graphql_devise 0.13.1 → 0.13.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 543ed51aaeb46699f17efb47cb13909ebfcd98ee0b97d27207fa0423199d72d2
-  data.tar.gz: 393496018363cadce3251a7ac4b3b9b0c74f8830fd72414fd97d47453406df2a
+  metadata.gz: e90de970ae686dd8437156a6d830b922c1fe4369c10206532073e5bb3f8f75f8
+  data.tar.gz: 3a74fe59c81889eb9f5a4bb42710d4cb7e086b9a9bdbd0e9bd09a370ccd7f435
 SHA512:
-  metadata.gz: c085a18386d7d2ae725140a1c4a089cebcae117485395145dbc24106fc28a97a6d35b895bb3ae990243c936ed3253467d0a471b85bda3180844421ea85f3a3a0
-  data.tar.gz: c8a271975c6306edbac33bacace9c00db6286eb988f015cec36007be0d860f6f92b3b9b8c65d5d7b4f5d2f524c8a306815b7a9b56141b759ef53ccfbc8c9d526
+  metadata.gz: 0f608b88cf17acc4e8c4d7d54fb4d578afb38d2c7f7a73b9df2cee7b9661cdb6a35b1b45e4a6d7c05e022a334f6c7ed8bf1427b301422c2e27f191a830dde621
+  data.tar.gz: 5d5bc1eab5158c5134f18a7f2f85e0653139ee13d67c45efb7050274d41ed6f1a5c2dee0c97c57ca987bd7f74556cbca9ae478b7782aee28f5967308d7bd3c92

data/CHANGELOG.md

@@ -1,5 +1,46 @@
 # Changelog
 
+## [v0.13.6](https://github.com/graphql-devise/graphql_devise/tree/v0.13.6) (2020-12-22)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.5...v0.13.6)
+
+**Security fixes:**
+
+- Possible security issue with password reset and redirectUrl [\#136](https://github.com/graphql-devise/graphql_devise/issues/136)
+- Add redirect whitelist validation to all queries and mutations [\#140](https://github.com/graphql-devise/graphql_devise/pull/140) ([mcelicalderon](https://github.com/mcelicalderon))
+
+## [v0.13.5](https://github.com/graphql-devise/graphql_devise/tree/v0.13.5) (2020-11-20)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.4...v0.13.5)
+
+**Implemented enhancements:**
+
+- Fixes connection\_config deprecation warning [\#135](https://github.com/graphql-devise/graphql_devise/pull/135) ([artplan1](https://github.com/artplan1))
+
+## [v0.13.4](https://github.com/graphql-devise/graphql_devise/tree/v0.13.4) (2020-08-15)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.3...v0.13.4)
+
+**Implemented enhancements:**
+
+- Allow resend of confirmation with unconfirmed email [\#127](https://github.com/graphql-devise/graphql_devise/pull/127) ([j15e](https://github.com/j15e))
+
+## [v0.13.3](https://github.com/graphql-devise/graphql_devise/tree/v0.13.3) (2020-08-13)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.2...v0.13.3)
+
+**Fixed bugs:**
+
+- Fix unconfirmed\_email confirmation. Ignore devise reconfirmable config. [\#126](https://github.com/graphql-devise/graphql_devise/pull/126) ([mcelicalderon](https://github.com/mcelicalderon))
+
+## [v0.13.2](https://github.com/graphql-devise/graphql_devise/tree/v0.13.2) (2020-08-12)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.1...v0.13.2)
+
+**Fixed bugs:**
+
+- Save resource after generating credentials in resource confirmation [\#125](https://github.com/graphql-devise/graphql_devise/pull/125) ([mcelicalderon](https://github.com/mcelicalderon))
+
 ## [v0.13.1](https://github.com/graphql-devise/graphql_devise/tree/v0.13.1) (2020-07-29)
 
 [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.0...v0.13.1)

data/README.md

@@ -1,5 +1,5 @@
 # GraphqlDevise
-[![Build Status](https://travis-ci.org/graphql-devise/graphql_devise.svg?branch=master)](https://travis-ci.org/graphql-devise/graphql_devise)
+[![Build Status](https://travis-ci.com/graphql-devise/graphql_devise.svg?branch=master)](https://travis-ci.com/graphql-devise/graphql_devise)
 [![Coverage Status](https://coveralls.io/repos/github/graphql-devise/graphql_devise/badge.svg?branch=master)](https://coveralls.io/github/graphql-devise/graphql_devise?branch=master)
 [![Gem Version](https://badge.fury.io/rb/graphql_devise.svg)](https://badge.fury.io/rb/graphql_devise)
 
