graphql_devise 0.13.5 → 0.14.3

data/spec/requests/queries/check_password_token_spec.rb

@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
           expect(response.body).to include('uid=')
           expect(response.body).to include('expiry=')
         end
+
+        context 'when redirect_url is not whitelisted' do
+          let(:redirect_url) { 'https://not-safe.com' }
+
+          before { post_request }
+
+          it 'returns a not whitelisted redirect url error' do
+            expect(json_response[:errors]).to containing_exactly(
+              hash_including(
+                message:    "Redirect to '#{redirect_url}' not allowed.",
+                extensions: { code: 'USER_ERROR' }
+              )
+            )
+          end
+        end
       end
 
       context 'when token has expired' do
@@ -74,7 +89,7 @@ RSpec.describe 'Check Password Token Requests' do
     context 'when reset password token is not found' do
       let(:token) { user.send(:set_reset_password_token) + 'invalid' }
 
-      it 'redirects to redirect url' do
+      it 'returns an error message' do
         get_request
 
         expect(json_response[:errors]).to contain_exactly(

data/spec/requests/queries/confirm_account_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe 'Account confirmation' do
 
   context 'when using the user model' do
     let(:user)     { create(:user, confirmed_at: nil) }
-    let(:redirect) { Faker::Internet.url }
+    let(:redirect) { 'https://google.com' }
     let(:query) do
       <<-GRAPHQL
         {
@@ -43,6 +43,21 @@ RSpec.describe 'Account confirmation' do
         expect(user).to be_active_for_authentication
       end
 
+      context 'when redirect_url is not whitelisted' do
+        let(:redirect) { 'https://not-safe.com' }
+
+        it 'returns a not whitelisted redirect url error' do
+          expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+          expect(json_response[:errors]).to containing_exactly(
+            hash_including(
+              message:    "Redirect to '#{redirect}' not allowed.",
+              extensions: { code: 'USER_ERROR' }
+            )
+          )
+        end
+      end
+
       context 'when unconfirmed_email is present' do
         let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
 
@@ -81,7 +96,7 @@ RSpec.describe 'Account confirmation' do
 
   context 'when using the admin model' do
     let(:admin)    { create(:admin, confirmed_at: nil) }
-    let(:redirect) { Faker::Internet.url }
+    let(:redirect) { 'https://google.com' }
     let(:query) do
       <<-GRAPHQL
         {

data/spec/requests/queries/introspection_query_spec.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Login Requests' do
+  include_context 'with graphql query request'
+
+  let(:query) do
+    <<-GRAPHQL
+      query IntrospectionQuery {
+        __schema {
+          queryType { name }
+          mutationType { name }
+          subscriptionType { name }
+          types {
+            ...FullType
+          }
+          directives {
+            name
+            description
+            args {
+              ...InputValue
+            }
+            onOperation
+            onFragment
+            onField
+          }
+        }
+      }
+
+      fragment FullType on __Type {
+        kind
+        name
+        description
+        fields(includeDeprecated: true) {
+          name
+          description
+          args {
+            ...InputValue
+          }
+          type {
+            ...TypeRef
+          }
+          isDeprecated
+          deprecationReason
+        }
+        inputFields {
+          ...InputValue
+        }
+        interfaces {
+          ...TypeRef
+        }
+        enumValues(includeDeprecated: true) {
+          name
+          description
+          isDeprecated
+          deprecationReason
+        }
+        possibleTypes {
+          ...TypeRef
+        }
+      }
+
+      fragment InputValue on __InputValue {
+        name
+        description
+        type { ...TypeRef }
+        defaultValue
+      }
+
+      fragment TypeRef on __Type {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+            }
+          }
+        }
+      }
+
+    GRAPHQL
+  end
+
+  context 'when using a schema plugin to mount devise operations' do
+    context 'when schema plugin is set to authenticate by default' do
+      context 'when the resource is authenticated' do
+        let(:user) { create(:user, :confirmed) }
+        let(:headers) { user.create_new_auth_token }
+
+        it 'return the schema information' do
+          post_request('/api/v1/graphql')
+
+          expect(json_response[:data][:__schema].keys).to contain_exactly(
+            :queryType, :mutationType, :subscriptionType, :types, :directives
+          )
+        end
+      end
+
+      context 'when the resource is *NOT* authenticated' do
+        context 'and instrospection is set to be public' do
+          it 'return the schema information' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data][:__schema].keys).to contain_exactly(
+              :queryType, :mutationType, :subscriptionType, :types, :directives
+            )
+          end
+        end
+
+        context 'and introspection is set to require auth' do
+          before do
+            allow_any_instance_of(GraphqlDevise::SchemaPlugin).to(
+              receive(:public_introspection).and_return(false)
+            )
+          end
+
+          it 'return an error' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data]).to be_nil
+            expect(json_response[:errors]).to contain_exactly(
+              hash_including(
+                message:    '__schema field requires authentication',
+                extensions: { code: 'AUTHENTICATION_ERROR' }
+              )
+            )
+          end
+        end
+      end
+    end
+
+    context 'when schema plugin is set *NOT* to authenticate by default' do
+      it 'return the schema information' do
+        post_request('/api/v1/interpreter')
+
+        expect(json_response[:data][:__schema].keys).to contain_exactly(
+          :queryType, :mutationType, :subscriptionType, :types, :directives
+        )
+      end
+    end
+  end
+end

