devise_token_auth 1.0.0 → 1.1.5

Sign up to get free protection for your applications and to get access to all the features.
Files changed (126) hide show
  1. checksums.yaml +5 -5
  2. data/README.md +4 -2
  3. data/app/controllers/devise_token_auth/application_controller.rb +2 -3
  4. data/app/controllers/devise_token_auth/concerns/resource_finder.rb +11 -12
  5. data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +41 -57
  6. data/app/controllers/devise_token_auth/confirmations_controller.rb +63 -20
  7. data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +77 -29
  8. data/app/controllers/devise_token_auth/passwords_controller.rb +44 -30
  9. data/app/controllers/devise_token_auth/registrations_controller.rb +33 -40
  10. data/app/controllers/devise_token_auth/sessions_controller.rb +5 -5
  11. data/app/controllers/devise_token_auth/unlocks_controller.rb +4 -4
  12. data/app/models/devise_token_auth/concerns/active_record_support.rb +14 -0
  13. data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
  14. data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
  15. data/app/models/devise_token_auth/concerns/tokens_serialization.rb +31 -0
  16. data/app/models/devise_token_auth/concerns/user.rb +51 -70
  17. data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +6 -3
  18. data/app/validators/{email_validator.rb → devise_token_auth_email_validator.rb} +2 -2
  19. data/config/locales/da-DK.yml +2 -0
  20. data/config/locales/de.yml +2 -0
  21. data/config/locales/en.yml +7 -0
  22. data/config/locales/es.yml +2 -0
  23. data/config/locales/fr.yml +2 -0
  24. data/config/locales/he.yml +52 -0
  25. data/config/locales/it.yml +2 -0
  26. data/config/locales/ja.yml +4 -2
  27. data/config/locales/ko.yml +51 -0
  28. data/config/locales/nl.yml +2 -0
  29. data/config/locales/pl.yml +6 -3
  30. data/config/locales/pt-BR.yml +2 -0
  31. data/config/locales/pt.yml +6 -3
  32. data/config/locales/ro.yml +2 -0
  33. data/config/locales/ru.yml +2 -0
  34. data/config/locales/sq.yml +2 -0
  35. data/config/locales/sv.yml +2 -0
  36. data/config/locales/uk.yml +2 -0
  37. data/config/locales/vi.yml +2 -0
  38. data/config/locales/zh-CN.yml +2 -0
  39. data/config/locales/zh-HK.yml +2 -0
  40. data/config/locales/zh-TW.yml +2 -0
  41. data/lib/devise_token_auth/blacklist.rb +2 -0
  42. data/lib/devise_token_auth/controllers/helpers.rb +5 -9
  43. data/lib/devise_token_auth/engine.rb +7 -1
  44. data/lib/devise_token_auth/rails/routes.rb +16 -11
  45. data/lib/devise_token_auth/token_factory.rb +126 -0
  46. data/lib/devise_token_auth/url.rb +3 -0
  47. data/lib/devise_token_auth/version.rb +1 -1
  48. data/lib/devise_token_auth.rb +6 -3
  49. data/lib/generators/devise_token_auth/USAGE +1 -1
  50. data/lib/generators/devise_token_auth/install_generator.rb +7 -91
  51. data/lib/generators/devise_token_auth/install_generator_helpers.rb +98 -0
  52. data/lib/generators/devise_token_auth/install_mongoid_generator.rb +46 -0
  53. data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +10 -0
  54. data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -8
  55. data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
  56. data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +56 -0
  57. data/test/controllers/custom/custom_confirmations_controller_test.rb +1 -1
  58. data/test/controllers/demo_user_controller_test.rb +2 -2
  59. data/test/controllers/devise_token_auth/confirmations_controller_test.rb +83 -19
  60. data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +109 -42
  61. data/test/controllers/devise_token_auth/passwords_controller_test.rb +227 -102
  62. data/test/controllers/devise_token_auth/registrations_controller_test.rb +34 -7
  63. data/test/controllers/devise_token_auth/sessions_controller_test.rb +0 -38
  64. data/test/controllers/devise_token_auth/token_validations_controller_test.rb +2 -1
  65. data/test/dummy/app/active_record/confirmable_user.rb +11 -0
  66. data/test/dummy/app/{models → active_record}/scoped_user.rb +2 -2
  67. data/test/dummy/app/{models → active_record}/unconfirmable_user.rb +1 -2
