digix_devise_token_auth 0.1.44

data/test/controllers/devise_token_auth/token_validations_controller_test.rb

@@ -0,0 +1,90 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
+  describe DeviseTokenAuth::TokenValidationsController do
+    before do
+      @resource = users(:confirmed_email_user)
+      @resource.skip_confirmation!
+      @resource.save!
+
+      @auth_headers = @resource.create_new_auth_token
+
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+
+      # ensure that request is not treated as batch request
+      age_token(@resource, @client_id)
+    end
+
+    describe 'vanilla user' do
+      before do
+        get '/auth/validate_token', params: {}, headers: @auth_headers
+        @resp = JSON.parse(response.body)
+      end
+
+      test 'token valid' do
+        assert_equal 200, response.status
+      end
+    end
+
+    describe 'using namespaces' do
+      before do
+        get '/api/v1/auth/validate_token', params: {}, headers: @auth_headers
+        @resp = JSON.parse(response.body)
+      end
+
+      test 'token valid' do
+        assert_equal 200, response.status
+      end
+    end
+
+    describe 'failure' do
+      before do
+        get '/api/v1/auth/validate_token',
+            params: {},
+            headers: @auth_headers.merge('access-token' => '12345')
+        @resp = JSON.parse(response.body)
+      end
+
+      test 'request should fail' do
+        assert_equal 401, response.status
+      end
+
+      test 'response should contain errors' do
+        assert @resp['errors']
+        assert_equal @resp['errors'], [I18n.t('devise_token_auth.token_validations.invalid')]
+      end
+    end
+  end
+
+  describe 'using namespaces with unused resource' do
+    before do
+      @resource = scoped_users(:confirmed_email_user)
+      @resource.skip_confirmation!
+      @resource.save!
+
+      @auth_headers = @resource.create_new_auth_token
+
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+
+      # ensure that request is not treated as batch request
+      age_token(@resource, @client_id)
+    end
+
+    test 'should be successful' do
+      get '/api_v2/auth/validate_token',
+          params: {},
+          headers: @auth_headers
+      assert_equal 200, response.status
+    end
+  end
+end

