graphql_devise 0.14.1 → 0.17.0

data/spec/requests/mutations/confirm_registration_with_token_spec.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Registration confirmation with token' do
+  include_context 'with graphql query request'
+
+  context 'when using the user model' do
+    let(:user) { create(:user, confirmed_at: nil) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          userConfirmRegistrationWithToken(
+            confirmationToken: "#{token}"
+          ) {
+            authenticatable {
+              email
+              name
+            }
+            credentials { client }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when confirmation token is correct' do
+      let(:token) { user.confirmation_token }
+
+      before do
+        user.send_confirmation_instructions(
+          template_path: ['graphql_devise/mailer']
+        )
+      end
+
+      it 'confirms the resource and returns credentials' do
+        expect do
+          post_request
+          user.reload
+        end.to(change(user, :confirmed_at).from(nil))
+
+        expect(json_response[:data][:userConfirmRegistrationWithToken]).to include(
+          authenticatable: { email: user.email, name: user.name },
+          credentials:     { client: user.tokens.keys.first }
+        )
+
+        expect(user).to be_active_for_authentication
+      end
+
+      context 'when unconfirmed_email is present' do
+        let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
+
+        it 'confirms the unconfirmed email' do
+          expect do
+            post_request
+            user.reload
+          end.to change(user, :email).from(user.email).to('vvega@wallaceinc.com').and(
+            change(user, :unconfirmed_email).from('vvega@wallaceinc.com').to(nil)
+          )
+        end
+      end
+    end
+
+    context 'when reset password token is not found' do
+      let(:token) { "#{user.confirmation_token}-invalid" }
+
+      it 'does *NOT* confirm the user' do
+        expect do
+          post_request
+          user.reload
+        end.not_to change(user, :confirmed_at).from(nil)
+
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(
+            message:    'Invalid confirmation token. Please try again',
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
+    end
+  end
+
+  context 'when using the admin model' do
+    let(:admin) { create(:admin, confirmed_at: nil) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          adminConfirmRegistrationWithToken(
+            confirmationToken: "#{token}"
+          ) {
+            authenticatable { email }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when confirmation token is correct' do
+      let(:token) { admin.confirmation_token }
+
+      before do
+        admin.send_confirmation_instructions(
+          template_path: ['graphql_devise/mailer']
+        )
+      end
+
+      it 'confirms the resource and persists credentials on the DB' do
+        expect do
+          get_request
+          admin.reload
+        end.to change(admin, :confirmed_at).from(nil).and(
+          change { admin.tokens.keys.count }.from(0).to(1)
+        )
+
+        expect(admin).to be_active_for_authentication
+      end
+    end
+  end
+end

data/spec/requests/mutations/register_spec.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Registration process' do
+  include_context 'with graphql query request'
+
+  let(:name)     { Faker::Name.name }
+  let(:password) { Faker::Internet.password }
+  let(:email)    { Faker::Internet.email }
+  let(:redirect) { 'https://google.com' }
+
+  context 'when using the user model' do
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          userRegister(
+            email:                "#{email}"
+            name:                 "#{name}"
+            password:             "#{password}"
+            passwordConfirmation: "#{password}"
+            confirmUrl:          "#{redirect}"
+          ) {
+            credentials { accessToken }
+            user {
+              email
+              name
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when redirect_url is not whitelisted' do
+      let(:redirect) { 'https://not-safe.com' }
+
+      it 'returns a not whitelisted redirect url error' do
+        expect { post_request }.to(
+          not_change(User, :count)
+          .and(not_change(ActionMailer::Base.deliveries, :count))
+        )
+
+        expect(json_response[:errors]).to containing_exactly(
+          hash_including(
+            message:    "Redirect to '#{redirect}' not allowed.",
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
+    end
+
+    context 'when params are correct' do
+      it 'creates a new resource that requires confirmation' do
+        expect { post_request }.to(
+          change(User, :count).by(1)
+          .and(change(ActionMailer::Base.deliveries, :count).by(1))
+        )
+
+        user = User.last
+
+        expect(user).not_to be_active_for_authentication
+        expect(user.confirmed_at).to be_nil
+        expect(user).to be_valid_password(password)
+        expect(json_response[:data][:userRegister]).to include(
+          credentials: nil,
+          user:        {
+            email: email,
+            name:  name
+          }
+        )
+
+        email         = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        confirm_link  = email.css('a').first['href']
+        confirm_token = confirm_link.match(/\?confirmationToken\=(?<token>.+)\z/)[:token]
+
