RubyGems - graphql_devise - Versions diffs - 0.13.6 → 0.15.0 - Mend

graphql_devise 0.13.6 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

data/spec/dummy/db/schema.rb CHANGED Viewed

@@ -73,7 +73,6 @@ ActiveRecord::Schema.define(version: 2020_06_23_003142) do
     t.text "tokens"
     t.datetime "created_at", precision: 6, null: false
     t.datetime "updated_at", precision: 6, null: false
-    t.index "\"unlock_token\"", name: "index_schema_users_on_unlock_token", unique: true
     t.index ["confirmation_token"], name: "index_schema_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_schema_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_schema_users_on_reset_password_token", unique: true

data/spec/generators/graphql_devise/install_generator_spec.rb CHANGED Viewed

@@ -33,7 +33,7 @@ RSpec.describe GraphqlDevise::InstallGenerator, type: :generator do
       assert_file 'app/controllers/application_controller.rb', /^\s{2}include GraphqlDevise::Concerns::SetUserByToken/
-      assert_file 'app/graphql/gqld_dummy_schema.rb', /\s+#{Regexp.escape("GraphqlDevise::ResourceLoader.new('Admin')")}/
+      assert_file 'app/graphql/gqld_dummy_schema.rb', /\s+#{Regexp.escape("GraphqlDevise::ResourceLoader.new(Admin)")}/
     end
   end

data/spec/graphql/user_queries_spec.rb ADDED Viewed

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Users controller specs' do
+  include_context 'with graphql schema test'
+  let(:schema)          { DummySchema }
+  let(:user)            { create(:user, :confirmed) }
+  let(:field)           { 'privateField' }
+  let(:public_message)  { 'Field does not require authentication' }
+  let(:private_message) { 'Field will always require authentication' }
+  let(:private_error) do
+    {
+      message:    "#{field} field requires authentication",
+      extensions: { code: 'AUTHENTICATION_ERROR' }
+    }
+  end
+  describe 'publicField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          publicField
+        }
+      GRAPHQL
+    end
+    context 'when using a regular schema' do
+      it 'does not require authentication' do
+        expect(response[:data][:publicField]).to eq(public_message)
+      end
+    end
+  end
+  describe 'privateField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          privateField
+        }
+      GRAPHQL
+    end
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+        context 'when using a SchemaUser' do
+          let(:resource) { create(:schema_user, :confirmed) }
+          it 'allows to perform the query' do
+            expect(response[:data][:privateField]).to eq(private_message)
+          end
+        end
+      end
+    end
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+      end
+    end
+  end
+  describe 'user' do
+    let(:user_data) { { email: user.email, id: user.id } }
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          user(
+            id: #{user.id}
+          ) {
+            id
+            email
+          }
+        }
+      GRAPHQL
+    end
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+      context 'when user is not authenticated' do
+        # Interpreter schema fields are public unless specified otherwise (plugin setting)
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+  end
+end

data/spec/requests/graphql_controller_spec.rb CHANGED Viewed

@@ -6,20 +6,13 @@ RSpec.describe GraphqlDevise::GraphqlController do
   let(:password) { 'password123' }
   let(:user)     { create(:user, :confirmed, password: password) }
   let(:params)   { { query: query, variables: variables } }
-  let(:request_params) do
-    if Rails::VERSION::MAJOR >= 5
-      { params: params }
-    else
-      params
-    end
-  end
   context 'when variables are a string' do
     let(:variables) { "{\"email\": \"#{user.email}\"}" }
     let(:query)     { "mutation($email: String!) { userLogin(email: $email, password: \"#{password}\") { user { email name signInCount } } }" }
     it 'parses the string variables' do
-      post '/api/v1/graphql_auth', request_params
+      post_request('/api/v1/graphql_auth')
       expect(json_response).to match(
         data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
@@ -31,7 +24,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
       let(:query)     { "mutation { userLogin(email: \"#{user.email}\", password: \"#{password}\") { user { email name signInCount } } }" }
       it 'returns an empty hash as variables' do
-        post '/api/v1/graphql_auth', request_params
+        post_request('/api/v1/graphql_auth')
         expect(json_response).to match(
           data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
@@ -46,7 +39,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
     it 'raises an error' do
       expect do
-        post '/api/v1/graphql_auth', request_params
+        post_request('/api/v1/graphql_auth')
       end.to raise_error(ArgumentError)
     end
   end
@@ -62,7 +55,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
     end
     it 'executes multiple queries in the same request' do
-      post '/api/v1/graphql_auth', request_params
+      post_request('/api/v1/graphql_auth')
       expect(json_response).to match(
         [
@@ -79,4 +72,12 @@ RSpec.describe GraphqlDevise::GraphqlController do
       )
     end
   end
+  def post_request(path)
+    if Rails::VERSION::MAJOR >= 5
+      post(path, params: params)
+    else
+      post(path, params)
+    end
+  end
 end

data/spec/requests/mutations/send_password_reset_with_token_spec.rb ADDED Viewed

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Send Password Reset Requests' do
+  include_context 'with graphql query request'
+  let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:redirect_url) { 'https://google.com' }
+  let(:query) do
+    <<-GRAPHQL
+      mutation {
+        userSendPasswordResetWithToken(
+          email:       "#{email}",
+          redirectUrl: "#{redirect_url}"
+        ) {
+          message
+        }
+      }
+    GRAPHQL
+  end
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+  context 'when params are correct' do
+    context 'when using the gem schema' do
+      it 'sends password reset  email' do
+        expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+        expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+          message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+        )
+        email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        link  = email.css('a').first
+        expect(link['href']).to include(redirect_url + '?reset_password_token')
+      end
+    end
+  end
+  context 'when email address uses different casing' do
+    let(:email) { 'jWinnfield@wallaceinc.com' }
+    it 'honors devise configuration for case insensitive fields' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+        message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+      )
+    end
+  end
+  context 'when user email is not found' do
+    let(:email) { 'nothere@gmail.com' }
+    before { post_request }
+    it 'returns an error' do
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
+      )
+    end
+  end
+end

