devise_token_auth 0.1.42 → 0.1.43.beta1

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -13,24 +13,30 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
 
   before do
-    @redirect_url = "http://ng-token-auth.dev/"
+    @redirect_url = 'http://ng-token-auth.dev/'
+  end
+
+  def get_parsed_data_json
+    encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
+    JSON.parse(URI.unescape(encoded_json_data))
   end
 
   describe 'success callback' do
     setup do
-      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new({
-        :provider => 'facebook',
-        :uid => '123545',
-        :info => {
+      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+        provider: 'facebook',
+        uid: '123545',
+        info: {
           name: 'chong',
           email: 'chongbong@aol.com'
         }
-      })
+      )
     end
 
     test 'request should pass correct redirect_url' do
       get_success
-      assert_equal @redirect_url, controller.send(:omniauth_params)['auth_origin_url']
+      assert_equal @redirect_url,
+                   controller.send(:omniauth_params)['auth_origin_url']
     end
 
     test 'user should have been created' do
@@ -45,12 +51,14 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     test 'user should be assigned token' do
       get_success
+
       client_id = controller.auth_params[:client_id]
       token = controller.auth_params[:auth_token]
       expiry = controller.auth_params[:expiry]
 
       # the expiry should have been set
-      assert_equal expiry, @resource.tokens[client_id][:expiry]
+      assert_equal expiry, @resource.tokens[client_id]['expiry']
+
       # the token sent down to the client should now be valid
       assert @resource.valid_token?(token, client_id)
     end
@@ -68,7 +76,8 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     test 'should be redirected via valid url' do
       get_success
-      assert_equal 'http://www.example.com/auth/facebook/callback', request.original_url
+      assert_equal 'http://www.example.com/auth/facebook/callback',
+                   request.original_url
     end
 
     describe 'with default user model' do
@@ -86,17 +95,23 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     describe 'with alternate user model' do
       before do
-        get_via_redirect '/mangs/facebook', {
-          auth_origin_url: @redirect_url,
-          omniauth_window_type: 'newWindow'
-        }
+        get '/mangs/facebook',
+            params: {
+              auth_origin_url: @redirect_url,
+              omniauth_window_type: 'newWindow'
+            }
+
+        follow_all_redirects!
+
         assert_equal 200, response.status
         @resource = assigns(:resource)
       end
+
       test 'request should determine the correct resource_class' do
         assert_equal 'Mang', controller.send(:omniauth_params)['resource_class']
       end
-        test 'user should be of the correct class' do
+
+      test 'user should be of the correct class' do
         assert_equal Mang, @resource.class
       end
     end
@@ -104,13 +119,14 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     describe 'pass additional params' do
       before do
         @fav_color = 'alizarin crimson'
-        @unpermitted_param = "M. Bison"
-        get_via_redirect '/auth/facebook', {
-          auth_origin_url: @redirect_url,
-          favorite_color: @fav_color,
-          name: @unpermitted_param,
-          omniauth_window_type: 'newWindow'
-        }
+        @unpermitted_param = 'M. Bison'
+        get '/auth/facebook',
+            params: { auth_origin_url: @redirect_url,
+                      favorite_color: @fav_color,
+                      name: @unpermitted_param,
+                      omniauth_window_type: 'newWindow' }
+
+        follow_all_redirects!
 
         @resource = assigns(:resource)
       end
@@ -128,7 +144,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
     end
 
-    describe "oauth registration attr" do
+    describe 'oauth registration attr' do
       after do
         User.any_instance.unstub(:new_record?)
       end
@@ -139,11 +155,11 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         end
 
         test 'response contains oauth_registration attr' do
+          get '/auth/facebook',
+              params: { auth_origin_url: @redirect_url,
+                        omniauth_window_type: 'newWindow' }
 
-          get_via_redirect '/auth/facebook', {
-            auth_origin_url: @redirect_url,
-            omniauth_window_type: 'newWindow'
-          }
+          follow_all_redirects!
 
           assert_equal true, controller.auth_params[:oauth_registration]
         end
@@ -155,25 +171,24 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         end
 
         test 'response does not contain oauth_registration attr' do
+          get '/auth/facebook',
+              params: { auth_origin_url: @redirect_url,
+                        omniauth_window_type: 'newWindow' }
 
-          get_via_redirect '/auth/facebook', {
-            auth_origin_url: @redirect_url,
-            omniauth_window_type: 'newWindow'
-          }
+          follow_all_redirects!
 
           assert_equal false, controller.auth_params.key?(:oauth_registration)
         end
-
       end
-
     end
 
     describe 'using namespaces' do
       before do
-        get_via_redirect '/api/v1/auth/facebook', {
-          auth_origin_url: @redirect_url,
-          omniauth_window_type: 'newWindow'
-        }
+        get '/api/v1/auth/facebook',
+            params: { auth_origin_url: @redirect_url,
+                      omniauth_window_type: 'newWindow' }
+
+        follow_all_redirects!
 
