RubyGems - graphql_devise - Versions diffs - 0.13.6 → 0.15.0 - Mend

graphql_devise 0.13.6 → 0.15.0

Files changed (53) hide show

data/spec/dummy/db/schema.rb CHANGED Viewed

@@ -73,7 +73,6 @@ ActiveRecord::Schema.define(version: 2020_06_23_003142) do
     t.text "tokens"
     t.datetime "created_at", precision: 6, null: false
     t.datetime "updated_at", precision: 6, null: false
-    t.index "\"unlock_token\"", name: "index_schema_users_on_unlock_token", unique: true
     t.index ["confirmation_token"], name: "index_schema_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_schema_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_schema_users_on_reset_password_token", unique: true

data/spec/generators/graphql_devise/install_generator_spec.rb CHANGED Viewed

@@ -33,7 +33,7 @@ RSpec.describe GraphqlDevise::InstallGenerator, type: :generator do
       assert_file 'app/controllers/application_controller.rb', /^\s{2}include GraphqlDevise::Concerns::SetUserByToken/
-      assert_file 'app/graphql/gqld_dummy_schema.rb', /\s+#{Regexp.escape("GraphqlDevise::ResourceLoader.new('Admin')")}/
+      assert_file 'app/graphql/gqld_dummy_schema.rb', /\s+#{Regexp.escape("GraphqlDevise::ResourceLoader.new(Admin)")}/
     end
   end

data/spec/graphql/user_queries_spec.rb ADDED Viewed

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Users controller specs' do
+  include_context 'with graphql schema test'
+  let(:schema)          { DummySchema }
+  let(:user)            { create(:user, :confirmed) }
+  let(:field)           { 'privateField' }
+  let(:public_message)  { 'Field does not require authentication' }
+  let(:private_message) { 'Field will always require authentication' }
+  let(:private_error) do
+    {
+      message:    "#{field} field requires authentication",
+      extensions: { code: 'AUTHENTICATION_ERROR' }
+    }
+  end
+  describe 'publicField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          publicField
+        }
+      GRAPHQL
+    end
+    context 'when using a regular schema' do
+      it 'does not require authentication' do
+        expect(response[:data][:publicField]).to eq(public_message)
+      end
+    end
+  end
+  describe 'privateField' do
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          privateField
+        }
+      GRAPHQL
+    end
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+        context 'when using a SchemaUser' do
+          let(:resource) { create(:schema_user, :confirmed) }
+          it 'allows to perform the query' do
+            expect(response[:data][:privateField]).to eq(private_message)
+          end
+        end
+      end
+    end
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:privateField]).to eq(private_message)
+        end
+      end
+    end
+  end
+  describe 'user' do
+    let(:user_data) { { email: user.email, id: user.id } }
+    let(:query) do
+      <<-GRAPHQL
+        query {
+          user(
+            id: #{user.id}
+          ) {
+            id
+            email
+          }
+        }
+      GRAPHQL
+    end
+    context 'when using a regular schema' do
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+    context 'when using an interpreter schema' do
+      let(:schema) { InterpreterSchema }
+      context 'when user is authenticated' do
+        let(:resource) { user }
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+      context 'when user is not authenticated' do
+        # Interpreter schema fields are public unless specified otherwise (plugin setting)
+        it 'allows to perform the query' do
+          expect(response[:data][:user]).to match(**user_data)
+        end
+      end
+    end
+  end
+end

