graphql_devise 0.13.5 → 0.14.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.circleci/config.yml +118 -0
- data/Appraisals +39 -5
- data/CHANGELOG.md +57 -6
- data/README.md +27 -7
- data/Rakefile +2 -1
- data/app/controllers/graphql_devise/graphql_controller.rb +1 -1
- data/app/views/graphql_devise/mailer/reset_password_instructions.html.erb +7 -1
- data/config/locales/en.yml +2 -1
- data/docs/usage/reset_password_flow.md +90 -0
- data/graphql_devise.gemspec +2 -2
- data/lib/graphql_devise/concerns/controller_methods.rb +6 -0
- data/lib/graphql_devise/default_operations/mutations.rb +10 -6
- data/lib/graphql_devise/mutations/resend_confirmation.rb +2 -0
- data/lib/graphql_devise/mutations/send_password_reset.rb +2 -0
- data/lib/graphql_devise/mutations/send_password_reset_with_token.rb +37 -0
- data/lib/graphql_devise/mutations/sign_up.rb +1 -3
- data/lib/graphql_devise/mutations/update_password_with_token.rb +38 -0
- data/lib/graphql_devise/resolvers/check_password_token.rb +1 -0
- data/lib/graphql_devise/resolvers/confirm_account.rb +2 -0
- data/lib/graphql_devise/schema_plugin.rb +22 -11
- data/lib/graphql_devise/version.rb +1 -1
- data/spec/dummy/app/controllers/api/v1/graphql_controller.rb +2 -2
- data/spec/dummy/app/graphql/dummy_schema.rb +4 -3
- data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb +13 -0
- data/spec/dummy/config/initializers/devise_token_auth.rb +2 -0
- data/spec/dummy/config/routes.rb +2 -1
- data/spec/dummy/db/migrate/20200623003142_create_schema_users.rb +0 -1
- data/spec/dummy/db/schema.rb +0 -1
- data/spec/graphql/user_queries_spec.rb +118 -0
- data/spec/requests/graphql_controller_spec.rb +12 -11
- data/spec/requests/mutations/additional_mutations_spec.rb +0 -1
- data/spec/requests/mutations/resend_confirmation_spec.rb +16 -1
- data/spec/requests/mutations/send_password_reset_spec.rb +16 -1
- data/spec/requests/mutations/send_password_reset_with_token_spec.rb +78 -0
- data/spec/requests/mutations/sign_up_spec.rb +19 -1
- data/spec/requests/mutations/update_password_with_token_spec.rb +119 -0
- data/spec/requests/queries/check_password_token_spec.rb +16 -1
- data/spec/requests/queries/confirm_account_spec.rb +17 -2
- data/spec/requests/queries/introspection_query_spec.rb +149 -0
- data/spec/requests/user_controller_spec.rb +9 -9
- data/spec/support/contexts/graphql_request.rb +12 -4
- data/spec/support/contexts/schema_test.rb +14 -0
- metadata +26 -11
- data/.travis.yml +0 -79
@@ -0,0 +1,118 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails_helper'
|
4
|
+
|
5
|
+
RSpec.describe 'Users controller specs' do
|
6
|
+
include_context 'with graphql schema test'
|
7
|
+
|
8
|
+
let(:schema) { DummySchema }
|
9
|
+
let(:user) { create(:user, :confirmed) }
|
10
|
+
let(:field) { 'privateField' }
|
11
|
+
let(:public_message) { 'Field does not require authentication' }
|
12
|
+
let(:private_message) { 'Field will always require authentication' }
|
13
|
+
let(:private_error) do
|
14
|
+
{
|
15
|
+
message: "#{field} field requires authentication",
|
16
|
+
extensions: { code: 'AUTHENTICATION_ERROR' }
|
17
|
+
}
|
18
|
+
end
|
19
|
+
|
20
|
+
describe 'publicField' do
|
21
|
+
let(:query) do
|
22
|
+
<<-GRAPHQL
|
23
|
+
query {
|
24
|
+
publicField
|
25
|
+
}
|
26
|
+
GRAPHQL
|
27
|
+
end
|
28
|
+
|
29
|
+
context 'when using a regular schema' do
|
30
|
+
it 'does not require authentication' do
|
31
|
+
expect(response[:data][:publicField]).to eq(public_message)
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
describe 'privateField' do
|
37
|
+
let(:query) do
|
38
|
+
<<-GRAPHQL
|
39
|
+
query {
|
40
|
+