         @resource = assigns(:resource)
       end
@@ -196,7 +211,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         get_success(omniauth_window_type: 'inAppBrowser')
         assert_expected_data_in_new_window
       end
-
     end
 
     describe 'with omniauth_window_type=newWindow' do
@@ -207,19 +221,20 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     end
 
     def assert_expected_data_in_new_window
-      data_json = @response.body.match(/var data \= (.+)\;/)[1]
-      data = ActiveSupport::JSON.decode(data_json)
+      data = get_parsed_data_json
       expected_data = @resource.as_json.merge(controller.auth_params.as_json)
       expected_data = ActiveSupport::JSON.decode(expected_data.to_json)
-      assert_equal(expected_data.merge("message" => "deliverCredentials"), data)
+      assert_equal(expected_data.merge('message' => 'deliverCredentials'), data)
     end
 
     describe 'with omniauth_window_type=sameWindow' do
       test 'redirects to auth_origin_url with all expected query params' do
-        get_via_redirect '/auth/facebook', {
-          auth_origin_url: '/auth_origin',
-          omniauth_window_type: 'sameWindow'
-        }
+        get '/auth/facebook',
+            params: { auth_origin_url: '/auth_origin',
+                      omniauth_window_type: 'sameWindow' }
+
+        follow_all_redirects!
+
         assert_equal 200, response.status
 
         # We have been forwarded to a url with all the expected
@@ -228,21 +243,26 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         # Assert that a uid was passed along.  We have to assume
         # that the rest of the values were as well, as we don't
         # have access to @resource in this test anymore
-        assert(uid = controller.params['uid'], "No uid found")
+        assert(controller.params['uid'], 'No uid found')
 
         # check that all the auth stuff is there
-        [:auth_token, :client_id, :uid, :expiry, :config].each do |key|
+        %i[auth_token client_id uid expiry config].each do |key|
           assert(controller.params.key?(key), "No value for #{key.inspect}")
         end
       end
     end
 
     def get_success(params = {})
-      get_via_redirect '/auth/facebook', {
-        auth_origin_url: @redirect_url,
-        omniauth_window_type: 'newWindow'
-      }.merge(params)
+      get '/auth/facebook',
+          params: {
+            auth_origin_url: @redirect_url,
+            omniauth_window_type: 'newWindow'
+          }.merge(params)
+
+      follow_all_redirects!
+
       assert_equal 200, response.status
+
       @resource = assigns(:resource)
     end
   end
@@ -250,38 +270,40 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   describe 'failure callback' do
     setup do
       OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
-      OmniAuth.config.on_failure = Proc.new { |env|
+      OmniAuth.config.on_failure = proc { |env|
         OmniAuth::FailureEndpoint.new(env).redirect_to_failure
       }
     end
 
     test 'renders expected data' do
-      get_via_redirect '/auth/facebook', {
-        auth_origin_url: @redirect_url,
-        omniauth_window_type: 'newWindow'
-      }
+      get '/auth/facebook',
+          params: { auth_origin_url: @redirect_url,
+                    omniauth_window_type: 'newWindow' }
+
+      follow_all_redirects!
+
       assert_equal 200, response.status
 
-      data_json = @response.body.match(/var data \= (.+)\;/)[1]
-      data = ActiveSupport::JSON.decode(data_json)
+      data = get_parsed_data_json
 
-      assert_equal({"error"=>"invalid_credentials", "message"=>"authFailure"}, data)
+      assert_equal({ 'error' => 'invalid_credentials', 'message' => 'authFailure' }, data)
     end
 
     test 'renders something with no auth_origin_url' do
-      get_via_redirect '/auth/facebook'
+      get '/auth/facebook'
+      follow_all_redirects!
       assert_equal 200, response.status
-      assert_select "body", "invalid_credentials"
+      assert_select 'body', 'invalid_credentials'
     end
   end
 
   describe 'User with only :database_authenticatable and :registerable included' do
     test 'OnlyEmailUser should not be able to use OAuth' do
-      assert_raises(ActionController::RoutingError) {
-        get_via_redirect '/only_email_auth/facebook', {
-          auth_origin_url: @redirect_url
-        }
-      }
+      assert_raises(ActionController::RoutingError) do
+        get '/only_email_auth/facebook',
+            params: { auth_origin_url: @redirect_url }
+        follow_all_redirects!
+      end
     end
   end
 