@@ -47,7 +47,8 @@ GraphQL interface on top of the [Devise Token Auth](https://github.com/lynndylan
 <!--te-->
 
 ## Introduction
-Graphql-Devise heavily relies on two gems:
+Graphql-Devise heavily relies on 3 gems:
+- [GraphQL Ruby](https://github.com/rmosolgo/graphql-ruby)
 - [Devise Token Auth](https://github.com/lynndylanhurley/devise_token_auth) (DTA)
 - [Devise](https://github.com/heartcombo/devise) (which is a DTA dependency)
 
@@ -107,7 +108,7 @@ and `api/auth` could be any mount path you would like to use for auth.
  - Avoid passing the `--mount` option or the gem will try to use an existing schema.
 
 #### Mounting Operations in Your Own Schema (> v0.12.0)
-To configure the gem to use your own GQL schema use the `--mount` option. 
+To configure the gem to use your own GQL schema use the `--mount` option.
 For instance the executing:
 
 ```bash
@@ -318,20 +319,19 @@ The install generator can do this for you if you specify the `user_class` option
 See [Installation](#installation) for details.
 
 ### Email Reconfirmation
-DTA and Devise support email reconfirmation. When the `confirmable` module is added to your
-resource, an email is sent to the provided email address when the `signUp` mutation is used.
-You can also use this gem so every time a user updates the `email` field, a new email gets sent
-for the user to confirm the new email address. Only after clicking on the confirmation link,
-the email will be updated on the database to use the new value.
-
-In order to use this feature there are a couple of things to setup first:
-1. Make user your model includes the `:confirmable` module.
-1. Add an `unconfirmed_email` String column to your resource's table.
-
-After that is done, you simply need to call a different update method on your resource,
-`update_with_email`. This method behaves exactly the same as ActiveRecord's `update` method
-if the previous steps are not performed, or if you are not updating the `email` attribute.
-It is also mandatory to provide two additional attributes when email will change or an error
+Email reconfirmation is supported just like in Devise and DTA, but we want reconfirmable
+in this gem to work on model basis instead of having a global configuration like in Devise.
+**For this reason Devise's global `reconfirmable` setting is ignored.**
+
+For a resource to be considered reconfirmable it has to meet 2 conditions:
+1. Include the `:confirmable` module.
+1. Has an `unconfirmed_email` column in the resource's table.
+
+In order to trigger the reconfirmation email in a reconfirmable resource, you simply needi
+to call a different update method on your resource,`update_with_email`.
+When the resource is not reconfirmable or the email is not updated, this method behaves exactly
+the same as ActiveRecord's `update`.
+`update_with_email` requires two additional attributes when email will change or an error
 will be raised:
 
 1. `schema_url`: The full url where your GQL schema is mounted. You can get this value from the
@@ -355,6 +355,9 @@ user.update_with_email(
 )
 ```
 
+ We want reconfirmable in this gem to work separately
+ from DTA's or Devise (too much complexity in the model based on callbacks).
+
 ### Customizing Email Templates
 The approach of this gem is a bit different from DeviseTokenAuth. We have placed our templates in `app/views/graphql_devise/mailer`,
 so if you want to change them, place yours on the same dir structure on your Rails project. You can customize these two templates:

data/app/models/graphql_devise/concerns/model.rb

@@ -7,6 +7,12 @@ module GraphqlDevise
     Model = DeviseTokenAuth::Concerns::User
 
     Model.module_eval do
+      class_methods do
+        def reconfirmable
+          devise_modules.include?(:confirmable) && column_names.include?('unconfirmed_email')
+        end
+      end
+
       def update_with_email(attributes = {})
         GraphqlDevise::Model::WithEmailUpdater.new(self, attributes).call
       end

data/config/locales/en.yml

@@ -1,5 +1,6 @@
 en:
   graphql_devise:
+    redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
     registration_failed: "User couldn't be registered"
     resource_build_failed: "Resource couldn't be built, execution stopped."
     not_authenticated: "User is not logged in."
@@ -7,7 +8,6 @@ en:
     invalid_resource: "Errors present in the resource."
     registrations:
       missing_confirm_redirect_url: "Missing 'confirm_success_url' parameter. Required when confirmable module is enabled."
-      redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
     passwords:
       update_password_error: "Unable to update user password"
       missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."

