graphql_devise 0.13.4 → 0.14.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (39) hide show
  1. checksums.yaml +4 -4
  2. data/.coveralls.yml +1 -0
  3. data/.gitlab-ci.yml +109 -0
  4. data/Appraisals +39 -5
  5. data/CHANGELOG.md +47 -0
  6. data/README.md +20 -9
  7. data/app/views/graphql_devise/mailer/reset_password_instructions.html.erb +7 -1
  8. data/config/locales/en.yml +2 -1
  9. data/docs/usage/reset_password_flow.md +90 -0
  10. data/graphql_devise.gemspec +1 -1
  11. data/lib/graphql_devise/concerns/controller_methods.rb +7 -1
  12. data/lib/graphql_devise/default_operations/mutations.rb +10 -6
  13. data/lib/graphql_devise/mutations/resend_confirmation.rb +2 -0
  14. data/lib/graphql_devise/mutations/send_password_reset.rb +2 -0
  15. data/lib/graphql_devise/mutations/send_password_reset_with_token.rb +37 -0
  16. data/lib/graphql_devise/mutations/sign_up.rb +1 -3
  17. data/lib/graphql_devise/mutations/update_password_with_token.rb +38 -0
  18. data/lib/graphql_devise/resolvers/check_password_token.rb +1 -0
  19. data/lib/graphql_devise/resolvers/confirm_account.rb +2 -0
  20. data/lib/graphql_devise/schema_plugin.rb +22 -11
  21. data/lib/graphql_devise/version.rb +1 -1
  22. data/spec/dummy/app/graphql/dummy_schema.rb +4 -3
  23. data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb +13 -0
  24. data/spec/dummy/config/initializers/devise_token_auth.rb +2 -0
  25. data/spec/dummy/config/routes.rb +2 -1
  26. data/spec/graphql/user_queries_spec.rb +118 -0
  27. data/spec/requests/mutations/additional_mutations_spec.rb +0 -1
  28. data/spec/requests/mutations/resend_confirmation_spec.rb +16 -1
  29. data/spec/requests/mutations/send_password_reset_spec.rb +16 -1
  30. data/spec/requests/mutations/send_password_reset_with_token_spec.rb +78 -0
  31. data/spec/requests/mutations/sign_up_spec.rb +19 -1
  32. data/spec/requests/mutations/update_password_with_token_spec.rb +119 -0
  33. data/spec/requests/queries/check_password_token_spec.rb +16 -1
  34. data/spec/requests/queries/confirm_account_spec.rb +17 -2
  35. data/spec/requests/queries/introspection_query_spec.rb +149 -0
  36. data/spec/requests/user_controller_spec.rb +9 -9
  37. data/spec/support/contexts/schema_test.rb +14 -0
  38. metadata +25 -9
  39. data/.travis.yml +0 -79
data/spec/requests/mutations/additional_mutations_spec.rb CHANGED
@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
9
9
  let(:password) { Faker::Internet.password }
10
10
  let(:password_confirmation) { password }
11
11
  let(:email) { Faker::Internet.email }
12
- let(:redirect) { Faker::Internet.url }
13
12
 
14
13
  context 'when using the user model' do
15
14
  let(:query) do
data/spec/requests/mutations/resend_confirmation_spec.rb CHANGED
@@ -9,7 +9,7 @@ RSpec.describe 'Resend confirmation' do
9
9
  let!(:user) { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
10
10
  let(:email) { user.email }
11
11
  let(:id) { user.id }
12
- let(:redirect) { Faker::Internet.url }
12
+ let(:redirect) { 'https://google.com' }
13
13
  let(:query) do
14
14
  <<-GRAPHQL
15
15
  mutation {
@@ -23,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
23
23
  GRAPHQL
24
24
  end
25
25
 
