devise_token_auth 1.0.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (134)
  1. checksums.yaml +5 -5
  2. data/README.md +6 -3
  3. data/app/controllers/devise_token_auth/application_controller.rb +23 -3
  4. data/app/controllers/devise_token_auth/concerns/resource_finder.rb +24 -11
  5. data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +78 -57
  6. data/app/controllers/devise_token_auth/confirmations_controller.rb +69 -19
  7. data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +89 -44
  8. data/app/controllers/devise_token_auth/passwords_controller.rb +55 -31
  9. data/app/controllers/devise_token_auth/registrations_controller.rb +33 -40
  10. data/app/controllers/devise_token_auth/sessions_controller.rb +36 -14
  11. data/app/controllers/devise_token_auth/unlocks_controller.rb +12 -7
  12. data/app/models/devise_token_auth/concerns/active_record_support.rb +14 -0
  13. data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
  14. data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
  15. data/app/models/devise_token_auth/concerns/tokens_serialization.rb +31 -0
  16. data/app/models/devise_token_auth/concerns/user.rb +79 -80
  17. data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +12 -5
  18. data/app/validators/{email_validator.rb → devise_token_auth_email_validator.rb} +11 -3
  19. data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
  20. data/config/locales/da-DK.yml +2 -0
  21. data/config/locales/de.yml +2 -0
  22. data/config/locales/en.yml +10 -0
  23. data/config/locales/es.yml +2 -0
  24. data/config/locales/fr.yml +2 -0
  25. data/config/locales/he.yml +52 -0
  26. data/config/locales/it.yml +2 -0
  27. data/config/locales/ja.yml +16 -2
  28. data/config/locales/ko.yml +51 -0
  29. data/config/locales/nl.yml +2 -0
  30. data/config/locales/pl.yml +6 -3
  31. data/config/locales/pt-BR.yml +2 -0
  32. data/config/locales/pt.yml +6 -3
  33. data/config/locales/ro.yml +2 -0
  34. data/config/locales/ru.yml +2 -0
  35. data/config/locales/sq.yml +2 -0
  36. data/config/locales/sv.yml +2 -0
  37. data/config/locales/uk.yml +2 -0
  38. data/config/locales/vi.yml +2 -0
  39. data/config/locales/zh-CN.yml +2 -0
  40. data/config/locales/zh-HK.yml +2 -0
  41. data/config/locales/zh-TW.yml +2 -0
  42. data/lib/devise_token_auth/blacklist.rb +6 -0
  43. data/lib/devise_token_auth/controllers/helpers.rb +5 -9
  44. data/lib/devise_token_auth/engine.rb +17 -2
  45. data/lib/devise_token_auth/rails/routes.rb +22 -16
  46. data/lib/devise_token_auth/token_factory.rb +126 -0
  47. data/lib/devise_token_auth/url.rb +3 -0
  48. data/lib/devise_token_auth/version.rb +1 -1
  49. data/lib/devise_token_auth.rb +6 -3
  50. data/lib/generators/devise_token_auth/USAGE +1 -1
  51. data/lib/generators/devise_token_auth/install_generator.rb +7 -91
  52. data/lib/generators/devise_token_auth/install_generator_helpers.rb +98 -0
  53. data/lib/generators/devise_token_auth/install_mongoid_generator.rb +46 -0
  54. data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +21 -5
  55. data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -8
  56. data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
  57. data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +56 -0
  58. data/test/controllers/custom/custom_confirmations_controller_test.rb +2 -2
  59. data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +1 -1
  60. data/test/controllers/demo_mang_controller_test.rb +37 -8
  61. data/test/controllers/demo_user_controller_test.rb +39 -10
  62. data/test/controllers/devise_token_auth/confirmations_controller_test.rb +170 -22
  63. data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +117 -53
  64. data/test/controllers/devise_token_auth/passwords_controller_test.rb +299 -122
  65. data/test/controllers/devise_token_auth/registrations_controller_test.rb +56 -16
  66. data/test/controllers/devise_token_auth/sessions_controller_test.rb +139 -75
  67. data/test/controllers/devise_token_auth/token_validations_controller_test.rb +43 -2
  68. data/test/controllers/devise_token_auth/unlocks_controller_test.rb +44 -5
  69. data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
  70. data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +1 -1
  71. data/test/dummy/app/active_record/confirmable_user.rb +11 -0
  72. data/test/dummy/app/{models → active_record}/scoped_user.rb +2 -2
  73. data/test/dummy/app/{models → active_record}/unconfirmable_user.rb +1 -2
  74. data/test/dummy/app/{models → active_record}/unregisterable_user.rb +3 -3
  75. data/test/dummy/app/active_record/user.rb +6 -0
  76. data/test/dummy/app/controllers/application_controller.rb +2 -6
  77. data/test/dummy/app/controllers/overrides/confirmations_controller.rb +5 -4
  78. data/test/dummy/app/controllers/overrides/passwords_controller.rb +5 -4
  79. data/test/dummy/app/controllers/overrides/registrations_controller.rb +1 -1
  80. data/test/dummy/app/controllers/overrides/sessions_controller.rb +2 -2
  81. data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} +7 -8
  82. data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
  83. data/test/dummy/app/mongoid/lockable_user.rb +38 -0
  84. data/test/dummy/app/mongoid/mang.rb +46 -0
  85. data/test/dummy/app/mongoid/only_email_user.rb +33 -0
  86. data/test/dummy/app/mongoid/scoped_user.rb +50 -0
  87. data/test/dummy/app/mongoid/unconfirmable_user.rb +44 -0
  88. data/test/dummy/app/mongoid/unregisterable_user.rb +47 -0
  89. data/test/dummy/app/mongoid/user.rb +49 -0
  90. data/test/dummy/app/views/layouts/application.html.erb +0 -2
  91. data/test/dummy/config/application.rb +22 -1
  92. data/test/dummy/config/boot.rb +4 -0
  93. data/test/dummy/config/environments/development.rb +0 -10
  94. data/test/dummy/config/environments/production.rb +0 -16
  95. data/test/dummy/config/environments/test.rb +6 -2
  96. data/test/dummy/config/initializers/devise.rb +285 -0
  97. data/test/dummy/config/initializers/devise_token_auth.rb +35 -4
  98. data/test/dummy/config/initializers/figaro.rb +1 -1
  99. data/test/dummy/config/initializers/omniauth.rb +1 -0
  100. data/test/dummy/config/routes.rb +2 -0
  101. data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +0 -7
  102. data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +0 -7
  103. data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +0 -7
  104. data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +0 -7
  105. data/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +0 -7
  106. data/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb +0 -7
  107. data/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb +0 -7
  108. data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
  109. data/test/dummy/db/schema.rb +31 -33
  110. data/test/dummy/tmp/generators/app/models/user.rb +9 -0
  111. data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +66 -0
  112. data/test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb +49 -0
  113. data/test/factories/users.rb +3 -2
  114. data/test/lib/devise_token_auth/blacklist_test.rb +19 -0
  115. data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
  116. data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
  117. data/test/lib/devise_token_auth/token_factory_test.rb +191 -0
  118. data/test/lib/devise_token_auth/url_test.rb +2 -2
  119. data/test/lib/generators/devise_token_auth/install_generator_test.rb +51 -31
  120. data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +51 -31
  121. data/test/models/concerns/mongoid_support_test.rb +31 -0
  122. data/test/models/concerns/tokens_serialization_test.rb +104 -0
  123. data/test/models/confirmable_user_test.rb +35 -0
  124. data/test/models/only_email_user_test.rb +0 -8
  125. data/test/models/user_test.rb +13 -23
  126. data/test/test_helper.rb +45 -4
  127. metadata +190 -97
  128. data/config/initializers/devise.rb +0 -198
  129. data/test/dummy/config/initializers/assets.rb +0 -10
  130. data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
  131. data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
  132. /data/test/dummy/app/{models → active_record}/lockable_user.rb +0 -0
  133. /data/test/dummy/app/{models → active_record}/mang.rb +0 -0
  134. /data/test/dummy/app/{models → active_record}/only_email_user.rb +0 -0
@@ -10,6 +10,17 @@ require 'test_helper'
10
10
 
11
11
  class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
12
12
  describe DeviseTokenAuth::RegistrationsController do
13
+
14
+ def mock_registration_params
15
+ {
16
+ email: Faker::Internet.email,
17
+ password: 'secret123',
18
+ password_confirmation: 'secret123',
19
+ confirm_success_url: Faker::Internet.url,
20
+ unpermitted_param: '(x_x)'
21
+ }
22
+ end
23
+
13
24
  describe 'Validate non-empty body' do
14
25
  before do
15
26
  # need to post empty data
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
41
52
  @mails_sent = ActionMailer::Base.deliveries.count
42
53
 
43
54
  post '/auth',
44
- params: {
45
- email: Faker::Internet.email,
46
- password: 'secret123',
47
- password_confirmation: 'secret123',
48
- confirm_success_url: Faker::Internet.url,
49
- unpermitted_param: '(x_x)'
50
- }
55
+ params: mock_registration_params
51
56
 
52
57
  @resource = assigns(:resource)
53
58
  @data = JSON.parse(response.body)
@@ -83,6 +88,41 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
83
88
  end
84
89
  end
85
90
 
91
+ describe 'using allow_unconfirmed_access_for' do
92
+ before do
93
+ @original_duration = Devise.allow_unconfirmed_access_for
94
+ Devise.allow_unconfirmed_access_for = nil
95
+ end
96
+
97
+ test 'auth headers were returned in response' do
98
+ post '/auth', params: mock_registration_params
99
+ assert response.headers['access-token']
100
+ assert response.headers['token-type']
101
+ assert response.headers['client']
102
+ assert response.headers['expiry']
103
+ assert response.headers['uid']
104
+ end
105
+
106
+ describe 'using auth cookie' do
107
+ before do
108
+ DeviseTokenAuth.cookie_enabled = true
109
+ end
110
+
111
+ test 'auth cookie was returned in response' do
112
+ post '/auth', params: mock_registration_params
113
+ assert response.cookies[DeviseTokenAuth.cookie_name]
114
+ end
115
+
116
+ after do
117
+ DeviseTokenAuth.cookie_enabled = false
118
+ end
119
+ end
120
+
121
+ after do
122
+ Devise.allow_unconfirmed_access_for = @original_duration
123
+ end
124
+ end
125
+
86
126
  describe 'using "+" in email' do
87
127
  test 'can use + sign in email addresses' do
88
128
  @plus_email = 'ak+testing@gmail.com'
@@ -266,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
266
306
  @data = JSON.parse(response.body)
267
307
  @mail = ActionMailer::Base.deliveries.last
268
308
 
269
- @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
309
+ @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
270
310
  @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
271
311
  @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
272
312
  end
@@ -305,7 +345,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
305
345
  end
306
346
 
307
347
  test 'user should not have been created' do
308
- assert_nil @resource.id
348
+ refute @resource.persisted?
309
349
  end
310
350
 
311
351
  test 'error should be returned in the response' do
@@ -333,7 +373,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
333
373
  end
334
374
 
335
375
  test 'user should not have been created' do
336
- assert_nil @resource.id
376
+ refute @resource.persisted?
337
377
  end
338
378
 
339
379
  test 'error should be returned in the response' do
@@ -362,7 +402,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
362
402
  end
363
403
 
364
404
  test 'user should have been created' do
365
- assert_nil @resource.id
405
+ refute @resource.persisted?
366
406
  end
367
407
 
368
408
  test 'error should be returned in the response' do
@@ -393,7 +433,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
393
433
  end
394
434
 
395
435
  test 'user should have been created' do
396
- assert_nil @resource.id
436
+ refute @resource.persisted?
397
437
  end
398
438
 
399
439
  test 'error should be returned in the response' do
@@ -465,7 +505,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
465
505
  # test valid update param
466
506
  @resource_class = User
467
507
  @new_operating_thetan = 1_000_000
468
- @email = 'AlternatingCase2@example.com'
508
+ @email = Faker::Internet.safe_email
469
509
  @request_params = {
470
510
  operating_thetan: @new_operating_thetan,
471
511
  email: @email
@@ -572,7 +612,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
572
612
  # test valid update param
573
613
  @resource_class = User
574
614
  @new_operating_thetan = 1_000_000
575
- @email = 'AlternatingCase2@example.com'
615
+ @email = Faker::Internet.safe_email
576
616
  @request_params = {
577
617
  operating_thetan: @new_operating_thetan,
578
618
  email: @email
@@ -623,7 +663,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
623
663
  before do
624
664
  DeviseTokenAuth.check_current_password_before_update = :password
625
665
  @new_operating_thetan = 1_000_000
626
- @email = 'AlternatingCase2@example.com'
666
+ @email = Faker::Internet.safe_email
627
667
  end
628
668
 
629
669
  after do
@@ -786,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
786
826
 
787
827
  @resource.reload
788
828
 
789
- @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
829
+ @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
790
830
  @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
791
831
  @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
792
832
  end
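Review bot: The `after` blocks of the new 'using auth cookie' describe and its parent reset `DeviseTokenAuth.cookie_enabled = false` rather than restoring the value they found, whereas the enclosing 'using allow_unconfirmed_access_for' describe correctly saves `Devise.allow_unconfirmed_access_for` into `@original_duration` and puts it back; the same hard-coded reset appears in the sessions-controller hunks `@@ -47,29 +36,22 @@` and `@@ -197,6 +174,24 @@`. Save the previous value in `before` (`@original_cookie_enabled = DeviseTokenAuth.cookie_enabled`) and restore it in `after` (`DeviseTokenAuth.cookie_enabled = @original_cookie_enabled`) so a suite configured with cookies on is not silently switched off by this test. A one-line comment on `Devise.allow_unconfirmed_access_for = nil` would also help, since `nil` in Devise means unconfirmed accounts may authenticate without a time limit, which is why the test expects auth headers straight from `POST /auth`: `# nil = unlimited unconfirmed access, so registration must answer with a usable token`. The enclosing describe of these hunks starts and ends outside the shown lines.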
@@ -17,26 +17,15 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
17
17
 
18
18
  describe 'success' do
19
19
  before do
20
- @old_sign_in_count = @existing_user.sign_in_count
21
- @old_current_sign_in_at = @existing_user.current_sign_in_at
22
- @old_last_sign_in_at = @existing_user.last_sign_in_at
23
- @old_sign_in_ip = @existing_user.current_sign_in_ip
24
- @old_last_sign_in_ip = @existing_user.last_sign_in_ip
20
+ @user_session_params = {
21
+ email: @existing_user.email,
22
+ password: @existing_user.password
23
+ }
25
24
 
26
- post :create,
27
- params: {
28
- email: @existing_user.email,
29
- password: @existing_user.password
30
- }
25
+ post :create, params: @user_session_params
31
26
 
32
27
  @resource = assigns(:resource)
33
28
  @data = JSON.parse(response.body)
34
-
35
- @new_sign_in_count = @resource.sign_in_count
36
- @new_current_sign_in_at = @resource.current_sign_in_at
37
- @new_last_sign_in_at = @resource.last_sign_in_at
38
- @new_sign_in_ip = @resource.current_sign_in_ip
39
- @new_last_sign_in_ip = @resource.last_sign_in_ip
40
29
  end
41
30
 
42
31
  test 'request should succeed' do
@@ -47,29 +36,22 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
47
36
  assert_equal @existing_user.email, @data['data']['email']
48
37
  end
49
38
 
50
- describe 'trackable' do
51
- test 'sign_in_count incrementns' do
52
- assert_equal @old_sign_in_count + 1, @new_sign_in_count
53
- end
54
-
55
- test 'current_sign_in_at is updated' do
56
- refute @old_current_sign_in_at
57
- assert @new_current_sign_in_at
39
+ describe 'using auth cookie' do
40
+ before do
41
+ DeviseTokenAuth.cookie_enabled = true
42
+ post :create, params: @user_session_params
58
43
  end
59
44
 
60
- test 'last_sign_in_at is updated' do
61
- refute @old_last_sign_in_at
62
- assert @new_last_sign_in_at
45
+ test 'request should return auth cookie' do
46
+ assert response.cookies[DeviseTokenAuth.cookie_name]
63
47
  end
64
48
 
65
- test 'sign_in_ip is updated' do
66
- refute @old_sign_in_ip
67
- assert_equal '0.0.0.0', @new_sign_in_ip
49
+ test 'request should not include bearer token' do
50
+ assert_nil response.headers["Authorization"]
68
51
  end
69
52
 
70
- test 'last_sign_in_ip is updated' do
71
- refute @old_last_sign_in_ip
72
- assert_equal '0.0.0.0', @new_last_sign_in_ip
53
+ after do
54
+ DeviseTokenAuth.cookie_enabled = false
73
55
  end
74
56
  end
75
57
 
@@ -79,11 +61,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
79
61
  # to expedite tests! (Default is 10)
80
62
  DeviseTokenAuth.max_number_of_devices = 2
81
63
  DeviseTokenAuth.change_headers_on_each_request = false
82
-
83
- @user_session_params = {
84
- email: @existing_user.email,
85
- password: @existing_user.password
86
- }
87
64
  end
88
65
 
89
66
  test 'should limit the maximum number of concurrent devices' do
@@ -197,6 +174,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
197
174
  test 'session was destroyed' do
198
175
  assert_equal true, @controller.reset_session_called
199
176
  end
177
+
178
+ describe 'using auth cookie' do
179
+ before do
180
+ DeviseTokenAuth.cookie_enabled = true
181
+ @auth_token = @existing_user.create_new_auth_token
182
+ @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
183
+ end
184
+
185
+ test 'auth cookie was destroyed' do
186
+ assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
187
+ delete :destroy, format: :json
188
+ assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
189
+ end
190
+
191
+ after do
192
+ DeviseTokenAuth.cookie_enabled = false
193
+ end
194
+ end
200
195
  end
201
196
 
202
197
  describe 'unauthed user sign out' do
@@ -315,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
315
310
  end
316
311
 
317
312
  describe 'Unconfirmed user' do
318
- before do
319
- @unconfirmed_user = create(:user)
320
- post :create, params: { email: @unconfirmed_user.email,
321
- password: @unconfirmed_user.password }
322
- @resource = assigns(:resource)
323
- @data = JSON.parse(response.body)
324
- end
313
+ describe 'Without paranoid mode' do
314
+ before do
315
+ @unconfirmed_user = create(:user)
316
+ post :create, params: { email: @unconfirmed_user.email,
317
+ password: @unconfirmed_user.password }
318
+ @resource = assigns(:resource)
319
+ @data = JSON.parse(response.body)
320
+ end
325
321
 
326
- test 'request should fail' do
327
- assert_equal 401, response.status
322
+ test 'request should fail' do
323
+ assert_equal 401, response.status
324
+ end
325
+
326
+ test 'response should contain errors' do
327
+ assert @data['errors']
328
+ assert_equal @data['errors'],
329
+ [I18n.t('devise_token_auth.sessions.not_confirmed',
330
+ email: @unconfirmed_user.email)]
331
+ end
328
332
  end
333
+
334
+ describe 'With paranoid mode' do
335
+ before do
336
+ @unconfirmed_user = create(:user)
337
+ swap Devise, paranoid: true do
338
+ post :create, params: { email: @unconfirmed_user.email,
339
+ password: @unconfirmed_user.password }
340
+ end
341
+ @resource = assigns(:resource)
342
+ @data = JSON.parse(response.body)
343
+ end
329
344
 
330
- test 'response should contain errors' do
331
- assert @data['errors']
332
- assert_equal @data['errors'],
333
- [I18n.t('devise_token_auth.sessions.not_confirmed',
334
- email: @unconfirmed_user.email)]
345
+ test 'request should fail' do
346
+ assert_equal 401, response.status
347
+ end
348
+
349
+ test 'response should contain errors that do not leak the existence of the account' do
350
+ assert @data['errors']
351
+ assert_equal @data['errors'],
352
+ [I18n.t('devise_token_auth.sessions.bad_credentials')]
353
+ end
335
354
  end
336
355
  end
337
356
 
@@ -380,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
380
399
  end
381
400
 
382
401
  describe 'Non-existing user' do
383
- before do
384
- post :create,
385
- params: { email: -> { Faker::Internet.email },
386
- password: -> { Faker::Number.number(10) } }
387
- @resource = assigns(:resource)
388
- @data = JSON.parse(response.body)
389
- end
402
+ describe 'Without paranoid mode' do
403
+ before do
404
+ post :create,
405
+ params: { email: -> { Faker::Internet.email },
406
+ password: -> { Faker::Number.number(10) } }
407
+ @resource = assigns(:resource)
408
+ @data = JSON.parse(response.body)
409
+ end
390
410
 
391
- test 'request should fail' do
392
- assert_equal 401, response.status
411
+ test 'request should fail' do
412
+ assert_equal 401, response.status
413
+ end
414
+
415
+ test 'response should contain errors' do
416
+ assert @data['errors']
417
+ end
393
418
  end
394
419
 
395
- test 'response should contain errors' do
396
- assert @data['errors']
420
+ describe 'With paranoid mode' do
421
+ before do
422
+ mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
423
+ @bcrypt_mock = MiniTest::Mock.new
424
+ @bcrypt_mock.expect(:call, mock_hash, [Object, String])
425
+
426
+ swap Devise, paranoid: true do
427
+ BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
428
+ post :create,
429
+ params: { email: -> { Faker::Internet.email },
430
+ password: -> { Faker::Number.number(10) } }
431
+ end
432
+ end
433
+ end
434
+
435
+ test 'password should be hashed' do
436
+ @bcrypt_mock.verify
437
+ end
397
438
  end
398
439
  end
399
440
 
@@ -477,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
477
518
  end
478
519
 
479
520
  describe 'locked user' do
480
- before do
481
- @locked_user = create(:lockable_user, :locked)
482
- post :create,
483
- params: { email: @locked_user.email,
484
- password: @locked_user.password }
485
- @data = JSON.parse(response.body)
486
- end
521
+ describe 'Without paranoid mode' do
522
+ before do
523
+ @locked_user = create(:lockable_user, :locked)
524
+ post :create,
525
+ params: { email: @locked_user.email,
526
+ password: @locked_user.password }
527
+ @data = JSON.parse(response.body)
528
+ end
487
529
 
488
- test 'request should fail' do
489
- assert_equal 401, response.status
530
+ test 'request should fail' do
531
+ assert_equal 401, response.status
532
+ end
533
+
534
+ test 'response should contain errors' do
535
+ assert @data['errors']
536
+ assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
537
+ end
490
538
  end
491
539
 
492
- test 'response should contain errors' do
493
- assert @data['errors']
494
- assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
540
+ describe 'With paranoid mode' do
541
+ before do
542
+ @locked_user = create(:lockable_user, :locked)
543
+ swap Devise, paranoid: true do
544
+ post :create,
545
+ params: { email: @locked_user.email,
546
+ password: @locked_user.password }
547
+ end
548
+ @data = JSON.parse(response.body)
549
+ end
550
+
551
+ test 'request should fail' do
552
+ assert_equal 401, response.status
553
+ end
554
+
555
+ test 'response should contain errors that do not leak the existence of the account' do
556
+ assert @data['errors']
557
+ assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
558
+ end
495
559
  end
496
560
  end
497
561
 
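--- a/data/test/controllers/devise_token_auth/token_validations_controller_test.rb
+++ b/data/test/controllers/devise_token_auth/token_validations_controller_test.rb
@@ -18,11 +18,51 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
  @token = @auth_headers['access-token']
  @client_id = @auth_headers['client']
  @expiry = @auth_headers['expiry']
-
+ @authorization_header = @auth_headers.slice('Authorization')
  # ensure that request is not treated as batch request
  age_token(@resource, @client_id)
  end
 
+ describe 'using only Authorization header' do
+ describe 'using valid Authorization header' do
+ before do
+ get '/auth/validate_token', params: {}, headers: @authorization_header
+ end
+
+ test 'token valid' do
+ assert_equal 200, response.status
+ end
+ end
+
+ describe 'using invalid Authorization header' do
+ describe 'with invalid base64' do
+ before do
+ get '/auth/validate_token', params: {}, headers: {'Authorization': 'Bearer invalidtoken=='}
+ end
+
+ test 'returns access denied' do
+ assert_equal 401, response.status
+ end
+ end
+
+ describe 'with valid base64' do
+ before do
+ valid_base64 = Base64.strict_encode64({
+ "access-token": 'invalidtoken',
+ "token-type": 'Bearer',
+ "client": 'client',
+ "expiry": '1234567'
+ }.to_json)
+ get '/auth/validate_token', params: {}, headers: {'Authorization': "Bearer #{valid_base64}"}
+ end
+
+ test 'returns access denied' do
+ assert_equal 401, response.status
+ end
+ end
+ end
+ end
+
  describe 'vanilla user' do
  before do
  get '/auth/validate_token', params: {}, headers: @auth_headers
@@ -47,7 +87,8 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
 
  describe 'with invalid user' do
  before do
- @resource.update_column :email, 'invalid'
+ @resource.update_column(:email, 'invalid') if DEVISE_TOKEN_AUTH_ORM == :active_record
+ @resource.set(email: 'invalid') if DEVISE_TOKEN_AUTH_ORM == :mongoid
  end
 
  test 'request should raise invalid model error' do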
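Review bot: In the 'with valid base64' describe the forged header carries `"expiry": '1234567'`, a timestamp decades in the past, so if the server consults the supplied expiry the 401 may come from expiry rather than from the bogus access-token the describe name implies; a future value such as `"expiry": (Time.now + 3600).to_i.to_s` isolates the token check. The hash keys are written as quoted symbols (`'Authorization':`), which the community style guide flags; `{ Authorization: 'Bearer invalidtoken==' }` reads the same. A short comment on `@authorization_header = @auth_headers.slice('Authorization')` stating that only the bearer header is kept, to prove the separate `access-token`/`client`/`uid` headers are not required, would give the new describe its purpose. The enclosing `before` block begins outside the hunk.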
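--- a/data/test/controllers/devise_token_auth/unlocks_controller_test.rb
+++ b/data/test/controllers/devise_token_auth/unlocks_controller_test.rb
@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
  end
 
  describe 'request unlock' do
- describe 'unknown user should return 404' do
+ describe 'without paranoid mode' do
  before do
  post :create, params: { email: 'chester@cheet.ah' }
  @data = JSON.parse(response.body)
@@ -68,13 +68,32 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
 
  test 'errors should be returned' do
  assert @data['errors']
- assert_equal @data['errors'],
- [I18n.t('devise_token_auth.passwords.user_not_found',
- email: 'chester@cheet.ah')]
+ assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
+ email: 'chester@cheet.ah')]
  end
  end
 
- describe 'successfully requested unlock' do
+ describe 'with paranoid mode' do
+ before do
+ swap Devise, paranoid: true do
+ post :create, params: { email: 'chester@cheet.ah' }
+ @data = JSON.parse(response.body)
+ end
+ end
+
+ test 'should always return success' do
+ assert_equal 200, response.status
+ end
+
+ test 'errors should not be returned' do
+ assert @data['success']
+ assert_equal \
+ @data['message'],
+ I18n.t('devise_token_auth.unlocks.sended_paranoid')
+ end
+ end
+
+ describe 'successfully requested unlock without paranoid mode' do
  before do
  post :create, params: { email: @resource.email }
 
@@ -86,6 +105,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
  end
  end
 
+ describe 'successfully requested unlock with paranoid mode' do
+ before do
+ swap Devise, paranoid: true do
+ post :create, params: { email: @resource.email }
+ @data = JSON.parse(response.body)
+ end
+ end
+
+ test 'should always return success' do
+ assert_equal 200, response.status
+ end
+
+ test 'errors should not be returned' do
+ assert @data['success']
+ assert_equal \
+ @data['message'],
+ I18n.t('devise_token_auth.unlocks.sended_paranoid')
+ end
+ end
+
  describe 'case-sensitive email' do
  before do
  post :create, params: { email: @resource.email }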
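Review bot: The two paranoid-mode describes ('with paranoid mode' for an unknown email and 'successfully requested unlock with paranoid mode' for a real one) each assert the same 200 status and `sended_paranoid` message, but nothing says why the unknown-email case must look identical to the known one; a comment above the first `swap Devise, paranoid: true do`, such as `# paranoid mode: unknown and existing emails must get an identical 200 + message so the endpoint cannot be used to enumerate accounts`, records the intent. In both new `before` blocks the `swap` wraps `@data = JSON.parse(response.body)` although only the `post` depends on the paranoid setting; moving the parse after the swap's `end` keeps the altered scope minimal. The `assert_equal \` line-continuation form is also inconsistent with the single-line `assert_equal @data['errors'], [...]` used just above in the same file.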
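--- a/data/test/controllers/overrides/confirmations_controller_test.rb
+++ b/data/test/controllers/overrides/confirmations_controller_test.rb
@@ -38,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
  override_proof_str = '(^^,)'
 
  # ensure present in redirect URL
- override_proof_param = URI.unescape(response.headers['Location']
+ override_proof_param = CGI.unescape(response.headers['Location']
  .match(/override_proof=([^&]*)&/)[1])
 
  assert_equal override_proof_str, override_proof_param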
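Review bot: `CGI.unescape` differs from the removed `URI.unescape` in one way that matters for this assertion: it also decodes `+` as a space. `override_proof_str` is `'(^^,)'`, which contains no `+`, so the test still passes, but a future proof string containing `+` would fail here even though the redirect is correct; a comment on the changed line, `# CGI.unescape also turns '+' into a space; keep override_proof_str free of '+'`, would prevent a confusing failure. The surrounding test method starts and ends outside the hunk.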
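--- a/data/test/controllers/overrides/omniauth_callbacks_controller_test.rb
+++ b/data/test/controllers/overrides/omniauth_callbacks_controller_test.rb
@@ -25,7 +25,7 @@ class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTe
 
  @favorite_color = 'gray'
 
- get '/evil_user_auth/facebook',
+ post '/evil_user_auth/facebook',
  params: {
  auth_origin_url: Faker::Internet.url,
  favorite_color: @favorite_color,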
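Review bot: The switch from `get` to `post` for `/evil_user_auth/facebook` is a behavioural change rather than a cosmetic one: current OmniAuth releases accept only POST for the request phase, as a hardening against cross-site forgery of the provider redirect, so a GET here would now be refused. A comment on the `post` line, e.g. `# OmniAuth's request phase is POST-only (CSRF hardening), so the flow must be started with POST`, would stop a reader from "fixing" it back to GET. The enclosing `before` block begins and ends outside the hunk.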
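--- a/data/test/dummy/app/active_record/confirmable_user.rb
+++ b/data/test/dummy/app/active_record/confirmable_user.rb
@@ -0,0 +1,11 @@
+ # frozen_string_literal: true
+
+ class ConfirmableUser < ActiveRecord::Base
+ # Include default devise modules.
+ devise :database_authenticatable, :registerable,
+ :recoverable, :rememberable,
+ :validatable, :confirmable
+ DeviseTokenAuth.send_confirmation_email = true
+ include DeviseTokenAuth::Concerns::User
+ DeviseTokenAuth.send_confirmation_email = false
+ end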
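Review bot: Lines 8–10 flip the global `DeviseTokenAuth.send_confirmation_email` on, include the concern, then force it to `false`, which assumes the setting was `false` before this file loaded; under autoloading the order in which dummy models load is not fixed, so an initializer or another model that set it to `true` would be silently reset. Capture and restore instead: `previous = DeviseTokenAuth.send_confirmation_email`, then `DeviseTokenAuth.send_confirmation_email = true` before the include and `DeviseTokenAuth.send_confirmation_email = previous` after it. A comment explaining that the concern presumably reads the flag at include time (which is why the toggle wraps the `include`) would make the intent clear; that behaviour should be confirmed against the concern, which is not on this page.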
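--- a/data/test/dummy/app/models/scoped_user.rb
+++ b/data/test/dummy/app/active_record/scoped_user.rb
@@ -3,7 +3,7 @@
  class ScopedUser < ActiveRecord::Base
  # Include default devise modules.
  devise :database_authenticatable, :registerable,
- :recoverable, :rememberable, :trackable, :validatable,
- :confirmable, :omniauthable
+ :recoverable, :rememberable,
+ :validatable, :confirmable, :omniauthable
  include DeviseTokenAuth::Concerns::User
  end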
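--- a/data/test/dummy/app/models/unconfirmable_user.rb
+++ b/data/test/dummy/app/active_record/unconfirmable_user.rb
@@ -4,7 +4,6 @@ class UnconfirmableUser < ActiveRecord::Base
  # Include default devise modules.
  devise :database_authenticatable, :registerable,
  :recoverable, :rememberable,
- :trackable, :validatable,
- :omniauthable
+ :validatable, :omniauthable
  include DeviseTokenAuth::Concerns::User
  end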
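--- a/data/test/dummy/app/models/unregisterable_user.rb
+++ b/data/test/dummy/app/active_record/unregisterable_user.rb
@@ -2,8 +2,8 @@
 
  class UnregisterableUser < ActiveRecord::Base
  # Include default devise modules.
- devise :database_authenticatable,
- :recoverable, :trackable, :validatable,
- :confirmable, :omniauthable
+ devise :database_authenticatable, :recoverable,
+ :validatable, :confirmable,
+ :omniauthable
  include DeviseTokenAuth::Concerns::User
  end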
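--- a/data/test/dummy/app/active_record/user.rb
+++ b/data/test/dummy/app/active_record/user.rb
@@ -0,0 +1,6 @@
+ # frozen_string_literal: true
+
+ class User < ActiveRecord::Base
+ include DeviseTokenAuth::Concerns::User
+ include FavoriteColor
+ end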
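--- a/data/test/dummy/app/controllers/application_controller.rb
+++ b/data/test/dummy/app/controllers/application_controller.rb
@@ -8,11 +8,7 @@ class ApplicationController < ActionController::Base
  protected
 
  def configure_permitted_parameters
- permitted_parameters = devise_parameter_sanitizer.instance_values['permitted']
- permitted_parameters[:sign_up] << :operating_thetan
- permitted_parameters[:sign_up] << :favorite_color
- permitted_parameters[:account_update] << :operating_thetan
- permitted_parameters[:account_update] << :favorite_color
- permitted_parameters[:account_update] << :current_password
+ devise_parameter_sanitizer.permit(:sign_up, keys: [:operating_thetan, :favorite_color])
+ devise_parameter_sanitizer.permit(:account_update, keys: [:operating_thetan, :favorite_color, :current_password])
  end
  end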