devise_token_auth 1.0.0 → 1.2.2

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -10,6 +10,17 @@ require 'test_helper'
 
 class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::RegistrationsController do
+
+    def mock_registration_params
+      {
+        email: Faker::Internet.email,
+        password: 'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url: Faker::Internet.url,
+        unpermitted_param: '(x_x)'
+      }
+    end
+
     describe 'Validate non-empty body' do
       before do
         # need to post empty data
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @mails_sent = ActionMailer::Base.deliveries.count
 
         post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
+             params: mock_registration_params
 
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -83,6 +88,41 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
     end
 
+    describe 'using allow_unconfirmed_access_for' do
+      before do
+        @original_duration = Devise.allow_unconfirmed_access_for
+        Devise.allow_unconfirmed_access_for = nil
+      end
+
+      test 'auth headers were returned in response' do
+        post '/auth', params: mock_registration_params
+        assert response.headers['access-token']
+        assert response.headers['token-type']
+        assert response.headers['client']
+        assert response.headers['expiry']
+        assert response.headers['uid']
+      end
+
+      describe 'using auth cookie' do
+        before do
+          DeviseTokenAuth.cookie_enabled = true
+        end
+
+        test 'auth cookie was returned in response' do
+          post '/auth', params: mock_registration_params
+          assert response.cookies[DeviseTokenAuth.cookie_name]
+        end
+
+        after do
+          DeviseTokenAuth.cookie_enabled = false
+        end
+      end
+
+      after do
+        Devise.allow_unconfirmed_access_for = @original_duration
+      end
+    end
+
     describe 'using "+" in email' do
       test 'can use + sign in email addresses' do
         @plus_email = 'ak+testing@gmail.com'
@@ -266,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @data = JSON.parse(response.body)
         @mail = ActionMailer::Base.deliveries.last
 
-        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
         @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       end
@@ -305,7 +345,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -333,7 +373,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -362,7 +402,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -393,7 +433,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
 
       test 'error should be returned in the response' do
@@ -465,7 +505,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -572,7 +612,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -623,7 +663,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           before do
             DeviseTokenAuth.check_current_password_before_update = :password
             @new_operating_thetan = 1_000_000
-            @email = 'AlternatingCase2@example.com'
+            @email = Faker::Internet.safe_email
           end
 
           after do
@@ -786,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
         @resource.reload
 
-        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
         @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       end

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -17,26 +17,15 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
       describe 'success' do
         before do
-          @old_sign_in_count      = @existing_user.sign_in_count
-          @old_current_sign_in_at = @existing_user.current_sign_in_at
-          @old_last_sign_in_at    = @existing_user.last_sign_in_at
-          @old_sign_in_ip         = @existing_user.current_sign_in_ip
-          @old_last_sign_in_ip    = @existing_user.last_sign_in_ip
+          @user_session_params = {
+            email: @existing_user.email,
+            password: @existing_user.password
+          }
 
-          post :create,
-               params: {
-                 email: @existing_user.email,
-                 password: @existing_user.password
-               }
+          post :create, params: @user_session_params
 
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
-
-          @new_sign_in_count      = @resource.sign_in_count
-          @new_current_sign_in_at = @resource.current_sign_in_at
-          @new_last_sign_in_at    = @resource.last_sign_in_at
-          @new_sign_in_ip         = @resource.current_sign_in_ip
-          @new_last_sign_in_ip    = @resource.last_sign_in_ip
         end
 
         test 'request should succeed' do
@@ -47,29 +36,22 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
 
-        describe 'trackable' do
-          test 'sign_in_count incrementns' do
-            assert_equal @old_sign_in_count + 1, @new_sign_in_count
-          end
-
-          test 'current_sign_in_at is updated' do
-            refute @old_current_sign_in_at
-            assert @new_current_sign_in_at
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+            post :create, params: @user_session_params
           end
 
