graphql_devise 0.13.3 → 0.14.1

data/spec/requests/mutations/send_password_reset_with_token_spec.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Send Password Reset Requests' do
+  include_context 'with graphql query request'
+
+  let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:redirect_url) { 'https://google.com' }
+  let(:query) do
+    <<-GRAPHQL
+      mutation {
+        userSendPasswordResetWithToken(
+          email:       "#{email}",
+          redirectUrl: "#{redirect_url}"
+        ) {
+          message
+        }
+      }
+    GRAPHQL
+  end
+
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
+  context 'when params are correct' do
+    context 'when using the gem schema' do
+      it 'sends password reset  email' do
+        expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+
+        expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+          message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+        )
+
+        email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        link  = email.css('a').first
+
+        expect(link['href']).to include(redirect_url + '?reset_password_token')
+      end
+    end
+  end
+
+  context 'when email address uses different casing' do
+    let(:email) { 'jWinnfield@wallaceinc.com' }
+
+    it 'honors devise configuration for case insensitive fields' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+        message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+      )
+    end
+  end
+
+  context 'when user email is not found' do
+    let(:email) { 'nothere@gmail.com' }
+
+    before { post_request }
+
+    it 'returns an error' do
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
+      )
+    end
+  end
+end

data/spec/requests/mutations/sign_up_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
   let(:name)     { Faker::Name.name }
   let(:password) { Faker::Internet.password }
   let(:email)    { Faker::Internet.email }
-  let(:redirect) { Faker::Internet.url }
+  let(:redirect) { 'https://google.com' }
 
   context 'when using the user model' do
     let(:query) do
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
       GRAPHQL
     end
 
+    context 'when redirect_url is not whitelisted' do
+      let(:redirect) { 'https://not-safe.com' }
+
+      it 'returns a not whitelisted redirect url error' do
+        expect { post_request }.to(
+          not_change(User, :count)
+          .and(not_change(ActionMailer::Base.deliveries, :count))
+        )
+
+        expect(json_response[:errors]).to containing_exactly(
+          hash_including(
+            message:    "Redirect to '#{redirect}' not allowed.",
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
+    end
+
     context 'when params are correct' do
       it 'creates a new resource that requires confirmation' do
         expect { post_request }.to(

data/spec/requests/mutations/update_password_with_token_spec.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Update Password With Token' do
+  include_context 'with graphql query request'
+
+  let(:password)              { '12345678' }
+  let(:password_confirmation) { password }
+
+  context 'when using the user model' do
+    let(:user) { create(:user, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          userUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { accessToken }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when reset password token is valid' do
+      let(:token) { user.send(:set_reset_password_token) }
+
+      it 'updates the password' do
+        expect do
+          post_request
+          user.reload
+        end.to change(user, :encrypted_password)
+
+        expect(user).to be_valid_password(password)
+        expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to     be_nil
+        expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
+      end
+
+      context 'when token has expired' do
+        it 'returns an expired token error' do
+          travel_to 10.hours.ago do
+            token
+          end
+
+          post_request
+
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
+          )
+        end
+      end
+
+      context 'when password confirmation does not match' do
+        let(:password_confirmation) { 'does not match' }
+
+        it 'returns an error' do
+          post_request
+
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(
+              message:    'Unable to update user password',
+              extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
+            )
+          )
+        end
+      end
+    end
+
+    context 'when reset password token is not found' do
+      let(:token) { user.send(:set_reset_password_token) + 'invalid' }
+
+      it 'returns an error' do
+        post_request
+
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
+        )
+      end
+    end
+  end
+
+  context 'when using the admin model' do
+    let(:admin) { create(:admin, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          adminUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { uid }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when reset password token is valid' do
+      let(:token) { admin.send(:set_reset_password_token) }
+
+      it 'updates the password' do
+        expect do
+          post_request
+          admin.reload
+        end.to change(admin, :encrypted_password)
+
+        expect(admin).to be_valid_password(password)
+        expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
+          credentials:     { uid: admin.email },
+          authenticatable: { email: admin.email }
+        )
+      end
+    end
+  end
+end

data/spec/requests/queries/check_password_token_spec.rb

@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
           expect(response.body).to include('uid=')
           expect(response.body).to include('expiry=')
         end
+
+        context 'when redirect_url is not whitelisted' do
+          let(:redirect_url) { 'https://not-safe.com' }
+
+          before { post_request }
+
+          it 'returns a not whitelisted redirect url error' do
+            expect(json_response[:errors]).to containing_exactly(
+              hash_including(
+                message:    "Redirect to '#{redirect_url}' not allowed.",
+                extensions: { code: 'USER_ERROR' }
+              )
+            )
+          end
+        end
       end
 
       context 'when token has expired' do
@@ -74,7 +89,7 @@ RSpec.describe 'Check Password Token Requests' do
     context 'when reset password token is not found' do
       let(:token) { user.send(:set_reset_password_token) + 'invalid' }
 
