graphql_devise 0.13.5 → 0.14.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. checksums.yaml +4 -4
  2. data/.circleci/config.yml +118 -0
  3. data/Appraisals +39 -5
  4. data/CHANGELOG.md +57 -6
  5. data/README.md +27 -7
  6. data/Rakefile +2 -1
  7. data/app/controllers/graphql_devise/graphql_controller.rb +1 -1
  8. data/app/views/graphql_devise/mailer/reset_password_instructions.html.erb +7 -1
  9. data/config/locales/en.yml +2 -1
  10. data/docs/usage/reset_password_flow.md +90 -0
  11. data/graphql_devise.gemspec +2 -2
  12. data/lib/graphql_devise/concerns/controller_methods.rb +6 -0
  13. data/lib/graphql_devise/default_operations/mutations.rb +10 -6
  14. data/lib/graphql_devise/mutations/resend_confirmation.rb +2 -0
  15. data/lib/graphql_devise/mutations/send_password_reset.rb +2 -0
  16. data/lib/graphql_devise/mutations/send_password_reset_with_token.rb +37 -0
  17. data/lib/graphql_devise/mutations/sign_up.rb +1 -3
  18. data/lib/graphql_devise/mutations/update_password_with_token.rb +38 -0
  19. data/lib/graphql_devise/resolvers/check_password_token.rb +1 -0
  20. data/lib/graphql_devise/resolvers/confirm_account.rb +2 -0
  21. data/lib/graphql_devise/schema_plugin.rb +22 -11
  22. data/lib/graphql_devise/version.rb +1 -1
  23. data/spec/dummy/app/controllers/api/v1/graphql_controller.rb +2 -2
  24. data/spec/dummy/app/graphql/dummy_schema.rb +4 -3
  25. data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb +13 -0
  26. data/spec/dummy/config/initializers/devise_token_auth.rb +2 -0
  27. data/spec/dummy/config/routes.rb +2 -1
  28. data/spec/dummy/db/migrate/20200623003142_create_schema_users.rb +0 -1
  29. data/spec/dummy/db/schema.rb +0 -1
  30. data/spec/graphql/user_queries_spec.rb +118 -0
  31. data/spec/requests/graphql_controller_spec.rb +12 -11
  32. data/spec/requests/mutations/additional_mutations_spec.rb +0 -1
  33. data/spec/requests/mutations/resend_confirmation_spec.rb +16 -1
  34. data/spec/requests/mutations/send_password_reset_spec.rb +16 -1
  35. data/spec/requests/mutations/send_password_reset_with_token_spec.rb +78 -0
  36. data/spec/requests/mutations/sign_up_spec.rb +19 -1
  37. data/spec/requests/mutations/update_password_with_token_spec.rb +119 -0
  38. data/spec/requests/queries/check_password_token_spec.rb +16 -1
  39. data/spec/requests/queries/confirm_account_spec.rb +17 -2
  40. data/spec/requests/queries/introspection_query_spec.rb +149 -0
  41. data/spec/requests/user_controller_spec.rb +9 -9
  42. data/spec/support/contexts/graphql_request.rb +12 -4
  43. data/spec/support/contexts/schema_test.rb +14 -0
  44. metadata +26 -11
  45. data/.travis.yml +0 -79
@@ -0,0 +1,118 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'rails_helper'
4
+
5
+ RSpec.describe 'Users controller specs' do
6
+ include_context 'with graphql schema test'
7
+
8
+ let(:schema) { DummySchema }
9
+ let(:user) { create(:user, :confirmed) }
10
+ let(:field) { 'privateField' }
11
+ let(:public_message) { 'Field does not require authentication' }
12
+ let(:private_message) { 'Field will always require authentication' }
13
+ let(:private_error) do
14
+ {
15
+ message: "#{field} field requires authentication",
16
+ extensions: { code: 'AUTHENTICATION_ERROR' }
17
+ }
18
+ end
19
+
20
+ describe 'publicField' do
21
+ let(:query) do
22
+ <<-GRAPHQL
23
+ query {
24
+ publicField
25
+ }
26
+ GRAPHQL
27
+ end
28
+
29
+ context 'when using a regular schema' do
30
+ it 'does not require authentication' do
31
+ expect(response[:data][:publicField]).to eq(public_message)
32
+ end
33
+ end
34
+ end
35
+
36
+ describe 'privateField' do
37
+ let(:query) do
38
+ <<-GRAPHQL
39
+ query {
40
+ privateField
41
+ }
42
+ GRAPHQL
43
+ end
44
+
45
+ context 'when using a regular schema' do
46
+ context 'when user is authenticated' do
47
+ let(:resource) { user }
48
+
49
+ it 'allows to perform the query' do
50
+ expect(response[:data][:privateField]).to eq(private_message)
51
+ end
52
+
53
+ context 'when using a SchemaUser' do
54
+ let(:resource) { create(:schema_user, :confirmed) }
55
+
56
+ it 'allows to perform the query' do
57
+ expect(response[:data][:privateField]).to eq(private_message)
58
+ end
59
+ end
60
+ end
61
+ end
62
+
63
+ context 'when using an interpreter schema' do
64
+ let(:schema) { InterpreterSchema }
65
+
66
+ context 'when user is authenticated' do
67
+ let(:resource) { user }
68
+
69
+ it 'allows to perform the query' do
70
+ expect(response[:data][:privateField]).to eq(private_message)
71
+ end
72
+ end
73
+ end
74
+ end
75
+
76
+ describe 'user' do
77
+ let(:user_data) { { email: user.email, id: user.id } }
78
+ let(:query) do
79
+ <<-GRAPHQL
80
+ query {
81
+ user(id: #{user.id}) {
82
+ id
83
+ email
84
+ }
85
+ }
86
+ GRAPHQL
87
+ end
88
+
89
+ context 'when using a regular schema' do
90
+ context 'when user is authenticated' do
91
+ let(:resource) { user }
92
+
93
+ it 'allows to perform the query' do
94
+ expect(response[:data][:user]).to match(**user_data)
95
+ end
96
+ end
97
+ end
98
+
99
+ context 'when using an interpreter schema' do
100
+ let(:schema) { InterpreterSchema }
101
+
102
+ context 'when user is authenticated' do
103
+ let(:resource) { user }
104
+
105
+ it 'allows to perform the query' do
106
+ expect(response[:data][:user]).to match(**user_data)
107
+ end
108
+ end
109
+
110
+ context 'when user is not authenticated' do
111
+ # Interpreter schema fields are public unless specified otherwise (plugin setting)
112
+ it 'allows to perform the query' do
113
+ expect(response[:data][:user]).to match(**user_data)
114
+ end
115
+ end
116
+ end
117
+ end
118
+ end
@@ -6,20 +6,13 @@ RSpec.describe GraphqlDevise::GraphqlController do
6
6
  let(:password) { 'password123' }
7
7
  let(:user) { create(:user, :confirmed, password: password) }
8
8
  let(:params) { { query: query, variables: variables } }
9
- let(:request_params) do
10
- if Rails::VERSION::MAJOR >= 5
11
- { params: params }
12
- else
13
- params
14
- end
15
- end
16
9
 