-          test 'last_sign_in_at is updated' do
-            refute @old_last_sign_in_at
-            assert @new_last_sign_in_at
+          test 'request should return auth cookie' do
+            assert response.cookies[DeviseTokenAuth.cookie_name]
           end
 
-          test 'sign_in_ip is updated' do
-            refute @old_sign_in_ip
-            assert_equal '0.0.0.0', @new_sign_in_ip
+          test 'request should not include bearer token' do
+            assert_nil response.headers["Authorization"]
           end
 
-          test 'last_sign_in_ip is updated' do
-            refute @old_last_sign_in_ip
-            assert_equal '0.0.0.0', @new_last_sign_in_ip
+          after do
+            DeviseTokenAuth.cookie_enabled = false
           end
         end
 
@@ -79,11 +61,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
             #  to expedite tests! (Default is 10)
             DeviseTokenAuth.max_number_of_devices = 2
             DeviseTokenAuth.change_headers_on_each_request = false
-
-            @user_session_params = {
-              email: @existing_user.email,
-              password: @existing_user.password
-            }
           end
 
           test 'should limit the maximum number of concurrent devices' do
@@ -197,6 +174,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         test 'session was destroyed' do
           assert_equal true, @controller.reset_session_called
         end
+
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+            @auth_token = @existing_user.create_new_auth_token
+            @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
+          end
+
+          test 'auth cookie was destroyed' do
+            assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
+            delete :destroy, format: :json
+            assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
       end
 
       describe 'unauthed user sign out' do
@@ -315,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
     end
 
     describe 'Unconfirmed user' do
-      before do
-        @unconfirmed_user = create(:user)
-        post :create, params: { email: @unconfirmed_user.email,
-                                password: @unconfirmed_user.password }
-        @resource = assigns(:resource)
-        @data = JSON.parse(response.body)
-      end
+      describe 'Without paranoid mode' do
+        before do
+          @unconfirmed_user = create(:user)
+          post :create, params: { email: @unconfirmed_user.email,
+                                  password: @unconfirmed_user.password }
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'request should fail' do
-        assert_equal 401, response.status
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors' do
+          assert @data['errors']
+          assert_equal @data['errors'],
+                      [I18n.t('devise_token_auth.sessions.not_confirmed',
+                              email: @unconfirmed_user.email)]
+        end
       end
+      
+      describe 'With paranoid mode' do
+        before do
+          @unconfirmed_user = create(:user)
+          swap Devise, paranoid: true do
+            post :create, params: { email: @unconfirmed_user.email,
+                                    password: @unconfirmed_user.password }
+          end
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'response should contain errors' do
-        assert @data['errors']
-        assert_equal @data['errors'],
-                     [I18n.t('devise_token_auth.sessions.not_confirmed',
-                             email: @unconfirmed_user.email)]
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors that do not leak the existence of the account' do
+          assert @data['errors']
+          assert_equal @data['errors'],
+                      [I18n.t('devise_token_auth.sessions.bad_credentials')]
+        end
       end
     end
 
@@ -380,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
     end
 
     describe 'Non-existing user' do
-      before do
-        post :create,
-             params: { email: -> { Faker::Internet.email },
-                       password: -> { Faker::Number.number(10) } }
-        @resource = assigns(:resource)
-        @data = JSON.parse(response.body)
-      end
+      describe 'Without paranoid mode' do
+        before do
+          post :create,
+              params: { email: -> { Faker::Internet.email },
+                        password: -> { Faker::Number.number(10) } }
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'request should fail' do
-        assert_equal 401, response.status
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors' do
+          assert @data['errors']
+        end
       end
 
-      test 'response should contain errors' do
-        assert @data['errors']
+      describe 'With paranoid mode' do
+        before do
+          mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
+          @bcrypt_mock = MiniTest::Mock.new
+          @bcrypt_mock.expect(:call, mock_hash, [Object, String])
+
+          swap Devise, paranoid: true do
+            BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
+              post :create,
+                  params: { email: -> { Faker::Internet.email },
+                            password: -> { Faker::Number.number(10) } }
+            end
+          end
+        end
+        
+        test 'password should be hashed' do
+          @bcrypt_mock.verify
+        end
       end
     end
 
