devise_token_auth_multitenancy 1.1.3.alpha1

data/test/controllers/devise_token_auth/unlocks_controller_test.rb

@@ -0,0 +1,196 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
+  describe DeviseTokenAuth::UnlocksController do
+    setup do
+      @request.env['devise.mapping'] = Devise.mappings[:lockable_user]
+    end
+
+    teardown do
+      @request.env['devise.mapping'] = Devise.mappings[:user]
+    end
+
+    before do
+      @original_lock_strategy = Devise.lock_strategy
+      @original_unlock_strategy = Devise.unlock_strategy
+      @original_maximum_attempts = Devise.maximum_attempts
+      Devise.lock_strategy = :failed_attempts
+      Devise.unlock_strategy = :email
+      Devise.maximum_attempts = 5
+    end
+
+    after do
+      Devise.lock_strategy = @original_lock_strategy
+      Devise.maximum_attempts = @original_maximum_attempts
+      Devise.unlock_strategy = @original_unlock_strategy
+    end
+
+    describe 'Unlocking user' do
+      before do
+        @resource = create(:lockable_user)
+      end
+
+      describe 'request unlock without email' do
+        before do
+          @auth_headers = @resource.create_new_auth_token
+          @new_password = Faker::Internet.password
+
+          post :create
+          @data = JSON.parse(response.body)
+        end
+
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data['errors']
+          assert_equal @data['errors'], [I18n.t('devise_token_auth.passwords.missing_email')]
+        end
+      end
+
+      describe 'request unlock' do
+        describe 'unknown user should return 404' do
+          before do
+            post :create, params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.user_not_found',
+                                 email: 'chester@cheet.ah')]
+          end
+        end
+
+        describe 'successfully requested unlock' do
+          before do
+            post :create, params: { email: @resource.email }
+
+            @data = JSON.parse(response.body)
+          end
+
+          test 'response should not contain extra data' do
+            assert_nil @data['data']
+          end
+        end
+
+        describe 'case-sensitive email' do
+          before do
+            post :create, params: { email: @resource.email }
+
+            @mail = ActionMailer::Base.deliveries.last
+            @resource.reload
+            @data = JSON.parse(response.body)
+
+            @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+            @mail_reset_token  = @mail.body.match(/unlock_token=(.*)\"/)[1]
+          end
+
+          test 'response should return success status' do
+            assert_equal 200, response.status
+          end
+
+          test 'response should contains message' do
+            assert_equal @data['message'], I18n.t('devise_token_auth.unlocks.sended', email: @resource.email)
+          end
+
+          test 'action should send an email' do
+            assert @mail
+          end
+
+          test 'the email should be addressed to the user' do
+            assert_equal @mail.to.first, @resource.email
+          end
+
+          test 'the client config name should fall back to "default"' do
+            assert_equal 'default', @mail_config_name
+          end
+
+          test 'the email body should contain a link with reset token as a query param' do
+            user = LockableUser.unlock_access_by_token(@mail_reset_token)
+            assert_equal user.id, @resource.id
+          end
+
+          describe 'unlock link failure' do
+            test 'response should return 404' do
+              assert_raises(ActionController::RoutingError) do
+                get :show, params: { unlock_token: 'bogus' }
+              end
+            end
+          end
+
+          describe 'password reset link success' do
+            before do
+              get :show, params: { unlock_token: @mail_reset_token }
+
+              @resource.reload
+
+              raw_qs = response.location.split('?')[1]
+              @qs = Rack::Utils.parse_nested_query(raw_qs)
+
+              @access_token   = @qs['access-token']
+              @client         = @qs['client']
+              @client_id      = @qs['client_id']
+              @expiry         = @qs['expiry']
+              @token          = @qs['token']
+              @uid            = @qs['uid']
+              @unlock         = @qs['unlock']
+            end
+
+            test 'respones should have success redirect status' do
+              assert_equal 302, response.status
+            end
+
+            test 'response should contain auth params' do
+              assert @access_token
+              assert @client
+              assert @client_id
+              assert @expiry
+              assert @token
+              assert @uid
+              assert @unlock
+            end
+
+            test 'response auth params should be valid' do
+              assert @resource.valid_token?(@token, @client_id)
+              assert @resource.valid_token?(@access_token, @client)
+            end
+          end
+        end
+
+        describe 'case-insensitive email' do
+          before do
+            @resource_class = LockableUser
+            @request_params = {
+              email:        @resource.email.upcase
+            }
+          end
+
+          test 'response should return success status if configured' do
+            @resource_class.case_insensitive_keys = [:email]
+            post :create, params: @request_params
+            assert_equal 200, response.status
+          end
+
+          test 'response should return failure status if not configured' do
+            @resource_class.case_insensitive_keys = []
+            post :create, params: @request_params
+            assert_equal 404, response.status
+          end
+        end
+      end
+    end
+  end
+end

