RubyGems - digix_devise_token_auth - Versions diffs - 0.1.44 - Mend

digix_devise_token_auth 0.1.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

data/test/controllers/devise_token_auth/token_validations_controller_test.rb ADDED

@@ -0,0 +1,90 @@
+require 'test_helper'
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
+  describe DeviseTokenAuth::TokenValidationsController do
+    before do
+      @resource = users(:confirmed_email_user)
+      @resource.skip_confirmation!
+      @resource.save!
+      @auth_headers = @resource.create_new_auth_token
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+      # ensure that request is not treated as batch request
+      age_token(@resource, @client_id)
+    end
+    describe 'vanilla user' do
+      before do
+        get '/auth/validate_token', params: {}, headers: @auth_headers
+        @resp = JSON.parse(response.body)
+      end
+      test 'token valid' do
+        assert_equal 200, response.status
+      end
+    end
+    describe 'using namespaces' do
+      before do
+        get '/api/v1/auth/validate_token', params: {}, headers: @auth_headers
+        @resp = JSON.parse(response.body)
+      end
+      test 'token valid' do
+        assert_equal 200, response.status
+      end
+    end
+    describe 'failure' do
+      before do
+        get '/api/v1/auth/validate_token',
+            params: {},
+            headers: @auth_headers.merge('access-token' => '12345')
+        @resp = JSON.parse(response.body)
+      end
+      test 'request should fail' do
+        assert_equal 401, response.status
+      end
+      test 'response should contain errors' do
+        assert @resp['errors']
+        assert_equal @resp['errors'], [I18n.t('devise_token_auth.token_validations.invalid')]
+      end
+    end
+  end
+  describe 'using namespaces with unused resource' do
+    before do
+      @resource = scoped_users(:confirmed_email_user)
+      @resource.skip_confirmation!
+      @resource.save!
+      @auth_headers = @resource.create_new_auth_token
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @expiry    = @auth_headers['expiry']
+      # ensure that request is not treated as batch request
+      age_token(@resource, @client_id)
+    end
+    test 'should be successful' do
+      get '/api_v2/auth/validate_token',
+          params: {},
+          headers: @auth_headers
+      assert_equal 200, response.status
+    end
+  end
+end

