devise_token_auth 1.2.0 → 1.2.2

Files changed (42)
  1. checksums.yaml +4 -4
  2. data/README.md +2 -1
  3. data/app/controllers/devise_token_auth/application_controller.rb +13 -0
  4. data/app/controllers/devise_token_auth/concerns/resource_finder.rb +2 -1
  5. data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +20 -7
  6. data/app/controllers/devise_token_auth/confirmations_controller.rb +8 -5
  7. data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +18 -21
  8. data/app/controllers/devise_token_auth/passwords_controller.rb +9 -3
  9. data/app/controllers/devise_token_auth/sessions_controller.rb +26 -10
  10. data/app/controllers/devise_token_auth/unlocks_controller.rb +3 -2
  11. data/app/models/devise_token_auth/concerns/user.rb +34 -11
  12. data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +9 -5
  13. data/app/validators/devise_token_auth_email_validator.rb +9 -1
  14. data/config/locales/ja.yml +12 -0
  15. data/lib/devise_token_auth/engine.rb +5 -2
  16. data/lib/devise_token_auth/rails/routes.rb +6 -5
  17. data/lib/devise_token_auth/version.rb +1 -1
  18. data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +11 -5
  19. data/test/controllers/custom/custom_confirmations_controller_test.rb +1 -1
  20. data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +1 -1
  21. data/test/controllers/demo_mang_controller_test.rb +37 -8
  22. data/test/controllers/demo_user_controller_test.rb +37 -8
  23. data/test/controllers/devise_token_auth/confirmations_controller_test.rb +19 -7
  24. data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +16 -19
  25. data/test/controllers/devise_token_auth/passwords_controller_test.rb +6 -6
  26. data/test/controllers/devise_token_auth/registrations_controller_test.rb +2 -2
  27. data/test/controllers/devise_token_auth/sessions_controller_test.rb +111 -38
  28. data/test/controllers/devise_token_auth/token_validations_controller_test.rb +41 -1
  29. data/test/controllers/devise_token_auth/unlocks_controller_test.rb +28 -6
  30. data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +1 -1
  31. data/test/dummy/app/controllers/application_controller.rb +2 -6
  32. data/test/dummy/app/controllers/overrides/confirmations_controller.rb +2 -1
  33. data/test/dummy/app/controllers/overrides/passwords_controller.rb +2 -1
  34. data/test/dummy/config/environments/test.rb +6 -2
  35. data/test/dummy/db/schema.rb +5 -5
  36. data/test/dummy/tmp/generators/app/models/user.rb +9 -0
  37. data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +11 -5
  38. data/test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb +49 -0
  39. data/test/models/user_test.rb +22 -0
  40. metadata +94 -94
  41. data/test/dummy/tmp/generators/app/controllers/application_controller.rb +0 -6
  42. data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +0 -56
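--- a/data/lib/generators/devise_token_auth/templates/devise_token_auth.rb
+++ b/data/lib/generators/devise_token_auth/templates/devise_token_auth.rb
@@ -42,11 +42,17 @@ DeviseTokenAuth.setup do |config|
  # config.default_callbacks = true
 
  # Makes it possible to change the headers names
- # config.headers_names = {:'access-token' => 'access-token',
- # :'client' => 'client',
- # :'expiry' => 'expiry',
- # :'uid' => 'uid',
- # :'token-type' => 'token-type' }
+ # config.headers_names = {
+ # :'authorization' => 'Authorization',
+ # :'access-token' => 'access-token',
+ # :'client' => 'client',
+ # :'expiry' => 'expiry',
+ # :'uid' => 'uid',
+ # :'token-type' => 'token-type'
+ # }
+
+ # Makes it possible to use custom uid column
+ # config.other_uid = "foo"
 
  # By default, only Bearer Token authentication is implemented out of the box.
  # If, however, you wish to integrate with legacy Devise authentication, you can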
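Review bot: The new `config.other_uid` option is documented only by `# Makes it possible to use custom uid column` with the example value `"foo"`, which does not read as a column name, so someone editing the generated initializer cannot tell what value the option expects. I would expand the comment to name it as a column on the resource model, e.g. `# Makes it possible to use a custom column of the resource model (e.g. "<column_name>") as the uid instead of the default uid column`, and confirm the wording against the model concern that reads `other_uid` in this release, which is not in this hunk. The new `:'authorization' => 'Authorization'` entry would similarly benefit from a short note that it names the header carrying the Bearer token mentioned a few lines below, as distinct from the access-token/client/expiry/uid/token-type headers.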
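--- a/data/test/controllers/custom/custom_confirmations_controller_test.rb
+++ b/data/test/controllers/custom/custom_confirmations_controller_test.rb
@@ -11,7 +11,7 @@ class Custom::ConfirmationsControllerTest < ActionController::TestCase
  @new_user = create(:user)
  @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
  @mail = ActionMailer::Base.deliveries.last
- @token = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+ @token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
  @client_config = @mail.body.match(/config=([^&]*)&/)[1]
 
  get :show,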
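Review bot: The new pattern `/confirmation_token=([^&]*)[&"]/` can over-capture: `[^&]*` is greedy and does not exclude `"`, so when the token is the last query parameter the capture runs through the closing quote to the next `&` anywhere later in the mail body (or, failing that, back to the last `"`), and the test then submits a garbled token. Excluding the quote from the capture class, `@token = @mail.body.match(/confirmation_token=([^&"]*)[&"]/)[1]`, makes the capture stop at the first terminator. The same pattern is introduced in `token_and_client_config_from` in confirmations_controller_test.rb and twice in registrations_controller_test.rb (lines 309 and 829 there), which should get the same change. The `before` block this line belongs to starts outside the hunk.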
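--- a/data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb
+++ b/data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb
@@ -20,7 +20,7 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
 
  test 'yield resource to block on omniauth_success success' do
  @redirect_url = 'http://ng-token-auth.dev/'
- get '/nice_user_auth/facebook',
+ post '/nice_user_auth/facebook',
  params: { auth_origin_url: @redirect_url,
  omniauth_window_type: 'newWindow' }
 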
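Review bot: The request-phase call switches from GET to POST with nothing in the test saying why, and the same silent switch is made in every hunk of omniauth_callbacks_controller_test.rb, including its `get_success` helper. This is consistent with OmniAuth 2 accepting only POST for the request phase by default, but a reader cannot tell that from the test, and a later "simplification" back to GET would be easy to make. I would add a one-line comment above the first such call in each file, `# the request phase must be started with POST; OmniAuth 2 rejects GET for it by default`, and confirm that the engine's own routes for the request phase no longer accept GET, which is outside these hunks. The enclosing test body continues past the end of this hunk.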
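--- a/data/test/controllers/demo_mang_controller_test.rb
+++ b/data/test/controllers/demo_mang_controller_test.rb
@@ -235,7 +235,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
  @resource.reload
  age_token(@resource, @client_id)
 
- # use expired auth header
+ # use previous auth header
  get '/demo/members_only_mang',
  params: {},
  headers: @auth_headers
@@ -244,38 +244,67 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
  @second_user = assigns(:resource)
  @second_access_token = response.headers['access-token']
  @second_response_status = response.status
+
+ @resource.reload
+ age_token(@resource, @client_id)
+
+ # use expired auth headers
+ get '/demo/members_only_mang',
+ params: {},
+ headers: @auth_headers
+
+ @third_is_batch_request = assigns(:is_batch_request)
+ @third_user = assigns(:resource)
+ @third_access_token = response.headers['access-token']
+ @third_response_status = response.status
  end
 
  it 'should allow the first request through' do
  assert_equal 200, @first_response_status
  end
 
+ it 'should allow the second request through' do
+ assert_equal 200, @second_response_status
+ end
+
  it 'should not allow the second request through' do
- assert_equal 401, @second_response_status
+ assert_equal 401, @third_response_status
  end
 
  it 'should not treat first request as batch request' do
+ refute @first_is_batch_request
+ end
+
+ it 'should not treat second request as batch request' do
  refute @second_is_batch_request
  end
 
+ it 'should not treat third request as batch request' do
+ refute @third_is_batch_request
+ end
+
  it 'should return auth headers from the first request' do
  assert @first_access_token
  end
 
- it 'should not treat second request as batch request' do
- refute @second_is_batch_request
+ it 'should return auth headers from the second request' do
+ assert @second_access_token
  end
 
- it 'should not return auth headers from the second request' do
- refute @second_access_token
+ it 'should not return auth headers from the third request' do
+ refute @third_access_token
  end
 
  it 'should define user during first request' do
  assert @first_user
  end
 
- it 'should not define user during second request' do
- refute @second_user
+ it 'should define user during second request' do
+ assert @second_user
+ end
+
+ it 'should not define user during third request' do
+ refute @third_user
  end
  end
  end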
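Review bot: The case `it 'should not allow the second request through' do` is now misnamed: its body asserts `401` on `@third_response_status`, while the new case directly above asserts that the second request is allowed through, so the file reads as contradicting itself. Rename it `it 'should not allow the third request through' do` so the name matches the assertion. The same stale name survives in the matching hunk of demo_user_controller_test.rb. The `before` block that issues the three requests begins outside this hunk.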
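--- a/data/test/controllers/demo_user_controller_test.rb
+++ b/data/test/controllers/demo_user_controller_test.rb
@@ -265,7 +265,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
  @resource.reload
  age_token(@resource, @client_id)
 
- # use expired auth header
+ # use previous auth header
  get '/demo/members_only',
  params: {},
  headers: @auth_headers
@@ -274,38 +274,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
  @second_user = assigns(:resource)
  @second_access_token = response.headers['access-token']
  @second_response_status = response.status
+
+ @resource.reload
+ age_token(@resource, @client_id)
+
+ # use expired auth headers
+ get '/demo/members_only_mang',
+ params: {},
+ headers: @auth_headers
+
+ @third_is_batch_request = assigns(:is_batch_request)
+ @third_user = assigns(:resource)
+ @third_access_token = response.headers['access-token']
+ @third_response_status = response.status
  end
 
  it 'should allow the first request through' do
  assert_equal 200, @first_response_status
  end
 
+ it 'should allow the second request through' do
+ assert_equal 200, @second_response_status
+ end
+
  it 'should not allow the second request through' do
- assert_equal 401, @second_response_status
+ assert_equal 401, @third_response_status
  end
 
  it 'should not treat first request as batch request' do
+ refute @first_is_batch_request
+ end
+
+ it 'should not treat second request as batch request' do
  refute @second_is_batch_request
  end
 
+ it 'should not treat third request as batch request' do
+ refute @third_is_batch_request
+ end
+
  it 'should return auth headers from the first request' do
  assert @first_access_token
  end
 
- it 'should not treat second request as batch request' do
- refute @second_is_batch_request
+ it 'should return auth headers from the second request' do
+ assert @second_access_token
  end
 
- it 'should not return auth headers from the second request' do
- refute @second_access_token
+ it 'should not return auth headers from the third request' do
+ refute @third_access_token
  end
 
  it 'should define user during first request' do
  assert @first_user
  end
 
- it 'should not define user during second request' do
- refute @second_user
+ it 'should define user during second request' do
+ assert @second_user
+ end
+
+ it 'should not define user during third request' do
+ refute @third_user
  end
  end
  end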
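Review bot: The third request added in this hunk is sent to `/demo/members_only_mang`, while the first and second requests in this file (see `get '/demo/members_only',` in the preceding hunk) exercise the user endpoint; this looks like a copy-paste from demo_mang_controller_test.rb. A user token presented to the mang endpoint is presumably rejected regardless of its age, so the `401` asserted for the third request does not show that the endpoint under test refuses an expired token. Change it to `get '/demo/members_only',`. The `before` block this belongs to starts outside the hunk.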
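--- a/data/test/controllers/devise_token_auth/confirmations_controller_test.rb
+++ b/data/test/controllers/devise_token_auth/confirmations_controller_test.rb
@@ -11,7 +11,7 @@ require 'test_helper'
  class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
  describe DeviseTokenAuth::ConfirmationsController do
  def token_and_client_config_from(body)
- token = body.match(/confirmation_token=([^&]*)&/)[1]
+ token = body.match(/confirmation_token=([^&]*)[&"]/)[1]
  client_config = body.match(/config=([^&]*)&/)[1]
  [token, client_config]
  end
@@ -171,21 +171,30 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
  test 'response should contain message' do
  assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
  end
+
+ test 'response should return success status' do
+ assert_equal 200, response.status
+ end
  end
 
  describe 'on failure' do
  before do
  swap Devise, paranoid: true do
+ @email = 'chester@cheet.ah'
  post :create,
- params: { email: 'chester@cheet.ah',
+ params: { email: @email,
  redirect_url: @redirect_url },
  xhr: true
  @data = JSON.parse(response.body)
  end
  end
 
- test 'response should contain errors' do
- assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
+ test 'response should not contain errors' do
+ assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
+ end
+
+ test 'response should return success status' do
+ assert_equal 200, response.status
  end
  end
  end
@@ -193,9 +202,12 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
 
  describe 'failure' do
  test 'user should not be confirmed' do
- assert_raises(ActionController::RoutingError) do
- get :show, params: { confirmation_token: 'bogus' }
- end
+ get :show,
+ params: { confirmation_token: 'bogus',
+ redirect_url: @redirect_url }
+
+ assert_redirected_to(/^#{@redirect_url}/)
+
  @resource = assigns(:resource)
  refute @resource.confirmed?
  end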
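Review bot: `assert_redirected_to(/^#{@redirect_url}/)` interpolates the URL unescaped into a regex: each `.` in the host matches any character and `^` anchors at a line start rather than the start of the string, so the assertion is looser than intended. `assert_redirected_to(/\A#{Regexp.escape(@redirect_url)}/)` checks exactly the literal prefix. Since the bogus-token case now redirects instead of raising, it would also be worth asserting that the Location does not carry whatever success marker the success path appends to the redirect URL, if one exists; at present the only negative check is `refute @resource.confirmed?`.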
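--- a/data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
+++ b/data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
@@ -13,7 +13,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  before do
- @redirect_url = 'http://ng-token-auth.dev/'
+ @redirect_url = 'https://ng-token-auth.dev/'
  end
 
  def get_parsed_data_json
@@ -98,7 +98,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
  describe 'with alternate user model' do
  before do
- get '/mangs/facebook',
+ post '/mangs/facebook',
  params: {
  auth_origin_url: @redirect_url,
  omniauth_window_type: 'newWindow'
@@ -123,7 +123,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  before do
  @fav_color = 'alizarin crimson'
  @unpermitted_param = 'M. Bison'
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: @redirect_url,
  favorite_color: @fav_color,
  name: @unpermitted_param,
@@ -160,7 +160,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  test 'response contains oauth_registration attr' do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: @redirect_url,
  omniauth_window_type: 'newWindow' }
 
@@ -176,7 +176,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  test 'response does not contain oauth_registration attr' do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: @redirect_url,
  omniauth_window_type: 'newWindow' }
 
@@ -189,7 +189,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
  describe 'using namespaces' do
  before do
- get '/api/v1/auth/facebook',
+ post '/api/v1/auth/facebook',
  params: { auth_origin_url: @redirect_url,
  omniauth_window_type: 'newWindow' }
 
@@ -234,7 +234,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
  describe 'with omniauth_window_type=sameWindow' do
  test 'redirects to auth_origin_url with all expected query params' do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: '/auth_origin',
  omniauth_window_type: 'sameWindow' }
 
@@ -258,7 +258,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  def get_success(params = {})
- get '/auth/facebook',
+ post '/auth/facebook',
  params: {
  auth_origin_url: @redirect_url,
  omniauth_window_type: 'newWindow'
@@ -282,7 +282,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
  test 'renders expected data' do
  silence_omniauth do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: @redirect_url,
  omniauth_window_type: 'newWindow' }
 
@@ -298,7 +298,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
  test 'renders something with no auth_origin_url' do
  silence_omniauth do
- get '/auth/facebook'
+ post '/auth/facebook'
  follow_all_redirects!
  end
  assert_equal 200, response.status
@@ -339,7 +339,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  test 'request using non-whitelisted redirect fail' do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: @bad_redirect_url,
  omniauth_window_type: 'newWindow' }
 
@@ -351,7 +351,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  test 'request to whitelisted redirect should succeed' do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: {
  auth_origin_url: @good_redirect_url,
  omniauth_window_type: 'newWindow'
@@ -365,7 +365,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
  test 'should support wildcards' do
  DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: @good_redirect_url,
  omniauth_window_type: 'newWindow' }
 
@@ -397,7 +397,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  test 'request using non-whitelisted redirect fail' do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: { auth_origin_url: @bad_redirect_url,
  omniauth_window_type: 'sameWindow' }
 
@@ -408,7 +408,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  end
 
  test 'request to whitelisted redirect should succeed' do
- get '/auth/facebook',
+ post '/auth/facebook',
  params: {
  auth_origin_url: '/auth_origin',
  omniauth_window_type: 'sameWindow'
@@ -422,7 +422,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
  test 'should support wildcards' do
  DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
- get '/auth/facebook',
+ post '/auth/facebook',
  params: {
  auth_origin_url: '/auth_origin',
  omniauth_window_type: 'sameWindow'
@@ -433,9 +433,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
  assert_equal 200, response.status
  assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
  end
-
-
  end
-
  end
  end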
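--- a/data/test/controllers/devise_token_auth/passwords_controller_test.rb
+++ b/data/test/controllers/devise_token_auth/passwords_controller_test.rb
@@ -116,14 +116,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
  end
  end
 
- test 'unknown user should return 404' do
- assert_equal 404, response.status
+ test 'response should return success status' do
+ assert_equal 200, response.status
  end
 
- test 'errors should be returned' do
- assert @data['errors']
- assert_equal @data['errors'],
- [I18n.t('devise_token_auth.passwords.sended_paranoid')]
+ test 'response should contain message' do
+ assert_equal \
+ @data['message'],
+ I18n.t('devise_token_auth.passwords.sended_paranoid')
  end
  end
  end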
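Review bot: The renamed case `test 'response should contain message' do` no longer says what is being protected: the reason an unknown email now gets 200 plus the `sended_paranoid` message is that the response must not reveal whether the account exists, which the sessions tests in this same release state in their names ('... that do not leak the existence of the account'). I would rename it along those lines, e.g. `test 'response should contain message that does not leak the existence of the account' do`, and the same applies to `test 'response should not contain errors' do` in the paranoid 'on failure' block of confirmations_controller_test.rb. The `assert_equal \` backslash continuation is also out of step with the rest of these tests; `assert_equal @data['message'], I18n.t('devise_token_auth.passwords.sended_paranoid')` fits on one line as the confirmations test does. The `before` block that sets `@data` is outside the hunk.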
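--- a/data/test/controllers/devise_token_auth/registrations_controller_test.rb
+++ b/data/test/controllers/devise_token_auth/registrations_controller_test.rb
@@ -306,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
  @data = JSON.parse(response.body)
  @mail = ActionMailer::Base.deliveries.last
 
- @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+ @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
  @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
  @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
  end
@@ -826,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
  @resource.reload
 
- @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+ @mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
  @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
  @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
  end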
@@ -39,13 +39,17 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
39
39
  describe 'using auth cookie' do
40
40
  before do
41
41
  DeviseTokenAuth.cookie_enabled = true
42
+ post :create, params: @user_session_params
42
43
  end
43
44
 
44
45
  test 'request should return auth cookie' do
45
- post :create, params: @user_session_params
46
46
  assert response.cookies[DeviseTokenAuth.cookie_name]
47
47
  end
48
48
 
49
+ test 'request should not include bearer token' do
50
+ assert_nil response.headers["Authorization"]
51
+ end
52
+
49
53
  after do
50
54
  DeviseTokenAuth.cookie_enabled = false
51
55
  end
@@ -306,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
306
310
  end
307
311
 
308
312
  describe 'Unconfirmed user' do
309
- before do
310
- @unconfirmed_user = create(:user)
311
- post :create, params: { email: @unconfirmed_user.email,
312
- password: @unconfirmed_user.password }
313
- @resource = assigns(:resource)
314
- @data = JSON.parse(response.body)
315
- end
313
+ describe 'Without paranoid mode' do
314
+ before do
315
+ @unconfirmed_user = create(:user)
316
+ post :create, params: { email: @unconfirmed_user.email,
317
+ password: @unconfirmed_user.password }
318
+ @resource = assigns(:resource)
319
+ @data = JSON.parse(response.body)
320
+ end
316
321
 
317
- test 'request should fail' do
318
- assert_equal 401, response.status
322
+ test 'request should fail' do
323
+ assert_equal 401, response.status
324
+ end
325
+
326
+ test 'response should contain errors' do
327
+ assert @data['errors']
328
+ assert_equal @data['errors'],
329
+ [I18n.t('devise_token_auth.sessions.not_confirmed',
330
+ email: @unconfirmed_user.email)]
331
+ end
319
332
  end
333
+
334
+ describe 'With paranoid mode' do
335
+ before do
336
+ @unconfirmed_user = create(:user)
337
+ swap Devise, paranoid: true do
338
+ post :create, params: { email: @unconfirmed_user.email,
339
+ password: @unconfirmed_user.password }
340
+ end
341
+ @resource = assigns(:resource)
342
+ @data = JSON.parse(response.body)
343
+ end
320
344
 
321
- test 'response should contain errors' do
322
- assert @data['errors']
323
- assert_equal @data['errors'],
324
- [I18n.t('devise_token_auth.sessions.not_confirmed',
325
- email: @unconfirmed_user.email)]
345
+ test 'request should fail' do
346
+ assert_equal 401, response.status
347
+ end
348
+
349
+ test 'response should contain errors that do not leak the existence of the account' do
350
+ assert @data['errors']
351
+ assert_equal @data['errors'],
352
+ [I18n.t('devise_token_auth.sessions.bad_credentials')]
353
+ end
326
354
  end
327
355
  end
328
356
 
@@ -371,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
371
399
  end
372
400
 
373
401
  describe 'Non-existing user' do
374
- before do
375
- post :create,
376
- params: { email: -> { Faker::Internet.email },
377
- password: -> { Faker::Number.number(10) } }
378
- @resource = assigns(:resource)
379
- @data = JSON.parse(response.body)
380
- end
402
+ describe 'Without paranoid mode' do
403
+ before do
404
+ post :create,
405
+ params: { email: -> { Faker::Internet.email },
406
+ password: -> { Faker::Number.number(10) } }
407
+ @resource = assigns(:resource)
408
+ @data = JSON.parse(response.body)
409
+ end
381
410
 
382
- test 'request should fail' do
383
- assert_equal 401, response.status
411
+ test 'request should fail' do
412
+ assert_equal 401, response.status
413
+ end
414
+
415
+ test 'response should contain errors' do
416
+ assert @data['errors']
417
+ end
384
418
  end
385
419
 
386
- test 'response should contain errors' do
387
- assert @data['errors']
420
+ describe 'With paranoid mode' do
421
+ before do
422
+ mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
423
+ @bcrypt_mock = MiniTest::Mock.new
424
+ @bcrypt_mock.expect(:call, mock_hash, [Object, String])
425
+
426
+ swap Devise, paranoid: true do
427
+ BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
428
+ post :create,
429
+ params: { email: -> { Faker::Internet.email },
430
+ password: -> { Faker::Number.number(10) } }
431
+ end
432
+ end
433
+ end
434
+
435
+ test 'password should be hashed' do
436
+ @bcrypt_mock.verify
437
+ end
388
438
  end
389
439
  end
390
440
 
@@ -468,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
468
518
  end
469
519
 
470
520
  describe 'locked user' do
471
- before do
472
- @locked_user = create(:lockable_user, :locked)
473
- post :create,
474
- params: { email: @locked_user.email,
475
- password: @locked_user.password }
476
- @data = JSON.parse(response.body)
477
- end
521
+ describe 'Without paranoid mode' do
522
+ before do
523
+ @locked_user = create(:lockable_user, :locked)
524
+ post :create,
525
+ params: { email: @locked_user.email,
526
+ password: @locked_user.password }
527
+ @data = JSON.parse(response.body)
528
+ end
478
529
 
479
- test 'request should fail' do
480
- assert_equal 401, response.status
530
+ test 'request should fail' do
531
+ assert_equal 401, response.status
532
+ end
533
+
534
+ test 'response should contain errors' do
535
+ assert @data['errors']
536
+ assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
537
+ end
481
538
  end
482
539
 
483
- test 'response should contain errors' do
484
- assert @data['errors']
485
- assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
540
+ describe 'With paranoid mode' do
541
+ before do
542
+ @locked_user = create(:lockable_user, :locked)
543
+ swap Devise, paranoid: true do
544
+ post :create,
545
+ params: { email: @locked_user.email,
546
+ password: @locked_user.password }
547
+ end
548
+ @data = JSON.parse(response.body)
549
+ end
550
+
551
+ test 'request should fail' do
552
+ assert_equal 401, response.status
553
+ end
554
+
555
+ test 'response should contain errors that do not leak the existence of the account' do
556
+ assert @data['errors']
557
+ assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
558
+ end
486
559
  end
487
560
  end
488
561