devise_token_auth 1.2.0 → 1.2.2
- checksums.yaml +4 -4
- data/README.md +2 -1
- data/app/controllers/devise_token_auth/application_controller.rb +13 -0
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +2 -1
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +20 -7
- data/app/controllers/devise_token_auth/confirmations_controller.rb +8 -5
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +18 -21
- data/app/controllers/devise_token_auth/passwords_controller.rb +9 -3
- data/app/controllers/devise_token_auth/sessions_controller.rb +26 -10
- data/app/controllers/devise_token_auth/unlocks_controller.rb +3 -2
- data/app/models/devise_token_auth/concerns/user.rb +34 -11
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +9 -5
- data/app/validators/devise_token_auth_email_validator.rb +9 -1
- data/config/locales/ja.yml +12 -0
- data/lib/devise_token_auth/engine.rb +5 -2
- data/lib/devise_token_auth/rails/routes.rb +6 -5
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +11 -5
- data/test/controllers/custom/custom_confirmations_controller_test.rb +1 -1
- data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +1 -1
- data/test/controllers/demo_mang_controller_test.rb +37 -8
- data/test/controllers/demo_user_controller_test.rb +37 -8
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +19 -7
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +16 -19
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +6 -6
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +2 -2
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +111 -38
- data/test/controllers/devise_token_auth/token_validations_controller_test.rb +41 -1
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +28 -6
- data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +1 -1
- data/test/dummy/app/controllers/application_controller.rb +2 -6
- data/test/dummy/app/controllers/overrides/confirmations_controller.rb +2 -1
- data/test/dummy/app/controllers/overrides/passwords_controller.rb +2 -1
- data/test/dummy/config/environments/test.rb +6 -2
- data/test/dummy/db/schema.rb +5 -5
- data/test/dummy/tmp/generators/app/models/user.rb +9 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +11 -5
- data/test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb +49 -0
- data/test/models/user_test.rb +22 -0
- metadata +94 -94
- data/test/dummy/tmp/generators/app/controllers/application_controller.rb +0 -6
- data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +0 -56
@@ -42,11 +42,17 @@ DeviseTokenAuth.setup do |config|
|
|
42
42
|
# config.default_callbacks = true
|
43
43
|
|
44
44
|
# Makes it possible to change the headers names
|
45
|
-
# config.headers_names = {
|
46
|
-
#
|
47
|
-
#
|
48
|
-
#
|
49
|
-
#
|
45
|
+
# config.headers_names = {
|
46
|
+
# :'authorization' => 'Authorization',
|
47
|
+
# :'access-token' => 'access-token',
|
48
|
+
# :'client' => 'client',
|
49
|
+
# :'expiry' => 'expiry',
|
50
|
+
# :'uid' => 'uid',
|
51
|
+
# :'token-type' => 'token-type'
|
52
|
+
# }
|
53
|
+
|
54
|
+
# Makes it possible to use custom uid column
|
55
|
+
# config.other_uid = "foo"
|
50
56
|
|
51
57
|
# By default, only Bearer Token authentication is implemented out of the box.
|
52
58
|
# If, however, you wish to integrate with legacy Devise authentication, you can
|
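Review bot: The new `# config.other_uid = "foo"` sample is documented only as "custom uid column", which leaves unsaid what kind of value is expected and how it relates to the `:'uid' => 'uid'` entry of `headers_names` a few lines above. Presumably the value is the name of a column on the resource model; if that is confirmed, the comment should say it, e.g. `# Makes it possible to use a custom uid column (value: the column name on the resource model)`. This comment block sits inside `DeviseTokenAuth.setup do |config|`, whose start and end are outside the hunk.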
@@ -11,7 +11,7 @@ class Custom::ConfirmationsControllerTest < ActionController::TestCase
|
|
11
11
|
@new_user = create(:user)
|
12
12
|
@new_user.send_confirmation_instructions(redirect_url: @redirect_url)
|
13
13
|
@mail = ActionMailer::Base.deliveries.last
|
14
|
-
@token = @mail.body.match(/confirmation_token=([^&]*)
|
14
|
+
@token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
15
15
|
@client_config = @mail.body.match(/config=([^&]*)&/)[1]
|
16
16
|
|
17
17
|
get :show,
|
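Review bot: The tightened pattern in `@token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]` is now copied verbatim into four places (also `token_and_client_config_from` in confirmations_controller_test.rb and both registrations_controller_test.rb hunks); a single helper in test_helper would keep them in step the next time the mail template changes. Indexing `[1]` straight on the `match` result still raises `NoMethodError` on `nil` when the body carries no token, which shows up as a setup crash rather than a readable failure; a `refute_nil` on the match before indexing gives a clearer message. The `before` block this line belongs to starts outside the hunk.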
@@ -20,7 +20,7 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
|
|
20
20
|
|
21
21
|
test 'yield resource to block on omniauth_success success' do
|
22
22
|
@redirect_url = 'http://ng-token-auth.dev/'
|
23
|
-
|
23
|
+
post '/nice_user_auth/facebook',
|
24
24
|
params: { auth_origin_url: @redirect_url,
|
25
25
|
omniauth_window_type: 'newWindow' }
|
26
26
|
|
@@ -235,7 +235,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
|
|
235
235
|
@resource.reload
|
236
236
|
age_token(@resource, @client_id)
|
237
237
|
|
238
|
-
# use
|
238
|
+
# use previous auth header
|
239
239
|
get '/demo/members_only_mang',
|
240
240
|
params: {},
|
241
241
|
headers: @auth_headers
|
@@ -244,38 +244,67 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
|
|
244
244
|
@second_user = assigns(:resource)
|
245
245
|
@second_access_token = response.headers['access-token']
|
246
246
|
@second_response_status = response.status
|
247
|
+
|
248
|
+
@resource.reload
|
249
|
+
age_token(@resource, @client_id)
|
250
|
+
|
251
|
+
# use expired auth headers
|
252
|
+
get '/demo/members_only_mang',
|
253
|
+
params: {},
|
254
|
+
headers: @auth_headers
|
255
|
+
|
256
|
+
@third_is_batch_request = assigns(:is_batch_request)
|
257
|
+
@third_user = assigns(:resource)
|
258
|
+
@third_access_token = response.headers['access-token']
|
259
|
+
@third_response_status = response.status
|
247
260
|
end
|
248
261
|
|
249
262
|
it 'should allow the first request through' do
|
250
263
|
assert_equal 200, @first_response_status
|
251
264
|
end
|
252
265
|
|
266
|
+
it 'should allow the second request through' do
|
267
|
+
assert_equal 200, @second_response_status
|
268
|
+
end
|
269
|
+
|
253
270
|
it 'should not allow the second request through' do
|
254
|
-
assert_equal 401, @
|
271
|
+
assert_equal 401, @third_response_status
|
255
272
|
end
|
256
273
|
|
257
274
|
it 'should not treat first request as batch request' do
|
275
|
+
refute @first_is_batch_request
|
276
|
+
end
|
277
|
+
|
278
|
+
it 'should not treat second request as batch request' do
|
258
279
|
refute @second_is_batch_request
|
259
280
|
end
|
260
281
|
|
282
|
+
it 'should not treat third request as batch request' do
|
283
|
+
refute @third_is_batch_request
|
284
|
+
end
|
285
|
+
|
261
286
|
it 'should return auth headers from the first request' do
|
262
287
|
assert @first_access_token
|
263
288
|
end
|
264
289
|
|
265
|
-
it 'should
|
266
|
-
|
290
|
+
it 'should return auth headers from the second request' do
|
291
|
+
assert @second_access_token
|
267
292
|
end
|
268
293
|
|
269
|
-
it 'should not return auth headers from the
|
270
|
-
refute @
|
294
|
+
it 'should not return auth headers from the third request' do
|
295
|
+
refute @third_access_token
|
271
296
|
end
|
272
297
|
|
273
298
|
it 'should define user during first request' do
|
274
299
|
assert @first_user
|
275
300
|
end
|
276
301
|
|
277
|
-
it 'should
|
278
|
-
|
302
|
+
it 'should define user during second request' do
|
303
|
+
assert @second_user
|
304
|
+
end
|
305
|
+
|
306
|
+
it 'should not define user during third request' do
|
307
|
+
refute @third_user
|
279
308
|
end
|
280
309
|
end
|
281
310
|
end
|
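Review bot: The case at old line 253 / new line 270 keeps the name `it 'should not allow the second request through' do` while its assertion is changed to `assert_equal 401, @third_response_status`, so the description no longer matches what it checks, and the new `should allow the second request through` case directly above makes the contradiction visible in test output. Rename it to `it 'should not allow the third request through' do`. The same stale name is in the DemoUserControllerTest hunk (`@@ -274,38 +274,67 @@`). The `before` block that issues the three requests starts before this hunk.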
@@ -265,7 +265,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
|
|
265
265
|
@resource.reload
|
266
266
|
age_token(@resource, @client_id)
|
267
267
|
|
268
|
-
# use
|
268
|
+
# use previous auth header
|
269
269
|
get '/demo/members_only',
|
270
270
|
params: {},
|
271
271
|
headers: @auth_headers
|
@@ -274,38 +274,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
|
|
274
274
|
@second_user = assigns(:resource)
|
275
275
|
@second_access_token = response.headers['access-token']
|
276
276
|
@second_response_status = response.status
|
277
|
+
|
278
|
+
@resource.reload
|
279
|
+
age_token(@resource, @client_id)
|
280
|
+
|
281
|
+
# use expired auth headers
|
282
|
+
get '/demo/members_only_mang',
|
283
|
+
params: {},
|
284
|
+
headers: @auth_headers
|
285
|
+
|
286
|
+
@third_is_batch_request = assigns(:is_batch_request)
|
287
|
+
@third_user = assigns(:resource)
|
288
|
+
@third_access_token = response.headers['access-token']
|
289
|
+
@third_response_status = response.status
|
277
290
|
end
|
278
291
|
|
279
292
|
it 'should allow the first request through' do
|
280
293
|
assert_equal 200, @first_response_status
|
281
294
|
end
|
282
295
|
|
296
|
+
it 'should allow the second request through' do
|
297
|
+
assert_equal 200, @second_response_status
|
298
|
+
end
|
299
|
+
|
283
300
|
it 'should not allow the second request through' do
|
284
|
-
assert_equal 401, @
|
301
|
+
assert_equal 401, @third_response_status
|
285
302
|
end
|
286
303
|
|
287
304
|
it 'should not treat first request as batch request' do
|
305
|
+
refute @first_is_batch_request
|
306
|
+
end
|
307
|
+
|
308
|
+
it 'should not treat second request as batch request' do
|
288
309
|
refute @second_is_batch_request
|
289
310
|
end
|
290
311
|
|
312
|
+
it 'should not treat third request as batch request' do
|
313
|
+
refute @third_is_batch_request
|
314
|
+
end
|
315
|
+
|
291
316
|
it 'should return auth headers from the first request' do
|
292
317
|
assert @first_access_token
|
293
318
|
end
|
294
319
|
|
295
|
-
it 'should
|
296
|
-
|
320
|
+
it 'should return auth headers from the second request' do
|
321
|
+
assert @second_access_token
|
297
322
|
end
|
298
323
|
|
299
|
-
it 'should not return auth headers from the
|
300
|
-
refute @
|
324
|
+
it 'should not return auth headers from the third request' do
|
325
|
+
refute @third_access_token
|
301
326
|
end
|
302
327
|
|
303
328
|
it 'should define user during first request' do
|
304
329
|
assert @first_user
|
305
330
|
end
|
306
331
|
|
307
|
-
it 'should
|
308
|
-
|
332
|
+
it 'should define user during second request' do
|
333
|
+
assert @second_user
|
334
|
+
end
|
335
|
+
|
336
|
+
it 'should not define user during third request' do
|
337
|
+
refute @third_user
|
309
338
|
end
|
310
339
|
end
|
311
340
|
end
|
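Review bot: The third request added to DemoUserControllerTest hits `get '/demo/members_only_mang',` whereas the earlier requests in this file use `/demo/members_only` (the `_mang` route is the one exercised by DemoMangControllerTest, from which this block looks copied). With the wrong route the 401 and `refute @third_user` assertions could pass for a reason other than the aged token having expired, which is what the `# use expired auth headers` comment says is under test; change the line to `get '/demo/members_only',`. The `before` block containing it starts before this hunk.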
@@ -11,7 +11,7 @@ require 'test_helper'
|
|
11
11
|
class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
12
12
|
describe DeviseTokenAuth::ConfirmationsController do
|
13
13
|
def token_and_client_config_from(body)
|
14
|
-
token = body.match(/confirmation_token=([^&]*)
|
14
|
+
token = body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
15
15
|
client_config = body.match(/config=([^&]*)&/)[1]
|
16
16
|
[token, client_config]
|
17
17
|
end
|
@@ -171,21 +171,30 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
171
171
|
test 'response should contain message' do
|
172
172
|
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
|
173
173
|
end
|
174
|
+
|
175
|
+
test 'response should return success status' do
|
176
|
+
assert_equal 200, response.status
|
177
|
+
end
|
174
178
|
end
|
175
179
|
|
176
180
|
describe 'on failure' do
|
177
181
|
before do
|
178
182
|
swap Devise, paranoid: true do
|
183
|
+
@email = 'chester@cheet.ah'
|
179
184
|
post :create,
|
180
|
-
params: { email:
|
185
|
+
params: { email: @email,
|
181
186
|
redirect_url: @redirect_url },
|
182
187
|
xhr: true
|
183
188
|
@data = JSON.parse(response.body)
|
184
189
|
end
|
185
190
|
end
|
186
191
|
|
187
|
-
test 'response should contain errors' do
|
188
|
-
assert_equal @data['
|
192
|
+
test 'response should not contain errors' do
|
193
|
+
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
|
194
|
+
end
|
195
|
+
|
196
|
+
test 'response should return success status' do
|
197
|
+
assert_equal 200, response.status
|
189
198
|
end
|
190
199
|
end
|
191
200
|
end
|
@@ -193,9 +202,12 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
193
202
|
|
194
203
|
describe 'failure' do
|
195
204
|
test 'user should not be confirmed' do
|
196
|
-
|
197
|
-
|
198
|
-
|
205
|
+
get :show,
|
206
|
+
params: { confirmation_token: 'bogus',
|
207
|
+
redirect_url: @redirect_url }
|
208
|
+
|
209
|
+
assert_redirected_to(/^#{@redirect_url}/)
|
210
|
+
|
199
211
|
@resource = assigns(:resource)
|
200
212
|
refute @resource.confirmed?
|
201
213
|
end
|
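Review bot: In the `failure` hunk (`@@ -193,9 +202,12 @@`) the new `assert_redirected_to(/^#{@redirect_url}/)` interpolates a URL into a regex unescaped and anchors it with `^`, which matches at any line start and lets each `.` in the URL match any character; use `assert_redirected_to(/\A#{Regexp.escape(@redirect_url)}/)`. Separately, the new `assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)` passes the actual value in the expected position, so minitest's failure diff is printed backwards; the same order appears in the passwords hunk (`@@ -116,14 +116,14 @@`) and in the `assert_equal @data['errors'], [...]` lines of the sessions test. Minitest's signature is `assert_equal expected, actual`, so swap the two arguments in each. The `test 'user should not be confirmed'` body is shown in full, but the `describe` blocks enclosing it start outside the hunk.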
@@ -13,7 +13,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
13
13
|
end
|
14
14
|
|
15
15
|
before do
|
16
|
-
@redirect_url = '
|
16
|
+
@redirect_url = 'https://ng-token-auth.dev/'
|
17
17
|
end
|
18
18
|
|
19
19
|
def get_parsed_data_json
|
@@ -98,7 +98,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
98
98
|
|
99
99
|
describe 'with alternate user model' do
|
100
100
|
before do
|
101
|
-
|
101
|
+
post '/mangs/facebook',
|
102
102
|
params: {
|
103
103
|
auth_origin_url: @redirect_url,
|
104
104
|
omniauth_window_type: 'newWindow'
|
@@ -123,7 +123,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
123
123
|
before do
|
124
124
|
@fav_color = 'alizarin crimson'
|
125
125
|
@unpermitted_param = 'M. Bison'
|
126
|
-
|
126
|
+
post '/auth/facebook',
|
127
127
|
params: { auth_origin_url: @redirect_url,
|
128
128
|
favorite_color: @fav_color,
|
129
129
|
name: @unpermitted_param,
|
@@ -160,7 +160,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
160
160
|
end
|
161
161
|
|
162
162
|
test 'response contains oauth_registration attr' do
|
163
|
-
|
163
|
+
post '/auth/facebook',
|
164
164
|
params: { auth_origin_url: @redirect_url,
|
165
165
|
omniauth_window_type: 'newWindow' }
|
166
166
|
|
@@ -176,7 +176,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
176
176
|
end
|
177
177
|
|
178
178
|
test 'response does not contain oauth_registration attr' do
|
179
|
-
|
179
|
+
post '/auth/facebook',
|
180
180
|
params: { auth_origin_url: @redirect_url,
|
181
181
|
omniauth_window_type: 'newWindow' }
|
182
182
|
|
@@ -189,7 +189,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
189
189
|
|
190
190
|
describe 'using namespaces' do
|
191
191
|
before do
|
192
|
-
|
192
|
+
post '/api/v1/auth/facebook',
|
193
193
|
params: { auth_origin_url: @redirect_url,
|
194
194
|
omniauth_window_type: 'newWindow' }
|
195
195
|
|
@@ -234,7 +234,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
234
234
|
|
235
235
|
describe 'with omniauth_window_type=sameWindow' do
|
236
236
|
test 'redirects to auth_origin_url with all expected query params' do
|
237
|
-
|
237
|
+
post '/auth/facebook',
|
238
238
|
params: { auth_origin_url: '/auth_origin',
|
239
239
|
omniauth_window_type: 'sameWindow' }
|
240
240
|
|
@@ -258,7 +258,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
258
258
|
end
|
259
259
|
|
260
260
|
def get_success(params = {})
|
261
|
-
|
261
|
+
post '/auth/facebook',
|
262
262
|
params: {
|
263
263
|
auth_origin_url: @redirect_url,
|
264
264
|
omniauth_window_type: 'newWindow'
|
@@ -282,7 +282,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
282
282
|
|
283
283
|
test 'renders expected data' do
|
284
284
|
silence_omniauth do
|
285
|
-
|
285
|
+
post '/auth/facebook',
|
286
286
|
params: { auth_origin_url: @redirect_url,
|
287
287
|
omniauth_window_type: 'newWindow' }
|
288
288
|
|
@@ -298,7 +298,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
298
298
|
|
299
299
|
test 'renders something with no auth_origin_url' do
|
300
300
|
silence_omniauth do
|
301
|
-
|
301
|
+
post '/auth/facebook'
|
302
302
|
follow_all_redirects!
|
303
303
|
end
|
304
304
|
assert_equal 200, response.status
|
@@ -339,7 +339,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
339
339
|
end
|
340
340
|
|
341
341
|
test 'request using non-whitelisted redirect fail' do
|
342
|
-
|
342
|
+
post '/auth/facebook',
|
343
343
|
params: { auth_origin_url: @bad_redirect_url,
|
344
344
|
omniauth_window_type: 'newWindow' }
|
345
345
|
|
@@ -351,7 +351,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
351
351
|
end
|
352
352
|
|
353
353
|
test 'request to whitelisted redirect should succeed' do
|
354
|
-
|
354
|
+
post '/auth/facebook',
|
355
355
|
params: {
|
356
356
|
auth_origin_url: @good_redirect_url,
|
357
357
|
omniauth_window_type: 'newWindow'
|
@@ -365,7 +365,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
365
365
|
|
366
366
|
test 'should support wildcards' do
|
367
367
|
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
368
|
-
|
368
|
+
post '/auth/facebook',
|
369
369
|
params: { auth_origin_url: @good_redirect_url,
|
370
370
|
omniauth_window_type: 'newWindow' }
|
371
371
|
|
@@ -397,7 +397,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
397
397
|
end
|
398
398
|
|
399
399
|
test 'request using non-whitelisted redirect fail' do
|
400
|
-
|
400
|
+
post '/auth/facebook',
|
401
401
|
params: { auth_origin_url: @bad_redirect_url,
|
402
402
|
omniauth_window_type: 'sameWindow' }
|
403
403
|
|
@@ -408,7 +408,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
408
408
|
end
|
409
409
|
|
410
410
|
test 'request to whitelisted redirect should succeed' do
|
411
|
-
|
411
|
+
post '/auth/facebook',
|
412
412
|
params: {
|
413
413
|
auth_origin_url: '/auth_origin',
|
414
414
|
omniauth_window_type: 'sameWindow'
|
@@ -422,7 +422,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
422
422
|
|
423
423
|
test 'should support wildcards' do
|
424
424
|
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
425
|
-
|
425
|
+
post '/auth/facebook',
|
426
426
|
params: {
|
427
427
|
auth_origin_url: '/auth_origin',
|
428
428
|
omniauth_window_type: 'sameWindow'
|
@@ -433,9 +433,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
433
433
|
assert_equal 200, response.status
|
434
434
|
assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
|
435
435
|
end
|
436
|
-
|
437
|
-
|
438
436
|
end
|
439
|
-
|
440
437
|
end
|
441
438
|
end
|
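Review bot: `def get_success(params = {})` now issues `post '/auth/facebook',` but keeps a name that says GET, and the same `post '/auth/facebook', params: { auth_origin_url: @redirect_url, omniauth_window_type: 'newWindow' }` call is repeated inline in most of the other hunks instead of going through that helper. Either rename it (e.g. `post_success`, keeping `get_success` as an alias until callers are updated) or add a comment above it: `# Issues a POST; the name predates the switch from GET and is kept for existing callers`. Whether the GET-to-POST switch is driven by an OmniAuth upgrade cannot be seen from this diff; if it is, a one-line comment at the first `post` recording that reason would spare the next reader the archaeology. The `describe` blocks enclosing these hunks start and end outside them.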
@@ -116,14 +116,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
|
|
116
116
|
end
|
117
117
|
end
|
118
118
|
|
119
|
-
test '
|
120
|
-
assert_equal
|
119
|
+
test 'response should return success status' do
|
120
|
+
assert_equal 200, response.status
|
121
121
|
end
|
122
122
|
|
123
|
-
test '
|
124
|
-
|
125
|
-
|
126
|
-
|
123
|
+
test 'response should contain message' do
|
124
|
+
assert_equal \
|
125
|
+
@data['message'],
|
126
|
+
I18n.t('devise_token_auth.passwords.sended_paranoid')
|
127
127
|
end
|
128
128
|
end
|
129
129
|
end
|
@@ -306,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
306
306
|
@data = JSON.parse(response.body)
|
307
307
|
@mail = ActionMailer::Base.deliveries.last
|
308
308
|
|
309
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
309
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
310
310
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
311
311
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
312
312
|
end
|
@@ -826,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
|
|
826
826
|
|
827
827
|
@resource.reload
|
828
828
|
|
829
|
-
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)
|
829
|
+
@mail_reset_token = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
|
830
830
|
@mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
|
831
831
|
@mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
|
832
832
|
end
|
@@ -39,13 +39,17 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
39
39
|
describe 'using auth cookie' do
|
40
40
|
before do
|
41
41
|
DeviseTokenAuth.cookie_enabled = true
|
42
|
+
post :create, params: @user_session_params
|
42
43
|
end
|
43
44
|
|
44
45
|
test 'request should return auth cookie' do
|
45
|
-
post :create, params: @user_session_params
|
46
46
|
assert response.cookies[DeviseTokenAuth.cookie_name]
|
47
47
|
end
|
48
48
|
|
49
|
+
test 'request should not include bearer token' do
|
50
|
+
assert_nil response.headers["Authorization"]
|
51
|
+
end
|
52
|
+
|
49
53
|
after do
|
50
54
|
DeviseTokenAuth.cookie_enabled = false
|
51
55
|
end
|
@@ -306,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
306
310
|
end
|
307
311
|
|
308
312
|
describe 'Unconfirmed user' do
|
309
|
-
|
310
|
-
|
311
|
-
|
312
|
-
|
313
|
-
|
314
|
-
|
315
|
-
|
313
|
+
describe 'Without paranoid mode' do
|
314
|
+
before do
|
315
|
+
@unconfirmed_user = create(:user)
|
316
|
+
post :create, params: { email: @unconfirmed_user.email,
|
317
|
+
password: @unconfirmed_user.password }
|
318
|
+
@resource = assigns(:resource)
|
319
|
+
@data = JSON.parse(response.body)
|
320
|
+
end
|
316
321
|
|
317
|
-
|
318
|
-
|
322
|
+
test 'request should fail' do
|
323
|
+
assert_equal 401, response.status
|
324
|
+
end
|
325
|
+
|
326
|
+
test 'response should contain errors' do
|
327
|
+
assert @data['errors']
|
328
|
+
assert_equal @data['errors'],
|
329
|
+
[I18n.t('devise_token_auth.sessions.not_confirmed',
|
330
|
+
email: @unconfirmed_user.email)]
|
331
|
+
end
|
319
332
|
end
|
333
|
+
|
334
|
+
describe 'With paranoid mode' do
|
335
|
+
before do
|
336
|
+
@unconfirmed_user = create(:user)
|
337
|
+
swap Devise, paranoid: true do
|
338
|
+
post :create, params: { email: @unconfirmed_user.email,
|
339
|
+
password: @unconfirmed_user.password }
|
340
|
+
end
|
341
|
+
@resource = assigns(:resource)
|
342
|
+
@data = JSON.parse(response.body)
|
343
|
+
end
|
320
344
|
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
345
|
+
test 'request should fail' do
|
346
|
+
assert_equal 401, response.status
|
347
|
+
end
|
348
|
+
|
349
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
350
|
+
assert @data['errors']
|
351
|
+
assert_equal @data['errors'],
|
352
|
+
[I18n.t('devise_token_auth.sessions.bad_credentials')]
|
353
|
+
end
|
326
354
|
end
|
327
355
|
end
|
328
356
|
|
@@ -371,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
371
399
|
end
|
372
400
|
|
373
401
|
describe 'Non-existing user' do
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
|
378
|
-
|
379
|
-
|
380
|
-
|
402
|
+
describe 'Without paranoid mode' do
|
403
|
+
before do
|
404
|
+
post :create,
|
405
|
+
params: { email: -> { Faker::Internet.email },
|
406
|
+
password: -> { Faker::Number.number(10) } }
|
407
|
+
@resource = assigns(:resource)
|
408
|
+
@data = JSON.parse(response.body)
|
409
|
+
end
|
381
410
|
|
382
|
-
|
383
|
-
|
411
|
+
test 'request should fail' do
|
412
|
+
assert_equal 401, response.status
|
413
|
+
end
|
414
|
+
|
415
|
+
test 'response should contain errors' do
|
416
|
+
assert @data['errors']
|
417
|
+
end
|
384
418
|
end
|
385
419
|
|
386
|
-
|
387
|
-
|
420
|
+
describe 'With paranoid mode' do
|
421
|
+
before do
|
422
|
+
mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
|
423
|
+
@bcrypt_mock = MiniTest::Mock.new
|
424
|
+
@bcrypt_mock.expect(:call, mock_hash, [Object, String])
|
425
|
+
|
426
|
+
swap Devise, paranoid: true do
|
427
|
+
BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
|
428
|
+
post :create,
|
429
|
+
params: { email: -> { Faker::Internet.email },
|
430
|
+
password: -> { Faker::Number.number(10) } }
|
431
|
+
end
|
432
|
+
end
|
433
|
+
end
|
434
|
+
|
435
|
+
test 'password should be hashed' do
|
436
|
+
@bcrypt_mock.verify
|
437
|
+
end
|
388
438
|
end
|
389
439
|
end
|
390
440
|
|
@@ -468,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
|
|
468
518
|
end
|
469
519
|
|
470
520
|
describe 'locked user' do
|
471
|
-
|
472
|
-
|
473
|
-
|
474
|
-
|
475
|
-
|
476
|
-
|
477
|
-
|
521
|
+
describe 'Without paranoid mode' do
|
522
|
+
before do
|
523
|
+
@locked_user = create(:lockable_user, :locked)
|
524
|
+
post :create,
|
525
|
+
params: { email: @locked_user.email,
|
526
|
+
password: @locked_user.password }
|
527
|
+
@data = JSON.parse(response.body)
|
528
|
+
end
|
478
529
|
|
479
|
-
|
480
|
-
|
530
|
+
test 'request should fail' do
|
531
|
+
assert_equal 401, response.status
|
532
|
+
end
|
533
|
+
|
534
|
+
test 'response should contain errors' do
|
535
|
+
assert @data['errors']
|
536
|
+
assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
|
537
|
+
end
|
481
538
|
end
|
482
539
|
|
483
|
-
|
484
|
-
|
485
|
-
|
540
|
+
describe 'With paranoid mode' do
|
541
|
+
before do
|
542
|
+
@locked_user = create(:lockable_user, :locked)
|
543
|
+
swap Devise, paranoid: true do
|
544
|
+
post :create,
|
545
|
+
params: { email: @locked_user.email,
|
546
|
+
password: @locked_user.password }
|
547
|
+
end
|
548
|
+
@data = JSON.parse(response.body)
|
549
|
+
end
|
550
|
+
|
551
|
+
test 'request should fail' do
|
552
|
+
assert_equal 401, response.status
|
553
|
+
end
|
554
|
+
|
555
|
+
test 'response should contain errors that do not leak the existence of the account' do
|
556
|
+
assert @data['errors']
|
557
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
|
558
|
+
end
|
486
559
|
end
|
487
560
|
end
|
488
561
|
|
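Review bot: In the 'Non-existing user' hunk (`@@ -371,20 +399,42 @@`) the params are lambdas — `params: { email: -> { Faker::Internet.email },` and `password: -> { Faker::Number.number(10) } }` — so, as far as I can tell, the controller test serializes the Proc objects' `to_param` string form rather than a generated address and number; the request still fails with 401, but not for the intended reason, and the paranoid case's `@bcrypt_mock.expect(:call, mock_hash, [Object, String])` is then satisfied by that representation rather than by a password. Call them instead: `email: Faker::Internet.email, password: Faker::Number.number(10)` (both occurrences, new lines 405-406 and 429-430). The bcrypt mock is presumably there to prove the password is hashed even when no account matches, so that failure timing does not reveal account existence; a one-line comment stating that intent above `@bcrypt_mock = MiniTest::Mock.new` would tell the next reader why a mock rather than a plain assertion is used. The outer `describe` blocks start and end outside each hunk.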