RubyGems - devise_token_auth - Versions diffs - 1.1.2 → 1.2.0 - Mend

devise_token_auth 1.1.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

data/test/controllers/devise_token_auth/passwords_controller_test.rb CHANGED Viewed

@@ -85,37 +85,89 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
       describe 'request password reset' do
-        describe 'unknown user should return 404' do
-          before do
-            post :create,
-                 params: { email: 'chester@cheet.ah',
-                           redirect_url: @redirect_url }
-            @data = JSON.parse(response.body)
-          end
+        describe 'unknown user' do
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: 'chester@cheet.ah',
+                             redirect_url: @redirect_url }
+              @data = JSON.parse(response.body)
+            end
-          test 'unknown user should return 404' do
-            assert_equal 404, response.status
+            test 'unknown user should return 404' do
+              assert_equal 404, response.status
+            end
+            test 'errors should be returned' do
+              assert @data['errors']
+              assert_equal @data['errors'],
+              [I18n.t('devise_token_auth.passwords.user_not_found',
+                      email: 'chester@cheet.ah')]
+            end
           end
-          test 'errors should be returned' do
-            assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+            test 'unknown user should return 404' do
+              assert_equal 404, response.status
+            end
+            test 'errors should be returned' do
+              assert @data['errors']
+              assert_equal @data['errors'],
+              [I18n.t('devise_token_auth.passwords.sended_paranoid')]
+            end
           end
         end
         describe 'successfully requested password reset' do
-          before do
-            post :create,
-                 params: { email: @resource.email,
-                           redirect_url: @redirect_url }
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: @resource.email,
+                             redirect_url: @redirect_url }
-            @data = JSON.parse(response.body)
+              @data = JSON.parse(response.body)
+            end
+            test 'response should not contain extra data' do
+              assert_nil @data['data']
+            end
+            test 'response should contains message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended', email: @resource.email)
+            end
           end
-          test 'response should not contain extra data' do
-            assert_nil @data['data']
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @resource.email,
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+            test 'response should contain message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended_paranoid')
+            end
           end
         end
@@ -239,10 +291,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
-        describe 'Cheking reset_password_token' do
+        describe 'Checking reset_password_token' do
           before do
             post :create, params: {
-              email:        @resource.email,
+              email: @resource.email,
               redirect_url: @redirect_url
             }
@@ -440,6 +492,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         describe 'success' do
           before do
+            DeviseTokenAuth.require_client_password_reset_token = false
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
@@ -504,6 +557,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         describe 'current password mismatch error' do
           before do
+            DeviseTokenAuth.require_client_password_reset_token = false
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
@@ -520,7 +574,35 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
       describe 'change password' do
-        describe 'success' do
+        describe 'using reset token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            @redirect_url = 'http://client-app.dev'
+            get_reset_token
+            edit_url = CGI.unescape(@mail.body.match(/href=\"(.+)\"/)[1])
+            query_parts = Rack::Utils.parse_nested_query(URI.parse(edit_url).query)
+            get :edit, params: query_parts
+          end
+          test 'request should be redirect' do
+            assert_equal 302, response.status
+          end
+          test 'request should redirect to correct redirect url' do
+            host = URI.parse(response.location).host
+            query_parts = Rack::Utils.parse_nested_query(URI.parse(response.location).query)
+            assert_equal 'client-app.dev', host
+            assert_equal @mail_reset_token, query_parts['reset_password_token']
+            assert_equal 1, query_parts.keys.size
+          end
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
+        describe 'with valid headers' do
           before do
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
@@ -567,19 +649,93 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
-        describe 'unauthorized user' do
+        describe 'without valid headers' do
           before do
-            @auth_headers = @resource.create_new_auth_token
-            @new_password = Faker::Internet.password
+            @resource.create_new_auth_token
+            new_password = Faker::Internet.password
-            put :update, params: { password: @new_password,
-                                   password_confirmation: @new_password }
+            put :update, params: { password: new_password,
+                                   password_confirmation: new_password }
           end
           test 'response should fail' do
             assert_equal 401, response.status
           end
         end
+        describe 'with valid reset password token' do
+          before do
+            reset_password_token = @resource.send_reset_password_instructions
+            @new_password = Faker::Internet.password
+            @params = { password: @new_password,
+                        password_confirmation: @new_password,
+                        reset_password_token: reset_password_token }
+          end
+          describe 'with require_client_password_reset_token disabled' do
+            before do
+              DeviseTokenAuth.require_client_password_reset_token = false
+              put :update, params: @params
+              @data = JSON.parse(response.body)
+              @resource.reload
+            end
+            test 'request should be not be successful' do
+              assert_equal 401, response.status
+            end
+          end
+          describe 'with require_client_password_reset_token enabled' do
+            before do
+              DeviseTokenAuth.require_client_password_reset_token = true
+              put :update, params: @params
+              @data = JSON.parse(response.body)
+              @resource.reload
+            end
+            test 'request should be successful' do
+              assert_equal 200, response.status
+            end
+            test 'request should return success message' do
+              assert @data['message']
+              assert_equal @data['message'],
+                           I18n.t('devise_token_auth.passwords.successfully_updated')
+            end
+            test 'new password should authenticate user' do
+              assert @resource.valid_password?(@new_password)
+            end
+            teardown do
+              DeviseTokenAuth.require_client_password_reset_token = false
+            end
+          end
+        end
+        describe 'with invalid reset password token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            @resource.update reset_password_token: 'koskoskoskos'
+            put :update, params: @params
+            @data = JSON.parse(response.body)
+            @resource.reload
+          end
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+          test 'new password should not authenticate user' do
+            assert !@resource.valid_password?(@new_password)
+          end
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
       end
     end