privateField
|
41
|
+
}
|
42
|
+
GRAPHQL
|
43
|
+
end
|
44
|
+
|
45
|
+
context 'when using a regular schema' do
|
46
|
+
context 'when user is authenticated' do
|
47
|
+
let(:resource) { user }
|
48
|
+
|
49
|
+
it 'allows to perform the query' do
|
50
|
+
expect(response[:data][:privateField]).to eq(private_message)
|
51
|
+
end
|
52
|
+
|
53
|
+
context 'when using a SchemaUser' do
|
54
|
+
let(:resource) { create(:schema_user, :confirmed) }
|
55
|
+
|
56
|
+
it 'allows to perform the query' do
|
57
|
+
expect(response[:data][:privateField]).to eq(private_message)
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
62
|
+
|
63
|
+
context 'when using an interpreter schema' do
|
64
|
+
let(:schema) { InterpreterSchema }
|
65
|
+
|
66
|
+
context 'when user is authenticated' do
|
67
|
+
let(:resource) { user }
|
68
|
+
|
69
|
+
it 'allows to perform the query' do
|
70
|
+
expect(response[:data][:privateField]).to eq(private_message)
|
71
|
+
end
|
72
|
+
end
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
describe 'user' do
|
77
|
+
let(:user_data) { { email: user.email, id: user.id } }
|
78
|
+
let(:query) do
|
79
|
+
<<-GRAPHQL
|
80
|
+
query {
|
81
|
+
user(id: #{user.id}) {
|
82
|
+
id
|
83
|
+
email
|
84
|
+
}
|
85
|
+
}
|
86
|
+
GRAPHQL
|
87
|
+
end
|
88
|
+
|
89
|
+
context 'when using a regular schema' do
|
90
|
+
context 'when user is authenticated' do
|
91
|
+
let(:resource) { user }
|
92
|
+
|
93
|
+
it 'allows to perform the query' do
|
94
|
+
expect(response[:data][:user]).to match(**user_data)
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
98
|
+
|
99
|
+
context 'when using an interpreter schema' do
|
100
|
+
let(:schema) { InterpreterSchema }
|
101
|
+
|
102
|
+
context 'when user is authenticated' do
|
103
|
+
let(:resource) { user }
|
104
|
+
|
105
|
+
it 'allows to perform the query' do
|
106
|
+
expect(response[:data][:user]).to match(**user_data)
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
110
|
+
context 'when user is not authenticated' do
|
111
|
+
# Interpreter schema fields are public unless specified otherwise (plugin setting)
|
112
|
+
it 'allows to perform the query' do
|
113
|
+
expect(response[:data][:user]).to match(**user_data)
|
114
|
+
end
|
115
|
+
end
|
116
|
+
end
|
117
|
+
end
|
118
|
+
end
|
@@ -6,20 +6,13 @@ RSpec.describe GraphqlDevise::GraphqlController do
|
|
6
6
|
let(:password) { 'password123' }
|
7
7
|
let(:user) { create(:user, :confirmed, password: password) }
|
8
8
|
let(:params) { { query: query, variables: variables } }
|
9
|
-
let(:request_params) do
|
10
|
-
if Rails::VERSION::MAJOR >= 5
|
11
|
-
{ params: params }
|
12
|
-
else
|
13
|
-
params
|
14
|
-
end
|
15
|
-
end
|
16
9
|
|
17
10
|
context 'when variables are a string' do
|
18
11
|
let(:variables) { "{\"email\": \"#{user.email}\"}" }
|
19
12
|
let(:query) { "mutation($email: String!) { userLogin(email: $email, password: \"#{password}\") { user { email name signInCount } } }" }
|
20
13
|
|
21
14
|
it 'parses the string variables' do
|
22
|
-
|
15
|
+
post_request('/api/v1/graphql_auth')
|
23
16
|
|
24
17
|
expect(json_response).to match(
|
25
18
|
data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
|
@@ -31,7 +24,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
|
|
31
24
|
let(:query) { "mutation { userLogin(email: \"#{user.email}\", password: \"#{password}\") { user { email name signInCount } } }" }
|
32
25
|
|
33
26
|
it 'returns an empty hash as variables' do
|
34
|
-
|
27
|
+
post_request('/api/v1/graphql_auth')
|
35
28
|
|
36
29
|
expect(json_response).to match(
|
37
30
|
data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