@@ -477,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       end
 
       describe 'locked user' do
-        before do
-          @locked_user = create(:lockable_user, :locked)
-          post :create,
-               params: { email: @locked_user.email,
-                         password: @locked_user.password }
-          @data = JSON.parse(response.body)
-        end
+        describe 'Without paranoid mode' do
+          before do
+            @locked_user = create(:lockable_user, :locked)
+            post :create,
+                params: { email: @locked_user.email,
+                          password: @locked_user.password }
+            @data = JSON.parse(response.body)
+          end
 
-        test 'request should fail' do
-          assert_equal 401, response.status
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'response should contain errors' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
+          end
         end
 
-        test 'response should contain errors' do
-          assert @data['errors']
-          assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
+        describe 'With paranoid mode' do
+          before do
+            @locked_user = create(:lockable_user, :locked)
+            swap Devise, paranoid: true do
+              post :create,
+                  params: { email: @locked_user.email,
+                            password: @locked_user.password }
+            end
+            @data = JSON.parse(response.body)
+          end
+
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'response should contain errors that do not leak the existence of the account' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
+          end
         end
       end
 

data/test/controllers/devise_token_auth/token_validations_controller_test.rb

@@ -18,11 +18,51 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
       @token     = @auth_headers['access-token']
       @client_id = @auth_headers['client']
       @expiry    = @auth_headers['expiry']
-
+      @authorization_header = @auth_headers.slice('Authorization')
       # ensure that request is not treated as batch request
       age_token(@resource, @client_id)
     end
 
+    describe 'using only Authorization header' do
+      describe 'using valid Authorization header' do
+        before do
+          get '/auth/validate_token', params: {}, headers: @authorization_header
+        end
+
+        test 'token valid' do
+          assert_equal 200, response.status
+        end
+      end
+
+      describe 'using invalid Authorization header' do
+        describe 'with invalid base64' do
+          before do
+            get '/auth/validate_token', params: {}, headers: {'Authorization': 'Bearer invalidtoken=='}
+          end
+
+          test 'returns access denied' do
+            assert_equal 401, response.status
+          end
+        end
+
+        describe 'with valid base64' do
+          before do
+            valid_base64 = Base64.strict_encode64({
+              "access-token": 'invalidtoken',
+              "token-type": 'Bearer',
+              "client": 'client',
+              "expiry": '1234567'
+            }.to_json)
+            get '/auth/validate_token', params: {}, headers: {'Authorization': "Bearer #{valid_base64}"}
+          end
+
+          test 'returns access denied' do
+            assert_equal 401, response.status
+          end
+        end
+      end
+    end
+
     describe 'vanilla user' do
       before do
         get '/auth/validate_token', params: {}, headers: @auth_headers
@@ -47,7 +87,8 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
 
     describe 'with invalid user' do
       before do
-        @resource.update_column :email, 'invalid'
+        @resource.update_column(:email, 'invalid') if DEVISE_TOKEN_AUTH_ORM == :active_record
+        @resource.set(email: 'invalid') if DEVISE_TOKEN_AUTH_ORM == :mongoid
       end
 
       test 'request should raise invalid model error' do

data/test/controllers/devise_token_auth/unlocks_controller_test.rb

@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
       end
 
       describe 'request unlock' do
-        describe 'unknown user should return 404' do
+        describe 'without paranoid mode' do
           before do
             post :create, params: { email: 'chester@cheet.ah' }
             @data = JSON.parse(response.body)
@@ -68,13 +68,32 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
 
           test 'errors should be returned' do
             assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
+                                                  email: 'chester@cheet.ah')]
           end
         end
 