@@ -306,36 +328,40 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     end
 
     test 'request using non-whitelisted redirect fail' do
-      get_via_redirect '/auth/facebook',
-                       auth_origin_url: @bad_redirect_url,
-                       omniauth_window_type: 'newWindow'
+      get '/auth/facebook',
+          params: { auth_origin_url: @bad_redirect_url,
+                    omniauth_window_type: 'newWindow' }
 
-      data_json = @response.body.match(/var data \= (.+)\;/)[1]
-      data = ActiveSupport::JSON.decode(data_json)
-      assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
+      follow_all_redirects!
+
+      data = get_parsed_data_json
+      assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
                    data['error']
     end
 
     test 'request to whitelisted redirect should succeed' do
-      get_via_redirect '/auth/facebook',
-                       auth_origin_url: @good_redirect_url,
-                       omniauth_window_type: 'newWindow'
+      get '/auth/facebook',
+          params: {
+            auth_origin_url: @good_redirect_url,
+            omniauth_window_type: 'newWindow'
+          }
 
-      data_json = @response.body.match(/var data \= (.+)\;/)[1]
-      data = ActiveSupport::JSON.decode(data_json)
+      follow_all_redirects!
+
+      data = get_parsed_data_json
       assert_equal @user_email, data['email']
     end
 
     test 'should support wildcards' do
       DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-      get_via_redirect '/auth/facebook',
-                       auth_origin_url: @good_redirect_url,
-                       omniauth_window_type: 'newWindow'
+      get '/auth/facebook',
+          params: { auth_origin_url: @good_redirect_url,
+                    omniauth_window_type: 'newWindow' }
+
+      follow_all_redirects!
 
-      data_json = @response.body.match(/var data \= (.+)\;/)[1]
-      data = ActiveSupport::JSON.decode(data_json)
+      data = get_parsed_data_json
       assert_equal @user_email, data['email']
     end
-
   end
 end

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -8,7 +8,7 @@ require 'test_helper'
 
 class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
   describe DeviseTokenAuth::PasswordsController do
-    describe "Password reset" do
+    describe 'Password reset' do
       before do
         @resource = users(:confirmed_email_user)
         @redirect_url = 'http://ng-token-auth.dev'
@@ -19,18 +19,19 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           @auth_headers = @resource.create_new_auth_token
           @new_password = Faker::Internet.password
 
-          xhr :post, :create, {
-            redirect_url: @redirect_url
-          }
+          post :create,
+               params: { redirect_url: @redirect_url }
           @data = JSON.parse(response.body)
         end
 
         test 'response should fail' do
           assert_equal 401, response.status
         end
+
         test 'error message should be returned' do
-          assert @data["errors"]
-          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_email")]
+          assert @data['errors']
+          assert_equal @data['errors'],
+                       [I18n.t('devise_token_auth.passwords.missing_email')]
         end
       end
 
@@ -39,62 +40,62 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           @auth_headers = @resource.create_new_auth_token
           @new_password = Faker::Internet.password
 
-          xhr :post, :create, {
-            email:        'chester@cheet.ah',
-          }
+          post :create,
+               params: { email: 'chester@cheet.ah' }
           @data = JSON.parse(response.body)
         end
 
         test 'response should fail' do
           assert_equal 401, response.status
         end
+
         test 'error message should be returned' do
-          assert @data["errors"]
-          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_redirect_url")]
+          assert @data['errors']
+          assert_equal @data['errors'],
+                       [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
         end
       end
 
       describe 'request password reset' do
         describe 'unknown user should return 404' do
           before do
-            xhr :post, :create, {
-              email:        'chester@cheet.ah',
-              redirect_url: @redirect_url
-            }
+            post :create,
+                 params: { email: 'chester@cheet.ah',
+                           redirect_url: @redirect_url }
             @data = JSON.parse(response.body)
           end
+
           test 'unknown user should return 404' do
             assert_equal 404, response.status
           end
 
           test 'errors should be returned' do
-            assert @data["errors"]
-            assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.user_not_found", email: 'chester@cheet.ah')]
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.user_not_found',
+                                 email: 'chester@cheet.ah')]
           end
         end
 
         describe 'successfully requested password reset' do
           before do
-            xhr :post, :create, {
-              email:        @resource.email,
-              redirect_url: @redirect_url
-            }
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @redirect_url }
 
