devise_token_auth 0.1.43 → 1.2.0

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -8,6 +10,17 @@ require 'test_helper'
 
 class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::RegistrationsController do
+
+    def mock_registration_params
+      {
+        email: Faker::Internet.email,
+        password: 'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url: Faker::Internet.url,
+        unpermitted_param: '(x_x)'
+      }
+    end
+
     describe 'Validate non-empty body' do
       before do
         # need to post empty data
@@ -39,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @mails_sent = ActionMailer::Base.deliveries.count
 
         post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
+             params: mock_registration_params
 
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -81,6 +88,41 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
     end
 
+    describe 'using allow_unconfirmed_access_for' do
+      before do
+        @original_duration = Devise.allow_unconfirmed_access_for
+        Devise.allow_unconfirmed_access_for = nil
+      end
+
+      test 'auth headers were returned in response' do
+        post '/auth', params: mock_registration_params
+        assert response.headers['access-token']
+        assert response.headers['token-type']
+        assert response.headers['client']
+        assert response.headers['expiry']
+        assert response.headers['uid']
+      end
+
+      describe 'using auth cookie' do
+        before do
+          DeviseTokenAuth.cookie_enabled = true
+        end
+
+        test 'auth cookie was returned in response' do
+          post '/auth', params: mock_registration_params
+          assert response.cookies[DeviseTokenAuth.cookie_name]
+        end
+
+        after do
+          DeviseTokenAuth.cookie_enabled = false
+        end
+      end
+
+      after do
+        Devise.allow_unconfirmed_access_for = @original_duration
+      end
+    end
+
     describe 'using "+" in email' do
       test 'can use + sign in email addresses' do
         @plus_email = 'ak+testing@gmail.com'
@@ -177,7 +219,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
         @mail = ActionMailer::Base.deliveries.last
-        @sent_redirect_url = URI.decode(@mail.body.match(/redirect_url=([^&]*)(&|\")/)[1])
+        @sent_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)(&|\")/)[1])
       end
 
       teardown do
@@ -303,7 +345,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -331,7 +373,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -360,7 +402,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -374,7 +416,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
     describe 'Existing users' do
       before do
-        @existing_user = users(:confirmed_email_user)
+        @existing_user = create(:user, :confirmed)
 
         post '/auth',
              params: { email: @existing_user.email,
@@ -391,7 +433,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -402,7 +444,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
     describe 'Destroy user account' do
       describe 'success' do
         before do
-          @existing_user = users(:confirmed_email_user)
+          @existing_user = create(:user, :confirmed)
           @auth_headers  = @existing_user.create_new_auth_token
           @client_id     = @auth_headers['client']
 
@@ -449,7 +491,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
     describe 'Update user account' do
       describe 'existing user' do
         before do
-          @existing_user = users(:confirmed_email_user)
+          @existing_user = create(:user, :confirmed)
           @auth_headers  = @existing_user.create_new_auth_token
           @client_id     = @auth_headers['client']
 
@@ -463,7 +505,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -497,13 +539,13 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
             end
 
             test 'Supply current password' do
-              @request_params[:current_password] = 'secret123'
-              @request_params[:email] = 'new.email@example.com'
+              @request_params[:current_password] = @existing_user.password
+              @request_params[:email] = @existing_user.email
 
               put '/auth', params: @request_params, headers: @auth_headers
               @data = JSON.parse(response.body)
               @existing_user.reload
-              assert_equal @existing_user.email, 'new.email@example.com'
+              assert_equal @existing_user.email, @request_params[:email]
             end
           end
 
@@ -570,7 +612,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -621,7 +663,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           before do
             DeviseTokenAuth.check_current_password_before_update = :password
             @new_operating_thetan = 1_000_000
-            @email = 'AlternatingCase2@example.com'
+            @email = Faker::Internet.safe_email
           end
 
           after do
@@ -666,7 +708,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
       describe 'invalid user' do
         before do
-          @existing_user = users(:confirmed_email_user)
+          @existing_user = create(:user, :confirmed)
           @auth_headers  = @existing_user.create_new_auth_token
           @client_id     = @auth_headers['client']
 