data/spec/requests/user_controller_spec.rb

@@ -31,15 +31,6 @@ RSpec.describe "Integrations with the user's controller" do
         expect(json_response[:data][:publicField]).to eq('Field does not require authentication')
       end
     end
-
-    context 'when using the failing route' do
-      it 'raises an invalid resource_name error' do
-        expect { post_request('/api/v1/failing') }.to raise_error(
-          GraphqlDevise::Error,
-          'Invalid resource_name `fail` provided to `graphql_context`. Possible values are: [:user, :admin, :guest, :users_customer, :schema_user].'
-        )
-      end
-    end
   end
 
   describe 'privateField' do
@@ -77,6 +68,15 @@ RSpec.describe "Integrations with the user's controller" do
           )
         end
       end
+
+      context 'when using the failing route' do
+        it 'raises an invalid resource_name error' do
+          expect { post_request('/api/v1/failing') }.to raise_error(
+            GraphqlDevise::Error,
+            'Invalid resource_name `fail` provided to `graphql_context`. Possible values are: [:user, :admin, :guest, :users_customer, :schema_user].'
+          )
+        end
+      end
     end
 
     context 'when using an interpreter schema' do

data/spec/support/contexts/graphql_request.rb

@@ -4,18 +4,26 @@ RSpec.shared_context 'with graphql query request' do
   let(:headers)   { {} }
   let(:variables) { {} }
   let(:graphql_params) do
-    if Rails::VERSION::MAJOR >= 5
-      [{ params: { query: query, variables: variables }, headers: headers }]
+    if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.0.0') || Rails::VERSION::MAJOR >= 5
+      { params: { query: query, variables: variables }, headers: headers }
     else
       [{ query: query, variables: variables }, headers]
     end
   end
 
   def post_request(path = '/api/v1/graphql_auth')
-    post path, *graphql_params
+    send_request(path, :post)
   end
 
   def get_request(path = '/api/v1/graphql_auth')
-    get path, *graphql_params
+    send_request(path, :get)
+  end
+
+  def send_request(path, method)
+    if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.0.0') || Rails::VERSION::MAJOR >= 5
+      public_send(method, path, **graphql_params)
+    else
+      public_send(method, path, *graphql_params)
+    end
   end
 end

