devise_token_auth_multi_email 0.9.4 → 0.9.5

data/test/controllers/devise_token_auth/multi_email_passwords_controller_test.rb

@@ -0,0 +1,247 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests that verify the PasswordsController works correctly with a MultiEmailUser —
+# a model that uses :multi_email_authenticatable from the devise-multi_email gem.
+#
+# Password reset for multi-email users works via the uid column (synced with the
+# primary email by the sync_uid before_save callback) so the standard password
+# reset flow applies.  The reset token is sent to the user's primary email address
+# via the emails association.
+#
+# These tests are ActiveRecord-only — the MultiEmailUser model and its route
+# are not available in Mongoid runs.
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class MultiEmailPasswordsControllerTest < ActionDispatch::IntegrationTest
+  RESET_PASSWORD = 'NewPassword123!'
+
+  describe 'MultiEmailUser passwords' do
+    def registration_params(email: nil)
+      {
+        email:                 email || Faker::Internet.unique.email,
+        password:              'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url:   Faker::Internet.url
+      }
+    end
+
+    # Create a confirmed MultiEmailUser through the endpoint, confirm it, and
+    # return the user record and email address used.
+    def create_confirmed_user(email: nil)
+      email ||= Faker::Internet.unique.email
+      post '/multi_email_auth', params: registration_params(email: email)
+      assert_equal 200, response.status, "Setup registration failed: #{response.body}"
+      user = assigns(:resource)
+      user.confirm
+      [user, email]
+    end
+
+    before do
+      @redirect_url = 'http://ng-token-auth.dev'
+      @user, @email = create_confirmed_user
+    end
+
+    # -----------------------------------------------------------------------
+    # Create — missing email
+    # -----------------------------------------------------------------------
+    describe 'missing email param' do
+      before do
+        post '/multi_email_auth/password', params: { redirect_url: @redirect_url }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'missing email error is returned' do
+        assert @data['errors']
+        assert_equal [I18n.t('devise_token_auth.passwords.missing_email')],
+                     @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create — missing redirect_url
+    # -----------------------------------------------------------------------
+    describe 'missing redirect_url param' do
+      before do
+        post '/multi_email_auth/password', params: { email: @email }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'missing redirect_url error is returned' do
+        assert @data['errors']
+        assert_equal [I18n.t('devise_token_auth.passwords.missing_redirect_url')],
+                     @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create — unknown email (without paranoid mode)
+    # -----------------------------------------------------------------------
+    describe 'unknown email without paranoid mode' do
+      before do
+        post '/multi_email_auth/password',
+             params: { email: 'unknown@example.com', redirect_url: @redirect_url }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails with 404' do
+        assert_equal 404, response.status
+      end
+
+      test 'user not found error is returned' do
+        assert @data['errors']
+        assert_equal [I18n.t('devise_token_auth.passwords.user_not_found',
+                              email: 'unknown@example.com')],
+                     @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create — unknown email (with paranoid mode)
+    # -----------------------------------------------------------------------
+    describe 'unknown email with paranoid mode' do
+      before do
+        swap Devise, paranoid: true do
+          post '/multi_email_auth/password',
+               params: { email: 'unknown@example.com', redirect_url: @redirect_url }
+          @data = JSON.parse(response.body)
+        end
+      end
+
+      test 'request returns 200 to hide existence' do
+        assert_equal 200, response.status
+      end
+
+      test 'paranoid success message is returned' do
+        assert_equal I18n.t('devise_token_auth.passwords.sended_paranoid'),
+                     @data['message']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create — successful password reset request
+    # -----------------------------------------------------------------------
+    describe 'successful password reset request' do
+      before do
+        @mail_count = ActionMailer::Base.deliveries.count