             @data = JSON.parse(response.body)
           end
 
           test 'response should not contain extra data' do
-            assert_nil @data["data"]
+            assert_nil @data['data']
           end
         end
 
-
         describe 'case-sensitive email' do
           before do
-            xhr :post, :create, {
-              email:        @resource.email,
-              redirect_url: @redirect_url
-            }
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @redirect_url }
 
             @mail = ActionMailer::Base.deliveries.last
             @resource.reload
@@ -110,7 +111,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
 
           test 'response should contains message' do
-            assert_equal @data["message"], I18n.t("devise_token_auth.passwords.sended", email: @resource.email)
+            assert_equal @data['message'], I18n.t('devise_token_auth.passwords.sended', email: @resource.email)
           end
 
           test 'action should send an email' do
@@ -130,41 +131,39 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
 
           test 'the email body should contain a link with reset token as a query param' do
-            user = User.reset_password_by_token({
-              reset_password_token: @mail_reset_token
-            })
+            user = User.reset_password_by_token(reset_password_token: @mail_reset_token)
 
             assert_equal user.id, @resource.id
           end
 
           describe 'password reset link failure' do
             test 'response should return 404' do
-              assert_raises(ActionController::RoutingError) {
-                xhr :get, :edit, {
-                  reset_password_token: "bogus",
-                  redirect_url: @mail_redirect_url
-                }
-              }
+              assert_raises(ActionController::RoutingError) do
+                get :edit,
+                    params: { reset_password_token: 'bogus',
+                              redirect_url: @mail_redirect_url }
+              end
             end
           end
 
           describe 'password reset link success' do
             before do
-              xhr :get, :edit, {
-                reset_password_token: @mail_reset_token,
-                redirect_url: @mail_redirect_url
-              }
+              get :edit,
+                  params: { reset_password_token: @mail_reset_token,
+                            redirect_url: @mail_redirect_url }
 
               @resource.reload
 
               raw_qs = response.location.split('?')[1]
               @qs = Rack::Utils.parse_nested_query(raw_qs)
 
-              @client_id      = @qs["client_id"]
-              @expiry         = @qs["expiry"]
-              @reset_password = @qs["reset_password"]
-              @token          = @qs["token"]
-              @uid            = @qs["uid"]
+              @access_token   = @qs['access-token']
+              @client_id      = @qs['client_id']
+              @client         = @qs['client']
+              @expiry         = @qs['expiry']
+              @reset_password = @qs['reset_password']
+              @token          = @qs['token']
+              @uid            = @qs['uid']
             end
 
             test 'respones should have success redirect status' do
@@ -172,6 +171,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             end
 
             test 'response should contain auth params' do
+              assert @access_token
+              assert @client
               assert @client_id
               assert @expiry
               assert @reset_password
@@ -181,9 +182,9 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
             test 'response auth params should be valid' do
               assert @resource.valid_token?(@token, @client_id)
+              assert @resource.valid_token?(@access_token, @client)
             end
           end
-
         end
 
         describe 'case-insensitive email' do
@@ -197,13 +198,13 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
           test 'response should return success status if configured' do
             @resource_class.case_insensitive_keys = [:email]
-            xhr :post, :create, @request_params
+            post :create, params: @request_params
             assert_equal 200, response.status
           end
 
           test 'response should return failure status if not configured' do
             @resource_class.case_insensitive_keys = []
-            xhr :post, :create, @request_params
+            post :create, params: @request_params
             assert_equal 404, response.status
           end
         end
@@ -216,10 +217,9 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
           DeviseTokenAuth.default_password_reset_url = @redirect_url
 
-          xhr :post, :create, {
-            email:        @resource.email,
-            redirect_url: @redirect_url
-          }
+          post :create,
+               params: { email: @resource.email,
+                         redirect_url: @redirect_url }
 
           @mail = ActionMailer::Base.deliveries.last
           @resource.reload
@@ -256,36 +256,35 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           DeviseTokenAuth.redirect_whitelist = nil
         end
 