17
10
  context 'when variables are a string' do
18
11
  let(:variables) { "{\"email\": \"#{user.email}\"}" }
19
12
  let(:query) { "mutation($email: String!) { userLogin(email: $email, password: \"#{password}\") { user { email name signInCount } } }" }
20
13
 
21
14
  it 'parses the string variables' do
22
- post '/api/v1/graphql_auth', request_params
15
+ post_request('/api/v1/graphql_auth')
23
16
 
24
17
  expect(json_response).to match(
25
18
  data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
@@ -31,7 +24,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
31
24
  let(:query) { "mutation { userLogin(email: \"#{user.email}\", password: \"#{password}\") { user { email name signInCount } } }" }
32
25
 
33
26
  it 'returns an empty hash as variables' do
34
- post '/api/v1/graphql_auth', request_params
27
+ post_request('/api/v1/graphql_auth')
35
28
 
36
29
  expect(json_response).to match(
37
30
  data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
@@ -46,7 +39,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
46
39
 
47
40
  it 'raises an error' do
48
41
  expect do
49
- post '/api/v1/graphql_auth', request_params
42
+ post_request('/api/v1/graphql_auth')
50
43
  end.to raise_error(ArgumentError)
51
44
  end
52
45
  end
@@ -62,7 +55,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
62
55
  end
63
56
 
64
57
  it 'executes multiple queries in the same request' do
65
- post '/api/v1/graphql_auth', request_params
58
+ post_request('/api/v1/graphql_auth')
66
59
 
67
60
  expect(json_response).to match(
68
61
  [
@@ -79,4 +72,12 @@ RSpec.describe GraphqlDevise::GraphqlController do
79
72
  )
80
73
  end
81
74
  end
75
+
76
+ def post_request(path)
77
+ if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.0.0') || Rails::VERSION::MAJOR >= 5
78
+ post(path, params: params)
79
+ else
80
+ post(path, params)
81
+ end
82
+ end
82
83
  end
@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
9
9
  let(:password) { Faker::Internet.password }
10
10
  let(:password_confirmation) { password }
11
11
  let(:email) { Faker::Internet.email }
12
- let(:redirect) { Faker::Internet.url }
13
12
 
