @existing_user.email
-            assert_equal @email, @existing_user.uid
+            test 'return error status' do
+              assert_equal 'error', @data['status']
+            end
+            test 'user should not have been saved' do
+              assert_equal @email, @existing_user.email
+            end
           end
-          test "Case insensitive attributes update" do
-            @resource_class.case_insensitive_keys = [:email]
-            put "/auth", @request_params, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
-            assert_equal @new_operating_thetan, @existing_user.operating_thetan
-            assert_equal @email.downcase, @existing_user.email
-            assert_equal @email.downcase, @existing_user.uid
+          describe "error" do
+            before do
+              # test invalid update param
+              @new_operating_thetan = "blegh"
+              put "/auth", {
+                operating_thetan: @new_operating_thetan
+              }, @auth_headers
+              @data = JSON.parse(response.body)
+              @existing_user.reload
+            end
+            test "Request was NOT successful" do
+              assert_equal 403, response.status
+            end
+            test "Errors were provided with response" do
+              assert @data["errors"].length
+            end
           end
         end
-        describe 'validate non-empty body' do
+        describe "with password check for password update only" do
           before do
-            # get the email so we can check it wasn't updated
-            @email = @existing_user.email
-            put '/auth', {}, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
+            DeviseTokenAuth.check_current_password_before_update = :password
           end
-          test 'request should fail' do
-            assert_equal 422, response.status
+          after do
+            DeviseTokenAuth.check_current_password_before_update = false
           end
-          test 'returns error message' do
-            assert_not_empty @data['errors']
+          describe "success without password update" do
+            before do
+              # test valid update param
+              @resource_class = User
+              @new_operating_thetan = 1000000
+              @email = "AlternatingCase2@example.com"
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
           end
-          test 'return error status' do
-            assert_equal 'error', @data['status']
+          describe "success with password update" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                password: 'the_new_secret456',
+                password_confirmation: 'the_new_secret456',
+                current_password: 'secret123'
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
           end
-          test 'user should not have been saved' do
-            assert_equal @email, @existing_user.email
+          describe "error with password mismatch" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                password: 'the_new_secret456',
+                password_confirmation: 'the_new_secret456',
+                current_password: 'not_so_secret321'
+              }
+            end
+            test "Request was NOT successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 403, response.status
+            end
           end
         end
-        describe "error" do
+        describe "with password check for all attributes" do
           before do
-            # test invalid update param
-            @new_operating_thetan = "blegh"
-            put "/auth", {
-              operating_thetan: @new_operating_thetan
-            }, @auth_headers
-            @data = JSON.parse(response.body)
-            @existing_user.reload
+            DeviseTokenAuth.check_current_password_before_update = :password
+            @new_operating_thetan = 1000000
+            @email = "AlternatingCase2@example.com"
           end
-          test "Request was NOT successful" do
-            assert_equal 403, response.status
+          after do
+            DeviseTokenAuth.check_current_password_before_update = false
           end
-          test "Errors were provided with response" do
-            assert @data["errors"].length
+          describe "success with password update" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email,
+                current_password: 'secret123'
+              }
+            end
+            test "Request was successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 200, response.status
+            end
+          end
+          describe "error with password mismatch" do
+            before do
+              @existing_user.update password: 'secret123', password_confirmation: 'secret123'
+              @request_params = {
+                operating_thetan: @new_operating_thetan,
+                email: @email,
+                current_password: 'not_so_secret321'
+              }
+            end
+            test "Request was NOT successful" do
+              put "/auth", @request_params, @auth_headers
+              assert_equal 403, response.status
+            end
           end
         end
       end
@@ -515,6 +701,11 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           assert_equal 404, response.status
         end
+        test "error should be returned" do
+          assert @data["errors"].length
+          assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.user_not_found")]
+        end
         test "User should not be updated" do
           refute_equal @new_operating_thetan, @existing_user.operating_thetan
         end