data/test/controllers/devise_token_auth/unlocks_controller_test.rb

@@ -0,0 +1,194 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
+  describe DeviseTokenAuth::UnlocksController do
+    setup do
+      @request.env['devise.mapping'] = Devise.mappings[:lockable_user]
+    end
+
+    teardown do
+      @request.env['devise.mapping'] = Devise.mappings[:user]
+    end
+
+    before do
+      @original_lock_strategy = Devise.lock_strategy
+      @original_unlock_strategy = Devise.unlock_strategy
+      @original_maximum_attempts = Devise.maximum_attempts
+      Devise.lock_strategy = :failed_attempts
+      Devise.unlock_strategy = :email
+      Devise.maximum_attempts = 5
+    end
+
+    after do
+      Devise.lock_strategy = @original_lock_strategy
+      Devise.maximum_attempts = @original_maximum_attempts
+      Devise.unlock_strategy = @original_unlock_strategy
+    end
+
+    describe 'Unlocking user' do
+      before do
+        @resource = lockable_users(:unlocked_user)
+      end
+
+      describe 'request unlock without email' do
+        before do
+          @auth_headers = @resource.create_new_auth_token
+          @new_password = Faker::Internet.password
+
+          post :create
+          @data = JSON.parse(response.body)
+        end
+
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data['errors']
+          assert_equal @data['errors'], [I18n.t('devise_token_auth.passwords.missing_email')]
+        end
+      end
+
+      describe 'request unlock' do
+        describe 'unknown user should return 404' do
+          before do
+            post :create, params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.user_not_found',
+                                 email: 'chester@cheet.ah')]
+          end
+        end
+
+        describe 'successfully requested unlock' do
+          before do
+            post :create, params: { email: @resource.email }
+
+            @data = JSON.parse(response.body)
+          end
+
+          test 'response should not contain extra data' do
+            assert_nil @data['data']
+          end
+        end
+
+        describe 'case-sensitive email' do
+          before do
+            post :create, params: { email: @resource.email }
+
+            @mail = ActionMailer::Base.deliveries.last
+            @resource.reload
+            @data = JSON.parse(response.body)
+
+            @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+            @mail_reset_token  = @mail.body.match(/unlock_token=(.*)\"/)[1]
+          end
+
+          test 'response should return success status' do
+            assert_equal 200, response.status
+          end
+
+          test 'response should contains message' do
+            assert_equal @data['message'], I18n.t('devise_token_auth.unlocks.sended', email: @resource.email)
+          end
+
+          test 'action should send an email' do
+            assert @mail
+          end
+
+          test 'the email should be addressed to the user' do
+            assert_equal @mail.to.first, @resource.email
+          end
+
+          test 'the client config name should fall back to "default"' do
+            assert_equal 'default', @mail_config_name
+          end
+
+          test 'the email body should contain a link with reset token as a query param' do
+            user = LockableUser.unlock_access_by_token(@mail_reset_token)
+            assert_equal user.id, @resource.id
+          end
+
+          describe 'unlock link failure' do
+            test 'response should return 404' do
+              assert_raises(ActionController::RoutingError) do
+                get :show, params: { unlock_token: 'bogus' }
+              end
+            end
+          end
+
+          describe 'password reset link success' do
+            before do
+              get :show, params: { unlock_token: @mail_reset_token }
+
+              @resource.reload
+
+              raw_qs = response.location.split('?')[1]
+              @qs = Rack::Utils.parse_nested_query(raw_qs)
+
+              @access_token   = @qs['access-token']
+              @client         = @qs['client']
+              @client_id      = @qs['client_id']
+              @expiry         = @qs['expiry']
+              @token          = @qs['token']
+              @uid            = @qs['uid']
+              @unlock         = @qs['unlock']
+            end
+
+            test 'respones should have success redirect status' do
+              assert_equal 302, response.status
+            end
+
+            test 'response should contain auth params' do
+              assert @access_token
+              assert @client
+              assert @client_id
+              assert @expiry
+              assert @token
+              assert @uid
+              assert @unlock
+            end
+
+            test 'response auth params should be valid' do
+              assert @resource.valid_token?(@token, @client_id)
+              assert @resource.valid_token?(@access_token, @client)
+            end
+          end
+        end
+
+        describe 'case-insensitive email' do
+          before do
+            @resource_class = LockableUser
+            @request_params = {
+              email:        @resource.email.upcase
+            }
+          end
+
+          test 'response should return success status if configured' do
+            @resource_class.case_insensitive_keys = [:email]
+            post :create, params: @request_params
+            assert_equal 200, response.status
+          end
+
+          test 'response should return failure status if not configured' do
+            @resource_class.case_insensitive_keys = []
+            post :create, params: @request_params
+            assert_equal 404, response.status
+          end
+        end
+      end
+    end
+  end
+end

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -0,0 +1,43 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::ConfirmationsController do
+    before do
+      @redirect_url = Faker::Internet.url
+      @new_user = evil_users(:unconfirmed_email_user)
+
+      # generate + send email
+      @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
+
+      @mail = ActionMailer::Base.deliveries.last
+      @confirmation_path = @mail.body.match(/localhost([^\"]*)\"/)[1]
+
+      # visit confirmation link
+      get @confirmation_path
+
+      # reload user from db
+      @new_user.reload
+    end
+
+    test 'user is confirmed' do
+      assert @new_user.confirmed?
+    end
+
+    test 'user can be authenticated via confirmation link' do
+      # hard coded in override controller
+      override_proof_str = '(^^,)'
+
+      # ensure present in redirect URL
+      override_proof_param = URI.unescape(response.headers['Location']
+                                .match(/override_proof=([^&]*)&/)[1])
+
+      assert_equal override_proof_str, override_proof_param
+    end
+  end
+end