14
13
  context 'when using the user model' do
15
14
  let(:query) do
@@ -9,7 +9,7 @@ RSpec.describe 'Resend confirmation' do
9
9
  let!(:user) { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
10
10
  let(:email) { user.email }
11
11
  let(:id) { user.id }
12
- let(:redirect) { Faker::Internet.url }
12
+ let(:redirect) { 'https://google.com' }
13
13
  let(:query) do
14
14
  <<-GRAPHQL
15
15
  mutation {
@@ -23,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
23
23
  GRAPHQL
24
24
  end
25
25
 
26
+ context 'when redirect_url is not whitelisted' do
27
+ let(:redirect) { 'https://not-safe.com' }
28
+
29
+ it 'returns a not whitelisted redirect url error' do
30
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
31
+
32
+ expect(json_response[:errors]).to containing_exactly(
33
+ hash_including(
34
+ message: "Redirect to '#{redirect}' not allowed.",
35
+ extensions: { code: 'USER_ERROR' }
36
+ )
37
+ )
38
+ end
39
+ end
40
+
26
41
  context 'when params are correct' do
27
42
  context 'when using the gem schema' do
28
43
  it 'sends an email to the user with confirmation url and returns a success message' do
@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
7
7
 
8
8
  let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
9
9
  let(:email) { user.email }
10
- let(:redirect_url) { Faker::Internet.url }
10
+ let(:redirect_url) { 'https://google.com' }
11
11
  let(:query) do
12
12
  <<-GRAPHQL
13
13
  mutation {
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
21
21
  GRAPHQL
22
22
  end
23
23
 
24
+ context 'when redirect_url is not whitelisted' do
25
+ let(:redirect_url) { 'https://not-safe.com' }
26
+
27
+ it 'returns a not whitelisted redirect url error' do
28
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
29
+
30
+ expect(json_response[:errors]).to containing_exactly(
31
+ hash_including(
32
+ message: "Redirect to '#{redirect_url}' not allowed.",
33
+ extensions: { code: 'USER_ERROR' }
34
+ )
35
+ )
36
+ end
37
+ end
38
+
24
39
  context 'when params are correct' do
25
40
  context 'when using the gem schema' do
26
41
  it 'sends password reset email' do
@@ -0,0 +1,78 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'rails_helper'
4
+
5
+ RSpec.describe 'Send Password Reset Requests' do
6
+ include_context 'with graphql query request'
7
+
8
+ let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
9
+ let(:email) { user.email }
10
+ let(:redirect_url) { 'https://google.com' }
11
+ let(:query) do
12
+ <<-GRAPHQL
13
+ mutation {
14
+ userSendPasswordResetWithToken(
15
+ email: "#{email}",
16
+ redirectUrl: "#{redirect_url}"
17
+ ) {
18
+ message
19
+ }
20
+ }
21
+ GRAPHQL
22
+ end
23
+
24
+ context 'when redirect_url is not whitelisted' do
25
+ let(:redirect_url) { 'https://not-safe.com' }
26
+
27
+ it 'returns a not whitelisted redirect url error' do
28
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
29
+
30
+ expect(json_response[:errors]).to containing_exactly(
31
+ hash_including(
32
+ message: "Redirect to '#{redirect_url}' not allowed.",
33
+ extensions: { code: 'USER_ERROR' }
34
+ )
35
+ )
36
+ end
37
+ end
38
+
39
+ context 'when params are correct' do
40
+ context 'when using the gem schema' do
41
+ it 'sends password reset email' do
42
+ expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
43
+
44
+ expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
45
+ message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
46
+ )
47
+
48
+ email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
49
+ link = email.css('a').first
50
+
51
+ expect(link['href']).to include(redirect_url + '?reset_password_token')
52
+ end
53
+ end
54
+ end
55
+
56
+ context 'when email address uses different casing' do
57
+ let(:email) { 'jWinnfield@wallaceinc.com' }
58
+
59
+ it 'honors devise configuration for case insensitive fields' do
60
+ expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
61
+ expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
62
+ message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
63
+ )
64
+ end
65
+ end
66
+
67
+ context 'when user email is not found' do
68
+ let(:email) { 'nothere@gmail.com' }
69
+
70
+ before { post_request }
71
+
72
+ it 'returns an error' do
73
+ expect(json_response[:errors]).to contain_exactly(
74
+ hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
75
+ )
76
+ end
77
+ end
78
+ end
@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
8
8
  let(:name) { Faker::Name.name }
9
9
  let(:password) { Faker::Internet.password }
10
10
  let(:email) { Faker::Internet.email }
11
- let(:redirect) { Faker::Internet.url }
11
+ let(:redirect) { 'https://google.com' }
12
12
 