data/lib/graphql_devise/concerns/controller_methods.rb

@@ -7,6 +7,12 @@ module GraphqlDevise
 
       private
 
+      def check_redirect_url_whitelist!(redirect_url)
+        if blacklisted_redirect_url?(redirect_url)
+          raise_user_error(I18n.t('graphql_devise.redirect_url_not_allowed', redirect_url: redirect_url))
+        end
+      end
+
       def raise_user_error(message)
         raise GraphqlDevise::UserError, message
       end
@@ -90,7 +96,7 @@ module GraphqlDevise
       end
 
       def find_resource(field, value)
-        if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+        if resource_class.connection.adapter_name.downcase.include?('mysql')
           # fix for mysql default case insensitivity
           resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
         elsif Gem::Version.new(DeviseTokenAuth::VERSION) < Gem::Version.new('1.1.0')

data/lib/graphql_devise/mutations/resend_confirmation.rb

@@ -9,15 +9,16 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
-        resource = find_resource(
-          :email,
-          get_case_insensitive_field(:email, email)
-        )
+        check_redirect_url_whitelist!(redirect_url)
+
+        resource = find_confirmable_resource(email)
 
         if resource
           yield resource if block_given?
 
-          raise_user_error(I18n.t('graphql_devise.confirmations.already_confirmed')) if resource.confirmed?
+          if resource.confirmed? && !resource.pending_reconfirmation?
+            raise_user_error(I18n.t('graphql_devise.confirmations.already_confirmed'))
+          end
 
           resource.send_confirmation_instructions(
             redirect_url:  redirect_url,
@@ -30,6 +31,15 @@ module GraphqlDevise
           raise_user_error(I18n.t('graphql_devise.confirmations.user_not_found', email: email))
         end
       end
+
+      private
+
+      def find_confirmable_resource(email)
+        email_insensitive = get_case_insensitive_field(:email, email)
+        resource = find_resource(:unconfirmed_email, email_insensitive) if resource_class.reconfirmable
+        resource ||= find_resource(:email, email_insensitive)
+        resource
+      end
     end
   end
 end

data/lib/graphql_devise/mutations/send_password_reset.rb

@@ -9,6 +9,8 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = find_resource(:email, get_case_insensitive_field(:email, email))
 
         if resource

data/lib/graphql_devise/mutations/sign_up.rb

@@ -22,9 +22,7 @@ module GraphqlDevise
           raise_user_error(I18n.t('graphql_devise.registrations.missing_confirm_redirect_url'))
         end
 
-        if blacklisted_redirect_url?(redirect_url)
-          raise_user_error(I18n.t('graphql_devise.registrations.redirect_url_not_allowed', redirect_url: redirect_url))
-        end
+        check_redirect_url_whitelist!(redirect_url)
 
         resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
 

data/lib/graphql_devise/resolvers/check_password_token.rb

@@ -27,6 +27,7 @@ module GraphqlDevise
           )
 
           if redirect_url.present?
+            check_redirect_url_whitelist!(redirect_url)
             controller.redirect_to(resource.build_auth_url(redirect_url, built_redirect_headers))
           else
             set_auth_headers(resource)

data/lib/graphql_devise/resolvers/confirm_account.rb

@@ -7,6 +7,8 @@ module GraphqlDevise
       argument :redirect_url,       String, required: true
 
       def resolve(confirmation_token:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = resource_class.confirm_by_token(confirmation_token)
 
         if resource.errors.empty?
@@ -15,13 +17,16 @@ module GraphqlDevise
           redirect_header_options = { account_confirmation_success: true }
 
           redirect_to_link = if controller.signed_in?(resource_name)
-            resource.build_auth_url(
+            url = resource.build_auth_url(
               redirect_url,
               redirect_headers(
                 client_and_token(resource.create_token),
                 redirect_header_options
               )
             )
+            resource.save!
+
+            url
           else
             DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
           end

data/lib/graphql_devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GraphqlDevise
-  VERSION = '0.13.1'.freeze
+  VERSION = '0.13.6'.freeze
 end