|
@@ -46,7 +39,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
|
|
46
39
|
|
47
40
|
it 'raises an error' do
|
48
41
|
expect do
|
49
|
-
|
42
|
+
post_request('/api/v1/graphql_auth')
|
50
43
|
end.to raise_error(ArgumentError)
|
51
44
|
end
|
52
45
|
end
|
@@ -62,7 +55,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
|
|
62
55
|
end
|
63
56
|
|
64
57
|
it 'executes multiple queries in the same request' do
|
65
|
-
|
58
|
+
post_request('/api/v1/graphql_auth')
|
66
59
|
|
67
60
|
expect(json_response).to match(
|
68
61
|
[
|
@@ -79,4 +72,12 @@ RSpec.describe GraphqlDevise::GraphqlController do
|
|
79
72
|
)
|
80
73
|
end
|
81
74
|
end
|
75
|
+
|
76
|
+
def post_request(path)
|
77
|
+
if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.0.0') || Rails::VERSION::MAJOR >= 5
|
78
|
+
post(path, params: params)
|
79
|
+
else
|
80
|
+
post(path, params)
|
81
|
+
end
|
82
|
+
end
|
82
83
|
end
|
@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
|
|
9
9
|
let(:password) { Faker::Internet.password }
|
10
10
|
let(:password_confirmation) { password }
|
11
11
|
let(:email) { Faker::Internet.email }
|
12
|
-
let(:redirect) { Faker::Internet.url }
|
13
12
|
|
14
13
|
context 'when using the user model' do
|
15
14
|
let(:query) do
|
@@ -9,7 +9,7 @@ RSpec.describe 'Resend confirmation' do
|
|
9
9
|
let!(:user) { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
|
10
10
|
let(:email) { user.email }
|
11
11
|
let(:id) { user.id }
|
12
|
-
let(:redirect) {
|
12
|
+
let(:redirect) { 'https://google.com' }
|
13
13
|
let(:query) do
|
14
14
|
<<-GRAPHQL
|
15
15
|
mutation {
|
@@ -23,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
|
|
23
23
|
GRAPHQL
|
24
24
|
end
|
25
25
|
|
26
|
+
context 'when redirect_url is not whitelisted' do
|
27
|
+
let(:redirect) { 'https://not-safe.com' }
|
28
|
+
|
29
|
+
it 'returns a not whitelisted redirect url error' do
|
30
|
+
expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
|
31
|
+
|
32
|
+
expect(json_response[:errors]).to containing_exactly(
|
33
|
+
hash_including(
|
34
|
+
message: "Redirect to '#{redirect}' not allowed.",
|
35
|
+
extensions: { code: 'USER_ERROR' }
|
36
|
+
)
|
37
|
+
)
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
26
41
|
context 'when params are correct' do
|
27
42
|
context 'when using the gem schema' do
|
28
43
|
it 'sends an email to the user with confirmation url and returns a success message' do
|
@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
|
|
7
7
|
|
8
8
|
let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
|
9
9
|
let(:email) { user.email }
|
10
|
-
let(:redirect_url) {
|
10
|
+
let(:redirect_url) { 'https://google.com' }
|
11
11
|
let(:query) do
|
12
12
|
<<-GRAPHQL
|
13
13
|
mutation {
|
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
|
|
21
21
|
GRAPHQL
|
22
22
|
end
|
23
23
|
|
24
|
+
context 'when redirect_url is not whitelisted' do
|
25
|
+
let(:redirect_url) { 'https://not-safe.com' }
|
26
|
+
|
27
|
+
it 'returns a not whitelisted redirect url error' do
|
28
|
+
expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
|
29
|
+
|
30
|
+
expect(json_response[:errors]).to containing_exactly(
|
31
|
+
hash_including(
|
32
|
+
message: "Redirect to '#{redirect_url}' not allowed.",
|
33
|
+
extensions: { code: 'USER_ERROR' }
|
34
|
+
)
|
35
|
+
)
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
24
39
|
context 'when params are correct' do
|
25
40
|
context 'when using the gem schema' do
|
26
41
|
it 'sends password reset email' do
|
@@ -0,0 +1,78 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails_helper'
|
4