  68. data/test/dummy/app/{models → active_record}/unregisterable_user.rb +3 -3
  69. data/test/dummy/app/active_record/user.rb +6 -0
  70. data/test/dummy/app/controllers/overrides/confirmations_controller.rb +3 -3
  71. data/test/dummy/app/controllers/overrides/passwords_controller.rb +3 -3
  72. data/test/dummy/app/controllers/overrides/registrations_controller.rb +1 -1
  73. data/test/dummy/app/controllers/overrides/sessions_controller.rb +2 -2
  74. data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} +7 -8
  75. data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
  76. data/test/dummy/app/mongoid/lockable_user.rb +38 -0
  77. data/test/dummy/app/mongoid/mang.rb +46 -0
  78. data/test/dummy/app/mongoid/only_email_user.rb +33 -0
  79. data/test/dummy/app/mongoid/scoped_user.rb +50 -0
  80. data/test/dummy/app/mongoid/unconfirmable_user.rb +44 -0
  81. data/test/dummy/app/mongoid/unregisterable_user.rb +47 -0
  82. data/test/dummy/app/mongoid/user.rb +49 -0
  83. data/test/dummy/app/views/layouts/application.html.erb +0 -2
  84. data/test/dummy/config/application.rb +22 -1
  85. data/test/dummy/config/boot.rb +4 -0
  86. data/test/dummy/config/environments/development.rb +0 -10
  87. data/test/dummy/config/environments/production.rb +0 -16
  88. data/test/dummy/config/initializers/devise.rb +285 -0
  89. data/test/dummy/config/initializers/devise_token_auth.rb +35 -4
  90. data/test/dummy/config/initializers/figaro.rb +1 -1
  91. data/test/dummy/config/initializers/omniauth.rb +1 -0
  92. data/test/dummy/config/routes.rb +2 -0
  93. data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +0 -7
  94. data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +0 -7
  95. data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +0 -7
  96. data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +0 -7
  97. data/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +0 -7
  98. data/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb +0 -7
  99. data/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb +0 -7
  100. data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
  101. data/test/dummy/db/schema.rb +26 -28
  102. data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +9 -0
  103. data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
  104. data/test/dummy/tmp/generators/db/migrate/20210126004321_devise_token_auth_create_azpire_v1_human_resource_users.rb +49 -0
  105. data/test/factories/users.rb +3 -2
  106. data/test/lib/devise_token_auth/blacklist_test.rb +11 -0
  107. data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
  108. data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
  109. data/test/lib/devise_token_auth/token_factory_test.rb +191 -0
  110. data/test/lib/devise_token_auth/url_test.rb +2 -2
  111. data/test/lib/generators/devise_token_auth/install_generator_test.rb +51 -31
  112. data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +51 -31
  113. data/test/models/concerns/mongoid_support_test.rb +31 -0
  114. data/test/models/concerns/tokens_serialization_test.rb +104 -0
  115. data/test/models/confirmable_user_test.rb +35 -0
  116. data/test/models/only_email_user_test.rb +0 -8
  117. data/test/models/user_test.rb +1 -33
  118. data/test/test_helper.rb +13 -3
  119. metadata +125 -32
  120. data/config/initializers/devise.rb +0 -198
  121. data/test/dummy/config/initializers/assets.rb +0 -10
  122. data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
  123. data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
  124. /data/test/dummy/app/{models → active_record}/lockable_user.rb +0 -0
  125. /data/test/dummy/app/{models → active_record}/mang.rb +0 -0
  126. /data/test/dummy/app/{models → active_record}/only_email_user.rb +0 -0
@@ -155,6 +155,8 @@ class OmniauthTest < ActionDispatch::IntegrationTest
155
155
  describe 'with new user' do
156
156
  before do
157
157
  User.any_instance.expects(:new_record?).returns(true).at_least_once
158
+ # https://docs.mongodb.com/mongoid/master/tutorials/mongoid-documents/#notes-on-persistence
159
+ User.any_instance.expects(:save!).returns(true)
158
160
  end
159
161
 
