devise_token_auth 1.0.0 → 1.2.2
- checksums.yaml +5 -5
- data/README.md +6 -3
- data/app/controllers/devise_token_auth/application_controller.rb +23 -3
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +24 -11
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +78 -57
- data/app/controllers/devise_token_auth/confirmations_controller.rb +69 -19
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +89 -44
- data/app/controllers/devise_token_auth/passwords_controller.rb +55 -31
- data/app/controllers/devise_token_auth/registrations_controller.rb +33 -40
- data/app/controllers/devise_token_auth/sessions_controller.rb +36 -14
- data/app/controllers/devise_token_auth/unlocks_controller.rb +12 -7
- data/app/models/devise_token_auth/concerns/active_record_support.rb +14 -0
- data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
- data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
- data/app/models/devise_token_auth/concerns/tokens_serialization.rb +31 -0
- data/app/models/devise_token_auth/concerns/user.rb +79 -80
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +12 -5
- data/app/validators/{email_validator.rb → devise_token_auth_email_validator.rb} +11 -3
- data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
- data/config/locales/da-DK.yml +2 -0
- data/config/locales/de.yml +2 -0
- data/config/locales/en.yml +10 -0
- data/config/locales/es.yml +2 -0
- data/config/locales/fr.yml +2 -0
- data/config/locales/he.yml +52 -0
- data/config/locales/it.yml +2 -0
- data/config/locales/ja.yml +16 -2
- data/config/locales/ko.yml +51 -0
- data/config/locales/nl.yml +2 -0
- data/config/locales/pl.yml +6 -3
- data/config/locales/pt-BR.yml +2 -0
- data/config/locales/pt.yml +6 -3
- data/config/locales/ro.yml +2 -0
- data/config/locales/ru.yml +2 -0
- data/config/locales/sq.yml +2 -0
- data/config/locales/sv.yml +2 -0
- data/config/locales/uk.yml +2 -0
- data/config/locales/vi.yml +2 -0
- data/config/locales/zh-CN.yml +2 -0
- data/config/locales/zh-HK.yml +2 -0
- data/config/locales/zh-TW.yml +2 -0
- data/lib/devise_token_auth/blacklist.rb +6 -0
- data/lib/devise_token_auth/controllers/helpers.rb +5 -9
- data/lib/devise_token_auth/engine.rb +17 -2
- data/lib/devise_token_auth/rails/routes.rb +22 -16
- data/lib/devise_token_auth/token_factory.rb +126 -0
- data/lib/devise_token_auth/url.rb +3 -0
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/devise_token_auth.rb +6 -3
- data/lib/generators/devise_token_auth/USAGE +1 -1
- data/lib/generators/devise_token_auth/install_generator.rb +7 -91
- data/lib/generators/devise_token_auth/install_generator_helpers.rb +98 -0
- data/lib/generators/devise_token_auth/install_mongoid_generator.rb +46 -0
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +21 -5
- data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -8
- data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
- data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +56 -0
- data/test/controllers/custom/custom_confirmations_controller_test.rb +2 -2
- data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +1 -1
- data/test/controllers/demo_mang_controller_test.rb +37 -8
- data/test/controllers/demo_user_controller_test.rb +39 -10
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +170 -22
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +117 -53
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +299 -122
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +56 -16
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +139 -75
- data/test/controllers/devise_token_auth/token_validations_controller_test.rb +43 -2
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +44 -5
- data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
- data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +1 -1
- data/test/dummy/app/active_record/confirmable_user.rb +11 -0
- data/test/dummy/app/{models → active_record}/scoped_user.rb +2 -2
- data/test/dummy/app/{models → active_record}/unconfirmable_user.rb +1 -2
- data/test/dummy/app/{models → active_record}/unregisterable_user.rb +3 -3
- data/test/dummy/app/active_record/user.rb +6 -0
- data/test/dummy/app/controllers/application_controller.rb +2 -6
- data/test/dummy/app/controllers/overrides/confirmations_controller.rb +5 -4
- data/test/dummy/app/controllers/overrides/passwords_controller.rb +5 -4
- data/test/dummy/app/controllers/overrides/registrations_controller.rb +1 -1
- data/test/dummy/app/controllers/overrides/sessions_controller.rb +2 -2
- data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} +7 -8
- data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
- data/test/dummy/app/mongoid/lockable_user.rb +38 -0
- data/test/dummy/app/mongoid/mang.rb +46 -0
- data/test/dummy/app/mongoid/only_email_user.rb +33 -0
- data/test/dummy/app/mongoid/scoped_user.rb +50 -0
- data/test/dummy/app/mongoid/unconfirmable_user.rb +44 -0
- data/test/dummy/app/mongoid/unregisterable_user.rb +47 -0
- data/test/dummy/app/mongoid/user.rb +49 -0
- data/test/dummy/app/views/layouts/application.html.erb +0 -2
- data/test/dummy/config/application.rb +22 -1
- data/test/dummy/config/boot.rb +4 -0
- data/test/dummy/config/environments/development.rb +0 -10
- data/test/dummy/config/environments/production.rb +0 -16
- data/test/dummy/config/environments/test.rb +6 -2
- data/test/dummy/config/initializers/devise.rb +285 -0
- data/test/dummy/config/initializers/devise_token_auth.rb +35 -4
- data/test/dummy/config/initializers/figaro.rb +1 -1
- data/test/dummy/config/initializers/omniauth.rb +1 -0
- data/test/dummy/config/routes.rb +2 -0
- data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +0 -7
- data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +0 -7
- data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +0 -7
- data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +0 -7
- data/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +0 -7
- data/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb +0 -7
- data/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb +0 -7
- data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
- data/test/dummy/db/schema.rb +31 -33
- data/test/dummy/tmp/generators/app/models/user.rb +9 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +66 -0
- data/test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb +49 -0
- data/test/factories/users.rb +3 -2
- data/test/lib/devise_token_auth/blacklist_test.rb +19 -0
- data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
- data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
- data/test/lib/devise_token_auth/token_factory_test.rb +191 -0
- data/test/lib/devise_token_auth/url_test.rb +2 -2
- data/test/lib/generators/devise_token_auth/install_generator_test.rb +51 -31
- data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +51 -31
- data/test/models/concerns/mongoid_support_test.rb +31 -0
- data/test/models/concerns/tokens_serialization_test.rb +104 -0
- data/test/models/confirmable_user_test.rb +35 -0
- data/test/models/only_email_user_test.rb +0 -8
- data/test/models/user_test.rb +13 -23
- data/test/test_helper.rb +45 -4
- metadata +190 -97
- data/config/initializers/devise.rb +0 -198
- data/test/dummy/config/initializers/assets.rb +0 -10
- data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
- data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
- /data/test/dummy/app/{models → active_record}/lockable_user.rb +0 -0
- /data/test/dummy/app/{models → active_record}/mang.rb +0 -0
- /data/test/dummy/app/{models → active_record}/only_email_user.rb +0 -0
@@ -10,6 +10,17 @@ require 'test_helper'
|
|
10
10
|
|
11
11
|
class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
|
12
12
|
describe DeviseTokenAuth::RegistrationsController do
|
13
|
+
|
14
|
+
def mock_registration_params
|
15
|
+
{
|
16
|
+
email: Faker::Internet.email,
|
17
|
+
password: 'secret123',
|
18
|
+
password_confirmation: 'secret123',
|
19
|
+
confirm_success_url: Faker::Internet.url,
|
20
|
+
unpermitted_param: '(x_x)'
|
21
|
+
}
|
22
|
+
end
|
23
|
+
|
13
24
|
describe 'Validate non-empty body' do
|
14
25
|
before do
|
15
26
|
# need to post empty data
|
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
41
52
|
@mails_sent = ActionMailer::Base.deliveries.count
|
42
53
|
|
43
54
|
post '/auth',
|
44
|
-
params:
|
45
|
-
email: Faker::Internet.email,
|
46
|
-
password: 'secret123',
|
47
|
-
password_confirmation: 'secret123',
|
48
|
-
confirm_success_url: Faker::Internet.url,
|
49
|
-
unpermitted_param: '(x_x)'
|
50
|
-
}
|
55
|
+
params: mock_registration_params
|
51
56
|
|
52
57
|
@resource = assigns(:resource)
|
53
58
|
@data = JSON.parse(response.body)
|
@@ -83,6 +88,41 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
83
88
|
end
|
84
89
|
end
|
85
90
|
|
91
|
+
describe 'using allow_unconfirmed_access_for' do
|
92
|
+
before do
|
93
|
+
@original_duration = Devise.allow_unconfirmed_access_for
|
94
|
+
Devise.allow_unconfirmed_access_for = nil
|
95
|
+
end
|
96
|
+
|
97
|
+
test 'auth headers were returned in response' do
|
98
|
+
post '/auth', params: mock_registration_params
|
99
|
+
assert response.headers['access-token']
|
100
|
+
assert response.headers['token-type']
|
101
|
+
assert response.headers['client']
|
102
|
+
assert response.headers['expiry']
|
103
|
+
assert response.headers['uid']
|
104
|
+
end
|
105
|
+
|
106
|
+
describe 'using auth cookie' do
|
107
|
+
before do
|
108
|
+
DeviseTokenAuth.cookie_enabled = true
|
109
|
+
end
|
110
|
+
|
111
|
+
test 'auth cookie was returned in response' do
|
112
|
+
post '/auth', params: mock_registration_params
|
113
|
+
assert response.cookies[DeviseTokenAuth.cookie_name]
|
114
|
+
end
|
115
|
+
|
116
|
+
after do
|
117
|
+
DeviseTokenAuth.cookie_enabled = false
|
118
|
+
end
|
119
|
+
end
|
120
|
+
|
121
|
+
after do
|
122
|
+
Devise.allow_unconfirmed_access_for = @original_duration
|
123
|
+
end
|
124
|
+
end
|
125
|
+
|
86
126
|
describe 'using "+" in email' do
|
87
127
|
test 'can use + sign in email addresses' do
|
88
128
|
@plus_email = 'ak+testing@gmail.com'
|
@@ -266,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
266
306
|
@data = JSON.parse(response.body)
|
267
307
|
@mail = ActionMailer::Base.deliveries.last
|
268
308
|
|
269
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
309
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
270
310
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
271
311
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
272
312
|
end
|
@@ -305,7 +345,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
305
345
|
end
|
306
346
|
|
307
347
|
test 'user should not have been created' do
|
308
|
-
|
348
|
+
refute @resource.persisted?
|
309
349
|
end
|
310
350
|
|
311
351
|
test 'error should be returned in the response' do
|
@@ -333,7 +373,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
333
373
|
end
|
334
374
|
|
335
375
|
test 'user should not have been created' do
|
336
|
-
|
376
|
+
refute @resource.persisted?
|
337
377
|
end
|
338
378
|
|
339
379
|
test 'error should be returned in the response' do
|
@@ -362,7 +402,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
362
402
|
end
|
363
403
|
|
364
404
|
test 'user should have been created' do
|
365
|
-
|
405
|
+
refute @resource.persisted?
|
366
406
|
end
|
367
407
|
|
368
408
|
test 'error should be returned in the response' do
|
@@ -393,7 +433,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
393
433
|
end
|
394
434
|
|
395
435
|
test 'user should have been created' do
|
396
|
-
|
436
|
+
refute @resource.persisted?
|
397
437
|
end
|
398
438
|
|
399
439
|
test 'error should be returned in the response' do
|
@@ -465,7 +505,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
465
505
|
# test valid update param
|
466
506
|
@resource_class = User
|
467
507
|
@new_operating_thetan = 1_000_000
|
468
|
-
@email =
|
508
|
+
@email = Faker::Internet.safe_email
|
469
509
|
@request_params = {
|
470
510
|
operating_thetan: @new_operating_thetan,
|
471
511
|
email: @email
|
@@ -572,7 +612,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
572
612
|
# test valid update param
|
573
613
|
@resource_class = User
|
574
614
|
@new_operating_thetan = 1_000_000
|
575
|
-
@email =
|
615
|
+
@email = Faker::Internet.safe_email
|
576
616
|
@request_params = {
|
577
617
|
operating_thetan: @new_operating_thetan,
|
578
618
|
email: @email
|
@@ -623,7 +663,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
623
663
|
before do
|
624
664
|
DeviseTokenAuth.check_current_password_before_update = :password
|
625
665
|
@new_operating_thetan = 1_000_000
|
626
|
-
@email =
|
666
|
+
@email = Faker::Internet.safe_email
|
627
667
|
end
|
628
668
|
|
629
669
|
after do
|
@@ -786,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
786
826
|
|
787
827
|
@resource.reload
|
788
828
|
|
789
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
829
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
790
830
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
791
831
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
792
832
|
end
|
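Review bot: The 'auth cookie was returned in response' test at new line 113 only checks that the cookie exists; it never verifies the attributes that make a credential-bearing cookie safe, so a regression that drops HttpOnly or Secure would still pass. Since registration is the path that first issues the credential, assert on the raw header as well, e.g. `assert_match(/httponly/i, response.headers['Set-Cookie'])`, and likewise for `secure`/`samesite` if the engine's cookie attributes configure them (that configuration is not visible on this page, so confirm before pinning it). The `unpermitted_param: '(x_x)'` in `mock_registration_params` is a good fixture, but none of the new cases in this hunk assert it was rejected; if that assertion lives elsewhere in the file it is fine, otherwise add `refute @resource.respond_to?(:unpermitted_param)` or an equivalent check.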
@@ -17,26 +17,15 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
17
17
|
|
18
18
|
describe 'success' do
|
19
19
|
before do
|
20
|
-
@
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
@old_last_sign_in_ip = @existing_user.last_sign_in_ip
|
20
|
+
@user_session_params = {
|
21
|
+
email: @existing_user.email,
|
22
|
+
password: @existing_user.password
|
23
|
+
}
|
25
24
|
|
26
|
-
post :create,
|
27
|
-
params: {
|
28
|
-
email: @existing_user.email,
|
29
|
-
password: @existing_user.password
|
30
|
-
}
|
25
|
+
post :create, params: @user_session_params
|
31
26
|
|
32
27
|
@resource = assigns(:resource)
|
33
28
|
@data = JSON.parse(response.body)
|
34
|
-
|
35
|
-
@new_sign_in_count = @resource.sign_in_count
|
36
|
-
@new_current_sign_in_at = @resource.current_sign_in_at
|
37
|
-
@new_last_sign_in_at = @resource.last_sign_in_at
|
38
|
-
@new_sign_in_ip = @resource.current_sign_in_ip
|
39
|
-
@new_last_sign_in_ip = @resource.last_sign_in_ip
|
40
29
|
end
|
41
30
|
|
42
31
|
test 'request should succeed' do
|
@@ -47,29 +36,22 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
47
36
|
assert_equal @existing_user.email, @data['data']['email']
|
48
37
|
end
|
49
38
|
|
50
|
-
describe '
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
test 'current_sign_in_at is updated' do
|
56
|
-
refute @old_current_sign_in_at
|
57
|
-
assert @new_current_sign_in_at
|
39
|
+
describe 'using auth cookie' do
|
40
|
+
before do
|
41
|
+
DeviseTokenAuth.cookie_enabled = true
|
42
|
+
post :create, params: @user_session_params
|
58
43
|
end
|
59
44
|
|
60
|
-
test '
|
61
|
-
|
62
|
-
assert @new_last_sign_in_at
|
45
|
+
test 'request should return auth cookie' do
|
46
|
+
assert response.cookies[DeviseTokenAuth.cookie_name]
|
63
47
|
end
|
64
48
|
|
65
|
-
test '
|
66
|
-
|
67
|
-
assert_equal '0.0.0.0', @new_sign_in_ip
|
49
|
+
test 'request should not include bearer token' do
|
50
|
+
assert_nil response.headers["Authorization"]
|
68
51
|
end
|
69
52
|
|
70
|
-
|
71
|
-
|
72
|
-
assert_equal '0.0.0.0', @new_last_sign_in_ip
|
53
|
+
after do
|
54
|
+
DeviseTokenAuth.cookie_enabled = false
|
73
55
|
end
|
74
56
|
end
|
75
57
|
|
@@ -79,11 +61,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
79
61
|
# to expedite tests! (Default is 10)
|
80
62
|
DeviseTokenAuth.max_number_of_devices = 2
|
81
63
|
DeviseTokenAuth.change_headers_on_each_request = false
|
82
|
-
|
83
|
-
@user_session_params = {
|
84
|
-
email: @existing_user.email,
|
85
|
-
password: @existing_user.password
|
86
|
-
}
|
87
64
|
end
|
88
65
|
|
89
66
|
test 'should limit the maximum number of concurrent devices' do
|
@@ -197,6 +174,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
197
174
|
test 'session was destroyed' do
|
198
175
|
assert_equal true, @controller.reset_session_called
|
199
176
|
end
|
177
|
+
|
178
|
+
describe 'using auth cookie' do
|
179
|
+
before do
|
180
|
+
DeviseTokenAuth.cookie_enabled = true
|
181
|
+
@auth_token = @existing_user.create_new_auth_token
|
182
|
+
@controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
|
183
|
+
end
|
184
|
+
|
185
|
+
test 'auth cookie was destroyed' do
|
186
|
+
assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
|
187
|
+
delete :destroy, format: :json
|
188
|
+
assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
|
189
|
+
end
|
190
|
+
|
191
|
+
after do
|
192
|
+
DeviseTokenAuth.cookie_enabled = false
|
193
|
+
end
|
194
|
+
end
|
200
195
|
end
|
201
196
|
|
202
197
|
describe 'unauthed user sign out' do
|
@@ -315,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
315
310
|
end
|
316
311
|
|
317
312
|
describe 'Unconfirmed user' do
|
318
|
-
|
319
|
-
|
320
|
-
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
313
|
+
describe 'Without paranoid mode' do
|
314
|
+
before do
|
315
|
+
@unconfirmed_user = create(:user)
|
316
|
+
post :create, params: { email: @unconfirmed_user.email,
|
317
|
+
password: @unconfirmed_user.password }
|
318
|
+
@resource = assigns(:resource)
|
319
|
+
@data = JSON.parse(response.body)
|
320
|
+
end
|
325
321
|
|
326
|
-
|
327
|
-
|
322
|
+
test 'request should fail' do
|
323
|
+
assert_equal 401, response.status
|
324
|
+
end
|
325
|
+
|
326
|
+
test 'response should contain errors' do
|
327
|
+
assert @data['errors']
|
328
|
+
assert_equal @data['errors'],
|
329
|
+
[I18n.t('devise_token_auth.sessions.not_confirmed',
|
330
|
+
email: @unconfirmed_user.email)]
|
331
|
+
end
|
328
332
|
end
|
333
|
+
|
334
|
+
describe 'With paranoid mode' do
|
335
|
+
before do
|
336
|
+
@unconfirmed_user = create(:user)
|
337
|
+
swap Devise, paranoid: true do
|
338
|
+
post :create, params: { email: @unconfirmed_user.email,
|
339
|
+
password: @unconfirmed_user.password }
|
340
|
+
end
|
341
|
+
@resource = assigns(:resource)
|
342
|
+
@data = JSON.parse(response.body)
|
343
|
+
end
|
329
344
|
|
330
|
-
|
331
|
-
|
332
|
-
|
333
|
-
|
334
|
-
|
345
|
+
test 'request should fail' do
|
346
|
+
assert_equal 401, response.status
|
347
|
+
end
|
348
|
+
|
349
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
350
|
+
assert @data['errors']
|
351
|
+
assert_equal @data['errors'],
|
352
|
+
[I18n.t('devise_token_auth.sessions.bad_credentials')]
|
353
|
+
end
|
335
354
|
end
|
336
355
|
end
|
337
356
|
|
@@ -380,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
380
399
|
end
|
381
400
|
|
382
401
|
describe 'Non-existing user' do
|
383
|
-
|
384
|
-
|
385
|
-
|
386
|
-
|
387
|
-
|
388
|
-
|
389
|
-
|
402
|
+
describe 'Without paranoid mode' do
|
403
|
+
before do
|
404
|
+
post :create,
|
405
|
+
params: { email: -> { Faker::Internet.email },
|
406
|
+
password: -> { Faker::Number.number(10) } }
|
407
|
+
@resource = assigns(:resource)
|
408
|
+
@data = JSON.parse(response.body)
|
409
|
+
end
|
390
410
|
|
391
|
-
|
392
|
-
|
411
|
+
test 'request should fail' do
|
412
|
+
assert_equal 401, response.status
|
413
|
+
end
|
414
|
+
|
415
|
+
test 'response should contain errors' do
|
416
|
+
assert @data['errors']
|
417
|
+
end
|
393
418
|
end
|
394
419
|
|
395
|
-
|
396
|
-
|
420
|
+
describe 'With paranoid mode' do
|
421
|
+
before do
|
422
|
+
mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
|
423
|
+
@bcrypt_mock = MiniTest::Mock.new
|
424
|
+
@bcrypt_mock.expect(:call, mock_hash, [Object, String])
|
425
|
+
|
426
|
+
swap Devise, paranoid: true do
|
427
|
+
BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
|
428
|
+
post :create,
|
429
|
+
params: { email: -> { Faker::Internet.email },
|
430
|
+
password: -> { Faker::Number.number(10) } }
|
431
|
+
end
|
432
|
+
end
|
433
|
+
end
|
434
|
+
|
435
|
+
test 'password should be hashed' do
|
436
|
+
@bcrypt_mock.verify
|
437
|
+
end
|
397
438
|
end
|
398
439
|
end
|
399
440
|
|
@@ -477,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
477
518
|
end
|
478
519
|
|
479
520
|
describe 'locked user' do
|
480
|
-
|
481
|
-
|
482
|
-
|
483
|
-
|
484
|
-
|
485
|
-
|
486
|
-
|
521
|
+
describe 'Without paranoid mode' do
|
522
|
+
before do
|
523
|
+
@locked_user = create(:lockable_user, :locked)
|
524
|
+
post :create,
|
525
|
+
params: { email: @locked_user.email,
|
526
|
+
password: @locked_user.password }
|
527
|
+
@data = JSON.parse(response.body)
|
528
|
+
end
|
487
529
|
|
488
|
-
|
489
|
-
|
530
|
+
test 'request should fail' do
|
531
|
+
assert_equal 401, response.status
|
532
|
+
end
|
533
|
+
|
534
|
+
test 'response should contain errors' do
|
535
|
+
assert @data['errors']
|
536
|
+
assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
|
537
|
+
end
|
490
538
|
end
|
491
539
|
|
492
|
-
|
493
|
-
|
494
|
-
|
540
|
+
describe 'With paranoid mode' do
|
541
|
+
before do
|
542
|
+
@locked_user = create(:lockable_user, :locked)
|
543
|
+
swap Devise, paranoid: true do
|
544
|
+
post :create,
|
545
|
+
params: { email: @locked_user.email,
|
546
|
+
password: @locked_user.password }
|
547
|
+
end
|
548
|
+
@data = JSON.parse(response.body)
|
549
|
+
end
|
550
|
+
|
551
|
+
test 'request should fail' do
|
552
|
+
assert_equal 401, response.status
|
553
|
+
end
|
554
|
+
|
555
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
556
|
+
assert @data['errors']
|
557
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
|
558
|
+
end
|
495
559
|
end
|
496
560
|
end
|
497
561
|
|
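Review bot: In the 'Non-existing user' cases at new lines 405–406 and 429–430 the param values are lambdas (`email: -> { Faker::Internet.email }`), so as far as I can tell the controller receives the Proc's string form rather than an email; the tests still pass only because that string also matches no user, which obscures what the paranoid-mode and `BCrypt::Engine.hash_secret` stub are meant to exercise. Use plain values: `params: { email: Faker::Internet.email, password: Faker::Number.number(10) }`. `Faker::Number.number(10)` also uses the positional form that newer Faker releases only accept as `digits: 10`; worth checking against the pinned version. The paranoid variants for unconfirmed and locked users correctly collapse to `bad_credentials`, so account state is not disclosed there.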
@@ -18,11 +18,51 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
|
|
18
18
|
@token = @auth_headers['access-token']
|
19
19
|
@client_id = @auth_headers['client']
|
20
20
|
@expiry = @auth_headers['expiry']
|
21
|
-
|
21
|
+
@authorization_header = @auth_headers.slice('Authorization')
|
22
22
|
# ensure that request is not treated as batch request
|
23
23
|
age_token(@resource, @client_id)
|
24
24
|
end
|
25
25
|
|
26
|
+
describe 'using only Authorization header' do
|
27
|
+
describe 'using valid Authorization header' do
|
28
|
+
before do
|
29
|
+
get '/auth/validate_token', params: {}, headers: @authorization_header
|
30
|
+
end
|
31
|
+
|
32
|
+
test 'token valid' do
|
33
|
+
assert_equal 200, response.status
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
describe 'using invalid Authorization header' do
|
38
|
+
describe 'with invalid base64' do
|
39
|
+
before do
|
40
|
+
get '/auth/validate_token', params: {}, headers: {'Authorization': 'Bearer invalidtoken=='}
|
41
|
+
end
|
42
|
+
|
43
|
+
test 'returns access denied' do
|
44
|
+
assert_equal 401, response.status
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
48
|
+
describe 'with valid base64' do
|
49
|
+
before do
|
50
|
+
valid_base64 = Base64.strict_encode64({
|
51
|
+
"access-token": 'invalidtoken',
|
52
|
+
"token-type": 'Bearer',
|
53
|
+
"client": 'client',
|
54
|
+
"expiry": '1234567'
|
55
|
+
}.to_json)
|
56
|
+
get '/auth/validate_token', params: {}, headers: {'Authorization': "Bearer #{valid_base64}"}
|
57
|
+
end
|
58
|
+
|
59
|
+
test 'returns access denied' do
|
60
|
+
assert_equal 401, response.status
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
26
66
|
describe 'vanilla user' do
|
27
67
|
before do
|
28
68
|
get '/auth/validate_token', params: {}, headers: @auth_headers
|
@@ -47,7 +87,8 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
|
|
47
87
|
|
48
88
|
describe 'with invalid user' do
|
49
89
|
before do
|
50
|
-
@resource.update_column
|
90
|
+
@resource.update_column(:email, 'invalid') if DEVISE_TOKEN_AUTH_ORM == :active_record
|
91
|
+
@resource.set(email: 'invalid') if DEVISE_TOKEN_AUTH_ORM == :mongoid
|
51
92
|
end
|
52
93
|
|
53
94
|
test 'request should raise invalid model error' do
|
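Review bot: The invalid-Authorization tests at new lines 37–63 cover undecodable base64 and a well-formed JSON object with a bad token, but not a header whose base64 decodes to JSON that is not an object (`[]`, `"x"`, `null`) or an object missing `client`/`access-token`; if the decoder indexes the parsed value without a type check those inputs would surface as a 500 rather than a 401 (the decoding code is not on this page, so treat this as something to confirm). One added case pins it: `get '/auth/validate_token', params: {}, headers: { 'Authorization': "Bearer #{Base64.strict_encode64('[]')}" }` followed by `assert_equal 401, response.status`. Also consider `assert_nil response.headers['access-token']` on each 401 so a rejected header can never be answered with fresh credentials.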
@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
|
|
57
57
|
end
|
58
58
|
|
59
59
|
describe 'request unlock' do
|
60
|
-
describe '
|
60
|
+
describe 'without paranoid mode' do
|
61
61
|
before do
|
62
62
|
post :create, params: { email: 'chester@cheet.ah' }
|
63
63
|
@data = JSON.parse(response.body)
|
@@ -68,13 +68,32 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
|
|
68
68
|
|
69
69
|
test 'errors should be returned' do
|
70
70
|
assert @data['errors']
|
71
|
-
assert_equal @data['errors'],
|
72
|
-
|
73
|
-
email: 'chester@cheet.ah')]
|
71
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
|
72
|
+
email: 'chester@cheet.ah')]
|
74
73
|
end
|
75
74
|
end
|
76
75
|
|
77
|
-
describe '
|
76
|
+
describe 'with paranoid mode' do
|
77
|
+
before do
|
78
|
+
swap Devise, paranoid: true do
|
79
|
+
post :create, params: { email: 'chester@cheet.ah' }
|
80
|
+
@data = JSON.parse(response.body)
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
test 'should always return success' do
|
85
|
+
assert_equal 200, response.status
|
86
|
+
end
|
87
|
+
|
88
|
+
test 'errors should not be returned' do
|
89
|
+
assert @data['success']
|
90
|
+
assert_equal \
|
91
|
+
@data['message'],
|
92
|
+
I18n.t('devise_token_auth.unlocks.sended_paranoid')
|
93
|
+
end
|
94
|
+
end
|
95
|
+
|
96
|
+
describe 'successfully requested unlock without paranoid mode' do
|
78
97
|
before do
|
79
98
|
post :create, params: { email: @resource.email }
|
80
99
|
|
@@ -86,6 +105,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
|
|
86
105
|
end
|
87
106
|
end
|
88
107
|
|
108
|
+
describe 'successfully requested unlock with paranoid mode' do
|
109
|
+
before do
|
110
|
+
swap Devise, paranoid: true do
|
111
|
+
post :create, params: { email: @resource.email }
|
112
|
+
@data = JSON.parse(response.body)
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
test 'should always return success' do
|
117
|
+
assert_equal 200, response.status
|
118
|
+
end
|
119
|
+
|
120
|
+
test 'errors should not be returned' do
|
121
|
+
assert @data['success']
|
122
|
+
assert_equal \
|
123
|
+
@data['message'],
|
124
|
+
I18n.t('devise_token_auth.unlocks.sended_paranoid')
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
89
128
|
describe 'case-sensitive email' do
|
90
129
|
before do
|
91
130
|
post :create, params: { email: @resource.email }
|
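Review bot: The paranoid-mode unlock tests at new lines 76–95 and 108–127 assert the same status and `message` for an unknown and a known email, which is the enumeration guard, but they compare only that one field; any other key in the body, or a mail side effect, could still distinguish the two responses. Capture `ActionMailer::Base.deliveries.count` before each request and assert it is unchanged for `chester@cheet.ah` and incremented for `@resource.email`, and assert the entire parsed body is equal across the two paranoid cases rather than just `@data['message']`. The locale key `sended_paranoid` is ungrammatical, but renaming it changes a public i18n key, so leave it unless an alias is added.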
@@ -38,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
|
|
38
38
|
override_proof_str = '(^^,)'
|
39
39
|
|
40
40
|
# ensure present in redirect URL
|
41
|
-
override_proof_param =
|
41
|
+
override_proof_param = CGI.unescape(response.headers['Location']
|
42
42
|
.match(/override_proof=([^&]*)&/)[1])
|
43
43
|
|
44
44
|
assert_equal override_proof_str, override_proof_param
|
@@ -25,7 +25,7 @@ class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTe
|
|
25
25
|
|
26
26
|
@favorite_color = 'gray'
|
27
27
|
|
28
|
-
|
28
|
+
post '/evil_user_auth/facebook',
|
29
29
|
params: {
|
30
30
|
auth_origin_url: Faker::Internet.url,
|
31
31
|
favorite_color: @favorite_color,
|
@@ -0,0 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
class ConfirmableUser < ActiveRecord::Base
|
4
|
+
# Include default devise modules.
|
5
|
+
devise :database_authenticatable, :registerable,
|
6
|
+
:recoverable, :rememberable,
|
7
|
+
:validatable, :confirmable
|
8
|
+
DeviseTokenAuth.send_confirmation_email = true
|
9
|
+
include DeviseTokenAuth::Concerns::User
|
10
|
+
DeviseTokenAuth.send_confirmation_email = false
|
11
|
+
end
|
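Review bot: `DeviseTokenAuth.send_confirmation_email = true` at new line 8 mutates process-wide configuration from inside a class body, so its effect depends on the order in which the dummy app's models are autoloaded, and line 10 resets it to `false` unconditionally instead of to the prior value. If the concern reads the flag at include time (which the toggle implies but cannot be confirmed from this page), this only works because no other model is being loaded at the same moment. At minimum restore the previous value, `prev = DeviseTokenAuth.send_confirmation_email` before the include and `DeviseTokenAuth.send_confirmation_email = prev` after it, and add a comment such as `# Temporarily enabled so the concern wires up confirmation mail for this test model`; a per-model hook would be cleaner if the concern offers one.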
@@ -3,7 +3,7 @@
|
|
3
3
|
class ScopedUser < ActiveRecord::Base
|
4
4
|
# Include default devise modules.
|
5
5
|
devise :database_authenticatable, :registerable,
|
6
|
-
:recoverable, :rememberable,
|
7
|
-
:confirmable, :omniauthable
|
6
|
+
:recoverable, :rememberable,
|
7
|
+
:validatable, :confirmable, :omniauthable
|
8
8
|
include DeviseTokenAuth::Concerns::User
|
9
9
|
end
|
@@ -4,7 +4,6 @@ class UnconfirmableUser < ActiveRecord::Base
|
|
4
4
|
# Include default devise modules.
|
5
5
|
devise :database_authenticatable, :registerable,
|
6
6
|
:recoverable, :rememberable,
|
7
|
-
:
|
8
|
-
:omniauthable
|
7
|
+
:validatable, :omniauthable
|
9
8
|
include DeviseTokenAuth::Concerns::User
|
10
9
|
end
|
@@ -2,8 +2,8 @@
|
|
2
2
|
|
3
3
|
class UnregisterableUser < ActiveRecord::Base
|
4
4
|
# Include default devise modules.
|
5
|
-
devise :database_authenticatable,
|
6
|
-
:
|
7
|
-
:
|
5
|
+
devise :database_authenticatable, :recoverable,
|
6
|
+
:validatable, :confirmable,
|
7
|
+
:omniauthable
|
8
8
|
include DeviseTokenAuth::Concerns::User
|
9
9
|
end
|
@@ -8,11 +8,7 @@ class ApplicationController < ActionController::Base
|
|
8
8
|
protected
|
9
9
|
|
10
10
|
def configure_permitted_parameters
|
11
|
-
|
12
|
-
|
13
|
-
permitted_parameters[:sign_up] << :favorite_color
|
14
|
-
permitted_parameters[:account_update] << :operating_thetan
|
15
|
-
permitted_parameters[:account_update] << :favorite_color
|
16
|
-
permitted_parameters[:account_update] << :current_password
|
11
|
+
devise_parameter_sanitizer.permit(:sign_up, keys: [:operating_thetan, :favorite_color])
|
12
|
+
devise_parameter_sanitizer.permit(:account_update, keys: [:operating_thetan, :favorite_color, :current_password])
|
17
13
|
end
|
18
14
|
end
|
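Review bot: The new `devise_parameter_sanitizer.permit(:account_update, keys: [...])` at new line 12 permits `:current_password` without saying why, and a later reader could drop it as an apparent leak of a credential into update params. Add a comment above it like `# :current_password must be permitted so check_current_password_before_update can verify it` (the registrations test in this diff sets `DeviseTokenAuth.check_current_password_before_update = :password`). The `before_action` that invokes `configure_permitted_parameters` is outside this hunk, so whether it is scoped with `if: :devise_controller?` cannot be confirmed here.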