26
+ context 'when redirect_url is not whitelisted' do
27
+ let(:redirect) { 'https://not-safe.com' }
28
+
29
+ it 'returns a not whitelisted redirect url error' do
30
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
31
+
32
+ expect(json_response[:errors]).to containing_exactly(
33
+ hash_including(
34
+ message: "Redirect to '#{redirect}' not allowed.",
35
+ extensions: { code: 'USER_ERROR' }
36
+ )
37
+ )
38
+ end
39
+ end
40
+
26
41
  context 'when params are correct' do
27
42
  context 'when using the gem schema' do
28
43
  it 'sends an email to the user with confirmation url and returns a success message' do
data/spec/requests/mutations/send_password_reset_spec.rb CHANGED
@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
7
7
 
8
8
  let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
9
9
  let(:email) { user.email }
10
- let(:redirect_url) { Faker::Internet.url }
10
+ let(:redirect_url) { 'https://google.com' }
11
11
  let(:query) do
12
12
  <<-GRAPHQL
13
13
  mutation {
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
21
21
  GRAPHQL
22
22
  end
23
23
 
24
+ context 'when redirect_url is not whitelisted' do
25
+ let(:redirect_url) { 'https://not-safe.com' }
26
+
27
+ it 'returns a not whitelisted redirect url error' do
28
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
29
+
30
+ expect(json_response[:errors]).to containing_exactly(
31
+ hash_including(
32
+ message: "Redirect to '#{redirect_url}' not allowed.",
33
+ extensions: { code: 'USER_ERROR' }
34
+ )
35
+ )
36
+ end
37
+ end
38
+
24
39
  context 'when params are correct' do
25
40
  context 'when using the gem schema' do
26
41
  it 'sends password reset email' do
data/spec/requests/mutations/send_password_reset_with_token_spec.rb ADDED
@@ -0,0 +1,78 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'rails_helper'
4
+
5
+ RSpec.describe 'Send Password Reset Requests' do
6
+ include_context 'with graphql query request'
7
+
8
+ let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
9
+ let(:email) { user.email }
10
+ let(:redirect_url) { 'https://google.com' }
11
+ let(:query) do
12
+ <<-GRAPHQL
13
+ mutation {
14
+ userSendPasswordResetWithToken(
15
+ email: "#{email}",
16
+ redirectUrl: "#{redirect_url}"
17
+ ) {
18
+ message
19
+ }
20
+ }
21
+ GRAPHQL
22
+ end
23
+
24
+ context 'when redirect_url is not whitelisted' do
25
+ let(:redirect_url) { 'https://not-safe.com' }
26
+
27
+ it 'returns a not whitelisted redirect url error' do
28
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
29
+
30
+ expect(json_response[:errors]).to containing_exactly(
31
+ hash_including(
32
+ message: "Redirect to '#{redirect_url}' not allowed.",
33
+ extensions: { code: 'USER_ERROR' }
34
+ )
35
+ )
36
+ end
37
+ end
38
+
39
+ context 'when params are correct' do
40
+ context 'when using the gem schema' do
41
+ it 'sends password reset email' do
42
+ expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
43
+
44
+ expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
45
+ message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
46
+ )
47
+
48
+ email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
49
+ link = email.css('a').first
50
+
51
+ expect(link['href']).to include(redirect_url + '?reset_password_token')
52
+ end
53
+ end
54
+ end
55
+
56
+ context 'when email address uses different casing' do
57
+ let(:email) { 'jWinnfield@wallaceinc.com' }
58
+
59
+ it 'honors devise configuration for case insensitive fields' do
60
+ expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
61
+ expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
62
+ message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
63
+ )
64
+ end
65
+ end
66
+
67
+ context 'when user email is not found' do
68
+ let(:email) { 'nothere@gmail.com' }
69
+
70
+ before { post_request }
71
+
72
+ it 'returns an error' do
73
+ expect(json_response[:errors]).to contain_exactly(
74
+ hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
75
+ )
76
+ end
77
+ end
78
+ end
data/spec/requests/mutations/sign_up_spec.rb CHANGED
@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
8
8
  let(:name) { Faker::Name.name }
9
9
  let(:password) { Faker::Internet.password }
10
10
  let(:email) { Faker::Internet.email }
11
- let(:redirect) { Faker::Internet.url }
11
+ let(:redirect) { 'https://google.com' }
12
12
 