160
162
  test 'response contains oauth_registration attr' do
@@ -315,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
315
317
  end
316
318
 
317
319
  describe 'Using redirect_whitelist' do
318
- before do
319
- @user_email = 'slemp.diggler@sillybandz.gov'
320
- OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
321
- provider: 'facebook',
322
- uid: '123545',
323
- info: {
324
- name: 'chong',
325
- email: @user_email
326
- }
327
- )
328
- @good_redirect_url = Faker::Internet.url
329
- @bad_redirect_url = Faker::Internet.url
330
- DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
331
- end
332
320
 
333
- teardown do
334
- DeviseTokenAuth.redirect_whitelist = nil
335
- end
321
+ describe "newWindow" do
322
+ before do
323
+ @user_email = 'slemp.diggler@sillybandz.gov'
324
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
325
+ provider: 'facebook',
326
+ uid: '123545',
327
+ info: {
328
+ name: 'chong',
329
+ email: @user_email
330
+ }
331
+ )
332
+ @good_redirect_url = Faker::Internet.url
333
+ @bad_redirect_url = Faker::Internet.url
334
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
335
+ end
336
336
 
337
- test 'request using non-whitelisted redirect fail' do
338
- get '/auth/facebook',
339
- params: { auth_origin_url: @bad_redirect_url,
340
- omniauth_window_type: 'newWindow' }
337
+ teardown do
338
+ DeviseTokenAuth.redirect_whitelist = nil
339
+ end
341
340
 
342
- follow_all_redirects!
341
+ test 'request using non-whitelisted redirect fail' do
342
+ get '/auth/facebook',
343
+ params: { auth_origin_url: @bad_redirect_url,
344
+ omniauth_window_type: 'newWindow' }
343
345
 
344
- data = get_parsed_data_json
345
- assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
346
- data['error']
346
+ follow_all_redirects!
347
+
348
+ data = get_parsed_data_json
349
+ assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
350
+ data['error']
351
+ end
352
+
353
+ test 'request to whitelisted redirect should succeed' do
354
+ get '/auth/facebook',
355
+ params: {
356
+ auth_origin_url: @good_redirect_url,
357
+ omniauth_window_type: 'newWindow'
358
+ }
359
+
360
+ follow_all_redirects!
361
+
362
+ data = get_parsed_data_json
363
+ assert_equal @user_email, data['email']
364
+ end
365
+
366
+ test 'should support wildcards' do
367
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
368
+ get '/auth/facebook',
369
+ params: { auth_origin_url: @good_redirect_url,
370
+ omniauth_window_type: 'newWindow' }
371
+
372
+ follow_all_redirects!
373
+
374
+ data = get_parsed_data_json
375
+ assert_equal @user_email, data['email']
376
+ end
347
377
  end
348
378
 
349
- test 'request to whitelisted redirect should succeed' do
350
- get '/auth/facebook',
351
- params: {
352
- auth_origin_url: @good_redirect_url,
353
- omniauth_window_type: 'newWindow'
379
+ describe "sameWindow" do
380
+ before do
381
+ @user_email = 'slemp.diggler@sillybandz.gov'
382
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
383
+ provider: 'facebook',
384
+ uid: '123545',
385
+ info: {
386
+ name: 'chong',
387
+ email: @user_email
354
388
  }
389
+ )
390
+ @good_redirect_url = '/auth_origin'
391
+ @bad_redirect_url = Faker::Internet.url
392
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
393
+ end
355
394
 
356
- follow_all_redirects!
395
+ teardown do
396
+ DeviseTokenAuth.redirect_whitelist = nil
397
+ end
357
398
 
358
- data = get_parsed_data_json
359
- assert_equal @user_email, data['email']
360
- end
399
+ test 'request using non-whitelisted redirect fail' do
400
+ get '/auth/facebook',
401
+ params: { auth_origin_url: @bad_redirect_url,
402
+ omniauth_window_type: 'sameWindow' }
361
403
 