data/test/controllers/devise_token_auth/unlocks_controller_test.rb ADDED

@@ -0,0 +1,194 @@
+require 'test_helper'
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
+  describe DeviseTokenAuth::UnlocksController do
+    setup do
+      @request.env['devise.mapping'] = Devise.mappings[:lockable_user]
+    end
+    teardown do
+      @request.env['devise.mapping'] = Devise.mappings[:user]
+    end
+    before do
+      @original_lock_strategy = Devise.lock_strategy
+      @original_unlock_strategy = Devise.unlock_strategy
+      @original_maximum_attempts = Devise.maximum_attempts
+      Devise.lock_strategy = :failed_attempts
+      Devise.unlock_strategy = :email
+      Devise.maximum_attempts = 5
+    end
+    after do
+      Devise.lock_strategy = @original_lock_strategy
+      Devise.maximum_attempts = @original_maximum_attempts
+      Devise.unlock_strategy = @original_unlock_strategy
+    end
+    describe 'Unlocking user' do
+      before do
+        @resource = lockable_users(:unlocked_user)
+      end
+      describe 'request unlock without email' do
+        before do
+          @auth_headers = @resource.create_new_auth_token
+          @new_password = Faker::Internet.password
+          post :create
+          @data = JSON.parse(response.body)
+        end
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+        test 'error message should be returned' do
+          assert @data['errors']
+          assert_equal @data['errors'], [I18n.t('devise_token_auth.passwords.missing_email')]
+        end
+      end
+      describe 'request unlock' do
+        describe 'unknown user should return 404' do
+          before do
+            post :create, params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.user_not_found',
+                                 email: 'chester@cheet.ah')]
+          end
+        end
+        describe 'successfully requested unlock' do
+          before do
+            post :create, params: { email: @resource.email }
+            @data = JSON.parse(response.body)
+          end
+          test 'response should not contain extra data' do
+            assert_nil @data['data']
+          end
+        end
+        describe 'case-sensitive email' do
+          before do
+            post :create, params: { email: @resource.email }
+            @mail = ActionMailer::Base.deliveries.last
+            @resource.reload
+            @data = JSON.parse(response.body)
+            @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+            @mail_reset_token  = @mail.body.match(/unlock_token=(.*)\"/)[1]
+          end
+          test 'response should return success status' do
+            assert_equal 200, response.status
+          end
+          test 'response should contains message' do
+            assert_equal @data['message'], I18n.t('devise_token_auth.unlocks.sended', email: @resource.email)
+          end
+          test 'action should send an email' do
+            assert @mail
+          end
+          test 'the email should be addressed to the user' do
+            assert_equal @mail.to.first, @resource.email
+          end
+          test 'the client config name should fall back to "default"' do
+            assert_equal 'default', @mail_config_name
+          end
+          test 'the email body should contain a link with reset token as a query param' do
+            user = LockableUser.unlock_access_by_token(@mail_reset_token)
+            assert_equal user.id, @resource.id
+          end
+          describe 'unlock link failure' do
+            test 'response should return 404' do
+              assert_raises(ActionController::RoutingError) do
+                get :show, params: { unlock_token: 'bogus' }
+              end
+            end
+          end
+          describe 'password reset link success' do
+            before do
+              get :show, params: { unlock_token: @mail_reset_token }
+              @resource.reload
+              raw_qs = response.location.split('?')[1]
+              @qs = Rack::Utils.parse_nested_query(raw_qs)
+              @access_token   = @qs['access-token']
+              @client         = @qs['client']
+              @client_id      = @qs['client_id']
+              @expiry         = @qs['expiry']
+              @token          = @qs['token']
+              @uid            = @qs['uid']
+              @unlock         = @qs['unlock']
+            end
+            test 'respones should have success redirect status' do
+              assert_equal 302, response.status
+            end
+            test 'response should contain auth params' do
+              assert @access_token
+              assert @client
+              assert @client_id
+              assert @expiry
+              assert @token
+              assert @uid
+              assert @unlock
+            end
+            test 'response auth params should be valid' do
+              assert @resource.valid_token?(@token, @client_id)
+              assert @resource.valid_token?(@access_token, @client)
+            end
+          end
+        end
+        describe 'case-insensitive email' do
+          before do
+            @resource_class = LockableUser
+            @request_params = {
+              email:        @resource.email.upcase
+            }
+          end
+          test 'response should return success status if configured' do
+            @resource_class.case_insensitive_keys = [:email]
+            post :create, params: @request_params
+            assert_equal 200, response.status
+          end
+          test 'response should return failure status if not configured' do
+            @resource_class.case_insensitive_keys = []
+            post :create, params: @request_params
+            assert_equal 404, response.status
+          end
+        end
+      end
+    end
+  end
+end

data/test/controllers/overrides/confirmations_controller_test.rb ADDED

@@ -0,0 +1,43 @@
+require 'test_helper'
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::ConfirmationsController do
+    before do
+      @redirect_url = Faker::Internet.url
+      @new_user = evil_users(:unconfirmed_email_user)
+      # generate + send email
+      @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
+      @mail = ActionMailer::Base.deliveries.last
+      @confirmation_path = @mail.body.match(/localhost([^\"]*)\"/)[1]
+      # visit confirmation link
+      get @confirmation_path
+      # reload user from db
+      @new_user.reload
+    end
+    test 'user is confirmed' do
+      assert @new_user.confirmed?
+    end
+    test 'user can be authenticated via confirmation link' do
+      # hard coded in override controller
+      override_proof_str = '(^^,)'
+      # ensure present in redirect URL
+      override_proof_param = URI.unescape(response.headers['Location']
+                                .match(/override_proof=([^&]*)&/)[1])
+      assert_equal override_proof_str, override_proof_param
+    end
+  end
+end

