devise_token_auth 1.2.0 → 1.2.2
- checksums.yaml +4 -4
- data/README.md +2 -1
- data/app/controllers/devise_token_auth/application_controller.rb +13 -0
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +2 -1
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +20 -7
- data/app/controllers/devise_token_auth/confirmations_controller.rb +8 -5
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +18 -21
- data/app/controllers/devise_token_auth/passwords_controller.rb +9 -3
- data/app/controllers/devise_token_auth/sessions_controller.rb +26 -10
- data/app/controllers/devise_token_auth/unlocks_controller.rb +3 -2
- data/app/models/devise_token_auth/concerns/user.rb +34 -11
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +9 -5
- data/app/validators/devise_token_auth_email_validator.rb +9 -1
- data/config/locales/ja.yml +12 -0
- data/lib/devise_token_auth/engine.rb +5 -2
- data/lib/devise_token_auth/rails/routes.rb +6 -5
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +11 -5
- data/test/controllers/custom/custom_confirmations_controller_test.rb +1 -1
- data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +1 -1
- data/test/controllers/demo_mang_controller_test.rb +37 -8
- data/test/controllers/demo_user_controller_test.rb +37 -8
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +19 -7
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +16 -19
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +6 -6
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +2 -2
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +111 -38
- data/test/controllers/devise_token_auth/token_validations_controller_test.rb +41 -1
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +28 -6
- data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +1 -1
- data/test/dummy/app/controllers/application_controller.rb +2 -6
- data/test/dummy/app/controllers/overrides/confirmations_controller.rb +2 -1
- data/test/dummy/app/controllers/overrides/passwords_controller.rb +2 -1
- data/test/dummy/config/environments/test.rb +6 -2
- data/test/dummy/db/schema.rb +5 -5
- data/test/dummy/tmp/generators/app/models/user.rb +9 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +11 -5
- data/test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb +49 -0
- data/test/models/user_test.rb +22 -0
- metadata +94 -94
- data/test/dummy/tmp/generators/app/controllers/application_controller.rb +0 -6
- data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +0 -56
@@ -42,11 +42,17 @@ DeviseTokenAuth.setup do |config|
|
|
42
42
|
# config.default_callbacks = true
|
43
43
|
|
44
44
|
# Makes it possible to change the headers names
|
45
|
-
# config.headers_names = {
|
46
|
-
#
|
47
|
-
#
|
48
|
-
#
|
49
|
-
#
|
45
|
+
# config.headers_names = {
|
46
|
+
# :'authorization' => 'Authorization',
|
47
|
+
# :'access-token' => 'access-token',
|
48
|
+
# :'client' => 'client',
|
49
|
+
# :'expiry' => 'expiry',
|
50
|
+
# :'uid' => 'uid',
|
51
|
+
# :'token-type' => 'token-type'
|
52
|
+
# }
|
53
|
+
|
54
|
+
# Makes it possible to use custom uid column
|
55
|
+
# config.other_uid = "foo"
|
50
56
|
|
51
57
|
# By default, only Bearer Token authentication is implemented out of the box.
|
52
58
|
# If, however, you wish to integrate with legacy Devise authentication, you can
|
@@ -11,7 +11,7 @@ class Custom::ConfirmationsControllerTest < ActionController::TestCase
|
|
11
11
|
@new_user = create(:user)
|
12
12
|
@new_user.send_confirmation_instructions(redirect_url: @redirect_url)
|
13
13
|
@mail = ActionMailer::Base.deliveries.last
|
14
|
-
@token = @mail.body.match(/confirmation_token=([^&]*)
|
14
|
+
@token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
15
15
|
@client_config = @mail.body.match(/config=([^&]*)&/)[1]
|
16
16
|
|
17
17
|
get :show,
|
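Review bot: The capture group in the new pattern `confirmation_token=([^&]*)[&"]` still admits `"` inside the token, so when the token is not followed by another `&`-separated parameter the greedy `[^&]*` runs past the closing quote and only backtracks to some later `"` or `&` in the mail body, yielding a token with trailing markup. Excluding the quote from the class fixes it: `@token = @mail.body.match(/confirmation_token=([^&"]*)[&"]/)[1]`. The current test data happens to put `&config=` after the token, which is why the assertion still passes. The same pattern is introduced in `token_and_client_config_from` of confirmations_controller_test.rb and at lines 309 and 829 of registrations_controller_test.rb.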
@@ -20,7 +20,7 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
|
|
20
20
|
|
21
21
|
test 'yield resource to block on omniauth_success success' do
|
22
22
|
@redirect_url = 'http://ng-token-auth.dev/'
|
23
|
-
|
23
|
+
post '/nice_user_auth/facebook',
|
24
24
|
params: { auth_origin_url: @redirect_url,
|
25
25
|
omniauth_window_type: 'newWindow' }
|
26
26
|
|
@@ -235,7 +235,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
|
|
235
235
|
@resource.reload
|
236
236
|
age_token(@resource, @client_id)
|
237
237
|
|
238
|
-
# use
|
238
|
+
# use previous auth header
|
239
239
|
get '/demo/members_only_mang',
|
240
240
|
params: {},
|
241
241
|
headers: @auth_headers
|
@@ -244,38 +244,67 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
|
|
244
244
|
@second_user = assigns(:resource)
|
245
245
|
@second_access_token = response.headers['access-token']
|
246
246
|
@second_response_status = response.status
|
247
|
+
|
248
|
+
@resource.reload
|
249
|
+
age_token(@resource, @client_id)
|
250
|
+
|
251
|
+
# use expired auth headers
|
252
|
+
get '/demo/members_only_mang',
|
253
|
+
params: {},
|
254
|
+
headers: @auth_headers
|
255
|
+
|
256
|
+
@third_is_batch_request = assigns(:is_batch_request)
|
257
|
+
@third_user = assigns(:resource)
|
258
|
+
@third_access_token = response.headers['access-token']
|
259
|
+
@third_response_status = response.status
|
247
260
|
end
|
248
261
|
|
249
262
|
it 'should allow the first request through' do
|
250
263
|
assert_equal 200, @first_response_status
|
251
264
|
end
|
252
265
|
|
266
|
+
it 'should allow the second request through' do
|
267
|
+
assert_equal 200, @second_response_status
|
268
|
+
end
|
269
|
+
|
253
270
|
it 'should not allow the second request through' do
|
254
|
-
assert_equal 401, @
|
271
|
+
assert_equal 401, @third_response_status
|
255
272
|
end
|
256
273
|
|
257
274
|
it 'should not treat first request as batch request' do
|
275
|
+
refute @first_is_batch_request
|
276
|
+
end
|
277
|
+
|
278
|
+
it 'should not treat second request as batch request' do
|
258
279
|
refute @second_is_batch_request
|
259
280
|
end
|
260
281
|
|
282
|
+
it 'should not treat third request as batch request' do
|
283
|
+
refute @third_is_batch_request
|
284
|
+
end
|
285
|
+
|
261
286
|
it 'should return auth headers from the first request' do
|
262
287
|
assert @first_access_token
|
263
288
|
end
|
264
289
|
|
265
|
-
it 'should
|
266
|
-
|
290
|
+
it 'should return auth headers from the second request' do
|
291
|
+
assert @second_access_token
|
267
292
|
end
|
268
293
|
|
269
|
-
it 'should not return auth headers from the
|
270
|
-
refute @
|
294
|
+
it 'should not return auth headers from the third request' do
|
295
|
+
refute @third_access_token
|
271
296
|
end
|
272
297
|
|
273
298
|
it 'should define user during first request' do
|
274
299
|
assert @first_user
|
275
300
|
end
|
276
301
|
|
277
|
-
it 'should
|
278
|
-
|
302
|
+
it 'should define user during second request' do
|
303
|
+
assert @second_user
|
304
|
+
end
|
305
|
+
|
306
|
+
it 'should not define user during third request' do
|
307
|
+
refute @third_user
|
279
308
|
end
|
280
309
|
end
|
281
310
|
end
|
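Review bot: The description `it 'should not allow the second request through'` (new line 270) is now stale, because its body asserts `@third_response_status`, while the new test a few lines above asserts that the second request returns 200. It should read `it 'should not allow the third request through' do`. The same stale description remains in the corresponding hunk of demo_user_controller_test.rb.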
@@ -265,7 +265,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
|
|
265
265
|
@resource.reload
|
266
266
|
age_token(@resource, @client_id)
|
267
267
|
|
268
|
-
# use
|
268
|
+
# use previous auth header
|
269
269
|
get '/demo/members_only',
|
270
270
|
params: {},
|
271
271
|
headers: @auth_headers
|
@@ -274,38 +274,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
|
|
274
274
|
@second_user = assigns(:resource)
|
275
275
|
@second_access_token = response.headers['access-token']
|
276
276
|
@second_response_status = response.status
|
277
|
+
|
278
|
+
@resource.reload
|
279
|
+
age_token(@resource, @client_id)
|
280
|
+
|
281
|
+
# use expired auth headers
|
282
|
+
get '/demo/members_only_mang',
|
283
|
+
params: {},
|
284
|
+
headers: @auth_headers
|
285
|
+
|
286
|
+
@third_is_batch_request = assigns(:is_batch_request)
|
287
|
+
@third_user = assigns(:resource)
|
288
|
+
@third_access_token = response.headers['access-token']
|
289
|
+
@third_response_status = response.status
|
277
290
|
end
|
278
291
|
|
279
292
|
it 'should allow the first request through' do
|
280
293
|
assert_equal 200, @first_response_status
|
281
294
|
end
|
282
295
|
|
296
|
+
it 'should allow the second request through' do
|
297
|
+
assert_equal 200, @second_response_status
|
298
|
+
end
|
299
|
+
|
283
300
|
it 'should not allow the second request through' do
|
284
|
-
assert_equal 401, @
|
301
|
+
assert_equal 401, @third_response_status
|
285
302
|
end
|
286
303
|
|
287
304
|
it 'should not treat first request as batch request' do
|
305
|
+
refute @first_is_batch_request
|
306
|
+
end
|
307
|
+
|
308
|
+
it 'should not treat second request as batch request' do
|
288
309
|
refute @second_is_batch_request
|
289
310
|
end
|
290
311
|
|
312
|
+
it 'should not treat third request as batch request' do
|
313
|
+
refute @third_is_batch_request
|
314
|
+
end
|
315
|
+
|
291
316
|
it 'should return auth headers from the first request' do
|
292
317
|
assert @first_access_token
|
293
318
|
end
|
294
319
|
|
295
|
-
it 'should
|
296
|
-
|
320
|
+
it 'should return auth headers from the second request' do
|
321
|
+
assert @second_access_token
|
297
322
|
end
|
298
323
|
|
299
|
-
it 'should not return auth headers from the
|
300
|
-
refute @
|
324
|
+
it 'should not return auth headers from the third request' do
|
325
|
+
refute @third_access_token
|
301
326
|
end
|
302
327
|
|
303
328
|
it 'should define user during first request' do
|
304
329
|
assert @first_user
|
305
330
|
end
|
306
331
|
|
307
|
-
it 'should
|
308
|
-
|
332
|
+
it 'should define user during second request' do
|
333
|
+
assert @second_user
|
334
|
+
end
|
335
|
+
|
336
|
+
it 'should not define user during third request' do
|
337
|
+
refute @third_user
|
309
338
|
end
|
310
339
|
end
|
311
340
|
end
|
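Review bot: The third request in this before block goes to `'/demo/members_only_mang'` (new line 282) while the earlier requests in the same file go to `'/demo/members_only'` (line 269), which looks like a copy from demo_mang_controller_test.rb. If the mang route is guarded by a different resource class, the 401 at `assert_equal 401, @third_response_status` would be produced whether or not the aged token is still accepted, so the expiry behaviour is not actually exercised here. Use `get '/demo/members_only',` for the third request. The description `it 'should not allow the second request through'` also needs renaming to the third request in this file.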
@@ -11,7 +11,7 @@ require 'test_helper'
|
|
11
11
|
class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
12
12
|
describe DeviseTokenAuth::ConfirmationsController do
|
13
13
|
def token_and_client_config_from(body)
|
14
|
-
token = body.match(/confirmation_token=([^&]*)
|
14
|
+
token = body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
15
15
|
client_config = body.match(/config=([^&]*)&/)[1]
|
16
16
|
[token, client_config]
|
17
17
|
end
|
@@ -171,21 +171,30 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
171
171
|
test 'response should contain message' do
|
172
172
|
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
|
173
173
|
end
|
174
|
+
|
175
|
+
test 'response should return success status' do
|
176
|
+
assert_equal 200, response.status
|
177
|
+
end
|
174
178
|
end
|
175
179
|
|
176
180
|
describe 'on failure' do
|
177
181
|
before do
|
178
182
|
swap Devise, paranoid: true do
|
183
|
+
@email = 'chester@cheet.ah'
|
179
184
|
post :create,
|
180
|
-
params: { email:
|
185
|
+
params: { email: @email,
|
181
186
|
redirect_url: @redirect_url },
|
182
187
|
xhr: true
|
183
188
|
@data = JSON.parse(response.body)
|
184
189
|
end
|
185
190
|
end
|
186
191
|
|
187
|
-
test 'response should contain errors' do
|
188
|
-
assert_equal @data['
|
192
|
+
test 'response should not contain errors' do
|
193
|
+
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
|
194
|
+
end
|
195
|
+
|
196
|
+
test 'response should return success status' do
|
197
|
+
assert_equal 200, response.status
|
189
198
|
end
|
190
199
|
end
|
191
200
|
end
|
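Review bot: `test 'response should not contain errors'` asserts the paranoid message but never checks that `@data['errors']` is absent, so a response carrying both the message and an errors array would still pass. Adding `refute @data['errors']` before the message assertion pins the property this describe block is about: with `paranoid: true` the unknown-email response must be indistinguishable from the known-email one asserted at line 172. The enclosing describe and class continue outside the hunk.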
@@ -193,9 +202,12 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
193
202
|
|
194
203
|
describe 'failure' do
|
195
204
|
test 'user should not be confirmed' do
|
196
|
-
|
197
|
-
|
198
|
-
|
205
|
+
get :show,
|
206
|
+
params: { confirmation_token: 'bogus',
|
207
|
+
redirect_url: @redirect_url }
|
208
|
+
|
209
|
+
assert_redirected_to(/^#{@redirect_url}/)
|
210
|
+
|
199
211
|
@resource = assigns(:resource)
|
200
212
|
refute @resource.confirmed?
|
201
213
|
end
|
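Review bot: `assert_redirected_to(/^#{@redirect_url}/)` interpolates the URL into a regex without escaping, so `.` and other metacharacters in it are interpreted rather than matched literally, and `^` anchors at a line start rather than the string start. Prefer `assert_redirected_to(/\A#{Regexp.escape(@redirect_url)}/)`. `@redirect_url` is assigned outside the hunk, so its concrete value cannot be checked from here.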
@@ -13,7 +13,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
13
13
|
end
|
14
14
|
|
15
15
|
before do
|
16
|
-
@redirect_url = '
|
16
|
+
@redirect_url = 'https://ng-token-auth.dev/'
|
17
17
|
end
|
18
18
|
|
19
19
|
def get_parsed_data_json
|
@@ -98,7 +98,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
98
98
|
|
99
99
|
describe 'with alternate user model' do
|
100
100
|
before do
|
101
|
-
|
101
|
+
post '/mangs/facebook',
|
102
102
|
params: {
|
103
103
|
auth_origin_url: @redirect_url,
|
104
104
|
omniauth_window_type: 'newWindow'
|
@@ -123,7 +123,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
123
123
|
before do
|
124
124
|
@fav_color = 'alizarin crimson'
|
125
125
|
@unpermitted_param = 'M. Bison'
|
126
|
-
|
126
|
+
post '/auth/facebook',
|
127
127
|
params: { auth_origin_url: @redirect_url,
|
128
128
|
favorite_color: @fav_color,
|
129
129
|
name: @unpermitted_param,
|
@@ -160,7 +160,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
160
160
|
end
|
161
161
|
|
162
162
|
test 'response contains oauth_registration attr' do
|
163
|
-
|
163
|
+
post '/auth/facebook',
|
164
164
|
params: { auth_origin_url: @redirect_url,
|
165
165
|
omniauth_window_type: 'newWindow' }
|
166
166
|
|
@@ -176,7 +176,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
176
176
|
end
|
177
177
|
|
178
178
|
test 'response does not contain oauth_registration attr' do
|
179
|
-
|
179
|
+
post '/auth/facebook',
|
180
180
|
params: { auth_origin_url: @redirect_url,
|
181
181
|
omniauth_window_type: 'newWindow' }
|
182
182
|
|
@@ -189,7 +189,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
189
189
|
|
190
190
|
describe 'using namespaces' do
|
191
191
|
before do
|
192
|
-
|
192
|
+
post '/api/v1/auth/facebook',
|
193
193
|
params: { auth_origin_url: @redirect_url,
|
194
194
|
omniauth_window_type: 'newWindow' }
|
195
195
|
|
@@ -234,7 +234,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
234
234
|
|
235
235
|
describe 'with omniauth_window_type=sameWindow' do
|
236
236
|
test 'redirects to auth_origin_url with all expected query params' do
|
237
|
-
|
237
|
+
post '/auth/facebook',
|
238
238
|
params: { auth_origin_url: '/auth_origin',
|
239
239
|
omniauth_window_type: 'sameWindow' }
|
240
240
|
|
@@ -258,7 +258,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
258
258
|
end
|
259
259
|
|
260
260
|
def get_success(params = {})
|
261
|
-
|
261
|
+
post '/auth/facebook',
|
262
262
|
params: {
|
263
263
|
auth_origin_url: @redirect_url,
|
264
264
|
omniauth_window_type: 'newWindow'
|
@@ -282,7 +282,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
282
282
|
|
283
283
|
test 'renders expected data' do
|
284
284
|
silence_omniauth do
|
285
|
-
|
285
|
+
post '/auth/facebook',
|
286
286
|
params: { auth_origin_url: @redirect_url,
|
287
287
|
omniauth_window_type: 'newWindow' }
|
288
288
|
|
@@ -298,7 +298,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
298
298
|
|
299
299
|
test 'renders something with no auth_origin_url' do
|
300
300
|
silence_omniauth do
|
301
|
-
|
301
|
+
post '/auth/facebook'
|
302
302
|
follow_all_redirects!
|
303
303
|
end
|
304
304
|
assert_equal 200, response.status
|
@@ -339,7 +339,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
339
339
|
end
|
340
340
|
|
341
341
|
test 'request using non-whitelisted redirect fail' do
|
342
|
-
|
342
|
+
post '/auth/facebook',
|
343
343
|
params: { auth_origin_url: @bad_redirect_url,
|
344
344
|
omniauth_window_type: 'newWindow' }
|
345
345
|
|
@@ -351,7 +351,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
351
351
|
end
|
352
352
|
|
353
353
|
test 'request to whitelisted redirect should succeed' do
|
354
|
-
|
354
|
+
post '/auth/facebook',
|
355
355
|
params: {
|
356
356
|
auth_origin_url: @good_redirect_url,
|
357
357
|
omniauth_window_type: 'newWindow'
|
@@ -365,7 +365,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
365
365
|
|
366
366
|
test 'should support wildcards' do
|
367
367
|
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
368
|
-
|
368
|
+
post '/auth/facebook',
|
369
369
|
params: { auth_origin_url: @good_redirect_url,
|
370
370
|
omniauth_window_type: 'newWindow' }
|
371
371
|
|
@@ -397,7 +397,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
397
397
|
end
|
398
398
|
|
399
399
|
test 'request using non-whitelisted redirect fail' do
|
400
|
-
|
400
|
+
post '/auth/facebook',
|
401
401
|
params: { auth_origin_url: @bad_redirect_url,
|
402
402
|
omniauth_window_type: 'sameWindow' }
|
403
403
|
|
@@ -408,7 +408,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
408
408
|
end
|
409
409
|
|
410
410
|
test 'request to whitelisted redirect should succeed' do
|
411
|
-
|
411
|
+
post '/auth/facebook',
|
412
412
|
params: {
|
413
413
|
auth_origin_url: '/auth_origin',
|
414
414
|
omniauth_window_type: 'sameWindow'
|
@@ -422,7 +422,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
422
422
|
|
423
423
|
test 'should support wildcards' do
|
424
424
|
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
425
|
-
|
425
|
+
post '/auth/facebook',
|
426
426
|
params: {
|
427
427
|
auth_origin_url: '/auth_origin',
|
428
428
|
omniauth_window_type: 'sameWindow'
|
@@ -433,9 +433,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
433
433
|
assert_equal 200, response.status
|
434
434
|
assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
|
435
435
|
end
|
436
|
-
|
437
|
-
|
438
436
|
end
|
439
|
-
|
440
437
|
end
|
441
438
|
end
|
@@ -116,14 +116,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
|
|
116
116
|
end
|
117
117
|
end
|
118
118
|
|
119
|
-
test '
|
120
|
-
assert_equal
|
119
|
+
test 'response should return success status' do
|
120
|
+
assert_equal 200, response.status
|
121
121
|
end
|
122
122
|
|
123
|
-
test '
|
124
|
-
|
125
|
-
|
126
|
-
|
123
|
+
test 'response should contain message' do
|
124
|
+
assert_equal \
|
125
|
+
@data['message'],
|
126
|
+
I18n.t('devise_token_auth.passwords.sended_paranoid')
|
127
127
|
end
|
128
128
|
end
|
129
129
|
end
|
@@ -306,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
306
306
|
@data = JSON.parse(response.body)
|
307
307
|
@mail = ActionMailer::Base.deliveries.last
|
308
308
|
|
309
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
309
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
310
310
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
311
311
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
312
312
|
end
|
@@ -826,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
826
826
|
|
827
827
|
@resource.reload
|
828
828
|
|
829
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
829
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
830
830
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
831
831
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
832
832
|
end
|
@@ -39,13 +39,17 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
39
39
|
describe 'using auth cookie' do
|
40
40
|
before do
|
41
41
|
DeviseTokenAuth.cookie_enabled = true
|
42
|
+
post :create, params: @user_session_params
|
42
43
|
end
|
43
44
|
|
44
45
|
test 'request should return auth cookie' do
|
45
|
-
post :create, params: @user_session_params
|
46
46
|
assert response.cookies[DeviseTokenAuth.cookie_name]
|
47
47
|
end
|
48
48
|
|
49
|
+
test 'request should not include bearer token' do
|
50
|
+
assert_nil response.headers["Authorization"]
|
51
|
+
end
|
52
|
+
|
49
53
|
after do
|
50
54
|
DeviseTokenAuth.cookie_enabled = false
|
51
55
|
end
|
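Review bot: `assert_nil response.headers["Authorization"]` hard-codes the header name, while the generator template in this same release documents it as remappable through `config.headers_names` (`:'authorization' => 'Authorization'`); reading it as `DeviseTokenAuth.headers_names[:'authorization']` keeps the test aligned with the configuration in the same way `DeviseTokenAuth.cookie_name` is used two tests above. If cookie mode is meant to suppress header-based token delivery entirely, the `access-token` and `client` headers would deserve the same assertion, though whether that is the intended contract is not visible in this hunk.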
@@ -306,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
306
310
|
end
|
307
311
|
|
308
312
|
describe 'Unconfirmed user' do
|
309
|
-
|
310
|
-
|
311
|
-
|
312
|
-
|
313
|
-
|
314
|
-
|
315
|
-
|
313
|
+
describe 'Without paranoid mode' do
|
314
|
+
before do
|
315
|
+
@unconfirmed_user = create(:user)
|
316
|
+
post :create, params: { email: @unconfirmed_user.email,
|
317
|
+
password: @unconfirmed_user.password }
|
318
|
+
@resource = assigns(:resource)
|
319
|
+
@data = JSON.parse(response.body)
|
320
|
+
end
|
316
321
|
|
317
|
-
|
318
|
-
|
322
|
+
test 'request should fail' do
|
323
|
+
assert_equal 401, response.status
|
324
|
+
end
|
325
|
+
|
326
|
+
test 'response should contain errors' do
|
327
|
+
assert @data['errors']
|
328
|
+
assert_equal @data['errors'],
|
329
|
+
[I18n.t('devise_token_auth.sessions.not_confirmed',
|
330
|
+
email: @unconfirmed_user.email)]
|
331
|
+
end
|
319
332
|
end
|
333
|
+
|
334
|
+
describe 'With paranoid mode' do
|
335
|
+
before do
|
336
|
+
@unconfirmed_user = create(:user)
|
337
|
+
swap Devise, paranoid: true do
|
338
|
+
post :create, params: { email: @unconfirmed_user.email,
|
339
|
+
password: @unconfirmed_user.password }
|
340
|
+
end
|
341
|
+
@resource = assigns(:resource)
|
342
|
+
@data = JSON.parse(response.body)
|
343
|
+
end
|
320
344
|
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
345
|
+
test 'request should fail' do
|
346
|
+
assert_equal 401, response.status
|
347
|
+
end
|
348
|
+
|
349
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
350
|
+
assert @data['errors']
|
351
|
+
assert_equal @data['errors'],
|
352
|
+
[I18n.t('devise_token_auth.sessions.bad_credentials')]
|
353
|
+
end
|
326
354
|
end
|
327
355
|
end
|
328
356
|
|
@@ -371,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
371
399
|
end
|
372
400
|
|
373
401
|
describe 'Non-existing user' do
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
|
378
|
-
|
379
|
-
|
380
|
-
|
402
|
+
describe 'Without paranoid mode' do
|
403
|
+
before do
|
404
|
+
post :create,
|
405
|
+
params: { email: -> { Faker::Internet.email },
|
406
|
+
password: -> { Faker::Number.number(10) } }
|
407
|
+
@resource = assigns(:resource)
|
408
|
+
@data = JSON.parse(response.body)
|
409
|
+
end
|
381
410
|
|
382
|
-
|
383
|
-
|
411
|
+
test 'request should fail' do
|
412
|
+
assert_equal 401, response.status
|
413
|
+
end
|
414
|
+
|
415
|
+
test 'response should contain errors' do
|
416
|
+
assert @data['errors']
|
417
|
+
end
|
384
418
|
end
|
385
419
|
|
386
|
-
|
387
|
-
|
420
|
+
describe 'With paranoid mode' do
|
421
|
+
before do
|
422
|
+
mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
|
423
|
+
@bcrypt_mock = MiniTest::Mock.new
|
424
|
+
@bcrypt_mock.expect(:call, mock_hash, [Object, String])
|
425
|
+
|
426
|
+
swap Devise, paranoid: true do
|
427
|
+
BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
|
428
|
+
post :create,
|
429
|
+
params: { email: -> { Faker::Internet.email },
|
430
|
+
password: -> { Faker::Number.number(10) } }
|
431
|
+
end
|
432
|
+
end
|
433
|
+
end
|
434
|
+
|
435
|
+
test 'password should be hashed' do
|
436
|
+
@bcrypt_mock.verify
|
437
|
+
end
|
388
438
|
end
|
389
439
|
end
|
390
440
|
|
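Review bot: The `With paranoid mode` block for a non-existing user only verifies that `BCrypt::Engine.hash_secret` was called; it never reads the response, so nothing asserts that this case returns the same 401 and `bad_credentials` body that the unconfirmed-user and locked-user paranoid blocks assert. That equivalence is the property paranoid mode exists for, since a differing status or message would reveal whether the address is registered. Capture the response after the swap and assert on it alongside the mock verification.
```ruby
      describe 'With paranoid mode' do
        before do
          # … unchanged: bcrypt mock, swap Devise paranoid, stubbed post :create …
          @data = JSON.parse(response.body)
        end

        # … unchanged: 'password should be hashed' …

        test 'request should fail' do
          assert_equal 401, response.status
        end

        test 'response should contain errors that do not leak the existence of the account' do
          assert @data['errors']
          assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
        end
      end
```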
@@ -468,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
468
518
|
end
|
469
519
|
|
470
520
|
describe 'locked user' do
|
471
|
-
|
472
|
-
|
473
|
-
|
474
|
-
|
475
|
-
|
476
|
-
|
477
|
-
|
521
|
+
describe 'Without paranoid mode' do
|
522
|
+
before do
|
523
|
+
@locked_user = create(:lockable_user, :locked)
|
524
|
+
post :create,
|
525
|
+
params: { email: @locked_user.email,
|
526
|
+
password: @locked_user.password }
|
527
|
+
@data = JSON.parse(response.body)
|
528
|
+
end
|
478
529
|
|
479
|
-
|
480
|
-
|
530
|
+
test 'request should fail' do
|
531
|
+
assert_equal 401, response.status
|
532
|
+
end
|
533
|
+
|
534
|
+
test 'response should contain errors' do
|
535
|
+
assert @data['errors']
|
536
|
+
assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
|
537
|
+
end
|
481
538
|
end
|
482
539
|
|
483
|
-
|
484
|
-
|
485
|
-
|
540
|
+
describe 'With paranoid mode' do
|
541
|
+
before do
|
542
|
+
@locked_user = create(:lockable_user, :locked)
|
543
|
+
swap Devise, paranoid: true do
|
544
|
+
post :create,
|
545
|
+
params: { email: @locked_user.email,
|
546
|
+
password: @locked_user.password }
|
547
|
+
end
|
548
|
+
@data = JSON.parse(response.body)
|
549
|
+
end
|
550
|
+
|
551
|
+
test 'request should fail' do
|
552
|
+
assert_equal 401, response.status
|
553
|
+
end
|
554
|
+
|
555
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
556
|
+
assert @data['errors']
|
557
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
|
558
|
+
end
|
486
559
|
end
|
487
560
|
end
|
488
561
|
|