362
- test 'should support wildcards' do
363
- DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
364
- get '/auth/facebook',
365
- params: { auth_origin_url: @good_redirect_url,
366
- omniauth_window_type: 'newWindow' }
404
+ follow_all_redirects!
405
+
406
+ assert_equal 200, response.status
407
+ assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
408
+ end
409
+
410
+ test 'request to whitelisted redirect should succeed' do
411
+ get '/auth/facebook',
412
+ params: {
413
+ auth_origin_url: '/auth_origin',
414
+ omniauth_window_type: 'sameWindow'
415
+ }
416
+
417
+ follow_all_redirects!
418
+
419
+ assert_equal 200, response.status
420
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
421
+ end
422
+
423
+ test 'should support wildcards' do
424
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
425
+ get '/auth/facebook',
426
+ params: {
427
+ auth_origin_url: '/auth_origin',
428
+ omniauth_window_type: 'sameWindow'
429
+ }
430
+
431
+ follow_all_redirects!
432
+
433
+ assert_equal 200, response.status
434
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
435
+ end
367
436
 
368
- follow_all_redirects!
369
437
 
370
- data = get_parsed_data_json
371
- assert_equal @user_email, data['email']
372
438
  end
439
+
373
440
  end
374
441
  end
@@ -41,22 +41,46 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
41
41
  before do
42
42
  @auth_headers = @resource.create_new_auth_token
43
43
  @new_password = Faker::Internet.password
44
-
45
- post :create,
46
- params: { email: 'chester@cheet.ah' }
47
- @data = JSON.parse(response.body)
48
44
  end
49
45
 
50
- test 'response should fail' do
51
- assert_equal 401, response.status
46
+ describe 'for create' do
47
+ before do
48
+ post :create,
49
+ params: { email: 'chester@cheet.ah' }
50
+ @data = JSON.parse(response.body)
51
+ end
52
+
53
+ test 'response should fail' do
54
+ assert_equal 401, response.status
55
+ end
56
+
57
+ test 'error message should be returned' do
58
+ assert @data['errors']
59
+ assert_equal(
60
+ @data['errors'],
61
+ [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
62
+ )
63
+ end
52
64
  end
53
65
 
54
- test 'error message should be returned' do
55
- assert @data['errors']
56
- assert_equal(
57
- @data['errors'],
58
- [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
59
- )
66
+ describe 'for edit' do
67
+ before do
68
+ get_reset_token
69
+ get :edit, params: { reset_password_token: @mail_reset_token}
70
+ @data = JSON.parse(response.body)
71
+ end
72
+
73
+ test 'response should fail' do
74
+ assert_equal 401, response.status
75
+ end
76
+
77
+ test 'error message should be returned' do
78
+ assert @data['errors']
79
+ assert_equal(
80
+ @data['errors'],
81
+ [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
82
+ )
83
+ end
60
84
  end
61
85
  end
62
86
 
@@ -215,10 +239,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
215
239
  end
216
240
  end
217
241
 
218
- describe 'Cheking reset_password_token' do
242
+ describe 'Checking reset_password_token' do
219
243
  before do
220
244
  post :create, params: {
221
- email: @resource.email,
245
+ email: @resource.email,
222
246
  redirect_url: @redirect_url
223
247
  }
224
248
 
@@ -235,14 +259,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
235
259
  assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
236
260
  end
237
261
 
238
- test 'reset_password_token should be rewritten by origin mail_reset_token' do
262
+ test 'reset_password_token should not be rewritten by origin mail_reset_token' do
239
263
  get :edit, params: {
240
264
  reset_password_token: @mail_reset_token,
241
265
  redirect_url: @mail_redirect_url
242
266
  }
243
267
  @resource.reload
244
268
 
245
- assert_equal @mail_reset_token, @resource.reset_password_token
269
+ assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
246
270
  end
247
271
 
248
272
  test 'response should return success status' do
@@ -254,26 +278,6 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
254
278
  assert_equal 302, response.status
255
279
  end
256
280
 