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb ADDED

@@ -0,0 +1,49 @@
+require 'test_helper'
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::OmniauthCallbacksController do
+    setup do
+      OmniAuth.config.test_mode = true
+      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+        provider: 'facebook',
+        uid: '123545',
+        info: {
+          name: 'chong',
+          email: 'chongbong@aol.com'
+        }
+      )
+      @favorite_color = 'gray'
+      get '/evil_user_auth/facebook',
+          params: {
+            auth_origin_url: Faker::Internet.url,
+            favorite_color: @favorite_color,
+            omniauth_window_type: 'newWindow'
+          }
+      follow_all_redirects!
+      @resource = assigns(:resource)
+    end
+    test 'request is successful' do
+      assert_equal 200, response.status
+    end
+    test 'controller was overridden' do
+      assert_equal @resource.nickname,
+                   Overrides::OmniauthCallbacksController::DEFAULT_NICKNAME
+    end
+    test 'whitelisted param was allowed' do
+      assert_equal @favorite_color, @resource.favorite_color
+    end
+  end
+end

data/test/controllers/overrides/passwords_controller_test.rb ADDED

@@ -0,0 +1,66 @@
+require 'test_helper'
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+class Overrides::PasswordsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::PasswordsController do
+    before do
+      @resource = evil_users(:confirmed_email_user)
+      @redirect_url = Faker::Internet.url
+      post '/evil_user_auth/password',
+           params: {
+             email: @resource.email,
+             redirect_url: @redirect_url
+           }
+      @mail = ActionMailer::Base.deliveries.last
+      @resource.reload
+      @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+      @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+      get '/evil_user_auth/password/edit',
+          params: { reset_password_token: @mail_reset_token,
+                    redirect_url: @mail_redirect_url }
+      @resource.reload
+      raw_qs = response.location.split('?')[1]
+      @qs = Rack::Utils.parse_nested_query(raw_qs)
+      @access_token   = @qs['access-token']
+      @client         = @qs['client']
+      @client_id      = @qs['client_id']
+      @expiry         = @qs['expiry']
+      @override_proof = @qs['override_proof']
+      @reset_password = @qs['reset_password']
+      @token          = @qs['token']
+      @uid            = @qs['uid']
+    end
+    test 'response should have success redirect status' do
+      assert_equal 302, response.status
+    end
+    test 'response should contain auth params + override proof' do
+      assert @access_token
+      assert @client
+      assert @client_id
+      assert @expiry
+      assert @override_proof
+      assert @reset_password
+      assert @token
+      assert @uid
+    end
+    test 'override proof is correct' do
+      assert_equal @override_proof, Overrides::PasswordsController::OVERRIDE_PROOF
+    end
+  end
+end

data/test/controllers/overrides/registrations_controller_test.rb ADDED

@@ -0,0 +1,40 @@
+require 'test_helper'
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+class Overrides::RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  describe Overrides::RegistrationsController do
+    setup do
+      @existing_user  = evil_users(:confirmed_email_user)
+      @auth_headers   = @existing_user.create_new_auth_token
+      @client_id      = @auth_headers['client']
+      @favorite_color = 'pink'
+      # ensure request is not treated as batch request
+      age_token(@existing_user, @client_id)
+      # test valid update param
+      @new_operating_thetan = 1_000_000
+      put '/evil_user_auth',
+          params: { favorite_color: @favorite_color },
+          headers: @auth_headers
+      @data = JSON.parse(response.body)
+      @existing_user.reload
+    end
+    test 'user was updated' do
+      assert_equal @favorite_color, @existing_user.favorite_color
+    end
+    test 'controller was overridden' do
+      assert_equal Overrides::RegistrationsController::OVERRIDE_PROOF,
+                   @data['override_proof']
+    end
+  end
+end