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb

@@ -0,0 +1,49 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::OmniauthCallbacksController do
+    setup do
+      OmniAuth.config.test_mode = true
+      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+        provider: 'facebook',
+        uid: '123545',
+        info: {
+          name: 'chong',
+          email: 'chongbong@aol.com'
+        }
+      )
+
+      @favorite_color = 'gray'
+
+      get '/evil_user_auth/facebook',
+          params: {
+            auth_origin_url: Faker::Internet.url,
+            favorite_color: @favorite_color,
+            omniauth_window_type: 'newWindow'
+          }
+
+      follow_all_redirects!
+
+      @resource = assigns(:resource)
+    end
+
+    test 'request is successful' do
+      assert_equal 200, response.status
+    end
+
+    test 'controller was overridden' do
+      assert_equal @resource.nickname,
+                   Overrides::OmniauthCallbacksController::DEFAULT_NICKNAME
+    end
+
+    test 'whitelisted param was allowed' do
+      assert_equal @favorite_color, @resource.favorite_color
+    end
+  end
+end

data/test/controllers/overrides/passwords_controller_test.rb

@@ -0,0 +1,66 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::PasswordsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::PasswordsController do
+    before do
+      @resource = evil_users(:confirmed_email_user)
+      @redirect_url = Faker::Internet.url
+
+      post '/evil_user_auth/password',
+           params: {
+             email: @resource.email,
+             redirect_url: @redirect_url
+           }
+
+      @mail = ActionMailer::Base.deliveries.last
+      @resource.reload
+
+      @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+      @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+
+      get '/evil_user_auth/password/edit',
+          params: { reset_password_token: @mail_reset_token,
+                    redirect_url: @mail_redirect_url }
+
+      @resource.reload
+
+      raw_qs = response.location.split('?')[1]
+      @qs = Rack::Utils.parse_nested_query(raw_qs)
+
+      @access_token   = @qs['access-token']
+      @client         = @qs['client']
+      @client_id      = @qs['client_id']
+      @expiry         = @qs['expiry']
+      @override_proof = @qs['override_proof']
+      @reset_password = @qs['reset_password']
+      @token          = @qs['token']
+      @uid            = @qs['uid']
+    end
+
+    test 'response should have success redirect status' do
+      assert_equal 302, response.status
+    end
+
+    test 'response should contain auth params + override proof' do
+      assert @access_token
+      assert @client
+      assert @client_id
+      assert @expiry
+      assert @override_proof
+      assert @reset_password
+      assert @token
+      assert @uid
+    end
+
+    test 'override proof is correct' do
+      assert_equal @override_proof, Overrides::PasswordsController::OVERRIDE_PROOF
+    end
+  end
+end

data/test/controllers/overrides/registrations_controller_test.rb

@@ -0,0 +1,40 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class Overrides::RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::RegistrationsController do
+    setup do
+      @existing_user  = evil_users(:confirmed_email_user)
+      @auth_headers   = @existing_user.create_new_auth_token
+      @client_id      = @auth_headers['client']
+      @favorite_color = 'pink'
+
+      # ensure request is not treated as batch request
+      age_token(@existing_user, @client_id)
+
+      # test valid update param
+      @new_operating_thetan = 1_000_000
+
+      put '/evil_user_auth',
+          params: { favorite_color: @favorite_color },
+          headers: @auth_headers
+
+      @data = JSON.parse(response.body)
+      @existing_user.reload
+    end
+
+    test 'user was updated' do
+      assert_equal @favorite_color, @existing_user.favorite_color
+    end
+
+    test 'controller was overridden' do
+      assert_equal Overrides::RegistrationsController::OVERRIDE_PROOF,
+                   @data['override_proof']
+    end
+  end
+end