data/spec/dummy/app/graphql/resolvers/confirm_admin_account.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Resolvers
+  class ConfirmAdminAccount < GraphqlDevise::Resolvers::ConfirmAccount
+    type Types::AdminType, null: false
+
+    def resolve(confirmation_token:, redirect_url:)
+      super do |admin|
+        controller.sign_in(admin)
+      end
+    end
+  end
+end

data/spec/dummy/app/graphql/types/admin_type.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Types
+  class AdminType < GraphQL::Schema::Object
+    field :id,    Int,    null: false
+    field :email, String, null: false
+  end
+end

data/spec/dummy/config/initializers/devise.rb

@@ -142,7 +142,7 @@ Devise.setup do |config|
   # initial account confirmation) to be applied. Requires additional unconfirmed_email
   # db field (see migrations). Until confirmed, new email is stored in
   # unconfirmed_email column, and copied to email column on successful confirmation.
-  config.reconfirmable = true
+  config.reconfirmable = false
 
   # Defines which key will be used when confirming an account
   # config.confirmation_keys = [:email]

data/spec/dummy/config/initializers/devise_token_auth.rb

@@ -39,6 +39,8 @@ DeviseTokenAuth.setup do |config|
 
   config.default_confirm_success_url = 'https://google.com'
 
+  config.redirect_whitelist = ['https://google.com']
+
   # By default we will use callbacks for single omniauth.
   # It depends on fields like email, provider and uid.
   # config.default_callbacks = true

data/spec/dummy/config/routes.rb

@@ -14,6 +14,9 @@ Rails.application.routes.draw do
     'Admin',
     authenticatable_type: Types::CustomAdminType,
     skip:                 [:sign_up, :check_password_token],
+    operations:           {
+      confirm_account: Resolvers::ConfirmAdminAccount
+    },
     at:                   '/api/v1/admin/graphql_auth'
   )
 

data/spec/dummy/db/schema.rb

@@ -1,5 +1,3 @@
-# frozen_string_literal: true
-
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.

data/spec/requests/mutations/additional_mutations_spec.rb

@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
   let(:password)              { Faker::Internet.password }
   let(:password_confirmation) { password }
   let(:email)                 { Faker::Internet.email }
-  let(:redirect)              { Faker::Internet.url }
 
   context 'when using the user model' do
     let(:query) do

data/spec/requests/mutations/resend_confirmation_spec.rb

@@ -5,10 +5,11 @@ require 'rails_helper'
 RSpec.describe 'Resend confirmation' do
   include_context 'with graphql query request'
 
-  let!(:user)    { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
-  let(:email)    { user.email }
-  let(:id)       { user.id }
-  let(:redirect) { Faker::Internet.url }
+  let(:confirmed_at) { nil }
+  let!(:user)        { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:id)           { user.id }
+  let(:redirect)     { 'https://google.com' }
   let(:query) do
     <<-GRAPHQL
       mutation {
@@ -22,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
     GRAPHQL
   end
 
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
   context 'when params are correct' do
     context 'when using the gem schema' do
       it 'sends an email to the user with confirmation url and returns a success message' do
@@ -98,6 +114,28 @@ RSpec.describe 'Resend confirmation' do
     end
   end
 
+  context 'when the email was changed' do
+    let(:confirmed_at) { 2.seconds.ago }
+    let(:email)        { 'new-email@wallaceinc.com' }
+    let(:new_email)    { email }
+
+    before do
+      user.update_with_email(
+        email:                    new_email,
+        schema_url:               'http://localhost/test',
+        confirmation_success_url: 'https://google.com'
+      )
+    end
+
+    it 'sends new confirmation email' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(ActionMailer::Base.deliveries.first.to).to contain_exactly(new_email)
+      expect(json_response[:data][:userResendConfirmation]).to include(
+        message: 'You will receive an email with instructions for how to confirm your email address in a few minutes.'
+      )
+    end
+  end
+
   context "when the email isn't in the system" do
     let(:email) { 'nothere@gmail.com' }
 

data/spec/requests/mutations/send_password_reset_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
 
   let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
   let(:email)        { user.email }
-  let(:redirect_url) { Faker::Internet.url }
+  let(:redirect_url) { 'https://google.com' }
   let(:query) do
     <<-GRAPHQL
       mutation {
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
     GRAPHQL
   end
 
