devise_token_auth 1.0.0 → 1.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/README.md +6 -3
- data/app/controllers/devise_token_auth/application_controller.rb +23 -3
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +24 -11
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +78 -57
- data/app/controllers/devise_token_auth/confirmations_controller.rb +69 -19
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +89 -44
- data/app/controllers/devise_token_auth/passwords_controller.rb +55 -31
- data/app/controllers/devise_token_auth/registrations_controller.rb +33 -40
- data/app/controllers/devise_token_auth/sessions_controller.rb +36 -14
- data/app/controllers/devise_token_auth/unlocks_controller.rb +12 -7
- data/app/models/devise_token_auth/concerns/active_record_support.rb +14 -0
- data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
- data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
- data/app/models/devise_token_auth/concerns/tokens_serialization.rb +31 -0
- data/app/models/devise_token_auth/concerns/user.rb +79 -80
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +12 -5
- data/app/validators/{email_validator.rb → devise_token_auth_email_validator.rb} +11 -3
- data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
- data/config/locales/da-DK.yml +2 -0
- data/config/locales/de.yml +2 -0
- data/config/locales/en.yml +10 -0
- data/config/locales/es.yml +2 -0
- data/config/locales/fr.yml +2 -0
- data/config/locales/he.yml +52 -0
- data/config/locales/it.yml +2 -0
- data/config/locales/ja.yml +16 -2
- data/config/locales/ko.yml +51 -0
- data/config/locales/nl.yml +2 -0
- data/config/locales/pl.yml +6 -3
- data/config/locales/pt-BR.yml +2 -0
- data/config/locales/pt.yml +6 -3
- data/config/locales/ro.yml +2 -0
- data/config/locales/ru.yml +2 -0
- data/config/locales/sq.yml +2 -0
- data/config/locales/sv.yml +2 -0
- data/config/locales/uk.yml +2 -0
- data/config/locales/vi.yml +2 -0
- data/config/locales/zh-CN.yml +2 -0
- data/config/locales/zh-HK.yml +2 -0
- data/config/locales/zh-TW.yml +2 -0
- data/lib/devise_token_auth/blacklist.rb +6 -0
- data/lib/devise_token_auth/controllers/helpers.rb +5 -9
- data/lib/devise_token_auth/engine.rb +17 -2
- data/lib/devise_token_auth/rails/routes.rb +22 -16
- data/lib/devise_token_auth/token_factory.rb +126 -0
- data/lib/devise_token_auth/url.rb +3 -0
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/devise_token_auth.rb +6 -3
- data/lib/generators/devise_token_auth/USAGE +1 -1
- data/lib/generators/devise_token_auth/install_generator.rb +7 -91
- data/lib/generators/devise_token_auth/install_generator_helpers.rb +98 -0
- data/lib/generators/devise_token_auth/install_mongoid_generator.rb +46 -0
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +21 -5
- data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -8
- data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
- data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +56 -0
- data/test/controllers/custom/custom_confirmations_controller_test.rb +2 -2
- data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +1 -1
- data/test/controllers/demo_mang_controller_test.rb +37 -8
- data/test/controllers/demo_user_controller_test.rb +39 -10
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +170 -22
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +117 -53
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +299 -122
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +56 -16
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +139 -75
- data/test/controllers/devise_token_auth/token_validations_controller_test.rb +43 -2
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +44 -5
- data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
- data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +1 -1
- data/test/dummy/app/active_record/confirmable_user.rb +11 -0
- data/test/dummy/app/{models → active_record}/scoped_user.rb +2 -2
- data/test/dummy/app/{models → active_record}/unconfirmable_user.rb +1 -2
- data/test/dummy/app/{models → active_record}/unregisterable_user.rb +3 -3
- data/test/dummy/app/active_record/user.rb +6 -0
- data/test/dummy/app/controllers/application_controller.rb +2 -6
- data/test/dummy/app/controllers/overrides/confirmations_controller.rb +5 -4
- data/test/dummy/app/controllers/overrides/passwords_controller.rb +5 -4
- data/test/dummy/app/controllers/overrides/registrations_controller.rb +1 -1
- data/test/dummy/app/controllers/overrides/sessions_controller.rb +2 -2
- data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} +7 -8
- data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
- data/test/dummy/app/mongoid/lockable_user.rb +38 -0
- data/test/dummy/app/mongoid/mang.rb +46 -0
- data/test/dummy/app/mongoid/only_email_user.rb +33 -0
- data/test/dummy/app/mongoid/scoped_user.rb +50 -0
- data/test/dummy/app/mongoid/unconfirmable_user.rb +44 -0
- data/test/dummy/app/mongoid/unregisterable_user.rb +47 -0
- data/test/dummy/app/mongoid/user.rb +49 -0
- data/test/dummy/app/views/layouts/application.html.erb +0 -2
- data/test/dummy/config/application.rb +22 -1
- data/test/dummy/config/boot.rb +4 -0
- data/test/dummy/config/environments/development.rb +0 -10
- data/test/dummy/config/environments/production.rb +0 -16
- data/test/dummy/config/environments/test.rb +6 -2
- data/test/dummy/config/initializers/devise.rb +285 -0
- data/test/dummy/config/initializers/devise_token_auth.rb +35 -4
- data/test/dummy/config/initializers/figaro.rb +1 -1
- data/test/dummy/config/initializers/omniauth.rb +1 -0
- data/test/dummy/config/routes.rb +2 -0
- data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +0 -7
- data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +0 -7
- data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +0 -7
- data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +0 -7
- data/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +0 -7
- data/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb +0 -7
- data/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb +0 -7
- data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
- data/test/dummy/db/schema.rb +31 -33
- data/test/dummy/tmp/generators/app/models/user.rb +9 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +66 -0
- data/test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb +49 -0
- data/test/factories/users.rb +3 -2
- data/test/lib/devise_token_auth/blacklist_test.rb +19 -0
- data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
- data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
- data/test/lib/devise_token_auth/token_factory_test.rb +191 -0
- data/test/lib/devise_token_auth/url_test.rb +2 -2
- data/test/lib/generators/devise_token_auth/install_generator_test.rb +51 -31
- data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +51 -31
- data/test/models/concerns/mongoid_support_test.rb +31 -0
- data/test/models/concerns/tokens_serialization_test.rb +104 -0
- data/test/models/confirmable_user_test.rb +35 -0
- data/test/models/only_email_user_test.rb +0 -8
- data/test/models/user_test.rb +13 -23
- data/test/test_helper.rb +45 -4
- metadata +190 -97
- data/config/initializers/devise.rb +0 -198
- data/test/dummy/config/initializers/assets.rb +0 -10
- data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
- data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
- /data/test/dummy/app/{models → active_record}/lockable_user.rb +0 -0
- /data/test/dummy/app/{models → active_record}/mang.rb +0 -0
- /data/test/dummy/app/{models → active_record}/only_email_user.rb +0 -0
@@ -10,6 +10,17 @@ require 'test_helper'
|
|
10
10
|
|
11
11
|
class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
|
12
12
|
describe DeviseTokenAuth::RegistrationsController do
|
13
|
+
|
14
|
+
def mock_registration_params
|
15
|
+
{
|
16
|
+
email: Faker::Internet.email,
|
17
|
+
password: 'secret123',
|
18
|
+
password_confirmation: 'secret123',
|
19
|
+
confirm_success_url: Faker::Internet.url,
|
20
|
+
unpermitted_param: '(x_x)'
|
21
|
+
}
|
22
|
+
end
|
23
|
+
|
13
24
|
describe 'Validate non-empty body' do
|
14
25
|
before do
|
15
26
|
# need to post empty data
|
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
41
52
|
@mails_sent = ActionMailer::Base.deliveries.count
|
42
53
|
|
43
54
|
post '/auth',
|
44
|
-
params:
|
45
|
-
email: Faker::Internet.email,
|
46
|
-
password: 'secret123',
|
47
|
-
password_confirmation: 'secret123',
|
48
|
-
confirm_success_url: Faker::Internet.url,
|
49
|
-
unpermitted_param: '(x_x)'
|
50
|
-
}
|
55
|
+
params: mock_registration_params
|
51
56
|
|
52
57
|
@resource = assigns(:resource)
|
53
58
|
@data = JSON.parse(response.body)
|
@@ -83,6 +88,41 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
83
88
|
end
|
84
89
|
end
|
85
90
|
|
91
|
+
describe 'using allow_unconfirmed_access_for' do
|
92
|
+
before do
|
93
|
+
@original_duration = Devise.allow_unconfirmed_access_for
|
94
|
+
Devise.allow_unconfirmed_access_for = nil
|
95
|
+
end
|
96
|
+
|
97
|
+
test 'auth headers were returned in response' do
|
98
|
+
post '/auth', params: mock_registration_params
|
99
|
+
assert response.headers['access-token']
|
100
|
+
assert response.headers['token-type']
|
101
|
+
assert response.headers['client']
|
102
|
+
assert response.headers['expiry']
|
103
|
+
assert response.headers['uid']
|
104
|
+
end
|
105
|
+
|
106
|
+
describe 'using auth cookie' do
|
107
|
+
before do
|
108
|
+
DeviseTokenAuth.cookie_enabled = true
|
109
|
+
end
|
110
|
+
|
111
|
+
test 'auth cookie was returned in response' do
|
112
|
+
post '/auth', params: mock_registration_params
|
113
|
+
assert response.cookies[DeviseTokenAuth.cookie_name]
|
114
|
+
end
|
115
|
+
|
116
|
+
after do
|
117
|
+
DeviseTokenAuth.cookie_enabled = false
|
118
|
+
end
|
119
|
+
end
|
120
|
+
|
121
|
+
after do
|
122
|
+
Devise.allow_unconfirmed_access_for = @original_duration
|
123
|
+
end
|
124
|
+
end
|
125
|
+
|
86
126
|
describe 'using "+" in email' do
|
87
127
|
test 'can use + sign in email addresses' do
|
88
128
|
@plus_email = 'ak+testing@gmail.com'
|
@@ -266,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
266
306
|
@data = JSON.parse(response.body)
|
267
307
|
@mail = ActionMailer::Base.deliveries.last
|
268
308
|
|
269
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
309
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
270
310
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
271
311
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
272
312
|
end
|
@@ -305,7 +345,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
305
345
|
end
|
306
346
|
|
307
347
|
test 'user should not have been created' do
|
308
|
-
|
348
|
+
refute @resource.persisted?
|
309
349
|
end
|
310
350
|
|
311
351
|
test 'error should be returned in the response' do
|
@@ -333,7 +373,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
333
373
|
end
|
334
374
|
|
335
375
|
test 'user should not have been created' do
|
336
|
-
|
376
|
+
refute @resource.persisted?
|
337
377
|
end
|
338
378
|
|
339
379
|
test 'error should be returned in the response' do
|
@@ -362,7 +402,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
362
402
|
end
|
363
403
|
|
364
404
|
test 'user should have been created' do
|
365
|
-
|
405
|
+
refute @resource.persisted?
|
366
406
|
end
|
367
407
|
|
368
408
|
test 'error should be returned in the response' do
|
@@ -393,7 +433,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
393
433
|
end
|
394
434
|
|
395
435
|
test 'user should have been created' do
|
396
|
-
|
436
|
+
refute @resource.persisted?
|
397
437
|
end
|
398
438
|
|
399
439
|
test 'error should be returned in the response' do
|
@@ -465,7 +505,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
465
505
|
# test valid update param
|
466
506
|
@resource_class = User
|
467
507
|
@new_operating_thetan = 1_000_000
|
468
|
-
@email =
|
508
|
+
@email = Faker::Internet.safe_email
|
469
509
|
@request_params = {
|
470
510
|
operating_thetan: @new_operating_thetan,
|
471
511
|
email: @email
|
@@ -572,7 +612,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
572
612
|
# test valid update param
|
573
613
|
@resource_class = User
|
574
614
|
@new_operating_thetan = 1_000_000
|
575
|
-
@email =
|
615
|
+
@email = Faker::Internet.safe_email
|
576
616
|
@request_params = {
|
577
617
|
operating_thetan: @new_operating_thetan,
|
578
618
|
email: @email
|
@@ -623,7 +663,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
623
663
|
before do
|
624
664
|
DeviseTokenAuth.check_current_password_before_update = :password
|
625
665
|
@new_operating_thetan = 1_000_000
|
626
|
-
@email =
|
666
|
+
@email = Faker::Internet.safe_email
|
627
667
|
end
|
628
668
|
|
629
669
|
after do
|
@@ -786,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
786
826
|
|
787
827
|
@resource.reload
|
788
828
|
|
789
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
829
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
790
830
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
791
831
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
792
832
|
end
|
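Review bot: The 'using auth cookie' test added in the hunk at `@@ -83,6 +88,41 @@` only checks that `response.cookies[DeviseTokenAuth.cookie_name]` is present, so a regression that drops the cookie's HttpOnly/Secure/SameSite attributes would still pass even though this cookie carries the session token; pin the attributes too, e.g. `assert_match(/httponly/i, response.headers['Set-Cookie'])`, aligned with whatever the dummy initializer sets for the cookie (if it configures `DeviseTokenAuth.cookie_attributes` — confirm). The same presence-only check appears in the sessions controller section's 'request should return auth cookie' test. Separately, the hunks at `@@ -362,7 +402,7 @@` and `@@ -393,7 +433,7 @@` now assert `refute @resource.persisted?` under tests still named 'user should have been created'; rename them to `test 'user should not have been created' do` to match the sibling hunks at `@@ -305` and `@@ -333`.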
@@ -17,26 +17,15 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
17
17
|
|
18
18
|
describe 'success' do
|
19
19
|
before do
|
20
|
-
@
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
@old_last_sign_in_ip = @existing_user.last_sign_in_ip
|
20
|
+
@user_session_params = {
|
21
|
+
email: @existing_user.email,
|
22
|
+
password: @existing_user.password
|
23
|
+
}
|
25
24
|
|
26
|
-
post :create,
|
27
|
-
params: {
|
28
|
-
email: @existing_user.email,
|
29
|
-
password: @existing_user.password
|
30
|
-
}
|
25
|
+
post :create, params: @user_session_params
|
31
26
|
|
32
27
|
@resource = assigns(:resource)
|
33
28
|
@data = JSON.parse(response.body)
|
34
|
-
|
35
|
-
@new_sign_in_count = @resource.sign_in_count
|
36
|
-
@new_current_sign_in_at = @resource.current_sign_in_at
|
37
|
-
@new_last_sign_in_at = @resource.last_sign_in_at
|
38
|
-
@new_sign_in_ip = @resource.current_sign_in_ip
|
39
|
-
@new_last_sign_in_ip = @resource.last_sign_in_ip
|
40
29
|
end
|
41
30
|
|
42
31
|
test 'request should succeed' do
|
@@ -47,29 +36,22 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
47
36
|
assert_equal @existing_user.email, @data['data']['email']
|
48
37
|
end
|
49
38
|
|
50
|
-
describe '
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
test 'current_sign_in_at is updated' do
|
56
|
-
refute @old_current_sign_in_at
|
57
|
-
assert @new_current_sign_in_at
|
39
|
+
describe 'using auth cookie' do
|
40
|
+
before do
|
41
|
+
DeviseTokenAuth.cookie_enabled = true
|
42
|
+
post :create, params: @user_session_params
|
58
43
|
end
|
59
44
|
|
60
|
-
test '
|
61
|
-
|
62
|
-
assert @new_last_sign_in_at
|
45
|
+
test 'request should return auth cookie' do
|
46
|
+
assert response.cookies[DeviseTokenAuth.cookie_name]
|
63
47
|
end
|
64
48
|
|
65
|
-
test '
|
66
|
-
|
67
|
-
assert_equal '0.0.0.0', @new_sign_in_ip
|
49
|
+
test 'request should not include bearer token' do
|
50
|
+
assert_nil response.headers["Authorization"]
|
68
51
|
end
|
69
52
|
|
70
|
-
|
71
|
-
|
72
|
-
assert_equal '0.0.0.0', @new_last_sign_in_ip
|
53
|
+
after do
|
54
|
+
DeviseTokenAuth.cookie_enabled = false
|
73
55
|
end
|
74
56
|
end
|
75
57
|
|
@@ -79,11 +61,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
79
61
|
# to expedite tests! (Default is 10)
|
80
62
|
DeviseTokenAuth.max_number_of_devices = 2
|
81
63
|
DeviseTokenAuth.change_headers_on_each_request = false
|
82
|
-
|
83
|
-
@user_session_params = {
|
84
|
-
email: @existing_user.email,
|
85
|
-
password: @existing_user.password
|
86
|
-
}
|
87
64
|
end
|
88
65
|
|
89
66
|
test 'should limit the maximum number of concurrent devices' do
|
@@ -197,6 +174,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
197
174
|
test 'session was destroyed' do
|
198
175
|
assert_equal true, @controller.reset_session_called
|
199
176
|
end
|
177
|
+
|
178
|
+
describe 'using auth cookie' do
|
179
|
+
before do
|
180
|
+
DeviseTokenAuth.cookie_enabled = true
|
181
|
+
@auth_token = @existing_user.create_new_auth_token
|
182
|
+
@controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
|
183
|
+
end
|
184
|
+
|
185
|
+
test 'auth cookie was destroyed' do
|
186
|
+
assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
|
187
|
+
delete :destroy, format: :json
|
188
|
+
assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
|
189
|
+
end
|
190
|
+
|
191
|
+
after do
|
192
|
+
DeviseTokenAuth.cookie_enabled = false
|
193
|
+
end
|
194
|
+
end
|
200
195
|
end
|
201
196
|
|
202
197
|
describe 'unauthed user sign out' do
|
@@ -315,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
315
310
|
end
|
316
311
|
|
317
312
|
describe 'Unconfirmed user' do
|
318
|
-
|
319
|
-
|
320
|
-
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
313
|
+
describe 'Without paranoid mode' do
|
314
|
+
before do
|
315
|
+
@unconfirmed_user = create(:user)
|
316
|
+
post :create, params: { email: @unconfirmed_user.email,
|
317
|
+
password: @unconfirmed_user.password }
|
318
|
+
@resource = assigns(:resource)
|
319
|
+
@data = JSON.parse(response.body)
|
320
|
+
end
|
325
321
|
|
326
|
-
|
327
|
-
|
322
|
+
test 'request should fail' do
|
323
|
+
assert_equal 401, response.status
|
324
|
+
end
|
325
|
+
|
326
|
+
test 'response should contain errors' do
|
327
|
+
assert @data['errors']
|
328
|
+
assert_equal @data['errors'],
|
329
|
+
[I18n.t('devise_token_auth.sessions.not_confirmed',
|
330
|
+
email: @unconfirmed_user.email)]
|
331
|
+
end
|
328
332
|
end
|
333
|
+
|
334
|
+
describe 'With paranoid mode' do
|
335
|
+
before do
|
336
|
+
@unconfirmed_user = create(:user)
|
337
|
+
swap Devise, paranoid: true do
|
338
|
+
post :create, params: { email: @unconfirmed_user.email,
|
339
|
+
password: @unconfirmed_user.password }
|
340
|
+
end
|
341
|
+
@resource = assigns(:resource)
|
342
|
+
@data = JSON.parse(response.body)
|
343
|
+
end
|
329
344
|
|
330
|
-
|
331
|
-
|
332
|
-
|
333
|
-
|
334
|
-
|
345
|
+
test 'request should fail' do
|
346
|
+
assert_equal 401, response.status
|
347
|
+
end
|
348
|
+
|
349
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
350
|
+
assert @data['errors']
|
351
|
+
assert_equal @data['errors'],
|
352
|
+
[I18n.t('devise_token_auth.sessions.bad_credentials')]
|
353
|
+
end
|
335
354
|
end
|
336
355
|
end
|
337
356
|
|
@@ -380,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
380
399
|
end
|
381
400
|
|
382
401
|
describe 'Non-existing user' do
|
383
|
-
|
384
|
-
|
385
|
-
|
386
|
-
|
387
|
-
|
388
|
-
|
389
|
-
|
402
|
+
describe 'Without paranoid mode' do
|
403
|
+
before do
|
404
|
+
post :create,
|
405
|
+
params: { email: -> { Faker::Internet.email },
|
406
|
+
password: -> { Faker::Number.number(10) } }
|
407
|
+
@resource = assigns(:resource)
|
408
|
+
@data = JSON.parse(response.body)
|
409
|
+
end
|
390
410
|
|
391
|
-
|
392
|
-
|
411
|
+
test 'request should fail' do
|
412
|
+
assert_equal 401, response.status
|
413
|
+
end
|
414
|
+
|
415
|
+
test 'response should contain errors' do
|
416
|
+
assert @data['errors']
|
417
|
+
end
|
393
418
|
end
|
394
419
|
|
395
|
-
|
396
|
-
|
420
|
+
describe 'With paranoid mode' do
|
421
|
+
before do
|
422
|
+
mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
|
423
|
+
@bcrypt_mock = MiniTest::Mock.new
|
424
|
+
@bcrypt_mock.expect(:call, mock_hash, [Object, String])
|
425
|
+
|
426
|
+
swap Devise, paranoid: true do
|
427
|
+
BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
|
428
|
+
post :create,
|
429
|
+
params: { email: -> { Faker::Internet.email },
|
430
|
+
password: -> { Faker::Number.number(10) } }
|
431
|
+
end
|
432
|
+
end
|
433
|
+
end
|
434
|
+
|
435
|
+
test 'password should be hashed' do
|
436
|
+
@bcrypt_mock.verify
|
437
|
+
end
|
397
438
|
end
|
398
439
|
end
|
399
440
|
|
@@ -477,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
477
518
|
end
|
478
519
|
|
479
520
|
describe 'locked user' do
|
480
|
-
|
481
|
-
|
482
|
-
|
483
|
-
|
484
|
-
|
485
|
-
|
486
|
-
|
521
|
+
describe 'Without paranoid mode' do
|
522
|
+
before do
|
523
|
+
@locked_user = create(:lockable_user, :locked)
|
524
|
+
post :create,
|
525
|
+
params: { email: @locked_user.email,
|
526
|
+
password: @locked_user.password }
|
527
|
+
@data = JSON.parse(response.body)
|
528
|
+
end
|
487
529
|
|
488
|
-
|
489
|
-
|
530
|
+
test 'request should fail' do
|
531
|
+
assert_equal 401, response.status
|
532
|
+
end
|
533
|
+
|
534
|
+
test 'response should contain errors' do
|
535
|
+
assert @data['errors']
|
536
|
+
assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
|
537
|
+
end
|
490
538
|
end
|
491
539
|
|
492
|
-
|
493
|
-
|
494
|
-
|
540
|
+
describe 'With paranoid mode' do
|
541
|
+
before do
|
542
|
+
@locked_user = create(:lockable_user, :locked)
|
543
|
+
swap Devise, paranoid: true do
|
544
|
+
post :create,
|
545
|
+
params: { email: @locked_user.email,
|
546
|
+
password: @locked_user.password }
|
547
|
+
end
|
548
|
+
@data = JSON.parse(response.body)
|
549
|
+
end
|
550
|
+
|
551
|
+
test 'request should fail' do
|
552
|
+
assert_equal 401, response.status
|
553
|
+
end
|
554
|
+
|
555
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
556
|
+
assert @data['errors']
|
557
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
|
558
|
+
end
|
495
559
|
end
|
496
560
|
end
|
497
561
|
|
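Review bot: In the 'Non-existing user' hunk (`@@ -380,20 +399,42 @@`) the new `before` blocks pass lambdas as param values, `email: -> { Faker::Internet.email }` and `password: -> { Faker::Number.number(10) }`, and nothing calls them, so the request presumably carries the Proc's `to_param` text rather than a random address — the 401 still happens, but not for the reason the describe names. Drop the wrappers in both the 'Without paranoid mode' and 'With paranoid mode' cases: `params: { email: Faker::Internet.email, password: Faker::Number.number(10) }`. In the paranoid case the only assertion is `@bcrypt_mock.verify`, i.e. that a dummy hash ran for an unknown e-mail; the property that matters for account enumeration is that the response is indistinguishable from a wrong password, so also assert `assert_equal 401, response.status` and `assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]`, as the 'Unconfirmed user' and 'locked user' paranoid cases in this section already do.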
@@ -18,11 +18,51 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
|
|
18
18
|
@token = @auth_headers['access-token']
|
19
19
|
@client_id = @auth_headers['client']
|
20
20
|
@expiry = @auth_headers['expiry']
|
21
|
-
|
21
|
+
@authorization_header = @auth_headers.slice('Authorization')
|
22
22
|
# ensure that request is not treated as batch request
|
23
23
|
age_token(@resource, @client_id)
|
24
24
|
end
|
25
25
|
|
26
|
+
describe 'using only Authorization header' do
|
27
|
+
describe 'using valid Authorization header' do
|
28
|
+
before do
|
29
|
+
get '/auth/validate_token', params: {}, headers: @authorization_header
|
30
|
+
end
|
31
|
+
|
32
|
+
test 'token valid' do
|
33
|
+
assert_equal 200, response.status
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
describe 'using invalid Authorization header' do
|
38
|
+
describe 'with invalid base64' do
|
39
|
+
before do
|
40
|
+
get '/auth/validate_token', params: {}, headers: {'Authorization': 'Bearer invalidtoken=='}
|
41
|
+
end
|
42
|
+
|
43
|
+
test 'returns access denied' do
|
44
|
+
assert_equal 401, response.status
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
48
|
+
describe 'with valid base64' do
|
49
|
+
before do
|
50
|
+
valid_base64 = Base64.strict_encode64({
|
51
|
+
"access-token": 'invalidtoken',
|
52
|
+
"token-type": 'Bearer',
|
53
|
+
"client": 'client',
|
54
|
+
"expiry": '1234567'
|
55
|
+
}.to_json)
|
56
|
+
get '/auth/validate_token', params: {}, headers: {'Authorization': "Bearer #{valid_base64}"}
|
57
|
+
end
|
58
|
+
|
59
|
+
test 'returns access denied' do
|
60
|
+
assert_equal 401, response.status
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
26
66
|
describe 'vanilla user' do
|
27
67
|
before do
|
28
68
|
get '/auth/validate_token', params: {}, headers: @auth_headers
|
@@ -47,7 +87,8 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
|
|
47
87
|
|
48
88
|
describe 'with invalid user' do
|
49
89
|
before do
|
50
|
-
@resource.update_column
|
90
|
+
@resource.update_column(:email, 'invalid') if DEVISE_TOKEN_AUTH_ORM == :active_record
|
91
|
+
@resource.set(email: 'invalid') if DEVISE_TOKEN_AUTH_ORM == :mongoid
|
51
92
|
end
|
52
93
|
|
53
94
|
test 'request should raise invalid model error' do
|
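Review bot: The 'using invalid Authorization header' cases in the hunk at `@@ -18,11 +18,51 @@` cover a non-decodable bearer and a well-formed JSON payload with a bad token, but not the path between them: valid base64 whose content is not JSON, or JSON that lacks `access-token`/`client`. Those inputs reach the header parser from an unauthenticated client, and if the parser does not rescue `JSON::ParserError` or a missing key they would surface as a 500 rather than the 401 this describe expects — the page does not show the parser, so confirm. Add a case such as `headers: { 'Authorization': "Bearer #{Base64.strict_encode64('not json')}" }` with `assert_equal 401, response.status`, and one with `{ "token-type": 'Bearer' }.to_json` as the payload.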
@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
|
|
57
57
|
end
|
58
58
|
|
59
59
|
describe 'request unlock' do
|
60
|
-
describe '
|
60
|
+
describe 'without paranoid mode' do
|
61
61
|
before do
|
62
62
|
post :create, params: { email: 'chester@cheet.ah' }
|
63
63
|
@data = JSON.parse(response.body)
|
@@ -68,13 +68,32 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
|
|
68
68
|
|
69
69
|
test 'errors should be returned' do
|
70
70
|
assert @data['errors']
|
71
|
-
assert_equal @data['errors'],
|
72
|
-
|
73
|
-
email: 'chester@cheet.ah')]
|
71
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
|
72
|
+
email: 'chester@cheet.ah')]
|
74
73
|
end
|
75
74
|
end
|
76
75
|
|
77
|
-
describe '
|
76
|
+
describe 'with paranoid mode' do
|
77
|
+
before do
|
78
|
+
swap Devise, paranoid: true do
|
79
|
+
post :create, params: { email: 'chester@cheet.ah' }
|
80
|
+
@data = JSON.parse(response.body)
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
test 'should always return success' do
|
85
|
+
assert_equal 200, response.status
|
86
|
+
end
|
87
|
+
|
88
|
+
test 'errors should not be returned' do
|
89
|
+
assert @data['success']
|
90
|
+
assert_equal \
|
91
|
+
@data['message'],
|
92
|
+
I18n.t('devise_token_auth.unlocks.sended_paranoid')
|
93
|
+
end
|
94
|
+
end
|
95
|
+
|
96
|
+
describe 'successfully requested unlock without paranoid mode' do
|
78
97
|
before do
|
79
98
|
post :create, params: { email: @resource.email }
|
80
99
|
|
@@ -86,6 +105,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
|
|
86
105
|
end
|
87
106
|
end
|
88
107
|
|
108
|
+
describe 'successfully requested unlock with paranoid mode' do
|
109
|
+
before do
|
110
|
+
swap Devise, paranoid: true do
|
111
|
+
post :create, params: { email: @resource.email }
|
112
|
+
@data = JSON.parse(response.body)
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
test 'should always return success' do
|
117
|
+
assert_equal 200, response.status
|
118
|
+
end
|
119
|
+
|
120
|
+
test 'errors should not be returned' do
|
121
|
+
assert @data['success']
|
122
|
+
assert_equal \
|
123
|
+
@data['message'],
|
124
|
+
I18n.t('devise_token_auth.unlocks.sended_paranoid')
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
89
128
|
describe 'case-sensitive email' do
|
90
129
|
before do
|
91
130
|
post :create, params: { email: @resource.email }
|
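Review bot: The two paranoid-mode describes in the hunks at `@@ -68,13 +68,32 @@` and `@@ -86,6 +105,26 @@` assert the same 200 and `sended_paranoid` message for an unknown and a known e-mail, which is the right shape, but neither asserts the side effect that is supposed to differ: `ActionMailer::Base.deliveries.count` should stay unchanged for 'chester@cheet.ah' and grow by one for `@resource.email`. Record `@mails_sent = ActionMailer::Base.deliveries.count` before the `post` in each `before` and assert on it, so a regression that stops sending the unlock mail, or that makes the two responses differ, is caught. The duplicated `should always return success` / `errors should not be returned` pairs could share one helper to keep the two cases literally identical.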
@@ -38,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
|
|
38
38
|
override_proof_str = '(^^,)'
|
39
39
|
|
40
40
|
# ensure present in redirect URL
|
41
|
-
override_proof_param =
|
41
|
+
override_proof_param = CGI.unescape(response.headers['Location']
|
42
42
|
.match(/override_proof=([^&]*)&/)[1])
|
43
43
|
|
44
44
|
assert_equal override_proof_str, override_proof_param
|
@@ -25,7 +25,7 @@ class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTe
|
|
25
25
|
|
26
26
|
@favorite_color = 'gray'
|
27
27
|
|
28
|
-
|
28
|
+
post '/evil_user_auth/facebook',
|
29
29
|
params: {
|
30
30
|
auth_origin_url: Faker::Internet.url,
|
31
31
|
favorite_color: @favorite_color,
|
@@ -0,0 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
class ConfirmableUser < ActiveRecord::Base
|
4
|
+
# Include default devise modules.
|
5
|
+
devise :database_authenticatable, :registerable,
|
6
|
+
:recoverable, :rememberable,
|
7
|
+
:validatable, :confirmable
|
8
|
+
DeviseTokenAuth.send_confirmation_email = true
|
9
|
+
include DeviseTokenAuth::Concerns::User
|
10
|
+
DeviseTokenAuth.send_confirmation_email = false
|
11
|
+
end
|
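Review bot: `ConfirmableUser` flips the global `DeviseTokenAuth.send_confirmation_email` to `true` around the `include DeviseTokenAuth::Concerns::User` line and then hard-codes it back to `false`, so the class body both relies on the concern reading that flag while it is included and silently overrides whatever the dummy initializer set — any model loaded afterwards sees `false` regardless of configuration. Capture and restore the prior value instead: `previous = DeviseTokenAuth.send_confirmation_email` before the assignment and `DeviseTokenAuth.send_confirmation_email = previous` after the include. Add a comment above the include stating that the concern is presumed to read this setting at include time (confirm in the concern; it is not on this page), so the next maintainer does not move the include.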
@@ -3,7 +3,7 @@
|
|
3
3
|
class ScopedUser < ActiveRecord::Base
|
4
4
|
# Include default devise modules.
|
5
5
|
devise :database_authenticatable, :registerable,
|
6
|
-
:recoverable, :rememberable,
|
7
|
-
:confirmable, :omniauthable
|
6
|
+
:recoverable, :rememberable,
|
7
|
+
:validatable, :confirmable, :omniauthable
|
8
8
|
include DeviseTokenAuth::Concerns::User
|
9
9
|
end
|
@@ -4,7 +4,6 @@ class UnconfirmableUser < ActiveRecord::Base
|
|
4
4
|
# Include default devise modules.
|
5
5
|
devise :database_authenticatable, :registerable,
|
6
6
|
:recoverable, :rememberable,
|
7
|
-
:
|
8
|
-
:omniauthable
|
7
|
+
:validatable, :omniauthable
|
9
8
|
include DeviseTokenAuth::Concerns::User
|
10
9
|
end
|
@@ -2,8 +2,8 @@
|
|
2
2
|
|
3
3
|
class UnregisterableUser < ActiveRecord::Base
|
4
4
|
# Include default devise modules.
|
5
|
-
devise :database_authenticatable,
|
6
|
-
:
|
7
|
-
:
|
5
|
+
devise :database_authenticatable, :recoverable,
|
6
|
+
:validatable, :confirmable,
|
7
|
+
:omniauthable
|
8
8
|
include DeviseTokenAuth::Concerns::User
|
9
9
|
end
|
@@ -8,11 +8,7 @@ class ApplicationController < ActionController::Base
|
|
8
8
|
protected
|
9
9
|
|
10
10
|
def configure_permitted_parameters
|
11
|
-
|
12
|
-
|
13
|
-
permitted_parameters[:sign_up] << :favorite_color
|
14
|
-
permitted_parameters[:account_update] << :operating_thetan
|
15
|
-
permitted_parameters[:account_update] << :favorite_color
|
16
|
-
permitted_parameters[:account_update] << :current_password
|
11
|
+
devise_parameter_sanitizer.permit(:sign_up, keys: [:operating_thetan, :favorite_color])
|
12
|
+
devise_parameter_sanitizer.permit(:account_update, keys: [:operating_thetan, :favorite_color, :current_password])
|
17
13
|
end
|
18
14
|
end
|
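Review bot: The new `devise_parameter_sanitizer.permit(:sign_up, keys: [:operating_thetan, :favorite_color])` line permits `:operating_thetan` at sign-up, whereas the surviving removed line only shows `permitted_parameters[:sign_up] << :favorite_color` (two earlier removed lines are blank in this rendering, so the old list may have included it — confirm against 1.0.0). If it is new, it widens the attributes a registrant can mass-assign, which deserves a comment such as `# :operating_thetan is intentionally writable at sign-up for the custom-attribute tests`. `configure_permitted_parameters` ends inside the hunk; the callback that invokes it, if any, is outside it.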