data/spec/requests/mutations/update_password_with_token_spec.rb ADDED Viewed

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Update Password With Token' do
+  include_context 'with graphql query request'
+  let(:password)              { '12345678' }
+  let(:password_confirmation) { password }
+  context 'when using the user model' do
+    let(:user) { create(:user, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          userUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { accessToken }
+          }
+        }
+      GRAPHQL
+    end
+    context 'when reset password token is valid' do
+      let(:token) { user.send(:set_reset_password_token) }
+      it 'updates the password' do
+        expect do
+          post_request
+          user.reload
+        end.to change(user, :encrypted_password)
+        expect(user).to be_valid_password(password)
+        expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to     be_nil
+        expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
+      end
+      context 'when token has expired' do
+        it 'returns an expired token error' do
+          travel_to 10.hours.ago do
+            token
+          end
+          post_request
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
+          )
+        end
+      end
+      context 'when password confirmation does not match' do
+        let(:password_confirmation) { 'does not match' }
+        it 'returns an error' do
+          post_request
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(
+              message:    'Unable to update user password',
+              extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
+            )
+          )
+        end
+      end
+    end
+    context 'when reset password token is not found' do
+      let(:token) { user.send(:set_reset_password_token) + 'invalid' }
+      it 'returns an error' do
+        post_request
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
+        )
+      end
+    end
+  end
+  context 'when using the admin model' do
+    let(:admin) { create(:admin, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          adminUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { uid }
+          }
+        }
+      GRAPHQL
+    end
+    context 'when reset password token is valid' do
+      let(:token) { admin.send(:set_reset_password_token) }
+      it 'updates the password' do
+        expect do
+          post_request
+          admin.reload
+        end.to change(admin, :encrypted_password)
+        expect(admin).to be_valid_password(password)
+        expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
+          credentials:     { uid: admin.email },
+          authenticatable: { email: admin.email }
+        )
+      end
+    end
+  end
+end

data/spec/requests/queries/check_password_token_spec.rb CHANGED Viewed

@@ -89,7 +89,7 @@ RSpec.describe 'Check Password Token Requests' do
     context 'when reset password token is not found' do
       let(:token) { user.send(:set_reset_password_token) + 'invalid' }
-      it 'redirects to redirect url' do
+      it 'returns an error message' do
         get_request
         expect(json_response[:errors]).to contain_exactly(

data/spec/requests/queries/introspection_query_spec.rb ADDED Viewed

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Login Requests' do
+  include_context 'with graphql query request'
+  let(:query) do
+    <<-GRAPHQL
+      query IntrospectionQuery {
+        __schema {
+          queryType { name }
+          mutationType { name }
+          subscriptionType { name }
+          types {
+            ...FullType
+          }
+          directives {
+            name
+            description
+            args {
+              ...InputValue
+            }
+            onOperation
+            onFragment
+            onField
+          }
+        }
+      }
+      fragment FullType on __Type {
+        kind
+        name
+        description
+        fields(includeDeprecated: true) {
+          name
+          description
+          args {
+            ...InputValue
+          }
+          type {
+            ...TypeRef
+          }
+          isDeprecated
+          deprecationReason
+        }
+        inputFields {
+          ...InputValue
+        }
+        interfaces {
+          ...TypeRef
+        }
+        enumValues(includeDeprecated: true) {
+          name
+          description
+          isDeprecated
+          deprecationReason
+        }
+        possibleTypes {
+          ...TypeRef
+        }
+      }
+      fragment InputValue on __InputValue {
+        name
+        description
+        type { ...TypeRef }
+        defaultValue
+      }
+      fragment TypeRef on __Type {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+            }
+          }
+        }
+      }
+    GRAPHQL
+  end
+  context 'when using a schema plugin to mount devise operations' do
+    context 'when schema plugin is set to authenticate by default' do
+      context 'when the resource is authenticated' do
+        let(:user) { create(:user, :confirmed) }
+        let(:headers) { user.create_new_auth_token }
+        it 'return the schema information' do
+          post_request('/api/v1/graphql')
+          expect(json_response[:data][:__schema].keys).to contain_exactly(
+            :queryType, :mutationType, :subscriptionType, :types, :directives
+          )
+        end
+      end
+      context 'when the resource is *NOT* authenticated' do
+        context 'and instrospection is set to be public' do
+          it 'return the schema information' do
+            post_request('/api/v1/graphql')
+            expect(json_response[:data][:__schema].keys).to contain_exactly(
+              :queryType, :mutationType, :subscriptionType, :types, :directives
+            )
+          end
+        end
+        context 'and introspection is set to require auth' do
+          before do
+            allow_any_instance_of(GraphqlDevise::SchemaPlugin).to(
+              receive(:public_introspection).and_return(false)
+            )
+          end
+          it 'return an error' do
+            post_request('/api/v1/graphql')
+            expect(json_response[:data]).to be_nil
+            expect(json_response[:errors]).to contain_exactly(
+              hash_including(
+                message:    '__schema field requires authentication',
+                extensions: { code: 'AUTHENTICATION_ERROR' }
+              )
+            )
+          end
+        end
+      end
+    end
+    context 'when schema plugin is set *NOT* to authenticate by default' do
+      it 'return the schema information' do
+        post_request('/api/v1/interpreter')
+        expect(json_response[:data][:__schema].keys).to contain_exactly(
+          :queryType, :mutationType, :subscriptionType, :types, :directives
+        )
+      end
+    end
+  end
+end