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
   context 'when params are correct' do
     context 'when using the gem schema' do
       it 'sends password reset  email' do

data/spec/requests/mutations/sign_up_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
   let(:name)     { Faker::Name.name }
   let(:password) { Faker::Internet.password }
   let(:email)    { Faker::Internet.email }
-  let(:redirect) { Faker::Internet.url }
+  let(:redirect) { 'https://google.com' }
 
   context 'when using the user model' do
     let(:query) do
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
       GRAPHQL
     end
 
+    context 'when redirect_url is not whitelisted' do
+      let(:redirect) { 'https://not-safe.com' }
+
+      it 'returns a not whitelisted redirect url error' do
+        expect { post_request }.to(
+          not_change(User, :count)
+          .and(not_change(ActionMailer::Base.deliveries, :count))
+        )
+
+        expect(json_response[:errors]).to containing_exactly(
+          hash_including(
+            message:    "Redirect to '#{redirect}' not allowed.",
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
+    end
+
     context 'when params are correct' do
       it 'creates a new resource that requires confirmation' do
         expect { post_request }.to(

data/spec/requests/queries/check_password_token_spec.rb

@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
           expect(response.body).to include('uid=')
           expect(response.body).to include('expiry=')
         end
+
+        context 'when redirect_url is not whitelisted' do
+          let(:redirect_url) { 'https://not-safe.com' }
+
+          before { post_request }
+
+          it 'returns a not whitelisted redirect url error' do
+            expect(json_response[:errors]).to containing_exactly(
+              hash_including(
+                message:    "Redirect to '#{redirect_url}' not allowed.",
+                extensions: { code: 'USER_ERROR' }
+              )
+            )
+          end
+        end
       end
 
       context 'when token has expired' do

data/spec/requests/queries/confirm_account_spec.rb

@@ -5,60 +5,133 @@ require 'rails_helper'
 RSpec.describe 'Account confirmation' do
   include_context 'with graphql query request'
 
-  let(:user)     { create(:user, confirmed_at: nil) }
-  let(:redirect) { Faker::Internet.url }
-  let(:query) do
-    <<-GRAPHQL
-      {
-        userConfirmAccount(
-          confirmationToken: "#{token}"
-          redirectUrl:       "#{redirect}"
-        ) {
-          email
-          name
+  context 'when using the user model' do
+    let(:user)     { create(:user, confirmed_at: nil) }
+    let(:redirect) { 'https://google.com' }
+    let(:query) do
+      <<-GRAPHQL
+        {
+          userConfirmAccount(
+            confirmationToken: "#{token}"
+            redirectUrl:       "#{redirect}"
+          ) {
+            email
+            name
+          }
         }
-      }
-    GRAPHQL
-  end
+      GRAPHQL
+    end
+
+    context 'when confirmation token is correct' do
+      let(:token) { user.confirmation_token }
+
+      before do
+        user.send_confirmation_instructions(
+          template_path: ['graphql_devise/mailer'],
+          controller:    'graphql_devise/graphql',
+          schema_url:    'http://not-using-this-value.com/gql'
+        )
+      end
+
+      it 'confirms the resource and redirects to the sent url' do
+        expect do
+          get_request
+          user.reload
+        end.to(change(user, :confirmed_at).from(nil))
+
+        expect(response).to redirect_to("#{redirect}?account_confirmation_success=true")
+        expect(user).to be_active_for_authentication
+      end
+
+      context 'when redirect_url is not whitelisted' do
+        let(:redirect) { 'https://not-safe.com' }
+
+        it 'returns a not whitelisted redirect url error' do
+          expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
 
-  context 'when confirmation token is correct' do
-    let(:token) { user.confirmation_token }
+          expect(json_response[:errors]).to containing_exactly(
+            hash_including(
+              message:    "Redirect to '#{redirect}' not allowed.",
+              extensions: { code: 'USER_ERROR' }
+            )
+          )
+        end
+      end
 