257
- test 'reset_password_token should be valid only one first time' do
258
- get :edit, params: {
259
- reset_password_token: @mail_reset_token,
260
- redirect_url: @mail_redirect_url
261
- }
262
-
263
- @resource.reload
264
- assert_equal @mail_reset_token, @resource.reset_password_token
265
-
266
- assert_raises(ActionController::RoutingError) {
267
- get :edit, params: {
268
- reset_password_token: @mail_reset_token,
269
- redirect_url: @mail_redirect_url
270
- }
271
- }
272
-
273
- @resource.reload
274
- assert_equal @mail_reset_token, @resource.reset_password_token
275
- end
276
-
277
281
  test 'reset_password_sent_at should be valid' do
278
282
  assert_equal @resource.reset_password_period_valid?, true
279
283
 
@@ -283,7 +287,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
283
287
  }
284
288
 
285
289
  @resource.reload
286
- assert_equal @mail_reset_token, @resource.reset_password_token
290
+ assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
287
291
  end
288
292
 
289
293
  test 'reset_password_sent_at should be expired' do
@@ -354,8 +358,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
354
358
 
355
359
  describe 'Using redirect_whitelist' do
356
360
  before do
357
- @resource = create(:user, :confirmed)
358
- @good_redirect_url = Faker::Internet.url
361
+ @good_redirect_url = @redirect_url
359
362
  @bad_redirect_url = Faker::Internet.url
360
363
  DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
361
364
  end
@@ -364,31 +367,65 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
364
367
  DeviseTokenAuth.redirect_whitelist = nil
365
368
  end
366
369
 
367
- test 'request to whitelisted redirect should be successful' do
368
- post :create,
369
- params: { email: @resource.email,
370
- redirect_url: @good_redirect_url }
370
+ describe 'for create' do
371
+ test 'request to whitelisted redirect should be successful' do
372
+ post :create,
373
+ params: { email: @resource.email,
374
+ redirect_url: @good_redirect_url }
371
375
 
372
- assert_equal 200, response.status
373
- end
376
+ assert_equal 200, response.status
377
+ end
374
378
 
375
- test 'request to non-whitelisted redirect should fail' do
376
- post :create,
377
- params: { email: @resource.email,
378
- redirect_url: @bad_redirect_url }
379
+ test 'request to non-whitelisted redirect should fail' do
380
+ post :create,
381
+ params: { email: @resource.email,
382
+ redirect_url: @bad_redirect_url }
383
+
384
+ assert_equal 422, response.status
385
+ end
386
+
387
+ test 'request to non-whitelisted redirect should return error message' do
388
+ post :create,
389
+ params: { email: @resource.email,
390
+ redirect_url: @bad_redirect_url }
379
391
 
380
- assert_equal 422, response.status
392
+ @data = JSON.parse(response.body)
393
+ assert @data['errors']
394
+ assert_equal @data['errors'],
395
+ [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
396
+ redirect_url: @bad_redirect_url)]
397
+ end
381
398
  end
382
- test 'request to non-whitelisted redirect should return error message' do
383
- post :create,
384
- params: { email: @resource.email,
385
- redirect_url: @bad_redirect_url }
386
399
 
387
- @data = JSON.parse(response.body)
388
- assert @data['errors']
389
- assert_equal @data['errors'],
390
- [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
391
- redirect_url: @bad_redirect_url)]
400
+ describe 'for edit' do
401
+ before do
402
+ @auth_headers = @resource.create_new_auth_token
403
+ @new_password = Faker::Internet.password
404
+
405
+ get_reset_token
406
+ end
407
+
408
+ test 'request to whitelisted redirect should be successful' do
409
+ get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @good_redirect_url }
410
+
411
+ assert_equal 302, response.status
412
+ end
413
+
414
+ test 'request to non-whitelisted redirect should fail' do
415
+ get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
416
+
417
+ assert_equal 422, response.status
418
+ end
419
+
420
+ test 'request to non-whitelisted redirect should return error message' do
421
+ get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
422
+
423
+ @data = JSON.parse(response.body)
424
+ assert @data['errors']
425
+ assert_equal @data['errors'],
426
+ [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
427
+ redirect_url: @bad_redirect_url)]
428
+ end
392
429
  end
393
430
  end
394
431
 