13
13
  context 'when using the user model' do
14
14
  let(:query) do
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
31
31
  GRAPHQL
32
32
  end
33
33
 
34
+ context 'when redirect_url is not whitelisted' do
35
+ let(:redirect) { 'https://not-safe.com' }
36
+
37
+ it 'returns a not whitelisted redirect url error' do
38
+ expect { post_request }.to(
39
+ not_change(User, :count)
40
+ .and(not_change(ActionMailer::Base.deliveries, :count))
41
+ )
42
+
43
+ expect(json_response[:errors]).to containing_exactly(
44
+ hash_including(
45
+ message: "Redirect to '#{redirect}' not allowed.",
46
+ extensions: { code: 'USER_ERROR' }
47
+ )
48
+ )
49
+ end
50
+ end
51
+
34
52
  context 'when params are correct' do
35
53
  it 'creates a new resource that requires confirmation' do
36
54
  expect { post_request }.to(
data/spec/requests/mutations/update_password_with_token_spec.rb ADDED
@@ -0,0 +1,119 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'rails_helper'
4
+
5
+ RSpec.describe 'Update Password With Token' do
6
+ include_context 'with graphql query request'
7
+
8
+ let(:password) { '12345678' }
9
+ let(:password_confirmation) { password }
10
+
11
+ context 'when using the user model' do
12
+ let(:user) { create(:user, :confirmed) }
13
+ let(:query) do
14
+ <<-GRAPHQL
15
+ mutation {
16
+ userUpdatePasswordWithToken(
17
+ resetPasswordToken: "#{token}",
18
+ password: "#{password}",
19
+ passwordConfirmation: "#{password_confirmation}"
20
+ ) {
21
+ authenticatable { email }
22
+ credentials { accessToken }
23
+ }
24
+ }
25
+ GRAPHQL
26
+ end
27
+
28
+ context 'when reset password token is valid' do
29
+ let(:token) { user.send(:set_reset_password_token) }
30
+
31
+ it 'updates the password' do
32
+ expect do
33
+ post_request
34
+ user.reload
35
+ end.to change(user, :encrypted_password)
36
+
37
+ expect(user).to be_valid_password(password)
38
+ expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to be_nil
39
+ expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
40
+ end
41
+
42
+ context 'when token has expired' do
43
+ it 'returns an expired token error' do
44
+ travel_to 10.hours.ago do
45
+ token
46
+ end
47
+
48
+ post_request
49
+
50
+ expect(json_response[:errors]).to contain_exactly(
51
+ hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
52
+ )
53
+ end
54
+ end
55
+
56
+ context 'when password confirmation does not match' do
57
+ let(:password_confirmation) { 'does not match' }
58
+
59
+ it 'returns an error' do
60
+ post_request
61
+
62
+ expect(json_response[:errors]).to contain_exactly(
63
+ hash_including(
64
+ message: 'Unable to update user password',
65
+ extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
66
+ )
67
+ )
68
+ end
69
+ end
70
+ end
71
+
72
+ context 'when reset password token is not found' do
73
+ let(:token) { user.send(:set_reset_password_token) + 'invalid' }
74
+
75
+ it 'returns an error' do
76
+ post_request
77
+
78
+ expect(json_response[:errors]).to contain_exactly(
79
+ hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
80
+ )
81
+ end
82
+ end
83
+ end
84
+
85
+ context 'when using the admin model' do
86
+ let(:admin) { create(:admin, :confirmed) }
87
+ let(:query) do
88
+ <<-GRAPHQL
89
+ mutation {
90
+ adminUpdatePasswordWithToken(
91
+ resetPasswordToken: "#{token}",
92
+ password: "#{password}",
93
+ passwordConfirmation: "#{password_confirmation}"
94
+ ) {
95
+ authenticatable { email }
96
+ credentials { uid }
97
+ }
98
+ }
99
+ GRAPHQL
100
+ end
101
+
102
+ context 'when reset password token is valid' do
103
+ let(:token) { admin.send(:set_reset_password_token) }
104
+
105
+ it 'updates the password' do
106
+ expect do
107
+ post_request
108
+ admin.reload
109
+ end.to change(admin, :encrypted_password)
110
+
111
+ expect(admin).to be_valid_password(password)
112
+ expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
113
+ credentials: { uid: admin.email },
114
+ authenticatable: { email: admin.email }
115
+ )
116
+ end
117
+ end
118
+ end
119
+ end
data/spec/requests/queries/check_password_token_spec.rb CHANGED
@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
54
54
  expect(response.body).to include('uid=')
55
55
  expect(response.body).to include('expiry=')
56
56
  end
57
+
58
+ context 'when redirect_url is not whitelisted' do
59
+ let(:redirect_url) { 'https://not-safe.com' }
60
+
61
+ before { post_request }
62
+
63
+ it 'returns a not whitelisted redirect url error' do
64
+ expect(json_response[:errors]).to containing_exactly(
65
+ hash_including(
66
+ message: "Redirect to '#{redirect_url}' not allowed.",
67
+ extensions: { code: 'USER_ERROR' }
68
+ )
69
+ )
70
+ end
71
+ end
57
72
  end
58
73
 