13
13
  context 'when using the user model' do
14
14
  let(:query) do
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
31
31
  GRAPHQL
32
32
  end
33
33
 
34
+ context 'when redirect_url is not whitelisted' do
35
+ let(:redirect) { 'https://not-safe.com' }
36
+
37
+ it 'returns a not whitelisted redirect url error' do
38
+ expect { post_request }.to(
39
+ not_change(User, :count)
40
+ .and(not_change(ActionMailer::Base.deliveries, :count))
41
+ )
42
+
43
+ expect(json_response[:errors]).to containing_exactly(
44
+ hash_including(
45
+ message: "Redirect to '#{redirect}' not allowed.",
46
+ extensions: { code: 'USER_ERROR' }
47
+ )
48
+ )
49
+ end
50
+ end
51
+
34
52
  context 'when params are correct' do
35
53
  it 'creates a new resource that requires confirmation' do
36
54
  expect { post_request }.to(
@@ -0,0 +1,119 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'rails_helper'
4
+
5
+ RSpec.describe 'Update Password With Token' do
6
+ include_context 'with graphql query request'
7
+
8
+ let(:password) { '12345678' }
9
+ let(:password_confirmation) { password }
10
+
11
+ context 'when using the user model' do
12
+ let(:user) { create(:user, :confirmed) }
13
+ let(:query) do
14
+ <<-GRAPHQL
15
+ mutation {
16
+ userUpdatePasswordWithToken(
17
+ resetPasswordToken: "#{token}",
18
+ password: "#{password}",
19
+ passwordConfirmation: "#{password_confirmation}"
20
+ ) {
21
+ authenticatable { email }
22
+ credentials { accessToken }
23
+ }
24
+ }
25
+ GRAPHQL
26
+ end
27
+
28
+ context 'when reset password token is valid' do
29
+ let(:token) { user.send(:set_reset_password_token) }
30
+
31
+ it 'updates the password' do
32
+ expect do
33
+ post_request
34
+ user.reload
35
+ end.to change(user, :encrypted_password)
36
+
37
+ expect(user).to be_valid_password(password)
38
+ expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to be_nil
39
+ expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
40
+ end
41
+
42
+ context 'when token has expired' do
43
+ it 'returns an expired token error' do
44
+ travel_to 10.hours.ago do
45
+ token
46
+ end
47
+
48
+ post_request
49
+
50
+ expect(json_response[:errors]).to contain_exactly(
51
+ hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
52
+ )
53
+ end
54
+ end
55
+
56
+ context 'when password confirmation does not match' do
57
+ let(:password_confirmation) { 'does not match' }
58
+
59
+ it 'returns an error' do
60
+ post_request
61
+
62
+ expect(json_response[:errors]).to contain_exactly(
63
+ hash_including(
64
+ message: 'Unable to update user password',
65
+ extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
66
+ )
67
+ )
68
+ end
69
+ end
70
+ end
71
+
72
+ context 'when reset password token is not found' do
73
+ let(:token) { user.send(:set_reset_password_token) + 'invalid' }
74
+
75
+ it 'returns an error' do
76
+ post_request
77
+
78
+ expect(json_response[:errors]).to contain_exactly(
79
+ hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
80
+ )
81
+ end
82
+ end
83
+ end
84
+
85
+ context 'when using the admin model' do
86
+ let(:admin) { create(:admin, :confirmed) }
87
+ let(:query) do
88
+ <<-GRAPHQL
89
+ mutation {
90
+ adminUpdatePasswordWithToken(
91
+ resetPasswordToken: "#{token}",
92
+ password: "#{password}",
93
+ passwordConfirmation: "#{password_confirmation}"
94
+ ) {
95
+ authenticatable { email }
96
+ credentials { uid }
97
+ }
98
+ }
99
+ GRAPHQL
100
+ end
101
+
102
+ context 'when reset password token is valid' do
103
+ let(:token) { admin.send(:set_reset_password_token) }
104
+
105
+ it 'updates the password' do
106
+ expect do
107
+ post_request
108
+ admin.reload
109
+ end.to change(admin, :encrypted_password)
110
+
111
+ expect(admin).to be_valid_password(password)
112
+ expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
113
+ credentials: { uid: admin.email },
114
+ authenticatable: { email: admin.email }
115
+ )
116
+ end
117
+ end
118
+ end
119
+ end