@@ -703,7 +745,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
     describe 'Ouath user has existing email' do
       before do
-        @existing_user = users(:duplicate_email_facebook_user)
+        @existing_user = create(:user, :facebook, :confirmed)
 
         post '/auth',
              params: { email: @existing_user.email,

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -10,33 +12,20 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
   describe DeviseTokenAuth::SessionsController do
     describe 'Confirmed user' do
       before do
-        @existing_user = users(:confirmed_email_user)
-        @existing_user.skip_confirmation!
-        @existing_user.save!
+        @existing_user = create(:user, :with_nickname, :confirmed)
       end
 
       describe 'success' do
         before do
-          @old_sign_in_count      = @existing_user.sign_in_count
-          @old_current_sign_in_at = @existing_user.current_sign_in_at
-          @old_last_sign_in_at    = @existing_user.last_sign_in_at
-          @old_sign_in_ip         = @existing_user.current_sign_in_ip
-          @old_last_sign_in_ip    = @existing_user.last_sign_in_ip
+          @user_session_params = {
+            email: @existing_user.email,
+            password: @existing_user.password
+          }
 
-          post :create,
-               params: {
-                 email: @existing_user.email,
-                 password: 'secret123'
-               }
+          post :create, params: @user_session_params
 
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
-
-          @new_sign_in_count      = @resource.sign_in_count
-          @new_current_sign_in_at = @resource.current_sign_in_at
-          @new_last_sign_in_at    = @resource.last_sign_in_at
-          @new_sign_in_ip         = @resource.current_sign_in_ip
-          @new_last_sign_in_ip    = @resource.last_sign_in_ip
         end
 
         test 'request should succeed' do
@@ -47,29 +36,63 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
 
-        describe 'trackable' do
-          test 'sign_in_count incrementns' do
-            assert_equal @old_sign_in_count + 1, @new_sign_in_count
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
           end
 
-          test 'current_sign_in_at is updated' do
-            refute @old_current_sign_in_at
-            assert @new_current_sign_in_at
+          test 'request should return auth cookie' do
+            post :create, params: @user_session_params
+            assert response.cookies[DeviseTokenAuth.cookie_name]
           end
 
-          test 'last_sign_in_at is updated' do
-            refute @old_last_sign_in_at
-            assert @new_last_sign_in_at
+          after do
+            DeviseTokenAuth.cookie_enabled = false
           end
+        end
 
-          test 'sign_in_ip is updated' do
-            refute @old_sign_in_ip
-            assert_equal '0.0.0.0', @new_sign_in_ip
+        describe "with multiple clients and headers don't change in each request" do
+          before do
+            # Set the max_number_of_devices to a lower number
+            #  to expedite tests! (Default is 10)
+            DeviseTokenAuth.max_number_of_devices = 2
+            DeviseTokenAuth.change_headers_on_each_request = false
           end
 
-          test 'last_sign_in_ip is updated' do
-            refute @old_last_sign_in_ip
-            assert_equal '0.0.0.0', @new_last_sign_in_ip
+          test 'should limit the maximum number of concurrent devices' do
+            # increment the number of devices until the maximum is exceeded
+            1.upto(DeviseTokenAuth.max_number_of_devices + 1).each do |n|
+              initial_tokens = @existing_user.reload.tokens
+
+              assert_equal(
+                [n, DeviseTokenAuth.max_number_of_devices].min,
+                @existing_user.reload.tokens.length
+              )
+
+              # Already have the max number of devices
+              post :create, params: @user_session_params
+
+              # A session for a new device maintains the max number of concurrent devices
+              refute_equal initial_tokens, @existing_user.reload.tokens
+            end
+          end
+
+          test 'should drop old tokens when max number of devices is exceeded' do
+            1.upto(DeviseTokenAuth.max_number_of_devices).each do |n|
+              post :create, params: @user_session_params
+            end
+
+            oldest_token, _ = @existing_user.reload.tokens \
+                                .min_by { |cid, v| v[:expiry] || v['expiry'] }
+
+            post :create, params: @user_session_params
+
+            assert_not_includes @existing_user.reload.tokens.keys, oldest_token
+          end
+
+          after do
+            DeviseTokenAuth.max_number_of_devices = 10
+            DeviseTokenAuth.change_headers_on_each_request = true
           end
         end
       end
@@ -78,7 +101,7 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         before do
           get :new,
               params: { nickname: @existing_user.nickname,
-                        password: 'secret123' }
+                        password: @existing_user.password }
           @data = JSON.parse(response.body)
         end
 