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::ConfirmationsController do
+    before do
+      @redirect_url = Faker::Internet.url
+      @new_user = create(:user)
+
+      # generate + send email
+      @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
+
+      @mail = ActionMailer::Base.deliveries.last
+      @confirmation_path = @mail.body.match(/localhost([^\"]*)\"/)[1]
+
+      # visit confirmation link
+      get @confirmation_path
+
+      # reload user from db
+      @new_user.reload
+    end
+
+    test 'user is confirmed' do
+      assert @new_user.confirmed?
+    end
+
+    test 'user can be authenticated via confirmation link' do
+      # hard coded in override controller
+      override_proof_str = '(^^,)'
+
+      # ensure present in redirect URL
+      override_proof_param = URI.unescape(response.headers['Location']
+                                .match(/override_proof=([^&]*)&/)[1])
+
+      assert_equal override_proof_str, override_proof_param
+    end
+  end
+end

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::OmniauthCallbacksController do
+    before do
+      OmniAuth.config.test_mode = true
+      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+        provider: 'facebook',
+        uid: '123545',
+        info: {
+          name: 'chong',
+          email: 'chongbong@aol.com'
+        }
+      )
+
+      @favorite_color = 'gray'
+
+      get '/evil_user_auth/facebook',
+          params: {
+            auth_origin_url: Faker::Internet.url,
+            favorite_color: @favorite_color,
+            omniauth_window_type: 'newWindow'
+          }
+
+      follow_all_redirects!
+
+      @resource = assigns(:resource)
+    end
+
+    test 'request is successful' do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal @resource.nickname,
+                   Overrides::OmniauthCallbacksController::DEFAULT_NICKNAME
+    end
+
+    test 'whitelisted param was allowed' do
+      assert_equal @favorite_color, @resource.favorite_color
+    end
+  end
+end

data/test/controllers/overrides/passwords_controller_test.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::PasswordsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::PasswordsController do
+    before do
+      @resource = create(:user, :confirmed)
+
+      post '/evil_user_auth/password',
+           params: {
+             email: @resource.email,
+             redirect_url: Faker::Internet.url
+           }
+
+      mail = ActionMailer::Base.deliveries.last
+      @resource.reload
+
+      mail_reset_token  = mail.body.match(/reset_password_token=(.*)\"/)[1]
+      mail_redirect_url = CGI.unescape(mail.body.match(/redirect_url=([^&]*)&/)[1])
+
+      get '/evil_user_auth/password/edit',
+          params: {
+            reset_password_token: mail_reset_token,
+            redirect_url: mail_redirect_url
+          }
+
+      @resource.reload
+
+      _, raw_query_string = response.location.split('?')
+      @query_string = Rack::Utils.parse_nested_query(raw_query_string)
+    end
+
+    test 'response should have success redirect status' do
+      assert_equal 302, response.status
+    end
+
+    test 'response should contain auth params + override proof' do
+      assert @query_string['access-token']
+      assert @query_string['client']
+      assert @query_string['client_id']
+      assert @query_string['expiry']
+      assert @query_string['override_proof']
+      assert @query_string['reset_password']
+      assert @query_string['token']
+      assert @query_string['uid']
+    end
+
+    test 'override proof is correct' do
+      assert_equal(
+        @query_string['override_proof'],
+        Overrides::PasswordsController::OVERRIDE_PROOF
+      )
+    end
+  end
+end

