RubyGems - devise_token_auth - Versions diffs - 1.0.0 → 1.2.2 - Mend

devise_token_auth 1.0.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (134) hide show

data/test/controllers/devise_token_auth/confirmations_controller_test.rb CHANGED Viewed

@@ -11,7 +11,7 @@ require 'test_helper'
 class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
   describe DeviseTokenAuth::ConfirmationsController do
     def token_and_client_config_from(body)
-      token         = body.match(/confirmation_token=([^&]*)&/)[1]
+      token         = body.match(/confirmation_token=([^&]*)[&"]/)[1]
       client_config = body.match(/config=([^&]*)&/)[1]
       [token, client_config]
     end
@@ -23,6 +23,7 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
         @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
         mail = ActionMailer::Base.deliveries.last
         @token, @client_config = token_and_client_config_from(mail.body)
+        @token_params = %w[access-token client client_id config expiry token uid]
       end
       test 'should generate raw token' do
@@ -38,43 +39,190 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
       end
       describe 'success' do
-        before do
-          get :show,
-              params: { confirmation_token: @token,
-                        redirect_url: @redirect_url },
-              xhr: true
-          @resource = assigns(:resource)
-        end
+        describe 'when authenticated' do
+          before do
+            sign_in(@new_user)
+            get :show,
+                params: { confirmation_token: @token,
+                          redirect_url: @redirect_url },
+                xhr: true
+            @resource = assigns(:resource)
+          end
-        test 'user should now be confirmed' do
-          assert @resource.confirmed?
-        end
+          test 'user should now be confirmed' do
+            assert @resource.confirmed?
+          end
-        test 'should redirect to success url' do
-          assert_redirected_to(/^#{@redirect_url}/)
+          test 'should save the authentication token' do
+            assert @resource.reload.tokens.present?
+          end
+          test 'should redirect to success url' do
+            assert_redirected_to(/^#{@redirect_url}/)
+          end
+          test 'redirect url includes token params' do
+            assert @token_params.all? { |param| response.body.include?(param) }
+            assert response.body.include?('account_confirmation_success')
+          end
         end
-        test 'the sign_in_count should be 1' do
-          assert @resource.sign_in_count == 1
+        describe 'when unauthenticated' do
+          before do
+            sign_out(@new_user)
+            get :show,
+                params: { confirmation_token: @token,
+                          redirect_url: @redirect_url },
+                xhr: true
+            @resource = assigns(:resource)
+          end
+          test 'user should now be confirmed' do
+            assert @resource.confirmed?
+          end
+          test 'should redirect to success url' do
+            assert_redirected_to(/^#{@redirect_url}/)
+          end
+          test 'redirect url does not include token params' do
+            refute @token_params.any? { |param| response.body.include?(param) }
+            assert response.body.include?('account_confirmation_success')
+          end
         end
-        test 'User shoud have the signed in info filled' do
-          assert @resource.current_sign_in_at?
+        describe 'resend confirmation' do
+          describe 'without paranoid mode' do
+            describe 'on success' do
+              before do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+              test 'user should not be confirmed' do
+                assert_nil @resource.confirmed_at
+              end
+              test 'should generate raw token' do
+                assert @token
+                assert_equal @new_user.confirmation_token, @token
+              end
+              test 'user should receive confirmation email' do
+                assert_equal @resource.email, @mail['to'].to_s
+              end
+              test 'response should contain message' do
+                assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
+              end
+            end
+            describe 'on failure' do
+              before do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+              test 'response should contain errors' do
+                assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
+              end
+            end
+          end
         end
-        test 'User shoud have the Last checkin filled' do
-          assert @resource.last_sign_in_at?
+        describe 'with paranoid mode' do
+          describe 'on success' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+            end
+            test 'user should not be confirmed' do
+              assert_nil @resource.confirmed_at
+            end
+            test 'should generate raw token' do
+              assert @token
+              assert_equal @new_user.confirmation_token, @token
+            end
+            test 'user should receive confirmation email' do
+              assert_equal @resource.email, @mail['to'].to_s
+            end
+            test 'response should contain message' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
+            end
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+          end
+          describe 'on failure' do
+            before do
+              swap Devise, paranoid: true do
+                @email = 'chester@cheet.ah'
+                post :create,
+                     params: { email: @email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+            end
+            test 'response should not contain errors' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
+            end
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+          end
         end
       end
       describe 'failure' do
         test 'user should not be confirmed' do
-          assert_raises(ActionController::RoutingError) do
-            get :show, params: { confirmation_token: 'bogus' }
-          end
+          get :show,
+              params: { confirmation_token: 'bogus',
+                        redirect_url: @redirect_url }
+          assert_redirected_to(/^#{@redirect_url}/)
           @resource = assigns(:resource)
           refute @resource.confirmed?
         end
+        test 'request resend confirmation without email' do
+          post :create, params: { email: nil }, xhr: true
+          assert_equal 401, response.status
+        end
+        test 'user should not be found on resend confirmation request' do
+          post :create, params: { email: 'bogus' }, xhr: true
+          assert_equal 404, response.status
+        end
       end
     end