+        expect(User.confirm_by_token(confirm_token)).to eq(user)
+      end
+
+      context 'when email address uses different casing' do
+        let(:email) { 'miaWallace@wallaceinc.com' }
+
+        it 'honors devise configuration for case insensitive fields' do
+          expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+          expect(User.last.email).to eq('miawallace@wallaceinc.com')
+          expect(json_response[:data][:userRegister]).to include(user: { email: 'miawallace@wallaceinc.com', name: name })
+        end
+      end
+    end
+
+    context 'when required params are missing' do
+      let(:email) { '' }
+
+      it 'does *NOT* create resource a resource nor send an email' do
+        expect { post_request }.to(
+          not_change(User, :count)
+          .and(not_change(ActionMailer::Base.deliveries, :count))
+        )
+
+        expect(json_response[:data][:userRegister]).to be_nil
+        expect(json_response[:errors]).to containing_exactly(
+          hash_including(
+            message:    "User couldn't be registered",
+            extensions: { code: 'USER_ERROR', detailed_errors: ["Email can't be blank"] }
+          )
+        )
+      end
+    end
+  end
+
+  context 'when using the admin model' do
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          adminRegister(
+            email:                "#{email}"
+            password:             "#{password}"
+            passwordConfirmation: "#{password}"
+          ) {
+            authenticatable {
+              email
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    before { post_request }
+
+    it 'skips the register mutation' do
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: "Field 'adminRegister' doesn't exist on type 'Mutation'")
+      )
+    end
+  end
+
+  context 'when using the guest model' do
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          guestRegister(
+            email:                "#{email}"
+            password:             "#{password}"
+            passwordConfirmation: "#{password}"
+          ) {
+            credentials { accessToken client uid }
+            authenticatable {
+              email
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    it 'returns credentials as no confirmation is required' do
+      expect { post_request }.to change(Guest, :count).from(0).to(1)
+
+      expect(json_response[:data][:guestRegister]).to include(
+        authenticatable: { email: email },
+        credentials:     hash_including(
+          uid:    email,
+          client: Guest.last.tokens.keys.first
+        )
+      )
+    end
+  end
+end

data/spec/requests/mutations/resend_confirmation_with_token_spec.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Resend confirmation with token' do
+  include_context 'with graphql query request'
+
+  let(:confirmed_at) { nil }
+  let!(:user)        { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:id)           { user.id }
+  let(:confirm_url)  { 'https://google.com' }
+  let(:query) do
+    <<-GRAPHQL
+      mutation {
+        userResendConfirmationWithToken(
+          email:"#{email}",
+          confirmUrl:"#{confirm_url}"
+        ) {
+          message
+        }
+      }
+    GRAPHQL
+  end
+
+  context 'when confirm_url is not whitelisted' do
+    let(:confirm_url) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted confirm url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{confirm_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
+  context 'when params are correct' do
+    context 'when using the gem schema' do
+      it 'sends an email to the user with confirmation url and returns a success message' do
+        expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+        expect(json_response[:data][:userResendConfirmationWithToken]).to include(
+          message: 'You will receive an email with instructions for how to confirm your email address in a few minutes.'
+        )
+
+        email         = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        confirm_link  = email.css('a').first['href']
+        confirm_token = confirm_link.match(/\?confirmationToken\=(?<token>.+)\z/)[:token]
+
+        expect(User.confirm_by_token(confirm_token)).to eq(user)
+      end
+    end
+
+    context 'when using a custom schema' do
+      let(:custom_path) { '/api/v1/graphql' }
+
+      it 'sends an email to the user with confirmation url and returns a success message' do
+        expect { post_request(custom_path) }.to change(ActionMailer::Base.deliveries, :count).by(1)
+        expect(json_response[:data][:userResendConfirmationWithToken]).to include(
+          message: 'You will receive an email with instructions for how to confirm your email address in a few minutes.'
+        )
+
+        email         = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        confirm_link  = email.css('a').first['href']
+        confirm_token = confirm_link.match(/\?confirmationToken\=(?<token>.+)\z/)[:token]
+
+        expect(User.confirm_by_token(confirm_token)).to eq(user)
+      end
+    end
+
+    context 'when email address uses different casing' do
+      let(:email) { 'mWallace@wallaceinc.com' }
+
+      it 'honors devise configuration for case insensitive fields' do
+        expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+        expect(json_response[:data][:userResendConfirmationWithToken]).to include(
+          message: 'You will receive an email with instructions for how to confirm your email address in a few minutes.'