|
+
|
5
|
+
RSpec.describe 'Send Password Reset Requests' do
|
6
|
+
include_context 'with graphql query request'
|
7
|
+
|
8
|
+
let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
|
9
|
+
let(:email) { user.email }
|
10
|
+
let(:redirect_url) { 'https://google.com' }
|
11
|
+
let(:query) do
|
12
|
+
<<-GRAPHQL
|
13
|
+
mutation {
|
14
|
+
userSendPasswordResetWithToken(
|
15
|
+
email: "#{email}",
|
16
|
+
redirectUrl: "#{redirect_url}"
|
17
|
+
) {
|
18
|
+
message
|
19
|
+
}
|
20
|
+
}
|
21
|
+
GRAPHQL
|
22
|
+
end
|
23
|
+
|
24
|
+
context 'when redirect_url is not whitelisted' do
|
25
|
+
let(:redirect_url) { 'https://not-safe.com' }
|
26
|
+
|
27
|
+
it 'returns a not whitelisted redirect url error' do
|
28
|
+
expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
|
29
|
+
|
30
|
+
expect(json_response[:errors]).to containing_exactly(
|
31
|
+
hash_including(
|
32
|
+
message: "Redirect to '#{redirect_url}' not allowed.",
|
33
|
+
extensions: { code: 'USER_ERROR' }
|
34
|
+
)
|
35
|
+
)
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
context 'when params are correct' do
|
40
|
+
context 'when using the gem schema' do
|
41
|
+
it 'sends password reset email' do
|
42
|
+
expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
|
43
|
+
|
44
|
+
expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
|
45
|
+
message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
|
46
|
+
)
|
47
|
+
|
48
|
+
email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
|
49
|
+
link = email.css('a').first
|
50
|
+
|
51
|
+
expect(link['href']).to include(redirect_url + '?reset_password_token')
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
context 'when email address uses different casing' do
|
57
|
+
let(:email) { 'jWinnfield@wallaceinc.com' }
|
58
|
+
|
59
|
+
it 'honors devise configuration for case insensitive fields' do
|
60
|
+
expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
|
61
|
+
expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
|
62
|
+
message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
|
63
|
+
)
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
context 'when user email is not found' do
|
68
|
+
let(:email) { 'nothere@gmail.com' }
|
69
|
+
|
70
|
+
before { post_request }
|
71
|
+
|
72
|
+
it 'returns an error' do
|
73
|
+
expect(json_response[:errors]).to contain_exactly(
|
74
|
+
hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
|
75
|
+
)
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
|
|
8
8
|
let(:name) { Faker::Name.name }
|
9
9
|
let(:password) { Faker::Internet.password }
|
10
10
|
let(:email) { Faker::Internet.email }
|
11
|
-
let(:redirect) {
|
11
|
+
let(:redirect) { 'https://google.com' }
|
12
12
|
|
13
13
|
context 'when using the user model' do
|
14
14
|
let(:query) do
|
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
|
|
31
31
|
GRAPHQL
|
32
32
|
end
|
33
33
|
|
34
|
+
context 'when redirect_url is not whitelisted' do
|
35
|
+
let(:redirect) { 'https://not-safe.com' }
|
36
|
+
|
37
|
+
it 'returns a not whitelisted redirect url error' do
|
38
|
+
expect { post_request }.to(
|
39
|
+
not_change(User, :count)
|
40
|
+
.and(not_change(ActionMailer::Base.deliveries, :count))
|
41
|
+
)
|
42
|
+
|
43
|
+
expect(json_response[:errors]).to containing_exactly(
|
44
|
+
hash_including(
|
45
|
+
message: "Redirect to '#{redirect}' not allowed.",
|
46
|
+
extensions: { code: 'USER_ERROR' }
|
47
|
+
)
|
48
|
+
)
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
34
52
|
context 'when params are correct' do
|
35
53
|
it 'creates a new resource that requires confirmation' do
|
36