+
+        post '/multi_email_auth/password',
+             params: { email: @email, redirect_url: @redirect_url }
+        @data = JSON.parse(response.body)
+        @mail = ActionMailer::Base.deliveries.last
+      end
+
+      test 'request is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'success message is returned' do
+        assert_equal I18n.t('devise_token_auth.passwords.sended', email: @email),
+                     @data['message']
+      end
+
+      test 'response does not include extra data' do
+        assert_nil @data['data']
+      end
+
+      test 'a password reset email is sent' do
+        assert_equal @mail_count + 1, ActionMailer::Base.deliveries.count
+      end
+
+      test 'email is addressed to the user' do
+        assert_equal @email, @mail['to'].to_s
+      end
+
+      test 'email body includes a reset password token' do
+        assert @mail.body.match(/reset_password_token=/)
+      end
+
+      test 'email body includes the redirect URL' do
+        assert @mail.body.match(/redirect_url=/)
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create — successful request with paranoid mode
+    # -----------------------------------------------------------------------
+    describe 'successful password reset request with paranoid mode' do
+      before do
+        swap Devise, paranoid: true do
+          post '/multi_email_auth/password',
+               params: { email: @email, redirect_url: @redirect_url }
+          @data = JSON.parse(response.body)
+        end
+      end
+
+      test 'request returns 200' do
+        assert_equal 200, response.status
+      end
+
+      test 'paranoid success message is returned' do
+        assert_equal I18n.t('devise_token_auth.passwords.sended_paranoid'),
+                     @data['message']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Update — successful password change via auth token
+    # -----------------------------------------------------------------------
+    describe 'password update via auth headers' do
+      before do
+        # Request the reset link so the user gets a reset token
+        post '/multi_email_auth/password',
+             params: { email: @email, redirect_url: @redirect_url }
+        assert_equal 200, response.status, "Reset request failed: #{response.body}"
+
+        @reset_mail   = ActionMailer::Base.deliveries.last
+        @reset_token  = @reset_mail.body.match(/reset_password_token=(.*)\"/)[1]
+        @redirect_url_encoded = CGI.unescape(
+          @reset_mail.body.match(/redirect_url=([^&]*)&/)[1]
+        )
+
+        # Follow the edit link to obtain auth headers
+        get '/multi_email_auth/password/edit',
+            params: { reset_password_token: @reset_token, redirect_url: @redirect_url }
+
+        raw_qs  = response.location.split('?')[1]
+        qs      = Rack::Utils.parse_nested_query(raw_qs)
+
+        @auth_headers = {
+          'access-token' => qs['access-token'] || qs['token'],
+          'client'       => qs['client'] || qs['client_id'],
+          'uid'          => qs['uid'],
+          'token-type'   => 'Bearer'
+        }
+
+        # Update to a new password
+        put '/multi_email_auth/password',
+            params: { password: RESET_PASSWORD, password_confirmation: RESET_PASSWORD },
+            headers: @auth_headers
+        @data = JSON.parse(response.body)
+      end
+
+      test 'password update is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'success flag is true' do
+        assert @data['success']
+      end
+
+      test 'user can sign in with new password' do
+        post '/multi_email_auth/sign_in',
+             params: { email: @email, password: RESET_PASSWORD }
+        assert_equal 200, response.status
+      end
+    end
+  end
+end

data/test/controllers/devise_token_auth/multi_email_registrations_controller_test.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests that verify devise_token_auth works correctly with a **multi-email**
+# model — one that uses :multi_email_authenticatable from the devise-multi_email gem.
+#
+# With multi_email active on a model:
+#   • Email uniqueness is managed through the emails association/table, NOT by
+#     a column-level validation on the model itself.
+#   • After registration, an email record exists in multi_email_user_emails.
+#   • The user's primary email is accessible via the emails association.
+#   • Duplicate email registration is still rejected (enforced by the emails
+#     table unique index and Devise::MultiEmail's own validation).
+#
+# These tests are ActiveRecord-only — the MultiEmailUser model and its
+# devise-multi_email setup are not available in Mongoid runs.