@@ -95,7 +118,7 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         before do
           request.headers.merge!(
             'email' => @existing_user.email,
-            'password' => 'secret123'
+            'password' => @existing_user.password
           )
 
           head :create
@@ -111,7 +134,7 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         before do
           post :create,
                params: { nickname: @existing_user.nickname,
-                         password: 'secret123' }
+                         password: @existing_user.password }
           @data = JSON.parse(response.body)
         end
 
@@ -147,6 +170,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         test 'session was destroyed' do
           assert_equal true, @controller.reset_session_called
         end
+
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+            @auth_token = @existing_user.create_new_auth_token
+            @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
+          end
+
+          test 'auth cookie was destroyed' do
+            assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
+            delete :destroy, format: :json
+            assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
       end
 
       describe 'unauthed user sign out' do
@@ -223,7 +264,7 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           @resource_class = User
           @request_params = {
             email: @existing_user.email.upcase,
-            password: 'secret123'
+            password: @existing_user.password
           }
         end
 
@@ -246,7 +287,7 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           @request_params = {
             # adding whitespace before and after email
             email: " #{@existing_user.email}  ",
-            password: 'secret123'
+            password: @existing_user.password
           }
         end
 
@@ -266,9 +307,9 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
     describe 'Unconfirmed user' do
       before do
-        @unconfirmed_user = users(:unconfirmed_email_user)
+        @unconfirmed_user = create(:user)
         post :create, params: { email: @unconfirmed_user.email,
-                                password: 'secret123' }
+                                password: @unconfirmed_user.password }
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
       end
@@ -289,10 +330,10 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       before do
         @original_duration = Devise.allow_unconfirmed_access_for
         Devise.allow_unconfirmed_access_for = 3.days
-        @recent_unconfirmed_user = users(:recent_unconfirmed_email_user)
+        @recent_unconfirmed_user = create(:user)
         post :create,
              params: { email: @recent_unconfirmed_user.email,
-                       password: 'secret123' }
+                       password: @recent_unconfirmed_user.password }
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
       end
@@ -312,20 +353,14 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
     describe 'Unconfirmed user with expired unconfirmed access' do
       before do
-        @original_duration = Devise.allow_unconfirmed_access_for
-        Devise.allow_unconfirmed_access_for = 3.days
-        @unconfirmed_user = users(:unconfirmed_email_user)
+        @unconfirmed_user = create(:user, :unconfirmed)
         post :create,
              params: { email: @unconfirmed_user.email,
-                       password: 'secret123' }
+                       password: @unconfirmed_user.password }
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
       end
 
-      after do
-        Devise.allow_unconfirmed_access_for = @original_duration
-      end
-
       test 'request should fail' do
         assert_equal 401, response.status
       end
@@ -363,13 +398,11 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       end
 
       before do
-        @existing_user = mangs(:confirmed_email_user)
-        @existing_user.skip_confirmation!
-        @existing_user.save!
+        @existing_user = create(:mang_user, :confirmed)
 
         post :create,
              params: { email: @existing_user.email,
-                       password: 'secret123' }
+                       password: @existing_user.password }
 
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -394,12 +427,11 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       end
 
       before do
-        @existing_user = only_email_users(:user)
-        @existing_user.save!
+        @existing_user = create(:only_email_user)
 
         post :create,
              params: { email: @existing_user.email,
-                       password: 'secret123' }
+                       password: @existing_user.password }
 