@@ -403,6 +440,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
403
440
 
404
441
  describe 'success' do
405
442
  before do
443
+ DeviseTokenAuth.require_client_password_reset_token = false
406
444
  @auth_headers = @resource.create_new_auth_token
407
445
  request.headers.merge!(@auth_headers)
408
446
  @new_password = Faker::Internet.password
@@ -467,6 +505,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
467
505
 
468
506
  describe 'current password mismatch error' do
469
507
  before do
508
+ DeviseTokenAuth.require_client_password_reset_token = false
470
509
  @auth_headers = @resource.create_new_auth_token
471
510
  request.headers.merge!(@auth_headers)
472
511
  @new_password = Faker::Internet.password
@@ -483,7 +522,35 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
483
522
  end
484
523
 
485
524
  describe 'change password' do
486
- describe 'success' do
525
+ describe 'using reset token' do
526
+ before do
527
+ DeviseTokenAuth.require_client_password_reset_token = true
528
+ @redirect_url = 'http://client-app.dev'
529
+ get_reset_token
530
+ edit_url = CGI.unescape(@mail.body.match(/href=\"(.+)\"/)[1])
531
+ query_parts = Rack::Utils.parse_nested_query(URI.parse(edit_url).query)
532
+ get :edit, params: query_parts
533
+ end
534
+
535
+ test 'request should be redirect' do
536
+ assert_equal 302, response.status
537
+ end
538
+
539
+ test 'request should redirect to correct redirect url' do
540
+ host = URI.parse(response.location).host
541
+ query_parts = Rack::Utils.parse_nested_query(URI.parse(response.location).query)
542
+
543
+ assert_equal 'client-app.dev', host
544
+ assert_equal @mail_reset_token, query_parts['reset_password_token']
545
+ assert_equal 1, query_parts.keys.size
546
+ end
547
+
548
+ teardown do
549
+ DeviseTokenAuth.require_client_password_reset_token = false
550
+ end
551
+ end
552
+
553
+ describe 'with valid headers' do
487
554
  before do
488
555
  @auth_headers = @resource.create_new_auth_token
489
556
  request.headers.merge!(@auth_headers)
@@ -509,6 +576,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
509
576
  test 'new password should authenticate user' do
510
577
  assert @resource.valid_password?(@new_password)
511
578
  end
579
+
580
+ test 'reset_password_token should be removed' do
581
+ assert_nil @resource.reset_password_token
582
+ end
512
583
  end
513
584
 
514
585
  describe 'password mismatch error' do
@@ -526,19 +597,93 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
526
597
  end
527
598
  end
528
599
 
529
- describe 'unauthorized user' do
600
+ describe 'without valid headers' do
530
601
  before do
531
- @auth_headers = @resource.create_new_auth_token
532
- @new_password = Faker::Internet.password
602
+ @resource.create_new_auth_token
603
+ new_password = Faker::Internet.password
533
604
 
534
- put :update, params: { password: @new_password,
535
- password_confirmation: @new_password }
605
+ put :update, params: { password: new_password,
606
+ password_confirmation: new_password }
536
607
  end
537
608
 