data/test/controllers/devise_token_auth/registrations_controller_test.rb CHANGED Viewed

@@ -10,6 +10,17 @@ require 'test_helper'
 class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::RegistrationsController do
+    def mock_registration_params
+      {
+        email: Faker::Internet.email,
+        password: 'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url: Faker::Internet.url,
+        unpermitted_param: '(x_x)'
+      }
+    end
     describe 'Validate non-empty body' do
       before do
         # need to post empty data
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @mails_sent = ActionMailer::Base.deliveries.count
         post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
+             params: mock_registration_params
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -87,17 +92,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       before do
         @original_duration = Devise.allow_unconfirmed_access_for
         Devise.allow_unconfirmed_access_for = nil
-        post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
       end
       test 'auth headers were returned in response' do
+        post '/auth', params: mock_registration_params
         assert response.headers['access-token']
         assert response.headers['token-type']
         assert response.headers['client']
@@ -105,6 +103,21 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         assert response.headers['uid']
       end
+      describe 'using auth cookie' do
+        before do
+          DeviseTokenAuth.cookie_enabled = true
+        end
+        test 'auth cookie was returned in response' do
+          post '/auth', params: mock_registration_params
+          assert response.cookies[DeviseTokenAuth.cookie_name]
+        end
+        after do
+          DeviseTokenAuth.cookie_enabled = false
+        end
+      end
       after do
         Devise.allow_unconfirmed_access_for = @original_duration
       end
@@ -492,7 +505,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -599,7 +612,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -650,7 +663,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           before do
             DeviseTokenAuth.check_current_password_before_update = :password
             @new_operating_thetan = 1_000_000
-            @email = 'AlternatingCase2@example.com'
+            @email = Faker::Internet.safe_email
           end
           after do

data/test/controllers/devise_token_auth/sessions_controller_test.rb CHANGED Viewed

@@ -17,11 +17,12 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       describe 'success' do
         before do
-          post :create,
-               params: {
-                 email: @existing_user.email,
-                 password: @existing_user.password
-               }
+          @user_session_params = {
+            email: @existing_user.email,
+            password: @existing_user.password
+          }
+          post :create, params: @user_session_params
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
@@ -35,17 +36,27 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+          end
+          test 'request should return auth cookie' do
+            post :create, params: @user_session_params
+            assert response.cookies[DeviseTokenAuth.cookie_name]
+          end
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
         describe "with multiple clients and headers don't change in each request" do
           before do
             # Set the max_number_of_devices to a lower number
             #  to expedite tests! (Default is 10)
             DeviseTokenAuth.max_number_of_devices = 2
             DeviseTokenAuth.change_headers_on_each_request = false
-            @user_session_params = {
-              email: @existing_user.email,
-              password: @existing_user.password
-            }
           end
           test 'should limit the maximum number of concurrent devices' do
@@ -159,6 +170,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         test 'session was destroyed' do
           assert_equal true, @controller.reset_session_called
         end
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+            @auth_token = @existing_user.create_new_auth_token
+            @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
+          end
+          test 'auth cookie was destroyed' do
+            assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
+            delete :destroy, format: :json
+            assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
+          end
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
       end
       describe 'unauthed user sign out' do

data/test/controllers/devise_token_auth/unlocks_controller_test.rb CHANGED Viewed

@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
       end
       describe 'request unlock' do
-        describe 'unknown user should return 404' do
+        describe 'without paranoid mode' do
           before do
             post :create, params: { email: 'chester@cheet.ah' }
             @data = JSON.parse(response.body)
@@ -68,9 +68,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
           test 'errors should be returned' do
             assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
+                                                  email: 'chester@cheet.ah')]
+          end
+        end
+        describe 'with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: 'chester@cheet.ah' }
+              @data = JSON.parse(response.body)
+            end
+          end
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.sended_paranoid')]
           end
         end