data/spec/support/contexts/schema_test.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+RSpec.shared_context 'with graphql schema test' do
+  let(:variables)      { {} }
+  let(:resource_names) { [:user] }
+  let(:resource)       { nil }
+  let(:controller)     { instance_double(GraphqlDevise::GraphqlController) }
+  let(:context) do
+    { current_resource: resource, controller: controller, resource_name: resource_names }
+  end
+  let(:response) do
+    schema.execute(query, context: context, variables: variables).deep_symbolize_keys
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: graphql_devise
 version: !ruby/object:Gem::Version
-  version: 0.13.5
+  version: 0.14.3
 platform: ruby
 authors:
 - Mario Celi
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-11-20 00:00:00.000000000 Z
+date: 2021-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise_token_auth
@@ -40,7 +40,7 @@ dependencies:
         version: '1.8'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.12.0
+        version: 1.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -50,7 +50,7 @@ dependencies:
         version: '1.8'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.12.0
+        version: 1.13.0
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -86,19 +86,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: coveralls-ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.2'
 - !ruby/object:Gem::Dependency
   name: factory_bot
   requirement: !ruby/object:Gem::Requirement
@@ -275,13 +275,13 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".github/ISSUE_TEMPLATE/bug_report.md"
 - ".github/ISSUE_TEMPLATE/enhancement.md"
 - ".github/ISSUE_TEMPLATE/question.md"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - Appraisals
 - CHANGELOG.md
 - Gemfile
@@ -302,6 +302,7 @@ files:
 - bin/setup
 - config/locales/en.yml
 - config/routes.rb
+- docs/usage/reset_password_flow.md
 - graphql_devise.gemspec
 - lib/generators/graphql_devise/install_generator.rb
 - lib/graphql_devise.rb
@@ -338,8 +339,10 @@ files:
 - lib/graphql_devise/mutations/logout.rb
 - lib/graphql_devise/mutations/resend_confirmation.rb
 - lib/graphql_devise/mutations/send_password_reset.rb
+- lib/graphql_devise/mutations/send_password_reset_with_token.rb
 - lib/graphql_devise/mutations/sign_up.rb
 - lib/graphql_devise/mutations/update_password.rb
+- lib/graphql_devise/mutations/update_password_with_token.rb
 - lib/graphql_devise/rails/routes.rb
 - lib/graphql_devise/resolvers/base.rb
 - lib/graphql_devise/resolvers/check_password_token.rb
@@ -362,6 +365,7 @@ files:
 - spec/dummy/app/graphql/interpreter_schema.rb
 - spec/dummy/app/graphql/mutations/login.rb
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
+- spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
 - spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
@@ -428,6 +432,7 @@ files:
 - spec/factories/users.rb
 - spec/factories/users_customers.rb
 - spec/generators/graphql_devise/install_generator_spec.rb
+- spec/graphql/user_queries_spec.rb
 - spec/graphql_devise/model/with_email_updater_spec.rb
 - spec/graphql_devise_spec.rb
 - spec/models/user_spec.rb
@@ -439,10 +444,13 @@ files:
 - spec/requests/mutations/logout_spec.rb
 - spec/requests/mutations/resend_confirmation_spec.rb
 - spec/requests/mutations/send_password_reset_spec.rb
+- spec/requests/mutations/send_password_reset_with_token_spec.rb
 - spec/requests/mutations/sign_up_spec.rb
 - spec/requests/mutations/update_password_spec.rb
+- spec/requests/mutations/update_password_with_token_spec.rb
 - spec/requests/queries/check_password_token_spec.rb
 - spec/requests/queries/confirm_account_spec.rb
+- spec/requests/queries/introspection_query_spec.rb
 - spec/requests/user_controller_spec.rb
 - spec/services/mount_method/operation_preparer_spec.rb
 - spec/services/mount_method/operation_preparers/custom_operation_preparer_spec.rb
@@ -465,6 +473,7 @@ files:
 - spec/services/schema_plugin_spec.rb
 - spec/spec_helper.rb
 - spec/support/contexts/graphql_request.rb
+- spec/support/contexts/schema_test.rb
 - spec/support/factory_bot.rb
 - spec/support/matchers/auth_headers_matcher.rb
 - spec/support/matchers/not_change_matcher.rb
@@ -491,7 +500,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: GraphQL queries and mutations on top of devise_token_auth
@@ -505,6 +514,7 @@ test_files:
 - spec/dummy/app/graphql/interpreter_schema.rb
 - spec/dummy/app/graphql/mutations/login.rb
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
+- spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
 - spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
@@ -571,6 +581,7 @@ test_files:
 - spec/factories/users.rb
 - spec/factories/users_customers.rb
 - spec/generators/graphql_devise/install_generator_spec.rb
+- spec/graphql/user_queries_spec.rb
 - spec/graphql_devise/model/with_email_updater_spec.rb
 - spec/graphql_devise_spec.rb
 - spec/models/user_spec.rb
@@ -582,10 +593,13 @@ test_files:
 - spec/requests/mutations/logout_spec.rb
 - spec/requests/mutations/resend_confirmation_spec.rb
 - spec/requests/mutations/send_password_reset_spec.rb
+- spec/requests/mutations/send_password_reset_with_token_spec.rb
 - spec/requests/mutations/sign_up_spec.rb
 - spec/requests/mutations/update_password_spec.rb
+- spec/requests/mutations/update_password_with_token_spec.rb
 - spec/requests/queries/check_password_token_spec.rb
 - spec/requests/queries/confirm_account_spec.rb
+- spec/requests/queries/introspection_query_spec.rb
 - spec/requests/user_controller_spec.rb
 - spec/services/mount_method/operation_preparer_spec.rb
 - spec/services/mount_method/operation_preparers/custom_operation_preparer_spec.rb
@@ -608,6 +622,7 @@ test_files:
 - spec/services/schema_plugin_spec.rb
 - spec/spec_helper.rb
 - spec/support/contexts/graphql_request.rb
+- spec/support/contexts/schema_test.rb
 - spec/support/factory_bot.rb
 - spec/support/matchers/auth_headers_matcher.rb
 - spec/support/matchers/not_change_matcher.rb