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -437,10 +469,10 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
       describe 'locked user' do
         before do
-          @locked_user = lockable_users(:locked_user)
+          @locked_user = create(:lockable_user, :locked)
           post :create,
                params: { email: @locked_user.email,
-                         password: 'secret123' }
+                         password: @locked_user.password }
           @data = JSON.parse(response.body)
         end
 
@@ -456,7 +488,7 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
       describe 'unlocked user with bad password' do
         before do
-          @unlocked_user = lockable_users(:unlocked_user)
+          @unlocked_user = create(:lockable_user)
           post :create,
                params: { email: @unlocked_user.email,
                          password: 'bad-password' }

data/test/controllers/devise_token_auth/token_validations_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -9,9 +11,7 @@ require 'test_helper'
 class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::TokenValidationsController do
     before do
-      @resource = users(:confirmed_email_user)
-      @resource.skip_confirmation!
-      @resource.save!
+      @resource = create(:user, :confirmed)
 
       @auth_headers = @resource.create_new_auth_token
 
@@ -45,6 +45,20 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
       end
     end
 
+    describe 'with invalid user' do
+      before do
+        @resource.update_column(:email, 'invalid') if DEVISE_TOKEN_AUTH_ORM == :active_record
+        @resource.set(email: 'invalid') if DEVISE_TOKEN_AUTH_ORM == :mongoid
+      end
+
+      test 'request should raise invalid model error' do
+        error = assert_raises DeviseTokenAuth::Errors::InvalidModel do
+          get '/auth/validate_token', params: {}, headers: @auth_headers
+        end
+        assert_equal(error.message, "Cannot set auth token in invalid model. Errors: [\"Email is not an email\"]")
+      end
+    end
+
     describe 'failure' do
       before do
         get '/api/v1/auth/validate_token',
@@ -66,9 +80,7 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
 
   describe 'using namespaces with unused resource' do
     before do
-      @resource = scoped_users(:confirmed_email_user)
-      @resource.skip_confirmation!
-      @resource.save!
+      @resource = create(:scoped_user, :confirmed)
 
       @auth_headers = @resource.create_new_auth_token
 

data/test/controllers/devise_token_auth/unlocks_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -33,7 +35,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
 
     describe 'Unlocking user' do
       before do
-        @resource = lockable_users(:unlocked_user)
+        @resource = create(:lockable_user)
       end
 
       describe 'request unlock without email' do
@@ -55,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
       end
 
       describe 'request unlock' do
-        describe 'unknown user should return 404' do
+        describe 'without paranoid mode' do
           before do
             post :create, params: { email: 'chester@cheet.ah' }
             @data = JSON.parse(response.body)
@@ -66,9 +68,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
 
           test 'errors should be returned' do
             assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
+                                                  email: 'chester@cheet.ah')]
+          end
+        end
+
+        describe 'with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: 'chester@cheet.ah' }
+              @data = JSON.parse(response.body)
+            end
+          end
+
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.sended_paranoid')]
           end
         end
 

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -7,10 +9,12 @@ require 'test_helper'
 #  was the appropriate message delivered in the json payload?
 
 class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
   describe Overrides::ConfirmationsController do
     before do
       @redirect_url = Faker::Internet.url
-      @new_user = evil_users(:unconfirmed_email_user)
+      @new_user = create(:user)
 
       # generate + send email
       @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
@@ -34,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
       override_proof_str = '(^^,)'
 
       # ensure present in redirect URL
-      override_proof_param = URI.unescape(response.headers['Location']
+      override_proof_param = CGI.unescape(response.headers['Location']
                                 .match(/override_proof=([^&]*)&/)[1])
 
       assert_equal override_proof_str, override_proof_param

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -7,8 +9,10 @@ require 'test_helper'
 #  was the appropriate message delivered in the json payload?
 
 class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
   describe Overrides::OmniauthCallbacksController do
-    setup do
+    before do
       OmniAuth.config.test_mode = true
       OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
         provider: 'facebook',