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class MultiEmailRegistrationsControllerTest < ActionDispatch::IntegrationTest
+  describe 'MultiEmailUser (with :multi_email_authenticatable)' do
+    def registration_params(email: nil)
+      {
+        email:                 email || Faker::Internet.unique.email,
+        password:              'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url:   Faker::Internet.url
+      }
+    end
+
+    # -----------------------------------------------------------------------
+    # Model configuration sanity checks
+    # -----------------------------------------------------------------------
+    describe 'model configuration' do
+      test 'MultiEmailUser has multi_email_association class method' do
+        # Added by Devise::MultiEmail::ParentModelExtensions via :multi_email_authenticatable
+        assert MultiEmailUser.respond_to?(:multi_email_association)
+      end
+
+      test 'MultiEmailUser has the emails association' do
+        assert MultiEmailUser.reflect_on_association(:emails)
+      end
+
+      test 'MultiEmailUser has find_by_email class method' do
+        # Added by Devise::Models::MultiEmailAuthenticatable::ClassMethods
+        assert MultiEmailUser.respond_to?(:find_by_email)
+      end
+
+      test 'MultiEmailUser does NOT carry the concern uniqueness validator' do
+        # email uniqueness is handled by the emails table, not the user model
+        refute MultiEmailUser.validators_on(:email).any? { |v|
+          v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+        }
+      end
+
+      test 'MultiEmailUserEmail has email uniqueness validator from EmailValidatable' do
+        # Devise::Models::EmailValidatable is included into MultiEmailUserEmail
+        # automatically by MultiEmailUser's ParentModelExtensions when the
+        # :multi_email_validatable module is set up.
+        #
+        # Ensure MultiEmailUser is loaded to trigger the association setup:
+        MultiEmailUser
+
+        assert MultiEmailUserEmail.validators_on(:email).any? { |v|
+          v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+        }, 'Expected UniquenessValidator on MultiEmailUserEmail#email (from EmailValidatable)'
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Successful registration
+    # -----------------------------------------------------------------------
+    describe 'successful registration' do
+      before do
+        @email = Faker::Internet.unique.email
+        post '/multi_email_auth', params: registration_params(email: @email)
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'resource is a MultiEmailUser' do
+        assert_equal MultiEmailUser, @resource.class
+      end
+
+      test 'user is persisted' do
+        assert @resource.id
+      end
+
+      test 'response includes email' do
+        assert @data['data']['email']
+      end
+
+      test 'an email record is created in the emails association' do
+        assert_equal 1, @resource.emails.count
+      end
+
+      test 'primary email record is marked correctly' do
+        email_record = @resource.emails.first
+        assert email_record.primary?
+      end
+
+      test 'the email record stores the registered email' do
+        assert_equal @email, @resource.emails.first.email
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Duplicate email registration is rejected
+    # -----------------------------------------------------------------------
+    describe 'duplicate email registration' do
+      before do
+        @email = Faker::Internet.unique.email
+
+        # Register the first user via the endpoint (not factory), since
+        # the gem handles email association creation on save internally.
+        post '/multi_email_auth', params: registration_params(email: @email)
+        assert_equal 200, response.status, "Setup registration failed: #{response.body}"
+
+        # Attempt a duplicate registration
+        post '/multi_email_auth', params: registration_params(email: @email)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request is rejected' do
+        assert_equal 422, response.status
+      end
+
+      test 'errors are returned' do
+        assert_not_empty @data['errors']
+      end
+    end
+  end
+end

data/test/controllers/devise_token_auth/multi_email_sessions_controller_test.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests that verify the SessionsController works correctly with a MultiEmailUser —
+# a model that uses :multi_email_authenticatable from the devise-multi_email gem.
+#
+# Authentication for multi-email users goes through MultiEmailUserEmail records
+# rather than a direct email column.  The ResourceFinder concern detects the
+# multi_email_association class method and delegates to find_by_email so that
+# sign-in lookups correctly traverse the emails association.
+#
+# These tests are ActiveRecord-only — the MultiEmailUser model and its route
+# are not available in Mongoid runs.