-      it 'redirects to redirect url' do
+      it 'returns an error message' do
         get_request
 
         expect(json_response[:errors]).to contain_exactly(

data/spec/requests/queries/confirm_account_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe 'Account confirmation' do
 
   context 'when using the user model' do
     let(:user)     { create(:user, confirmed_at: nil) }
-    let(:redirect) { Faker::Internet.url }
+    let(:redirect) { 'https://google.com' }
     let(:query) do
       <<-GRAPHQL
         {
@@ -43,6 +43,21 @@ RSpec.describe 'Account confirmation' do
         expect(user).to be_active_for_authentication
       end
 
+      context 'when redirect_url is not whitelisted' do
+        let(:redirect) { 'https://not-safe.com' }
+
+        it 'returns a not whitelisted redirect url error' do
+          expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+          expect(json_response[:errors]).to containing_exactly(
+            hash_including(
+              message:    "Redirect to '#{redirect}' not allowed.",
+              extensions: { code: 'USER_ERROR' }
+            )
+          )
+        end
+      end
+
       context 'when unconfirmed_email is present' do
         let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
 
@@ -81,7 +96,7 @@ RSpec.describe 'Account confirmation' do
 
   context 'when using the admin model' do
     let(:admin)    { create(:admin, confirmed_at: nil) }
-    let(:redirect) { Faker::Internet.url }
+    let(:redirect) { 'https://google.com' }
     let(:query) do
       <<-GRAPHQL
         {

data/spec/requests/user_controller_spec.rb

@@ -31,15 +31,6 @@ RSpec.describe "Integrations with the user's controller" do
         expect(json_response[:data][:publicField]).to eq('Field does not require authentication')
       end
     end
-
-    context 'when using the failing route' do
-      it 'raises an invalid resource_name error' do
-        expect { post_request('/api/v1/failing') }.to raise_error(
-          GraphqlDevise::Error,
-          'Invalid resource_name `fail` provided to `graphql_context`. Possible values are: [:user, :admin, :guest, :users_customer, :schema_user].'
-        )
-      end
-    end
   end
 
   describe 'privateField' do
@@ -77,6 +68,15 @@ RSpec.describe "Integrations with the user's controller" do
           )
         end
       end
+
+      context 'when using the failing route' do
+        it 'raises an invalid resource_name error' do
+          expect { post_request('/api/v1/failing') }.to raise_error(
+            GraphqlDevise::Error,
+            'Invalid resource_name `fail` provided to `graphql_context`. Possible values are: [:user, :admin, :guest, :users_customer, :schema_user].'
+          )
+        end
+      end
     end
 