data/test/controllers/overrides/registrations_controller_test.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::RegistrationsController do
+    describe 'Succesful Registration update' do
+      before do
+        @existing_user  = create(:user, :confirmed)
+        @auth_headers   = @existing_user.create_new_auth_token
+        @client_id      = @auth_headers['client']
+        @favorite_color = 'pink'
+
+        # ensure request is not treated as batch request
+        age_token(@existing_user, @client_id)
+
+        # test valid update param
+        @new_operating_thetan = 1_000_000
+
+        put '/evil_user_auth',
+            params: { favorite_color: @favorite_color },
+            headers: @auth_headers
+
+        @data = JSON.parse(response.body)
+        @existing_user.reload
+      end
+
+      test 'user was updated' do
+        assert_equal @favorite_color, @existing_user.favorite_color
+      end
+
+      test 'controller was overridden' do
+        assert_equal Overrides::RegistrationsController::OVERRIDE_PROOF,
+                     @data['override_proof']
+      end
+    end
+  end
+end

data/test/controllers/overrides/sessions_controller_test.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::RegistrationsController do
+    before do
+      @existing_user = create(:user, :confirmed)
+
+      post '/evil_user_auth/sign_in',
+           params: { email: @existing_user.email,
+                     password: @existing_user.password }
+
+      @resource = assigns(:resource)
+      @data = JSON.parse(response.body)
+    end
+
+    test 'request should succeed' do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal Overrides::RegistrationsController::OVERRIDE_PROOF,
+                   @data['override_proof']
+    end
+  end
+end

data/test/controllers/overrides/token_validations_controller_test.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
+  include OverridesControllersRoutes
+
+  describe Overrides::TokenValidationsController do
+    before do
+      @resource = create(:user, :confirmed)
+
+      @auth_headers = @resource.create_new_auth_token
+
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+
+      # ensure that request is not treated as batch request
+      age_token(@resource, @client_id)
+
+      get '/evil_user_auth/validate_token',
+          params: {},
+          headers: @auth_headers
+
+      @resp = JSON.parse(response.body)
+    end
+
+    test 'token valid' do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal Overrides::TokenValidationsController::OVERRIDE_PROOF,
+                   @resp['override_proof']
+    end
+  end
+end

data/test/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/test/dummy/app/active_record/confirmable_user.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ConfirmableUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable,
+         :validatable, :confirmable
+  DeviseTokenAuth.send_confirmation_email = true
+  include DeviseTokenAuth::Concerns::User
+  DeviseTokenAuth.send_confirmation_email = false
+end

data/test/dummy/app/active_record/lockable_user.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class LockableUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable, :lockable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/active_record/mang.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Mang < ActiveRecord::Base
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/active_record/only_email_user.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class OnlyEmailUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/active_record/scoped_user.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class ScopedUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable,
+         :validatable, :confirmable, :omniauthable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/active_record/unconfirmable_user.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class UnconfirmableUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable,
+         :validatable, :omniauthable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/active_record/unregisterable_user.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class UnregisterableUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :recoverable,
+         :validatable, :confirmable,
+         :omniauthable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/active_record/user.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class User < ActiveRecord::Base
+  include DeviseTokenAuth::Concerns::User
+  include FavoriteColor
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class ApplicationController < ActionController::Base
+  include DeviseTokenAuth::Concerns::SetUserByToken
+
+  before_action :configure_permitted_parameters, if: :devise_controller?
+
+  protected
+
+  def configure_permitted_parameters
+    permitted_parameters = devise_parameter_sanitizer.instance_values['permitted']
+    permitted_parameters[:sign_up] << :operating_thetan
+    permitted_parameters[:sign_up] << :favorite_color
+    permitted_parameters[:account_update] << :operating_thetan
+    permitted_parameters[:account_update] << :favorite_color
+    permitted_parameters[:account_update] << :current_password
+  end
+end

data/test/dummy/app/controllers/auth_origin_controller.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AuthOriginController < ApplicationController
+  def redirected
+    head :ok
+  end
+end

data/test/dummy/app/controllers/custom/confirmations_controller.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class Custom::ConfirmationsController < DeviseTokenAuth::ConfirmationsController
+  def show
+    super do |resource|
+      @show_block_called = true unless resource.nil?
+    end
+  end
+
+  def show_block_called?
+    @show_block_called == true
+  end
+end

data/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class Custom::OmniauthCallbacksController < DeviseTokenAuth::OmniauthCallbacksController
+  def omniauth_success
+    super do |resource|
+      @omniauth_success_block_called = true unless resource.nil?
+    end
+  end
+
+  def omniauth_success_block_called?
+    @omniauth_success_block_called == true
+  end
+end