data/spec/requests/graphql_controller_spec.rb CHANGED Viewed

@@ -6,20 +6,13 @@ RSpec.describe GraphqlDevise::GraphqlController do
   let(:password) { 'password123' }
   let(:user)     { create(:user, :confirmed, password: password) }
   let(:params)   { { query: query, variables: variables } }
-  let(:request_params) do
-    if Rails::VERSION::MAJOR >= 5
-      { params: params }
-    else
-      params
-    end
-  end
   context 'when variables are a string' do
     let(:variables) { "{\"email\": \"#{user.email}\"}" }
     let(:query)     { "mutation($email: String!) { userLogin(email: $email, password: \"#{password}\") { user { email name signInCount } } }" }
     it 'parses the string variables' do
-      post '/api/v1/graphql_auth', request_params
+      post_request('/api/v1/graphql_auth')
       expect(json_response).to match(
         data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
@@ -31,7 +24,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
       let(:query)     { "mutation { userLogin(email: \"#{user.email}\", password: \"#{password}\") { user { email name signInCount } } }" }
       it 'returns an empty hash as variables' do
-        post '/api/v1/graphql_auth', request_params
+        post_request('/api/v1/graphql_auth')
         expect(json_response).to match(
           data: { userLogin: { user: { email: user.email, name: user.name, signInCount: 1 } } }
@@ -46,7 +39,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
     it 'raises an error' do
       expect do
-        post '/api/v1/graphql_auth', request_params
+        post_request('/api/v1/graphql_auth')
       end.to raise_error(ArgumentError)
     end
   end
@@ -62,7 +55,7 @@ RSpec.describe GraphqlDevise::GraphqlController do
     end
     it 'executes multiple queries in the same request' do
-      post '/api/v1/graphql_auth', request_params
+      post_request('/api/v1/graphql_auth')
       expect(json_response).to match(
         [
@@ -79,4 +72,12 @@ RSpec.describe GraphqlDevise::GraphqlController do
       )
     end
   end
+  def post_request(path)
+    if Rails::VERSION::MAJOR >= 5
+      post(path, params: params)
+    else
+      post(path, params)
+    end
+  end
 end

data/spec/requests/mutations/send_password_reset_with_token_spec.rb ADDED Viewed

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Send Password Reset Requests' do
+  include_context 'with graphql query request'
+  let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:redirect_url) { 'https://google.com' }
+  let(:query) do
+    <<-GRAPHQL
+      mutation {
+        userSendPasswordResetWithToken(
+          email:       "#{email}",
+          redirectUrl: "#{redirect_url}"
+        ) {
+          message
+        }
+      }
+    GRAPHQL
+  end
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+  context 'when params are correct' do
+    context 'when using the gem schema' do
+      it 'sends password reset  email' do
+        expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+        expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+          message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+        )
+        email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        link  = email.css('a').first
+        expect(link['href']).to include(redirect_url + '?reset_password_token')
+      end
+    end
+  end
+  context 'when email address uses different casing' do
+    let(:email) { 'jWinnfield@wallaceinc.com' }
+    it 'honors devise configuration for case insensitive fields' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+        message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+      )
+    end
+  end
+  context 'when user email is not found' do
+    let(:email) { 'nothere@gmail.com' }
+    before { post_request }
+    it 'returns an error' do
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
+      )
+    end
+  end
+end

data/spec/requests/mutations/update_password_with_token_spec.rb ADDED Viewed

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Update Password With Token' do
+  include_context 'with graphql query request'
+  let(:password)              { '12345678' }
+  let(:password_confirmation) { password }
+  context 'when using the user model' do
+    let(:user) { create(:user, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          userUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { accessToken }
+          }
+        }
+      GRAPHQL
+    end
+    context 'when reset password token is valid' do
+      let(:token) { user.send(:set_reset_password_token) }
+      it 'updates the password' do
+        expect do
+          post_request
+          user.reload
+        end.to change(user, :encrypted_password)
+        expect(user).to be_valid_password(password)
+        expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to     be_nil
+        expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
+      end
+      context 'when token has expired' do
+        it 'returns an expired token error' do
+          travel_to 10.hours.ago do
+            token
+          end
+          post_request
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
+          )
+        end
+      end
+      context 'when password confirmation does not match' do
+        let(:password_confirmation) { 'does not match' }
+        it 'returns an error' do
+          post_request
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(
+              message:    'Unable to update user password',
+              extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
+            )
+          )
+        end
+      end
+    end
+    context 'when reset password token is not found' do
+      let(:token) { user.send(:set_reset_password_token) + 'invalid' }
+      it 'returns an error' do
+        post_request
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
+        )
+      end
+    end
+  end
+  context 'when using the admin model' do
+    let(:admin) { create(:admin, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          adminUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { uid }
+          }
+        }
+      GRAPHQL
+    end
+    context 'when reset password token is valid' do
+      let(:token) { admin.send(:set_reset_password_token) }
+      it 'updates the password' do
+        expect do
+          post_request
+          admin.reload
+        end.to change(admin, :encrypted_password)
+        expect(admin).to be_valid_password(password)
+        expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
+          credentials:     { uid: admin.email },
+          authenticatable: { email: admin.email }
+        )
+      end
+    end
+  end
+end