     context 'when using an interpreter schema' do

data/spec/support/contexts/schema_test.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+RSpec.shared_context 'with graphql schema test' do
+  let(:variables)      { {} }
+  let(:resource_names) { [:user] }
+  let(:resource)       { nil }
+  let(:controller)     { instance_double(GraphqlDevise::GraphqlController) }
+  let(:context) do
+    { current_resource: resource, controller: controller, resource_name: resource_names }
+  end
+  let(:response) do
+    schema.execute(query, context: context, variables: variables).deep_symbolize_keys
+  end
+end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: graphql_devise
 version: !ruby/object:Gem::Version
-  version: 0.13.3
+  version: 0.14.1
 platform: ruby
 authors:
 - Mario Celi
 - David Revelo
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-08-13 00:00:00.000000000 Z
+date: 2021-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise_token_auth
@@ -40,7 +40,7 @@ dependencies:
         version: '1.8'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.12.0
+        version: 1.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -50,7 +50,7 @@ dependencies:
         version: '1.8'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.12.0
+        version: 1.13.0
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -302,6 +302,7 @@ files:
 - bin/setup
 - config/locales/en.yml
 - config/routes.rb
+- docs/usage/reset_password_flow.md
 - graphql_devise.gemspec
 - lib/generators/graphql_devise/install_generator.rb
 - lib/graphql_devise.rb
@@ -338,8 +339,10 @@ files:
 - lib/graphql_devise/mutations/logout.rb
 - lib/graphql_devise/mutations/resend_confirmation.rb
 - lib/graphql_devise/mutations/send_password_reset.rb
+- lib/graphql_devise/mutations/send_password_reset_with_token.rb
 - lib/graphql_devise/mutations/sign_up.rb
 - lib/graphql_devise/mutations/update_password.rb
+- lib/graphql_devise/mutations/update_password_with_token.rb
 - lib/graphql_devise/rails/routes.rb
 - lib/graphql_devise/resolvers/base.rb
 - lib/graphql_devise/resolvers/check_password_token.rb
@@ -362,6 +365,7 @@ files:
 - spec/dummy/app/graphql/interpreter_schema.rb
 - spec/dummy/app/graphql/mutations/login.rb
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
+- spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
 - spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
@@ -428,6 +432,7 @@ files:
 - spec/factories/users.rb
 - spec/factories/users_customers.rb
 - spec/generators/graphql_devise/install_generator_spec.rb
+- spec/graphql/user_queries_spec.rb
 - spec/graphql_devise/model/with_email_updater_spec.rb
 - spec/graphql_devise_spec.rb
 - spec/models/user_spec.rb
@@ -439,8 +444,10 @@ files:
 - spec/requests/mutations/logout_spec.rb
 - spec/requests/mutations/resend_confirmation_spec.rb
 - spec/requests/mutations/send_password_reset_spec.rb
+- spec/requests/mutations/send_password_reset_with_token_spec.rb
 - spec/requests/mutations/sign_up_spec.rb
 - spec/requests/mutations/update_password_spec.rb
+- spec/requests/mutations/update_password_with_token_spec.rb
 - spec/requests/queries/check_password_token_spec.rb
 - spec/requests/queries/confirm_account_spec.rb
 - spec/requests/user_controller_spec.rb
@@ -465,6 +472,7 @@ files:
 - spec/services/schema_plugin_spec.rb
 - spec/spec_helper.rb
 - spec/support/contexts/graphql_request.rb
+- spec/support/contexts/schema_test.rb
 - spec/support/factory_bot.rb
 - spec/support/matchers/auth_headers_matcher.rb
 - spec/support/matchers/not_change_matcher.rb
@@ -476,7 +484,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/graphql-devise/graphql_devise
   source_code_uri: https://github.com/graphql-devise/graphql_devise
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -491,8 +499,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.0.8
+signing_key:
 specification_version: 4
 summary: GraphQL queries and mutations on top of devise_token_auth
 test_files:
@@ -505,6 +513,7 @@ test_files:
 - spec/dummy/app/graphql/interpreter_schema.rb
 - spec/dummy/app/graphql/mutations/login.rb
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
+- spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
 - spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
@@ -571,6 +580,7 @@ test_files:
 - spec/factories/users.rb
 - spec/factories/users_customers.rb
 - spec/generators/graphql_devise/install_generator_spec.rb
+- spec/graphql/user_queries_spec.rb
 - spec/graphql_devise/model/with_email_updater_spec.rb
 - spec/graphql_devise_spec.rb
 - spec/models/user_spec.rb
@@ -582,8 +592,10 @@ test_files:
 - spec/requests/mutations/logout_spec.rb
 - spec/requests/mutations/resend_confirmation_spec.rb
 - spec/requests/mutations/send_password_reset_spec.rb
+- spec/requests/mutations/send_password_reset_with_token_spec.rb
 - spec/requests/mutations/sign_up_spec.rb
 - spec/requests/mutations/update_password_spec.rb
+- spec/requests/mutations/update_password_with_token_spec.rb
 - spec/requests/queries/check_password_token_spec.rb
 - spec/requests/queries/confirm_account_spec.rb
 - spec/requests/user_controller_spec.rb
@@ -608,6 +620,7 @@ test_files:
 - spec/services/schema_plugin_spec.rb
 - spec/spec_helper.rb
 - spec/support/contexts/graphql_request.rb
+- spec/support/contexts/schema_test.rb
 - spec/support/factory_bot.rb
 - spec/support/matchers/auth_headers_matcher.rb
 - spec/support/matchers/not_change_matcher.rb