59
74
  context 'when token has expired' do
@@ -74,7 +89,7 @@ RSpec.describe 'Check Password Token Requests' do
74
89
  context 'when reset password token is not found' do
75
90
  let(:token) { user.send(:set_reset_password_token) + 'invalid' }
76
91
 
77
- it 'redirects to redirect url' do
92
+ it 'returns an error message' do
78
93
  get_request
79
94
 
80
95
  expect(json_response[:errors]).to contain_exactly(
data/spec/requests/queries/confirm_account_spec.rb CHANGED
@@ -7,7 +7,7 @@ RSpec.describe 'Account confirmation' do
7
7
 
8
8
  context 'when using the user model' do
9
9
  let(:user) { create(:user, confirmed_at: nil) }
10
- let(:redirect) { Faker::Internet.url }
10
+ let(:redirect) { 'https://google.com' }
11
11
  let(:query) do
12
12
  <<-GRAPHQL
13
13
  {
@@ -43,6 +43,21 @@ RSpec.describe 'Account confirmation' do
43
43
  expect(user).to be_active_for_authentication
44
44
  end
45
45
 
46
+ context 'when redirect_url is not whitelisted' do
47
+ let(:redirect) { 'https://not-safe.com' }
48
+
49
+ it 'returns a not whitelisted redirect url error' do
50
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
51
+
52
+ expect(json_response[:errors]).to containing_exactly(
53
+ hash_including(
54
+ message: "Redirect to '#{redirect}' not allowed.",
55
+ extensions: { code: 'USER_ERROR' }
56
+ )
57
+ )
58
+ end
59
+ end
60
+
46
61
  context 'when unconfirmed_email is present' do
47
62
  let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
48
63
 