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb CHANGED Viewed

@@ -13,12 +13,12 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
   before do
-    @redirect_url = 'http://ng-token-auth.dev/'
+    @redirect_url = 'https://ng-token-auth.dev/'
   end
   def get_parsed_data_json
     encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
-    JSON.parse(URI.unescape(encoded_json_data))
+    JSON.parse(CGI.unescape(encoded_json_data))
   end
   describe 'success callback' do
@@ -98,7 +98,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     describe 'with alternate user model' do
       before do
-        get '/mangs/facebook',
+        post '/mangs/facebook',
             params: {
               auth_origin_url: @redirect_url,
               omniauth_window_type: 'newWindow'
@@ -123,7 +123,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       before do
         @fav_color = 'alizarin crimson'
         @unpermitted_param = 'M. Bison'
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       favorite_color: @fav_color,
                       name: @unpermitted_param,
@@ -155,10 +155,12 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       describe 'with new user' do
         before do
           User.any_instance.expects(:new_record?).returns(true).at_least_once
+          # https://docs.mongodb.com/mongoid/master/tutorials/mongoid-documents/#notes-on-persistence
+          User.any_instance.expects(:save!).returns(true)
         end
         test 'response contains oauth_registration attr' do
-          get '/auth/facebook',
+          post '/auth/facebook',
               params: { auth_origin_url: @redirect_url,
                         omniauth_window_type: 'newWindow' }
@@ -174,7 +176,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         end
         test 'response does not contain oauth_registration attr' do
-          get '/auth/facebook',
+          post '/auth/facebook',
               params: { auth_origin_url: @redirect_url,
                         omniauth_window_type: 'newWindow' }
@@ -187,7 +189,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     describe 'using namespaces' do
       before do
-        get '/api/v1/auth/facebook',
+        post '/api/v1/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       omniauth_window_type: 'newWindow' }
@@ -232,7 +234,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     describe 'with omniauth_window_type=sameWindow' do
       test 'redirects to auth_origin_url with all expected query params' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: '/auth_origin',
                       omniauth_window_type: 'sameWindow' }
@@ -256,7 +258,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     end
     def get_success(params = {})
-      get '/auth/facebook',
+      post '/auth/facebook',
           params: {
             auth_origin_url: @redirect_url,
             omniauth_window_type: 'newWindow'
@@ -280,7 +282,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     test 'renders expected data' do
       silence_omniauth do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       omniauth_window_type: 'newWindow' }
@@ -296,7 +298,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     test 'renders something with no auth_origin_url' do
       silence_omniauth do
-        get '/auth/facebook'
+        post '/auth/facebook'
         follow_all_redirects!
       end
       assert_equal 200, response.status
@@ -315,60 +317,122 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
   describe 'Using redirect_whitelist' do
-    before do
-      @user_email = 'slemp.diggler@sillybandz.gov'
-      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
-        provider: 'facebook',
-        uid: '123545',
-        info: {
-          name: 'chong',
-          email: @user_email
-        }
-      )
-      @good_redirect_url = Faker::Internet.url
-      @bad_redirect_url = Faker::Internet.url
-      DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
-    end
-    teardown do
-      DeviseTokenAuth.redirect_whitelist = nil
-    end
+    describe "newWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
+          }
+        )
+        @good_redirect_url = Faker::Internet.url
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
-    test 'request using non-whitelisted redirect fail' do
-      get '/auth/facebook',
-          params: { auth_origin_url: @bad_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
-      follow_all_redirects!
+      test 'request using non-whitelisted redirect fail' do
+        post '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'newWindow' }
-      data = get_parsed_data_json
-      assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
-                   data['error']
+        follow_all_redirects!
+        data = get_parsed_data_json
+        assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
+                    data['error']
+      end
+      test 'request to whitelisted redirect should succeed' do
+        post '/auth/facebook',
+            params: {
+              auth_origin_url: @good_redirect_url,
+              omniauth_window_type: 'newWindow'
+            }
+        follow_all_redirects!
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        post '/auth/facebook',
+            params: { auth_origin_url: @good_redirect_url,
+                      omniauth_window_type: 'newWindow' }
+        follow_all_redirects!
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
     end
-    test 'request to whitelisted redirect should succeed' do
-      get '/auth/facebook',
-          params: {
-            auth_origin_url: @good_redirect_url,
-            omniauth_window_type: 'newWindow'
+    describe "sameWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
           }
+        )
+        @good_redirect_url = '/auth_origin'
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
-      follow_all_redirects!
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
-    end
+      test 'request using non-whitelisted redirect fail' do
+        post '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'sameWindow' }
-    test 'should support wildcards' do
-      DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-      get '/auth/facebook',
-          params: { auth_origin_url: @good_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+        follow_all_redirects!
-      follow_all_redirects!
+        assert_equal 200, response.status
+        assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
+      end
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
+      test 'request to whitelisted redirect should succeed' do
+        post '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+        follow_all_redirects!
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        post '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+        follow_all_redirects!
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
     end
   end
 end