-    before do
-      user.send_confirmation_instructions(
-        template_path: ['graphql_devise/mailer'],
-        controller:    'graphql_devise/graphql',
-        schema_url:    'http://not-using-this-value.com/gql'
-      )
+      context 'when unconfirmed_email is present' do
+        let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
+
+        it 'confirms the unconfirmed email and redirects' do
+          expect do
+            get_request
+            user.reload
+          end.to change(user, :email).from(user.email).to('vvega@wallaceinc.com').and(
+            change(user, :unconfirmed_email).from('vvega@wallaceinc.com').to(nil)
+          )
+
+          expect(response).to redirect_to("#{redirect}?account_confirmation_success=true")
+        end
+      end
     end
 
-    it 'confirms the resource and redirects to the sent url' do
-      expect do
-        get_request
-        user.reload
-      end.to(change(user, :confirmed_at).from(nil))
+    context 'when reset password token is not found' do
+      let(:token) { "#{user.confirmation_token}-invalid" }
+
+      it 'does *NOT* confirm the user nor does the redirection' do
+        expect do
+          get_request
+          user.reload
+        end.not_to(change(user, :confirmed_at).from(nil))
 
-      expect(response).to redirect_to "#{redirect}?account_confirmation_success=true"
-      expect(user).to be_active_for_authentication
+        expect(response).not_to be_redirect
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(
+            message:    'Invalid confirmation token. Please try again',
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
     end
   end
 
-  context 'when reset password token is not found' do
-    let(:token) { "#{user.confirmation_token}-invalid" }
+  context 'when using the admin model' do
+    let(:admin)    { create(:admin, confirmed_at: nil) }
+    let(:redirect) { 'https://google.com' }
+    let(:query) do
+      <<-GRAPHQL
+        {
+          adminConfirmAccount(
+            confirmationToken: "#{token}"
+            redirectUrl:       "#{redirect}"
+          ) {
+            email
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when confirmation token is correct' do
+      let(:token) { admin.confirmation_token }
 
-    it 'does *NOT* confirm the user nor does the redirection' do
-      expect do
-        get_request
-        user.reload
-      end.not_to(change(user, :confirmed_at).from(nil))
+      before do
+        admin.send_confirmation_instructions(
+          template_path: ['graphql_devise/mailer'],
+          controller:    'graphql_devise/graphql',
+          schema_url:    'http://not-using-this-value.com/gql'
+        )
+      end
 
-      expect(response).not_to be_redirect
-      expect(json_response[:errors]).to contain_exactly(
-        hash_including(
-          message: 'Invalid confirmation token. Please try again',
-          extensions: { code: 'USER_ERROR' }
+      it 'confirms the resource, persists credentials on the DB and redirects to the sent url' do
+        expect do
+          get_request
+          admin.reload
+        end.to change(admin, :confirmed_at).from(nil).and(
+          change { admin.tokens.keys.count }.from(0).to(1)
         )
-      )
+
+        expect(response).to redirect_to(/\A#{redirect}.+access\-token=/)
+        expect(admin).to be_active_for_authentication
+      end
     end
   end
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: graphql_devise
 version: !ruby/object:Gem::Version
-  version: 0.13.1
+  version: 0.13.6
 platform: ruby
 authors:
 - Mario Celi
 - David Revelo
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-07-30 00:00:00.000000000 Z
+date: 2020-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise_token_auth
@@ -364,8 +364,10 @@ files:
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
+- spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
 - spec/dummy/app/graphql/resolvers/public_user.rb
 - spec/dummy/app/graphql/resolvers/user_show.rb
+- spec/dummy/app/graphql/types/admin_type.rb
 - spec/dummy/app/graphql/types/base_object.rb
 - spec/dummy/app/graphql/types/custom_admin_type.rb
 - spec/dummy/app/graphql/types/mutation_type.rb
@@ -474,7 +476,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/graphql-devise/graphql_devise
   source_code_uri: https://github.com/graphql-devise/graphql_devise
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -489,8 +491,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.0.8
+signing_key:
 specification_version: 4
 summary: GraphQL queries and mutations on top of devise_token_auth
 test_files:
@@ -505,8 +507,10 @@ test_files:
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
+- spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
 - spec/dummy/app/graphql/resolvers/public_user.rb
 - spec/dummy/app/graphql/resolvers/user_show.rb
+- spec/dummy/app/graphql/types/admin_type.rb
 - spec/dummy/app/graphql/types/base_object.rb
 - spec/dummy/app/graphql/types/custom_admin_type.rb
 - spec/dummy/app/graphql/types/mutation_type.rb