devise_token_auth 1.1.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87)
  1. checksums.yaml +4 -4
  2. data/app/controllers/devise_token_auth/application_controller.rb +10 -2
  3. data/app/controllers/devise_token_auth/concerns/resource_finder.rb +14 -1
  4. data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +31 -7
  5. data/app/controllers/devise_token_auth/confirmations_controller.rb +9 -4
  6. data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +27 -4
  7. data/app/controllers/devise_token_auth/passwords_controller.rb +37 -15
  8. data/app/controllers/devise_token_auth/registrations_controller.rb +1 -1
  9. data/app/controllers/devise_token_auth/sessions_controller.rb +7 -1
  10. data/app/controllers/devise_token_auth/unlocks_controller.rb +6 -2
  11. data/app/models/devise_token_auth/concerns/active_record_support.rb +0 -2
  12. data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
  13. data/app/models/devise_token_auth/concerns/tokens_serialization.rb +16 -4
  14. data/app/models/devise_token_auth/concerns/user.rb +9 -10
  15. data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +4 -1
  16. data/app/validators/devise_token_auth_email_validator.rb +1 -1
  17. data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
  18. data/config/locales/da-DK.yml +2 -0
  19. data/config/locales/de.yml +2 -0
  20. data/config/locales/en.yml +5 -0
  21. data/config/locales/es.yml +2 -0
  22. data/config/locales/fr.yml +2 -0
  23. data/config/locales/he.yml +2 -0
  24. data/config/locales/it.yml +2 -0
  25. data/config/locales/ja.yml +3 -1
  26. data/config/locales/ko.yml +51 -0
  27. data/config/locales/nl.yml +2 -0
  28. data/config/locales/pl.yml +6 -3
  29. data/config/locales/pt-BR.yml +2 -0
  30. data/config/locales/pt.yml +6 -3
  31. data/config/locales/ro.yml +2 -0
  32. data/config/locales/ru.yml +2 -0
  33. data/config/locales/sq.yml +2 -0
  34. data/config/locales/sv.yml +2 -0
  35. data/config/locales/uk.yml +2 -0
  36. data/config/locales/vi.yml +2 -0
  37. data/config/locales/zh-CN.yml +2 -0
  38. data/config/locales/zh-HK.yml +2 -0
  39. data/config/locales/zh-TW.yml +2 -0
  40. data/lib/devise_token_auth/blacklist.rb +5 -1
  41. data/lib/devise_token_auth/controllers/helpers.rb +5 -9
  42. data/lib/devise_token_auth/engine.rb +11 -1
  43. data/lib/devise_token_auth/rails/routes.rb +15 -10
  44. data/lib/devise_token_auth/url.rb +3 -0
  45. data/lib/devise_token_auth/version.rb +1 -1
  46. data/lib/generators/devise_token_auth/USAGE +1 -1
  47. data/lib/generators/devise_token_auth/install_generator.rb +4 -4
  48. data/lib/generators/devise_token_auth/install_mongoid_generator.rb +2 -2
  49. data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +5 -0
  50. data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -1
  51. data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
  52. data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +2 -2
  53. data/test/controllers/devise_token_auth/confirmations_controller_test.rb +95 -19
  54. data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +108 -43
  55. data/test/controllers/devise_token_auth/passwords_controller_test.rb +185 -29
  56. data/test/controllers/devise_token_auth/registrations_controller_test.rb +31 -18
  57. data/test/controllers/devise_token_auth/sessions_controller_test.rb +39 -10
  58. data/test/controllers/devise_token_auth/unlocks_controller_test.rb +21 -4
  59. data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
  60. data/test/dummy/app/active_record/confirmable_user.rb +11 -0
  61. data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
  62. data/test/dummy/app/views/layouts/application.html.erb +0 -2
  63. data/test/dummy/config/application.rb +0 -1
  64. data/test/dummy/config/environments/development.rb +0 -10
  65. data/test/dummy/config/environments/production.rb +0 -16
  66. data/test/dummy/config/initializers/figaro.rb +1 -1
  67. data/test/dummy/config/initializers/omniauth.rb +1 -0
  68. data/test/dummy/config/routes.rb +2 -0
  69. data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
  70. data/test/dummy/db/schema.rb +26 -1
  71. data/test/dummy/tmp/generators/app/controllers/application_controller.rb +6 -0
  72. data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +56 -0
  73. data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
  74. data/test/factories/users.rb +2 -1
  75. data/test/lib/devise_token_auth/blacklist_test.rb +11 -3
  76. data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
  77. data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
  78. data/test/lib/devise_token_auth/url_test.rb +2 -2
  79. data/test/lib/generators/devise_token_auth/install_generator_test.rb +1 -1
  80. data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +1 -1
  81. data/test/models/concerns/tokens_serialization_test.rb +39 -5
  82. data/test/models/confirmable_user_test.rb +35 -0
  83. data/test/test_helper.rb +35 -4
  84. metadata +27 -14
  85. data/test/dummy/config/initializers/assets.rb +0 -10
  86. data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
  87. data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
@@ -34,12 +34,6 @@ module DeviseTokenAuth
34
34
  class_eval <<-METHODS, __FILE__, __LINE__ + 1
35
35
  def authenticate_#{group_name}!(favourite=nil, opts={})
36
36
  unless #{group_name}_signed_in?
37
- mappings = #{mappings}
38
- mappings.unshift mappings.delete(favourite.to_sym) if favourite
39
- mappings.each do |mapping|
40
- set_user_by_token(mapping)
41
- end
42
-
43
37
  unless current_#{group_name}
44
38
  render_authenticate_error
45
39
  end
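Review bot: The `favourite` argument of `authenticate_#{group_name}!` is silently dropped now that the body defers to `#{group_name}_signed_in?`, which calls `current_#{group_name}` with no arguments, so a caller that passes a favourite mapping to steer the lookup order gets the default order instead. The second hunk of this file has the related half of the problem: `@current_#{group_name} ||= set_group_user_by_token(favourite)` only honours `favourite` on the first, memoising call, and any later call with a different favourite returns whatever mapping resolved first. Consider `unless current_#{group_name}(favourite)` here (or threading `favourite` through `#{group_name}_signed_in?`) and a comment on `current_#{group_name}` saying it memoises per request and ignores `favourite` once set. These definitions sit inside a `class_eval` heredoc that begins above the hunk.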
@@ -47,12 +41,14 @@ module DeviseTokenAuth
47
41
  end
48
42
 
49
43
  def #{group_name}_signed_in?
50
- #{mappings}.any? do |mapping|
51
- set_user_by_token(mapping)
52
- end
44
+ !!current_#{group_name}
53
45
  end
54
46
 
55
47
  def current_#{group_name}(favourite=nil)
48
+ @current_#{group_name} ||= set_group_user_by_token(favourite)
49
+ end
50
+
51
+ def set_group_user_by_token(favourite)
56
52
  mappings = #{mappings}
57
53
  mappings.unshift mappings.delete(favourite.to_sym) if favourite
58
54
  mappings.each do |mapping|
@@ -25,7 +25,12 @@ module DeviseTokenAuth
25
25
  :remove_tokens_after_password_reset,
26
26
  :default_callbacks,
27
27
  :headers_names,
28
- :bypass_sign_in
28
+ :cookie_enabled,
29
+ :cookie_name,
30
+ :cookie_attributes,
31
+ :bypass_sign_in,
32
+ :send_confirmation_email,
33
+ :require_client_password_reset_token
29
34
 
30
35
  self.change_headers_on_each_request = true
31
36
  self.max_number_of_devices = 10
@@ -45,7 +50,12 @@ module DeviseTokenAuth
45
50
  'expiry': 'expiry',
46
51
  'uid': 'uid',
47
52
  'token-type': 'token-type' }
53
+ self.cookie_enabled = false
54
+ self.cookie_name = 'auth_cookie'
55
+ self.cookie_attributes = {}
48
56
  self.bypass_sign_in = true
57
+ self.send_confirmation_email = false
58
+ self.require_client_password_reset_token = false
49
59
 
50
60
  def self.setup(&block)
51
61
  yield self
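Review bot: `self.cookie_attributes = {}` gives the new auth cookie no explicit attributes, so whether the cookie that carries the access token is marked `httponly`, `secure` or given a `same_site` policy is left entirely to the consuming application (the code that writes the cookie is not in this hunk, so this is inferred from the setting names). Because that cookie holds a credential, a safer default or at least a comment on the line is warranted, e.g. `# merged into the auth cookie when cookie_enabled is true; set httponly/secure/same_site here`. The generated initializer template in this release documents only `send_confirmation_email`, so these cookie settings are otherwise undiscoverable from an installed config.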
@@ -8,26 +8,31 @@ module ActionDispatch::Routing
8
8
  opts[:skip] ||= []
9
9
 
10
10
  # check for ctrl overrides, fall back to defaults
11
- sessions_ctrl = opts[:controllers][:sessions] || 'devise_token_auth/sessions'
12
- registrations_ctrl = opts[:controllers][:registrations] || 'devise_token_auth/registrations'
13
- passwords_ctrl = opts[:controllers][:passwords] || 'devise_token_auth/passwords'
14
- confirmations_ctrl = opts[:controllers][:confirmations] || 'devise_token_auth/confirmations'
15
- token_validations_ctrl = opts[:controllers][:token_validations] || 'devise_token_auth/token_validations'
16
- omniauth_ctrl = opts[:controllers][:omniauth_callbacks] || 'devise_token_auth/omniauth_callbacks'
17
- unlocks_ctrl = opts[:controllers][:unlocks] || 'devise_token_auth/unlocks'
11
+ sessions_ctrl = opts[:controllers].delete(:sessions) || 'devise_token_auth/sessions'
12
+ registrations_ctrl = opts[:controllers].delete(:registrations) || 'devise_token_auth/registrations'
13
+ passwords_ctrl = opts[:controllers].delete(:passwords) || 'devise_token_auth/passwords'
14
+ confirmations_ctrl = opts[:controllers].delete(:confirmations) || 'devise_token_auth/confirmations'
15
+ token_validations_ctrl = opts[:controllers].delete(:token_validations) || 'devise_token_auth/token_validations'
16
+ omniauth_ctrl = opts[:controllers].delete(:omniauth_callbacks) || 'devise_token_auth/omniauth_callbacks'
17
+ unlocks_ctrl = opts[:controllers].delete(:unlocks) || 'devise_token_auth/unlocks'
18
+
19
+ # check for resource override
20
+ route = opts[:as] || resource.pluralize.underscore.gsub('/', '_')
18
21
 
19
22
  # define devise controller mappings
20
- controllers = { sessions: sessions_ctrl,
23
+ controllers = opts[:controllers].merge(
24
+ sessions: sessions_ctrl,
21
25
  registrations: registrations_ctrl,
22
26
  passwords: passwords_ctrl,
23
- confirmations: confirmations_ctrl }
27
+ confirmations: confirmations_ctrl
28
+ )
24
29
 
25
30
  controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
26
31
 
27
32
  # remove any unwanted devise modules
28
33
  opts[:skip].each{ |item| controllers.delete(item) }
29
34
 
30
- devise_for resource.pluralize.underscore.gsub('/', '_').to_sym,
35
+ devise_for route.to_sym,
31
36
  class_name: resource,
32
37
  module: :devise,
33
38
  path: opts[:at].to_s,
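Review bot: `opts[:controllers].delete(:sessions)` and the six `delete` lines that follow mutate the hash the caller passed in, where the previous `[]` reads did not; an application that reuses one controllers hash across two `mount_devise_token_auth_for` calls loses its overrides on the second mount, and a frozen hash now raises. Inserting `opts[:controllers] = opts[:controllers].dup` before the first `delete` keeps the new merge behaviour without the side effect. Whether `opts[:controllers]` is defaulted to `{}` is decided above this hunk, which I cannot see; `mount_devise_token_auth_for` starts before the hunk and the `devise_for` call continues past it.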
@@ -11,6 +11,9 @@ module DeviseTokenAuth::Url
11
11
  query = [uri.query, params.to_query].reject(&:blank?).join('&')
12
12
  res += "?#{query}"
13
13
  res += "##{uri.fragment}" if uri.fragment
14
+ # repeat any query params after the fragment to deal with Angular eating any pre fragment query params, used
15
+ # in the reset password redirect url
16
+ res += "?#{query}" if uri.fragment
14
17
 
15
18
  res
16
19
  end
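Review bot: `res += "?#{query}" if uri.fragment` appends a bare `?` when both `uri.query` and `params` are blank, producing `...#fragment?`; the pre-existing line 12 has the same gap, so a URL without params ends up as `path?#fragment?`. Guarding the new line with `if uri.fragment && !query.empty?` (and the line above the same way) avoids the dangling separators. The comment could also note the trade-off: because the query is duplicated, a reset-password token carried in `params` now appears twice in the URL, and the pre-fragment copy is still what proxies and server access logs will record. `generate` begins above this hunk.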
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module DeviseTokenAuth
4
- VERSION = '1.1.2'.freeze
4
+ VERSION = '1.2.0'.freeze
5
5
  end
@@ -8,7 +8,7 @@ Arguments:
8
8
  # 'User'
9
9
  MOUNT_PATH # The path at which to mount the authentication routes. Default is
10
10
  # 'auth'. More detail documentation is here:
11
- # https://github.com/lynndylanhurley/devise_token_auth#usage-tldr
11
+ # https://devise-token-auth.gitbook.io/devise-token-auth/usage
12
12
 
13
13
  Example:
14
14
  rails generate devise_token_auth:install User auth
@@ -26,7 +26,7 @@ module DeviseTokenAuth
26
26
  inclusion = 'include DeviseTokenAuth::Concerns::User'
27
27
  unless parse_file_for_line(fname, inclusion)
28
28
 
29
- active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
29
+ active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
30
30
  inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
31
31
  # Include default devise modules.
32
32
  devise :database_authenticatable, :registerable,
@@ -75,12 +75,12 @@ module DeviseTokenAuth
75
75
  ActiveRecord::Base.connection.select_value('SELECT VERSION()')
76
76
  end
77
77
 
78
- def rails5?
79
- Rails.version.start_with? '5'
78
+ def rails_5_or_newer?
79
+ Rails::VERSION::MAJOR >= 5
80
80
  end
81
81
 
82
82
  def primary_key_type
83
- primary_key_string if rails5?
83
+ primary_key_string if rails_5_or_newer?
84
84
  end
85
85
 
86
86
  def primary_key_string
@@ -29,9 +29,9 @@ module DeviseTokenAuth
29
29
  field :tokens, type: Hash, default: {}
30
30
 
31
31
  # Include default devise modules. Others available are:
32
- # :confirmable, :lockable, :timeoutable and :omniauthable
32
+ # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
33
33
  devise :database_authenticatable, :registerable,
34
- :recoverable, :rememberable, :trackable, :validatable
34
+ :recoverable, :rememberable, :validatable
35
35
  include DeviseTokenAuth::Concerns::User
36
36
 
37
37
  index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
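Review bot: Dropping `:trackable` from the generated `devise` call changes the default for new installs without any mention in the template comment beyond listing it as "available"; the same edit appears in the `user.rb.erb` and `user_mongoid.rb.erb` hunks below. If the migration template still creates the trackable columns (its only change in this release is a comment indent, so that is inferred, not seen), new ActiveRecord installs get unused `sign_in_count`/`current_sign_in_*` columns. A short comment above `devise` such as `# :trackable is omitted because token auth signs in on every request` (or whatever the actual rationale is) would let installers decide whether to add it back.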
@@ -52,4 +52,9 @@ DeviseTokenAuth.setup do |config|
52
52
  # If, however, you wish to integrate with legacy Devise authentication, you can
53
53
  # do so by enabling this flag. NOTE: This feature is highly experimental!
54
54
  # config.enable_standard_devise_support = false
55
+
56
+ # By default DeviseTokenAuth will not send confirmation email, even when including
57
+ # devise confirmable module. If you want to use devise confirmable module and
58
+ # send email, set it to true. (This is a setting for compatibility)
59
+ # config.send_confirmation_email = true
55
60
  end
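Review bot: The initializer template documents `send_confirmation_email` but none of the other settings this release adds to `DeviseTokenAuth` (`cookie_enabled`, `cookie_name`, `cookie_attributes`, `require_client_password_reset_token`), so an app generated with this version has no commented stub to discover them. Add a commented block per setting in the same style, e.g. `# config.cookie_enabled = false`, `# config.cookie_name = 'auth_cookie'`, `# config.cookie_attributes = {}` and `# config.require_client_password_reset_token = false`, each preceded by a sentence on what it controls; for `cookie_attributes` the sentence should presumably point out that `httponly`/`secure`/`same_site` belong there, since the cookie carries the token. The new comment also reads better as `By default DeviseTokenAuth will not send a confirmation email, even when the Devise confirmable module is included.`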
@@ -44,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
44
44
  add_index :<%= table_name %>, [:uid, :provider], unique: true
45
45
  add_index :<%= table_name %>, :reset_password_token, unique: true
46
46
  add_index :<%= table_name %>, :confirmation_token, unique: true
47
- # add_index :<%= table_name %>, :unlock_token, unique: true
47
+ # add_index :<%= table_name %>, :unlock_token, unique: true
48
48
  end
49
49
  end
@@ -2,8 +2,8 @@
2
2
 
3
3
  class <%= user_class %> < ActiveRecord::Base
4
4
  # Include default devise modules. Others available are:
5
- # :confirmable, :lockable, :timeoutable and :omniauthable
5
+ # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
6
6
  devise :database_authenticatable, :registerable,
7
- :recoverable, :rememberable, :trackable, :validatable
7
+ :recoverable, :rememberable, :validatable
8
8
  include DeviseTokenAuth::Concerns::User
9
9
  end
@@ -43,9 +43,9 @@ class <%= user_class %>
43
43
  field :tokens, type: Hash, default: {}
44
44
 
45
45
  # Include default devise modules. Others available are:
46
- # :confirmable, :lockable, :timeoutable and :omniauthable
46
+ # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
47
47
  devise :database_authenticatable, :registerable,
48
- :recoverable, :rememberable, :trackable, :validatable
48
+ :recoverable, :rememberable, :validatable
49
49
  include DeviseTokenAuth::Concerns::User
50
50
 
51
51
  index({ email: 1 }, { name: 'email_index', unique: true, background: true })
@@ -53,6 +53,10 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
53
53
  assert @resource.confirmed?
54
54
  end
55
55
 
56
+ test 'should save the authentication token' do
57
+ assert @resource.reload.tokens.present?
58
+ end
59
+
56
60
  test 'should redirect to success url' do
57
61
  assert_redirected_to(/^#{@redirect_url}/)
58
62
  end
@@ -88,30 +92,102 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
88
92
  end
89
93
 
90
94
  describe 'resend confirmation' do
91
- before do
92
- post :create,
93
- params: { email: @new_user.email,
94
- redirect_url: @redirect_url },
95
- xhr: true
96
- @resource = assigns(:resource)
97
-
98
- @mail = ActionMailer::Base.deliveries.last
99
- @token, @client_config = token_and_client_config_from(@mail.body)
100
- end
101
-
102
- test 'user should not be confirmed' do
103
- assert_nil @resource.confirmed_at
95
+ describe 'without paranoid mode' do
96
+
97
+ describe 'on success' do
98
+ before do
99
+ post :create,
100
+ params: { email: @new_user.email,
101
+ redirect_url: @redirect_url },
102
+ xhr: true
103
+ @resource = assigns(:resource)
104
+ @data = JSON.parse(response.body)
105
+ @mail = ActionMailer::Base.deliveries.last
106
+ @token, @client_config = token_and_client_config_from(@mail.body)
107
+ end
108
+
109
+ test 'user should not be confirmed' do
110
+ assert_nil @resource.confirmed_at
111
+ end
112
+
113
+ test 'should generate raw token' do
114
+ assert @token
115
+ assert_equal @new_user.confirmation_token, @token
116
+ end
117
+
118
+ test 'user should receive confirmation email' do
119
+ assert_equal @resource.email, @mail['to'].to_s
120
+ end
121
+
122
+ test 'response should contain message' do
123
+ assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
124
+ end
125
+ end
126
+
127
+ describe 'on failure' do
128
+ before do
129
+ post :create,
130
+ params: { email: 'chester@cheet.ah',
131
+ redirect_url: @redirect_url },
132
+ xhr: true
133
+ @data = JSON.parse(response.body)
134
+ end
135
+
136
+ test 'response should contain errors' do
137
+ assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
138
+ end
139
+ end
104
140
  end
141
+ end
105
142
 
106
- test 'should generate raw token' do
107
- assert @token
108
- assert_equal @new_user.confirmation_token, @token
143
+ describe 'with paranoid mode' do
144
+ describe 'on success' do
145
+ before do
146
+ swap Devise, paranoid: true do
147
+ post :create,
148
+ params: { email: @new_user.email,
149
+ redirect_url: @redirect_url },
150
+ xhr: true
151
+ @resource = assigns(:resource)
152
+ @data = JSON.parse(response.body)
153
+ @mail = ActionMailer::Base.deliveries.last
154
+ @token, @client_config = token_and_client_config_from(@mail.body)
155
+ end
156
+ end
157
+
158
+ test 'user should not be confirmed' do
159
+ assert_nil @resource.confirmed_at
160
+ end
161
+
162
+ test 'should generate raw token' do
163
+ assert @token
164
+ assert_equal @new_user.confirmation_token, @token
165
+ end
166
+
167
+ test 'user should receive confirmation email' do
168
+ assert_equal @resource.email, @mail['to'].to_s
169
+ end
170
+
171
+ test 'response should contain message' do
172
+ assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
173
+ end
109
174
  end
110
175
 
111
- test 'user should receive confirmation email' do
112
- assert_equal @resource.email, @mail['to'].to_s
176
+ describe 'on failure' do
177
+ before do
178
+ swap Devise, paranoid: true do
179
+ post :create,
180
+ params: { email: 'chester@cheet.ah',
181
+ redirect_url: @redirect_url },
182
+ xhr: true
183
+ @data = JSON.parse(response.body)
184
+ end
185
+ end
186
+
187
+ test 'response should contain errors' do
188
+ assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
189
+ end
113
190
  end
114
-
115
191
  end
116
192
  end
117
193
 
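Review bot: The non-paranoid `on failure` test pins the response to `I18n.t('devise_token_auth.confirmations.user_not_found', email: ...)`, which means the resend-confirmation endpoint tells an unauthenticated caller whether an address is registered, while the paranoid branch below correctly asserts the generic `sended_paranoid` message on both the success and failure paths. A one-line comment above that test would stop the next maintainer from reading the assertion as a bug: `# Non-paranoid mode deliberately reveals whether the email exists; enable Devise.paranoid to avoid account enumeration.` The duplicated `before` blocks across the four `describe`s could also share a small helper that takes the email, which would make the paranoid/non-paranoid difference the only thing that varies.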
@@ -18,7 +18,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
18
18
 
19
19
  def get_parsed_data_json
20
20
  encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
21
- JSON.parse(URI.unescape(encoded_json_data))
21
+ JSON.parse(CGI.unescape(encoded_json_data))
22
22
  end
23
23
 
24
24
  describe 'success callback' do
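Review bot: `CGI.unescape` is not a drop-in for the removed `URI.unescape`: it also turns `+` into a space, while the payload this helper parses is wrapped in `decodeURIComponent(...)` on the page (see the regex on the line above), and `decodeURIComponent` leaves `+` alone. Any mocked value containing a literal `+` (a constructed example: an email such as `chong+test@example.com`) would therefore decode differently in the test than in the browser. `URI::DEFAULT_PARSER.unescape(encoded_json_data)` keeps the percent-only semantics without the deprecated API.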
@@ -317,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
317
317
  end
318
318
 
319
319
  describe 'Using redirect_whitelist' do
320
- before do
321
- @user_email = 'slemp.diggler@sillybandz.gov'
322
- OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
323
- provider: 'facebook',
324
- uid: '123545',
325
- info: {
326
- name: 'chong',
327
- email: @user_email
328
- }
329
- )
330
- @good_redirect_url = Faker::Internet.url
331
- @bad_redirect_url = Faker::Internet.url
332
- DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
333
- end
334
320
 
335
- teardown do
336
- DeviseTokenAuth.redirect_whitelist = nil
337
- end
321
+ describe "newWindow" do
322
+ before do
323
+ @user_email = 'slemp.diggler@sillybandz.gov'
324
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
325
+ provider: 'facebook',
326
+ uid: '123545',
327
+ info: {
328
+ name: 'chong',
329
+ email: @user_email
330
+ }
331
+ )
332
+ @good_redirect_url = Faker::Internet.url
333
+ @bad_redirect_url = Faker::Internet.url
334
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
335
+ end
338
336
 
339
- test 'request using non-whitelisted redirect fail' do
340
- get '/auth/facebook',
341
- params: { auth_origin_url: @bad_redirect_url,
342
- omniauth_window_type: 'newWindow' }
337
+ teardown do
338
+ DeviseTokenAuth.redirect_whitelist = nil
339
+ end
343
340
 
344
- follow_all_redirects!
341
+ test 'request using non-whitelisted redirect fail' do
342
+ get '/auth/facebook',
343
+ params: { auth_origin_url: @bad_redirect_url,
344
+ omniauth_window_type: 'newWindow' }
345
345
 
346
- data = get_parsed_data_json
347
- assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
348
- data['error']
346
+ follow_all_redirects!
347
+
348
+ data = get_parsed_data_json
349
+ assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
350
+ data['error']
351
+ end
352
+
353
+ test 'request to whitelisted redirect should succeed' do
354
+ get '/auth/facebook',
355
+ params: {
356
+ auth_origin_url: @good_redirect_url,
357
+ omniauth_window_type: 'newWindow'
358
+ }
359
+
360
+ follow_all_redirects!
361
+
362
+ data = get_parsed_data_json
363
+ assert_equal @user_email, data['email']
364
+ end
365
+
366
+ test 'should support wildcards' do
367
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
368
+ get '/auth/facebook',
369
+ params: { auth_origin_url: @good_redirect_url,
370
+ omniauth_window_type: 'newWindow' }
371
+
372
+ follow_all_redirects!
373
+
374
+ data = get_parsed_data_json
375
+ assert_equal @user_email, data['email']
376
+ end
349
377
  end
350
378
 
351
- test 'request to whitelisted redirect should succeed' do
352
- get '/auth/facebook',
353
- params: {
354
- auth_origin_url: @good_redirect_url,
355
- omniauth_window_type: 'newWindow'
379
+ describe "sameWindow" do
380
+ before do
381
+ @user_email = 'slemp.diggler@sillybandz.gov'
382
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
383
+ provider: 'facebook',
384
+ uid: '123545',
385
+ info: {
386
+ name: 'chong',
387
+ email: @user_email
356
388
  }
389
+ )
390
+ @good_redirect_url = '/auth_origin'
391
+ @bad_redirect_url = Faker::Internet.url
392
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
393
+ end
357
394
 
358
- follow_all_redirects!
395
+ teardown do
396
+ DeviseTokenAuth.redirect_whitelist = nil
397
+ end
359
398
 
360
- data = get_parsed_data_json
361
- assert_equal @user_email, data['email']
362
- end
399
+ test 'request using non-whitelisted redirect fail' do
400
+ get '/auth/facebook',
401
+ params: { auth_origin_url: @bad_redirect_url,
402
+ omniauth_window_type: 'sameWindow' }
363
403
 
364
- test 'should support wildcards' do
365
- DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
366
- get '/auth/facebook',
367
- params: { auth_origin_url: @good_redirect_url,
368
- omniauth_window_type: 'newWindow' }
404
+ follow_all_redirects!
405
+
406
+ assert_equal 200, response.status
407
+ assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
408
+ end
409
+
410
+ test 'request to whitelisted redirect should succeed' do
411
+ get '/auth/facebook',
412
+ params: {
413
+ auth_origin_url: '/auth_origin',
414
+ omniauth_window_type: 'sameWindow'
415
+ }
416
+
417
+ follow_all_redirects!
418
+
419
+ assert_equal 200, response.status
420
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
421
+ end
422
+
423
+ test 'should support wildcards' do
424
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
425
+ get '/auth/facebook',
426
+ params: {
427
+ auth_origin_url: '/auth_origin',
428
+ omniauth_window_type: 'sameWindow'
429
+ }
430
+
431
+ follow_all_redirects!
432
+
433
+ assert_equal 200, response.status
434
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
435
+ end
369
436
 
370
- follow_all_redirects!
371
437
 
372
- data = get_parsed_data_json
373
- assert_equal @user_email, data['email']
374
438
  end
439
+
375
440
  end
376
441
  end
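Review bot: The `sameWindow` success tests (`request to whitelisted redirect should succeed` and `should support wildcards`) only assert a 200 and the absence of the error string, so they would still pass if the callback rendered anything at all without signing the user in or redirecting to `/auth_origin`; a positive assertion on the rendered data or the redirect target, as the `newWindow` variants do with `data['email']`, would make them meaningful. Style-wise, `assert_equal true, response.body.include?(...)` reads better as `assert_includes response.body, ...` and the `false` variants as `refute_includes response.body, ...`. The expected error text also changed from `&#39;` to a raw `'`, which suggests the view no longer HTML-escapes the message it embeds; that is presumably fine because the payload sits inside `decodeURIComponent('...')`, but it is worth confirming in the view that percent-encoding, not escaping, is what keeps a user-supplied `auth_origin_url` from breaking out of that script string.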