graphql_devise 0.13.4 → 0.14.2

data/spec/requests/mutations/additional_mutations_spec.rb

@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
   let(:password)              { Faker::Internet.password }
   let(:password_confirmation) { password }
   let(:email)                 { Faker::Internet.email }
-  let(:redirect)              { Faker::Internet.url }
 
   context 'when using the user model' do
     let(:query) do

data/spec/requests/mutations/resend_confirmation_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe 'Resend confirmation' do
   let!(:user)        { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
   let(:email)        { user.email }
   let(:id)           { user.id }
-  let(:redirect)     { Faker::Internet.url }
+  let(:redirect)     { 'https://google.com' }
   let(:query) do
     <<-GRAPHQL
       mutation {
@@ -23,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
     GRAPHQL
   end
 
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
   context 'when params are correct' do
     context 'when using the gem schema' do
       it 'sends an email to the user with confirmation url and returns a success message' do

data/spec/requests/mutations/send_password_reset_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
 
   let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
   let(:email)        { user.email }
-  let(:redirect_url) { Faker::Internet.url }
+  let(:redirect_url) { 'https://google.com' }
   let(:query) do
     <<-GRAPHQL
       mutation {
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
     GRAPHQL
   end
 
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
   context 'when params are correct' do
     context 'when using the gem schema' do
       it 'sends password reset  email' do

data/spec/requests/mutations/send_password_reset_with_token_spec.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Send Password Reset Requests' do
+  include_context 'with graphql query request'
+
+  let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:redirect_url) { 'https://google.com' }
+  let(:query) do
+    <<-GRAPHQL
+      mutation {
+        userSendPasswordResetWithToken(
+          email:       "#{email}",
+          redirectUrl: "#{redirect_url}"
+        ) {
+          message
+        }
+      }
+    GRAPHQL
+  end
+
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
+  context 'when params are correct' do
+    context 'when using the gem schema' do
+      it 'sends password reset  email' do
+        expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+
+        expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+          message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+        )
+
+        email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        link  = email.css('a').first
+
+        expect(link['href']).to include(redirect_url + '?reset_password_token')
+      end
+    end
+  end
+
+  context 'when email address uses different casing' do
+    let(:email) { 'jWinnfield@wallaceinc.com' }
+
+    it 'honors devise configuration for case insensitive fields' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+        message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+      )
+    end
+  end
+
+  context 'when user email is not found' do
+    let(:email) { 'nothere@gmail.com' }
+
+    before { post_request }
+
+    it 'returns an error' do
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
+      )
+    end
+  end
+end

data/spec/requests/mutations/sign_up_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
   let(:name)     { Faker::Name.name }
   let(:password) { Faker::Internet.password }
   let(:email)    { Faker::Internet.email }
-  let(:redirect) { Faker::Internet.url }
+  let(:redirect) { 'https://google.com' }
 
   context 'when using the user model' do
     let(:query) do
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
       GRAPHQL
     end
 
+    context 'when redirect_url is not whitelisted' do
+      let(:redirect) { 'https://not-safe.com' }
+
+      it 'returns a not whitelisted redirect url error' do
+        expect { post_request }.to(
+          not_change(User, :count)
+          .and(not_change(ActionMailer::Base.deliveries, :count))
+        )
+
+        expect(json_response[:errors]).to containing_exactly(
+          hash_including(
+            message:    "Redirect to '#{redirect}' not allowed.",
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
+    end
+
     context 'when params are correct' do
       it 'creates a new resource that requires confirmation' do
         expect { post_request }.to(

data/spec/requests/mutations/update_password_with_token_spec.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Update Password With Token' do
+  include_context 'with graphql query request'
+
+  let(:password)              { '12345678' }
+  let(:password_confirmation) { password }
+
+  context 'when using the user model' do
+    let(:user) { create(:user, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          userUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { accessToken }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when reset password token is valid' do
+      let(:token) { user.send(:set_reset_password_token) }
+
+      it 'updates the password' do
+        expect do
+          post_request
+          user.reload
+        end.to change(user, :encrypted_password)
+
+        expect(user).to be_valid_password(password)
+        expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to     be_nil
+        expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
+      end
+
+      context 'when token has expired' do
+        it 'returns an expired token error' do
+          travel_to 10.hours.ago do
+            token
+          end
+
+          post_request
+
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
+          )
+        end
+      end
+
+      context 'when password confirmation does not match' do
+        let(:password_confirmation) { 'does not match' }
+
+        it 'returns an error' do
+          post_request
+
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(
+              message:    'Unable to update user password',
+              extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
+            )
+          )
+        end
+      end
+    end
+
+    context 'when reset password token is not found' do
+      let(:token) { user.send(:set_reset_password_token) + 'invalid' }
+
+      it 'returns an error' do
+        post_request
+
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
+        )
+      end
+    end
+  end
+
+  context 'when using the admin model' do
+    let(:admin) { create(:admin, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          adminUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { uid }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when reset password token is valid' do
+      let(:token) { admin.send(:set_reset_password_token) }
+
+      it 'updates the password' do
+        expect do
+          post_request
+          admin.reload
+        end.to change(admin, :encrypted_password)
+
+        expect(admin).to be_valid_password(password)
+        expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
+          credentials:     { uid: admin.email },
+          authenticatable: { email: admin.email }
+        )
+      end
+    end
+  end
+end