538
609
  test 'response should fail' do
539
610
  assert_equal 401, response.status
540
611
  end
541
612
  end
613
+
614
+ describe 'with valid reset password token' do
615
+ before do
616
+ reset_password_token = @resource.send_reset_password_instructions
617
+ @new_password = Faker::Internet.password
618
+ @params = { password: @new_password,
619
+ password_confirmation: @new_password,
620
+ reset_password_token: reset_password_token }
621
+ end
622
+
623
+ describe 'with require_client_password_reset_token disabled' do
624
+ before do
625
+ DeviseTokenAuth.require_client_password_reset_token = false
626
+ put :update, params: @params
627
+
628
+ @data = JSON.parse(response.body)
629
+ @resource.reload
630
+ end
631
+
632
+ test 'request should be not be successful' do
633
+ assert_equal 401, response.status
634
+ end
635
+ end
636
+
637
+ describe 'with require_client_password_reset_token enabled' do
638
+ before do
639
+ DeviseTokenAuth.require_client_password_reset_token = true
640
+ put :update, params: @params
641
+
642
+ @data = JSON.parse(response.body)
643
+ @resource.reload
644
+ end
645
+
646
+ test 'request should be successful' do
647
+ assert_equal 200, response.status
648
+ end
649
+
650
+ test 'request should return success message' do
651
+ assert @data['message']
652
+ assert_equal @data['message'],
653
+ I18n.t('devise_token_auth.passwords.successfully_updated')
654
+ end
655
+
656
+ test 'new password should authenticate user' do
657
+ assert @resource.valid_password?(@new_password)
658
+ end
659
+
660
+ teardown do
661
+ DeviseTokenAuth.require_client_password_reset_token = false
662
+ end
663
+ end
664
+ end
665
+
666
+ describe 'with invalid reset password token' do
667
+ before do
668
+ DeviseTokenAuth.require_client_password_reset_token = true
669
+ @resource.update reset_password_token: 'koskoskoskos'
670
+ put :update, params: @params
671
+ @data = JSON.parse(response.body)
672
+ @resource.reload
673
+ end
674
+
675
+ test 'request should fail' do
676
+ assert_equal 401, response.status
677
+ end
678
+
679
+ test 'new password should not authenticate user' do
680
+ assert !@resource.valid_password?(@new_password)
681
+ end
682
+
683
+ teardown do
684
+ DeviseTokenAuth.require_client_password_reset_token = false
685
+ end
686
+ end
542
687
  end
543
688
  end
544
689
 
@@ -554,16 +699,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
554
699
  before do
555
700
  @resource = create(:mang_user, :confirmed)
556
701
  @redirect_url = 'http://ng-token-auth.dev'
557
-
558
- post :create, params: { email: @resource.email,
559
- redirect_url: @redirect_url }
560
-
561
- @mail = ActionMailer::Base.deliveries.last
562
- @resource.reload
563
-
564
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
565
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
566
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
702
+ get_reset_token
567
703
  end
568
704
 
569
705
  test 'response should return success status' do
@@ -582,15 +718,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
582
718
  @resource = create(:user)
583
719
  @redirect_url = 'http://ng-token-auth.dev'
584
720
 
585
- post :create, params: { email: @resource.email,
586
- redirect_url: @redirect_url }
587
-
588
- @mail = ActionMailer::Base.deliveries.last
589
- @resource.reload
590
-
591
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
592
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
593
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
721
+ get_reset_token
594
722
 
595
723
  get :edit, params: { reset_password_token: @mail_reset_token,
596
724
  redirect_url: @mail_redirect_url }
@@ -610,17 +738,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
610
738
 
611
739
  before do
612
740
  @resource = unconfirmable_users(:user)
613
- @redirect_url = 'http://ng-token-auth.dev'
614
741
 
615
- post :create, params: { email: @resource.email,
616
- redirect_url: @redirect_url }
617
-
618
- @mail = ActionMailer::Base.deliveries.last
619
- @resource.reload
620
-
621
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
622
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
623
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
742
+ get_reset_token
624
743
 
625
744
  get :edit, params: { reset_password_token: @mail_reset_token,
626
745
  redirect_url: @mail_redirect_url }
@@ -635,21 +754,27 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
635
754
  @redirect_url = 'http://ng-token-auth.dev'
636
755
  @config_name = 'altUser'
637
756
 
638
- post :create, params: { email: @resource.email,
757
+ params = { email: @resource.email,
639
758
  redirect_url: @redirect_url,
640
759
  config_name: @config_name }
641
-
642
- @mail = ActionMailer::Base.deliveries.last
643
- @resource.reload
644
-
645
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
646
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
647
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
760
+ get_reset_token params
648
761
  end
649
762
 
650
763
  test 'config_name param is included in the confirmation email link' do
651
764
  assert_equal @config_name, @mail_config_name
652
765
  end
653
766
  end
767
+
768
+ def get_reset_token(params = nil)
769
+ params ||= { email: @resource.email, redirect_url: @redirect_url }
770
+ post :create, params: params
771
+
772
+ @mail = ActionMailer::Base.deliveries.last
773
+ @resource.reload
774
+
775
+ @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
776
+ @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
777
+ @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
778
+ end
654
779
  end
655
780
  end