-        describe 'successfully requested unlock' do
+        describe 'with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: 'chester@cheet.ah' }
+              @data = JSON.parse(response.body)
+            end
+          end
+
+          test 'should always return success' do
+            assert_equal 200, response.status
+          end
+
+          test 'errors should not be returned' do
+            assert @data['success']
+            assert_equal \
+              @data['message'],
+            I18n.t('devise_token_auth.unlocks.sended_paranoid')
+          end
+        end
+
+        describe 'successfully requested unlock without paranoid mode' do
           before do
             post :create, params: { email: @resource.email }
 
@@ -86,6 +105,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
           end
         end
 
+        describe 'successfully requested unlock with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: @resource.email }
+              @data = JSON.parse(response.body)
+            end
+          end
+
+          test 'should always return success' do
+            assert_equal 200, response.status
+          end
+
+          test 'errors should not be returned' do
+            assert @data['success']
+            assert_equal \
+              @data['message'],
+            I18n.t('devise_token_auth.unlocks.sended_paranoid')
+          end
+        end
+
         describe 'case-sensitive email' do
           before do
             post :create, params: { email: @resource.email }

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -38,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
       override_proof_str = '(^^,)'
 
       # ensure present in redirect URL
-      override_proof_param = URI.unescape(response.headers['Location']
+      override_proof_param = CGI.unescape(response.headers['Location']
                                 .match(/override_proof=([^&]*)&/)[1])
 
       assert_equal override_proof_str, override_proof_param

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb

@@ -25,7 +25,7 @@ class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTe
 
       @favorite_color = 'gray'
 
-      get '/evil_user_auth/facebook',
+      post '/evil_user_auth/facebook',
           params: {
             auth_origin_url: Faker::Internet.url,
             favorite_color: @favorite_color,

data/test/dummy/app/active_record/confirmable_user.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ConfirmableUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable,
+         :validatable, :confirmable
+  DeviseTokenAuth.send_confirmation_email = true
+  include DeviseTokenAuth::Concerns::User
+  DeviseTokenAuth.send_confirmation_email = false
+end

data/test/dummy/app/{models → active_record}/scoped_user.rb

@@ -3,7 +3,7 @@
 class ScopedUser < ActiveRecord::Base
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable,
-         :confirmable, :omniauthable
+         :recoverable, :rememberable,
+         :validatable, :confirmable, :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/{models → active_record}/unconfirmable_user.rb

@@ -4,7 +4,6 @@ class UnconfirmableUser < ActiveRecord::Base
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable,
-         :trackable, :validatable,
-         :omniauthable
+         :validatable, :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/{models → active_record}/unregisterable_user.rb

@@ -2,8 +2,8 @@
 
 class UnregisterableUser < ActiveRecord::Base
   # Include default devise modules.
-  devise :database_authenticatable,
-         :recoverable, :trackable, :validatable,
-         :confirmable, :omniauthable
+  devise :database_authenticatable, :recoverable,
+         :validatable, :confirmable,
+         :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/active_record/user.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class User < ActiveRecord::Base
+  include DeviseTokenAuth::Concerns::User
+  include FavoriteColor
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -8,11 +8,7 @@ class ApplicationController < ActionController::Base
   protected
 
   def configure_permitted_parameters
-    permitted_parameters = devise_parameter_sanitizer.instance_values['permitted']
-    permitted_parameters[:sign_up] << :operating_thetan
-    permitted_parameters[:sign_up] << :favorite_color
-    permitted_parameters[:account_update] << :operating_thetan
-    permitted_parameters[:account_update] << :favorite_color
-    permitted_parameters[:account_update] << :current_password
+    devise_parameter_sanitizer.permit(:sign_up, keys: [:operating_thetan, :favorite_color])
+    devise_parameter_sanitizer.permit(:account_update, keys: [:operating_thetan, :favorite_color, :current_password])
   end
 end