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class MultiEmailSessionsControllerTest < ActionDispatch::IntegrationTest
+  SIGN_IN_PASSWORD = 'secret123'
+
+  describe 'MultiEmailUser sessions' do
+    def registration_params(email: nil)
+      {
+        email:                 email || Faker::Internet.unique.email,
+        password:              SIGN_IN_PASSWORD,
+        password_confirmation: SIGN_IN_PASSWORD,
+        confirm_success_url:   Faker::Internet.url
+      }
+    end
+
+    # Create a confirmed MultiEmailUser by registering through the endpoint and
+    # then calling confirm on the resource so the account is immediately active.
+    def create_confirmed_user(email: nil)
+      email ||= Faker::Internet.unique.email
+      post '/multi_email_auth', params: registration_params(email: email)
+      assert_equal 200, response.status, "Setup registration failed: #{response.body}"
+      user = assigns(:resource)
+      user.confirm
+      [user, email]
+    end
+
+    # -----------------------------------------------------------------------
+    # Sign in — confirmed user
+    # -----------------------------------------------------------------------
+    describe 'sign in with confirmed user' do
+      before do
+        @user, @email = create_confirmed_user
+        post '/multi_email_auth/sign_in',
+             params: { email: @email, password: SIGN_IN_PASSWORD }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'response includes user data' do
+        assert @data['data']
+        assert_equal @email, @data['data']['email']
+      end
+
+      test 'response includes access-token header' do
+        assert response.headers['access-token']
+      end
+
+      test 'response includes client header' do
+        assert response.headers['client']
+      end
+
+      test 'response includes uid header' do
+        assert response.headers['uid']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Sign in — wrong password
+    # -----------------------------------------------------------------------
+    describe 'sign in with wrong password' do
+      before do
+        @user, @email = create_confirmed_user
+        post '/multi_email_auth/sign_in',
+             params: { email: @email, password: 'definitely-wrong' }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'response contains errors' do
+        assert @data['errors']
+        assert_equal [I18n.t('devise_token_auth.sessions.bad_credentials')],
+                     @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Sign in — unconfirmed user
+    # -----------------------------------------------------------------------
+    describe 'sign in with unconfirmed user' do
+      before do
+        @email = Faker::Internet.unique.email
+        post '/multi_email_auth', params: registration_params(email: @email)
+        assert_equal 200, response.status, "Setup registration failed: #{response.body}"
+        # Do NOT confirm the user.
+        post '/multi_email_auth/sign_in',
+             params: { email: @email, password: SIGN_IN_PASSWORD }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'response contains errors' do
+        assert @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Sign in — non-existent email
+    # -----------------------------------------------------------------------
+    describe 'sign in with non-existent email' do
+      before do
+        post '/multi_email_auth/sign_in',
+             params: { email: Faker::Internet.unique.email, password: SIGN_IN_PASSWORD }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'response contains errors' do
+        assert @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Sign out — authenticated user
+    # -----------------------------------------------------------------------
+    describe 'sign out authenticated user' do
+      before do
+        @user, @email = create_confirmed_user
+
+        post '/multi_email_auth/sign_in',
+             params: { email: @email, password: SIGN_IN_PASSWORD }
+        assert_equal 200, response.status, "Sign-in failed: #{response.body}"
+
+        @auth_headers = {
+          'access-token' => response.headers['access-token'],
+          'client'       => response.headers['client'],
+          'uid'          => response.headers['uid'],
+          'token-type'   => response.headers['token-type']
+        }
+        @client_id = @auth_headers['client']
+
+        delete '/multi_email_auth/sign_out', headers: @auth_headers
+        @data = JSON.parse(response.body)
+      end
+
+      test 'sign out is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'token is invalidated' do
+        @user.reload
+        assert_nil @user.tokens[@client_id]
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Sign out — unauthenticated user
+    # -----------------------------------------------------------------------
+    describe 'sign out without authentication' do
+      before do
+        delete '/multi_email_auth/sign_out'
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails with 404' do
+        assert_equal 404, response.status
+      end
+
+      test 'response contains errors' do
+        assert @data['errors']
+        assert_equal [I18n.t('devise_token_auth.sessions.user_not_found')],
+                     @data['errors']
+      end
+    end
+  end
+end