54
|
expect { post_request }.to(
|
@@ -0,0 +1,119 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rails_helper'
|
4
|
+
|
5
|
+
RSpec.describe 'Update Password With Token' do
|
6
|
+
include_context 'with graphql query request'
|
7
|
+
|
8
|
+
let(:password) { '12345678' }
|
9
|
+
let(:password_confirmation) { password }
|
10
|
+
|
11
|
+
context 'when using the user model' do
|
12
|
+
let(:user) { create(:user, :confirmed) }
|
13
|
+
let(:query) do
|
14
|
+
<<-GRAPHQL
|
15
|
+
mutation {
|
16
|
+
userUpdatePasswordWithToken(
|
17
|
+
resetPasswordToken: "#{token}",
|
18
|
+
password: "#{password}",
|
19
|
+
passwordConfirmation: "#{password_confirmation}"
|
20
|
+
) {
|
21
|
+
authenticatable { email }
|
22
|
+
credentials { accessToken }
|
23
|
+
}
|
24
|
+
}
|
25
|
+
GRAPHQL
|
26
|
+
end
|
27
|
+
|
28
|
+
context 'when reset password token is valid' do
|
29
|
+
let(:token) { user.send(:set_reset_password_token) }
|
30
|
+
|
31
|
+
it 'updates the password' do
|
32
|
+
expect do
|
33
|
+
post_request
|
34
|
+
user.reload
|
35
|
+
end.to change(user, :encrypted_password)
|
36
|
+
|
37
|
+
expect(user).to be_valid_password(password)
|
38
|
+
expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to be_nil
|
39
|
+
expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
|
40
|
+
end
|
41
|
+
|
42
|
+
context 'when token has expired' do
|
43
|
+
it 'returns an expired token error' do
|
44
|
+
travel_to 10.hours.ago do
|
45
|
+
token
|
46
|
+
end
|
47
|
+
|
48
|
+
post_request
|
49
|
+
|
50
|
+
expect(json_response[:errors]).to contain_exactly(
|
51
|
+
hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
|
52
|
+
)
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
context 'when password confirmation does not match' do
|
57
|
+
let(:password_confirmation) { 'does not match' }
|
58
|
+
|
59
|
+
it 'returns an error' do
|
60
|
+
post_request
|
61
|
+
|
62
|
+
expect(json_response[:errors]).to contain_exactly(
|
63
|
+
hash_including(
|
64
|
+
message: 'Unable to update user password',
|
65
|
+
extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
|
66
|
+
)
|
67
|
+
)
|
68
|
+
end
|
69
|
+
end
|
70
|
+
end
|
71
|
+
|
72
|
+
context 'when reset password token is not found' do
|
73
|
+
let(:token) { user.send(:set_reset_password_token) + 'invalid' }
|
74
|
+
|
75
|
+
it 'returns an error' do
|
76
|
+
post_request
|
77
|
+
|
78
|
+
expect(json_response[:errors]).to contain_exactly(
|
79
|
+
hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
|
80
|
+
)
|
81
|
+
end
|
82
|
+
end
|
83
|
+
end
|
84
|
+
|
85
|
+
context 'when using the admin model' do
|
86
|
+
let(:admin) { create(:admin, :confirmed) }
|
87
|
+
let(:query) do
|
88
|
+
<<-GRAPHQL
|
89
|
+
mutation {
|
90
|
+
adminUpdatePasswordWithToken(
|
91
|
+
resetPasswordToken: "#{token}",
|
92
|
+
password: "#{password}",
|
93
|
+
passwordConfirmation: "#{password_confirmation}"
|
94
|
+
) {
|
95
|
+
authenticatable { email }
|
96
|
+
credentials { uid }
|
97
|
+
}
|
98
|
+
}
|
99
|
+
GRAPHQL
|
100
|
+
end
|
101
|
+
|
102
|
+
context 'when reset password token is valid' do
|
103
|
+
let(:token) { admin.send(:set_reset_password_token) }
|
104
|
+
|
105
|
+
it 'updates the password' do
|
106
|
+
expect do
|
107
|
+
post_request
|
108
|
+
admin.reload
|
109
|
+
end.to change(admin, :encrypted_password)
|
110
|
+
|
111
|
+
expect(admin).to be_valid_password(password)
|
112
|
+
expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
|
113
|
+
credentials: { uid: admin.email },
|
114
|
+
authenticatable: { email: admin.email }
|
115
|
+
)
|
116
|
+
end
|
117
|
+
end
|
118
|
+
end
|
119
|
+
end
|