@@ -81,7 +96,7 @@ RSpec.describe 'Account confirmation' do
81
96
 
82
97
  context 'when using the admin model' do
83
98
  let(:admin) { create(:admin, confirmed_at: nil) }
84
- let(:redirect) { Faker::Internet.url }
99
+ let(:redirect) { 'https://google.com' }
85
100
  let(:query) do
86
101
  <<-GRAPHQL
87
102
  {
data/spec/requests/queries/introspection_query_spec.rb ADDED
@@ -0,0 +1,149 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'rails_helper'
4
+
5
+ RSpec.describe 'Login Requests' do
6
+ include_context 'with graphql query request'
7
+
8
+ let(:query) do
9
+ <<-GRAPHQL
10
+ query IntrospectionQuery {
11
+ __schema {
12
+ queryType { name }
13
+ mutationType { name }
14
+ subscriptionType { name }
15
+ types {
16
+ ...FullType
17
+ }
18
+ directives {
19
+ name
20
+ description
21
+ args {
22
+ ...InputValue
23
+ }
24
+ onOperation
25
+ onFragment
26
+ onField
27
+ }
28
+ }
29
+ }
30
+
31
+ fragment FullType on __Type {
32
+ kind
33
+ name
34
+ description
35
+ fields(includeDeprecated: true) {
36
+ name
37
+ description
38
+ args {
39
+ ...InputValue
40
+ }
41
+ type {
42
+ ...TypeRef
43
+ }
44
+ isDeprecated
45
+ deprecationReason
46
+ }
47
+ inputFields {
48
+ ...InputValue
49
+ }
50
+ interfaces {
51
+ ...TypeRef
52
+ }
53
+ enumValues(includeDeprecated: true) {
54
+ name
55
+ description
56
+ isDeprecated
57
+ deprecationReason
58
+ }
59
+ possibleTypes {
60
+ ...TypeRef
61
+ }
62
+ }
63
+
64
+ fragment InputValue on __InputValue {
65
+ name
66
+ description
67
+ type { ...TypeRef }
68
+ defaultValue
69
+ }
70
+
71
+ fragment TypeRef on __Type {
72
+ kind
73
+ name
74
+ ofType {
75
+ kind
76
+ name
77
+ ofType {
78
+ kind
79
+ name
80
+ ofType {
81
+ kind
82
+ name
83
+ }
84
+ }
85
+ }
86
+ }
87
+
88
+ GRAPHQL
89
+ end
90
+
91
+ context 'when using a schema plugin to mount devise operations' do
92
+ context 'when schema plugin is set to authenticate by default' do
93
+ context 'when the resource is authenticated' do
94
+ let(:user) { create(:user, :confirmed) }
95
+ let(:headers) { user.create_new_auth_token }
96
+
97
+ it 'return the schema information' do
98
+ post_request('/api/v1/graphql')
99
+
100
+ expect(json_response[:data][:__schema].keys).to contain_exactly(
101
+ :queryType, :mutationType, :subscriptionType, :types, :directives
102
+ )
103
+ end
104
+ end
105
+
106
+ context 'when the resource is *NOT* authenticated' do
107
+ context 'and instrospection is set to be public' do
108
+ it 'return the schema information' do
109
+ post_request('/api/v1/graphql')
110
+
111
+ expect(json_response[:data][:__schema].keys).to contain_exactly(
112
+ :queryType, :mutationType, :subscriptionType, :types, :directives
113
+ )
114
+ end
115
+ end
116
+
117
+ context 'and introspection is set to require auth' do
118
+ before do
119
+ allow_any_instance_of(GraphqlDevise::SchemaPlugin).to(
120
+ receive(:public_introspection).and_return(false)
121
+ )
122
+ end
123
+
124
+ it 'return an error' do
125
+ post_request('/api/v1/graphql')
126
+
127
+ expect(json_response[:data]).to be_nil
128
+ expect(json_response[:errors]).to contain_exactly(
129
+ hash_including(
130
+ message: '__schema field requires authentication',
131
+ extensions: { code: 'AUTHENTICATION_ERROR' }
132
+ )
133
+ )
134
+ end
135
+ end
136
+ end
137
+ end
138
+
139
+ context 'when schema plugin is set *NOT* to authenticate by default' do
140
+ it 'return the schema information' do
141
+ post_request('/api/v1/interpreter')
142
+
143
+ expect(json_response[:data][:__schema].keys).to contain_exactly(
144
+ :queryType, :mutationType, :subscriptionType, :types, :directives
145
+ )
146
+ end
147
+ end
148
+ end
149
+ end