data/spec/requests/queries/check_password_token_spec.rb CHANGED Viewed

@@ -89,7 +89,7 @@ RSpec.describe 'Check Password Token Requests' do
     context 'when reset password token is not found' do
       let(:token) { user.send(:set_reset_password_token) + 'invalid' }
-      it 'redirects to redirect url' do
+      it 'returns an error message' do
         get_request
         expect(json_response[:errors]).to contain_exactly(

data/spec/requests/queries/introspection_query_spec.rb ADDED Viewed

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Login Requests' do
+  include_context 'with graphql query request'
+  let(:query) do
+    <<-GRAPHQL
+      query IntrospectionQuery {
+        __schema {
+          queryType { name }
+          mutationType { name }
+          subscriptionType { name }
+          types {
+            ...FullType
+          }
+          directives {
+            name
+            description
+            args {
+              ...InputValue
+            }
+            onOperation
+            onFragment
+            onField
+          }
+        }
+      }
+      fragment FullType on __Type {
+        kind
+        name
+        description
+        fields(includeDeprecated: true) {
+          name
+          description
+          args {
+            ...InputValue
+          }
+          type {
+            ...TypeRef
+          }
+          isDeprecated
+          deprecationReason
+        }
+        inputFields {
+          ...InputValue
+        }
+        interfaces {
+          ...TypeRef
+        }
+        enumValues(includeDeprecated: true) {
+          name
+          description
+          isDeprecated
+          deprecationReason
+        }
+        possibleTypes {
+          ...TypeRef
+        }
+      }
+      fragment InputValue on __InputValue {
+        name
+        description
+        type { ...TypeRef }
+        defaultValue
+      }
+      fragment TypeRef on __Type {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+            }
+          }
+        }
+      }
+    GRAPHQL
+  end
+  context 'when using a schema plugin to mount devise operations' do
+    context 'when schema plugin is set to authenticate by default' do
+      context 'when the resource is authenticated' do
+        let(:user) { create(:user, :confirmed) }
+        let(:headers) { user.create_new_auth_token }
+        it 'return the schema information' do
+          post_request('/api/v1/graphql')
+          expect(json_response[:data][:__schema].keys).to contain_exactly(
+            :queryType, :mutationType, :subscriptionType, :types, :directives
+          )
+        end
+      end
+      context 'when the resource is *NOT* authenticated' do
+        context 'and instrospection is set to be public' do
+          it 'return the schema information' do
+            post_request('/api/v1/graphql')
+            expect(json_response[:data][:__schema].keys).to contain_exactly(
+              :queryType, :mutationType, :subscriptionType, :types, :directives
+            )
+          end
+        end
+        context 'and introspection is set to require auth' do
+          before do
+            allow_any_instance_of(GraphqlDevise::SchemaPlugin).to(
+              receive(:public_introspection).and_return(false)
+            )
+          end
+          it 'return an error' do
+            post_request('/api/v1/graphql')
+            expect(json_response[:data]).to be_nil
+            expect(json_response[:errors]).to contain_exactly(
+              hash_including(
+                message:    '__schema field requires authentication',
+                extensions: { code: 'AUTHENTICATION_ERROR' }
+              )
+            )
+          end
+        end
+      end
+    end
+    context 'when schema plugin is set *NOT* to authenticate by default' do
+      it 'return the schema information' do
+        post_request('/api/v1/interpreter')
+        expect(json_response[:data][:__schema].keys).to contain_exactly(
+          :queryType, :mutationType, :subscriptionType, :types, :directives
+        )
+      end
+    end
+  end
+end