data/spec/requests/queries/check_password_token_spec.rb

@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
           expect(response.body).to include('uid=')
           expect(response.body).to include('expiry=')
         end
+
+        context 'when redirect_url is not whitelisted' do
+          let(:redirect_url) { 'https://not-safe.com' }
+
+          before { post_request }
+
+          it 'returns a not whitelisted redirect url error' do
+            expect(json_response[:errors]).to containing_exactly(
+              hash_including(
+                message:    "Redirect to '#{redirect_url}' not allowed.",
+                extensions: { code: 'USER_ERROR' }
+              )
+            )
+          end
+        end
       end
 
       context 'when token has expired' do
@@ -74,7 +89,7 @@ RSpec.describe 'Check Password Token Requests' do
     context 'when reset password token is not found' do
       let(:token) { user.send(:set_reset_password_token) + 'invalid' }
 
-      it 'redirects to redirect url' do
+      it 'returns an error message' do
         get_request
 
         expect(json_response[:errors]).to contain_exactly(

data/spec/requests/queries/confirm_account_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe 'Account confirmation' do
 
   context 'when using the user model' do
     let(:user)     { create(:user, confirmed_at: nil) }
-    let(:redirect) { Faker::Internet.url }
+    let(:redirect) { 'https://google.com' }
     let(:query) do
       <<-GRAPHQL
         {
@@ -43,6 +43,21 @@ RSpec.describe 'Account confirmation' do
         expect(user).to be_active_for_authentication
       end
 
+      context 'when redirect_url is not whitelisted' do
+        let(:redirect) { 'https://not-safe.com' }
+
+        it 'returns a not whitelisted redirect url error' do
+          expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+          expect(json_response[:errors]).to containing_exactly(
+            hash_including(
+              message:    "Redirect to '#{redirect}' not allowed.",
+              extensions: { code: 'USER_ERROR' }
+            )
+          )
+        end
+      end
+
       context 'when unconfirmed_email is present' do
         let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
 
@@ -81,7 +96,7 @@ RSpec.describe 'Account confirmation' do
 
   context 'when using the admin model' do
     let(:admin)    { create(:admin, confirmed_at: nil) }
-    let(:redirect) { Faker::Internet.url }
+    let(:redirect) { 'https://google.com' }
     let(:query) do
       <<-GRAPHQL
         {

data/spec/requests/queries/introspection_query_spec.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Login Requests' do
+  include_context 'with graphql query request'
+
+  let(:query) do
+    <<-GRAPHQL
+      query IntrospectionQuery {
+        __schema {
+          queryType { name }
+          mutationType { name }
+          subscriptionType { name }
+          types {
+            ...FullType
+          }
+          directives {
+            name
+            description
+            args {
+              ...InputValue
+            }
+            onOperation
+            onFragment
+            onField
+          }
+        }
+      }
+
+      fragment FullType on __Type {
+        kind
+        name
+        description
+        fields(includeDeprecated: true) {
+          name
+          description
+          args {
+            ...InputValue
+          }
+          type {
+            ...TypeRef
+          }
+          isDeprecated
+          deprecationReason
+        }
+        inputFields {
+          ...InputValue
+        }
+        interfaces {
+          ...TypeRef
+        }
+        enumValues(includeDeprecated: true) {
+          name
+          description
+          isDeprecated
+          deprecationReason
+        }
+        possibleTypes {
+          ...TypeRef
+        }
+      }
+
+      fragment InputValue on __InputValue {
+        name
+        description
+        type { ...TypeRef }
+        defaultValue
+      }
+
+      fragment TypeRef on __Type {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+            }
+          }
+        }
+      }
+
+    GRAPHQL
+  end
+
+  context 'when using a schema plugin to mount devise operations' do
+    context 'when schema plugin is set to authenticate by default' do
+      context 'when the resource is authenticated' do
+        let(:user) { create(:user, :confirmed) }
+        let(:headers) { user.create_new_auth_token }
+
+        it 'return the schema information' do
+          post_request('/api/v1/graphql')
+
+          expect(json_response[:data][:__schema].keys).to contain_exactly(
+            :queryType, :mutationType, :subscriptionType, :types, :directives
+          )
+        end
+      end
+
+      context 'when the resource is *NOT* authenticated' do
+        context 'and instrospection is set to be public' do
+          it 'return the schema information' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data][:__schema].keys).to contain_exactly(
+              :queryType, :mutationType, :subscriptionType, :types, :directives
+            )
+          end
+        end
+
+        context 'and introspection is set to require auth' do
+          before do
+            allow_any_instance_of(GraphqlDevise::SchemaPlugin).to(
+              receive(:public_introspection).and_return(false)
+            )
+          end
+
+          it 'return an error' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data]).to be_nil
+            expect(json_response[:errors]).to contain_exactly(
+              hash_including(
+                message:    '__schema field requires authentication',
+                extensions: { code: 'AUTHENTICATION_ERROR' }
+              )
+            )
+          end
+        end
+      end
+    end
+
+    context 'when schema plugin is set *NOT* to authenticate by default' do
+      it 'return the schema information' do
+        post_request('/api/v1/interpreter')
+
+        expect(json_response[:data][:__schema].keys).to contain_exactly(
+          :queryType, :mutationType, :subscriptionType, :types, :directives
+        )
+      end
+    end
+  end
+end