-        test "request to whitelisted redirect should be successful" do
-          xhr :post, :create, {
-            email:        @resource.email,
-            redirect_url: @good_redirect_url
-          }
+        test 'request to whitelisted redirect should be successful' do
+          post :create,
+               params: { email: @resource.email,
+                         redirect_url: @good_redirect_url }
 
           assert_equal 200, response.status
         end
 
-        test "request to non-whitelisted redirect should fail" do
-          xhr :post, :create, {
-            email:        @resource.email,
-            redirect_url: @bad_redirect_url
-          }
+        test 'request to non-whitelisted redirect should fail' do
+          post :create,
+               params: { email: @resource.email,
+                         redirect_url: @bad_redirect_url }
 
           assert_equal 422, response.status
         end
-        test "request to non-whitelisted redirect should return error message" do
-          xhr :post, :create, {
-            email:        @resource.email,
-            redirect_url: @bad_redirect_url
-          }
+        test 'request to non-whitelisted redirect should return error message' do
+          post :create,
+               params: { email: @resource.email,
+                         redirect_url: @bad_redirect_url }
 
           @data = JSON.parse(response.body)
-          assert @data["errors"]
-          assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @bad_redirect_url)]
+          assert @data['errors']
+          assert_equal @data['errors'],
+                       [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
+                               redirect_url: @bad_redirect_url)]
         end
       end
 
-      describe "change password with current password required" do
+      describe 'change password with current password required' do
         before do
           DeviseTokenAuth.check_current_password_before_update = :password
         end
@@ -301,56 +300,59 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             @new_password = Faker::Internet.password
             @resource.update password: 'secret123', password_confirmation: 'secret123'
 
-            xhr :put, :update, {
-              password: @new_password,
-              password_confirmation: @new_password,
-              current_password: 'secret123'
-            }
+            put :update,
+                params: { password: @new_password,
+                          password_confirmation: @new_password,
+                          current_password: 'secret123' }
 
             @data = JSON.parse(response.body)
             @resource.reload
           end
 
-          test "request should be successful" do
+          test 'request should be successful' do
             assert_equal 200, response.status
           end
         end
 
         describe 'success with after password reset' do
           before do
-            xhr :post, :create, {
-              email:        @resource.email,
-              redirect_url: @redirect_url
-            }
+            # create a new password reset request
+            post :create, params: { email: @resource.email,
+                                    redirect_url: @redirect_url }
 
             @mail = ActionMailer::Base.deliveries.last
             @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
             @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
 
-            xhr :get, :edit, {
-              reset_password_token: @mail_reset_token,
-              redirect_url: @mail_redirect_url
-            }
+            # confirm via password reset email link
+            get :edit, params: { reset_password_token: @mail_reset_token,
+                                 redirect_url: @mail_redirect_url }
+
+            @resource.reload
+            @allow_password_change_after_reset = @resource.allow_password_change
 
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
 
-            xhr :put, :update, {
-              password: @new_password,
-              password_confirmation: @new_password
-            }
+            put :update, params: { password: @new_password,
+                                   password_confirmation: @new_password }
 
             @data = JSON.parse(response.body)
+            @resource.reload
             @allow_password_change = @resource.allow_password_change
             @resource.reload
           end
 
-          test "request should be successful" do
+          test 'request should be successful' do
             assert_equal 200, response.status
           end
 
-          test "sets allow_password_change false" do
+          test 'changes allow_password_change to true on reset' do
+            assert_equal true, @allow_password_change_after_reset
+          end
+
+          test 'sets allow_password_change false' do
             assert_equal false, @allow_password_change
           end
         end
@@ -361,11 +363,9 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
 
-            xhr :put, :update, {
-              password: @new_password,
-              password_confirmation: @new_password,
-              current_password: 'not_very_secret321'
-            }
+            put :update, params: { password: @new_password,
+                                   password_confirmation: @new_password,
+                                   current_password: 'not_very_secret321' }
           end
 
           test 'response should fail unauthorized' do
@@ -374,32 +374,31 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         end
       end
 
-      describe "change password" do
+      describe 'change password' do
         describe 'success' do
           before do
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
 
-            xhr :put, :update, {
-              password: @new_password,
-              password_confirmation: @new_password
-            }
+            put :update, params: { password: @new_password,
+                                   password_confirmation: @new_password }
 
             @data = JSON.parse(response.body)
             @resource.reload
           end
 
-          test "request should be successful" do
+          test 'request should be successful' do
             assert_equal 200, response.status
           end
 
-          test "request should return success message" do
-            assert @data["message"]
-            assert_equal @data["message"], I18n.t("devise_token_auth.passwords.successfully_updated")
+          test 'request should return success message' do
+            assert @data['message']
+            assert_equal @data['message'],
+                         I18n.t('devise_token_auth.passwords.successfully_updated')
           end
 
-          test "new password should authenticate user" do
+          test 'new password should authenticate user' do
             assert @resource.valid_password?(@new_password)
           end
         end
@@ -410,10 +409,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
 
-            xhr :put, :update, {
-              password: 'chong',
-              password_confirmation: 'bong'
-            }
+            put :update, params: { password: 'chong',
+                                   password_confirmation: 'bong' }
           end
 
           test 'response should fail' do
@@ -426,10 +423,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             @auth_headers = @resource.create_new_auth_token
             @new_password = Faker::Internet.password
 
-            xhr :put, :update, {
-              password: @new_password,
-              password_confirmation: @new_password
-            }
+            put :update, params: { password: @new_password,
+                                   password_confirmation: @new_password }
           end
 
           test 'response should fail' do
@@ -439,7 +434,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
     end
 
-    describe "Alternate user class" do
+    describe 'Alternate user class' do
       setup do
         @request.env['devise.mapping'] = Devise.mappings[:mang]
       end
@@ -452,10 +447,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @resource = mangs(:confirmed_email_user)
         @redirect_url = 'http://ng-token-auth.dev'
 
-        xhr :post, :create, {
-          email:        @resource.email,
-          redirect_url: @redirect_url
-        }
+        post :create, params: { email: @resource.email,
+                                redirect_url: @redirect_url }
 
         @mail = ActionMailer::Base.deliveries.last
         @resource.reload
@@ -470,9 +463,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
 
       test 'the email body should contain a link with reset token as a query param' do
-        user = Mang.reset_password_by_token({
-          reset_password_token: @mail_reset_token
-        })
+        user = Mang.reset_password_by_token(reset_password_token: @mail_reset_token)
 
         assert_equal user.id, @resource.id
       end
@@ -483,10 +474,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @resource = users(:unconfirmed_email_user)
         @redirect_url = 'http://ng-token-auth.dev'
 
-        xhr :post, :create, {
-          email:        @resource.email,
-          redirect_url: @redirect_url
-        }
+        post :create, params: { email: @resource.email,
+                                redirect_url: @redirect_url }
 
         @mail = ActionMailer::Base.deliveries.last
         @resource.reload
@@ -495,14 +484,13 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
         @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
 
-        xhr :get, :edit, {
-          reset_password_token: @mail_reset_token,
-          redirect_url: @mail_redirect_url
-        }
+        get :edit, params: { reset_password_token: @mail_reset_token,
+                             redirect_url: @mail_redirect_url }
 
         @resource.reload
       end
     end
+
     describe 'unconfirmable user' do
       setup do
         @request.env['devise.mapping'] = Devise.mappings[:unconfirmable_user]
@@ -516,10 +504,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @resource = unconfirmable_users(:user)
         @redirect_url = 'http://ng-token-auth.dev'
 
-        xhr :post, :create, {
-          email:        @resource.email,
-          redirect_url: @redirect_url
-        }
+        post :create, params: { email: @resource.email,
+                                redirect_url: @redirect_url }
 
         @mail = ActionMailer::Base.deliveries.last
         @resource.reload
@@ -528,10 +514,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
         @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
 
-        xhr :get, :edit, {
-          reset_password_token: @mail_reset_token,
-          redirect_url: @mail_redirect_url
-        }
+        get :edit, params: { reset_password_token: @mail_reset_token,
+                             redirect_url: @mail_redirect_url }
 
         @resource.reload
       end
@@ -539,15 +523,13 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
     describe 'alternate user type' do
       before do
-        @resource         = users(:confirmed_email_user)
+        @resource = users(:confirmed_email_user)
         @redirect_url = 'http://ng-token-auth.dev'
-        @config_name  = "altUser"
+        @config_name  = 'altUser'
 
-        xhr :post, :create, {
-          email:        @resource.email,
-          redirect_url: @redirect_url,
-          config_name:  @config_name
-        }
+        post :create, params: { email: @resource.email,
+                                redirect_url: @redirect_url,
+                                config_name: @config_name }
 
         @mail = ActionMailer::Base.deliveries.last
         @resource.reload