+        )
+      end
+    end
+
+    context 'when the user has already been confirmed' do
+      before { user.confirm }
+
+      it 'does *NOT* send an email and raises an error' do
+        expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+        expect(json_response[:data][:userResendConfirmationWithToken]).to be_nil
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(
+            message:    'Email was already confirmed, please try signing in',
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
+    end
+  end
+
+  context 'when the email was changed' do
+    let(:confirmed_at) { 2.seconds.ago }
+    let(:email)        { 'new-email@wallaceinc.com' }
+    let(:new_email)    { email }
+
+    before do
+      user.update_with_email(
+        email:                    new_email,
+        schema_url:               'http://localhost/test',
+        confirmation_success_url: 'https://google.com'
+      )
+    end
+
+    it 'sends new confirmation email' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(ActionMailer::Base.deliveries.first.to).to contain_exactly(new_email)
+      expect(json_response[:data][:userResendConfirmationWithToken]).to include(
+        message: 'You will receive an email with instructions for how to confirm your email address in a few minutes.'
+      )
+    end
+  end
+
+  context "when the email isn't in the system" do
+    let(:email) { 'notthere@gmail.com' }
+
+    it 'does *NOT* send an email and raises an error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+      expect(json_response[:data][:userResendConfirmationWithToken]).to be_nil
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(
+          message:    "Unable to find user with email '#{email}'.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+end

data/spec/requests/queries/introspection_query_spec.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Login Requests' do
+  include_context 'with graphql query request'
+
+  let(:query) do
+    <<-GRAPHQL
+      query IntrospectionQuery {
+        __schema {
+          queryType { name }
+          mutationType { name }
+          subscriptionType { name }
+          types {
+            ...FullType
+          }
+          directives {
+            name
+            description
+            args {
+              ...InputValue
+            }
+            onOperation
+            onFragment
+            onField
+          }
+        }
+      }
+
+      fragment FullType on __Type {
+        kind
+        name
+        description
+        fields(includeDeprecated: true) {
+          name
+          description
+          args {
+            ...InputValue
+          }
+          type {
+            ...TypeRef
+          }
+          isDeprecated
+          deprecationReason
+        }
+        inputFields {
+          ...InputValue
+        }
+        interfaces {
+          ...TypeRef
+        }
+        enumValues(includeDeprecated: true) {
+          name
+          description
+          isDeprecated
+          deprecationReason
+        }
+        possibleTypes {
+          ...TypeRef
+        }
+      }
+
+      fragment InputValue on __InputValue {
+        name
+        description
+        type { ...TypeRef }
+        defaultValue
+      }
+
+      fragment TypeRef on __Type {
+        kind
+        name
+        ofType {
+          kind
+          name
+          ofType {
+            kind
+            name
+            ofType {
+              kind
+              name
+            }
+          }
+        }
+      }
+
+    GRAPHQL
+  end
+
+  context 'when using a schema plugin to mount devise operations' do
+    context 'when schema plugin is set to authenticate by default' do
+      context 'when the resource is authenticated' do
+        let(:user) { create(:user, :confirmed) }
+        let(:headers) { user.create_new_auth_token }
+
+        it 'return the schema information' do
+          post_request('/api/v1/graphql')
+
+          expect(json_response[:data][:__schema].keys).to contain_exactly(
+            :queryType, :mutationType, :subscriptionType, :types, :directives
+          )
+        end
+      end
+
+      context 'when the resource is *NOT* authenticated' do
+        context 'and instrospection is set to be public' do
+          it 'return the schema information' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data][:__schema].keys).to contain_exactly(
+              :queryType, :mutationType, :subscriptionType, :types, :directives
+            )
+          end
+        end
+
+        context 'and introspection is set to require auth' do
+          before do
+            allow_any_instance_of(GraphqlDevise::SchemaPlugin).to(
+              receive(:public_introspection).and_return(false)
+            )
+          end
+
+          it 'return an error' do
+            post_request('/api/v1/graphql')
+
+            expect(json_response[:data]).to be_nil
+            expect(json_response[:errors]).to contain_exactly(
+              hash_including(
+                message:    '__schema field requires authentication',
+                extensions: { code: 'AUTHENTICATION_ERROR' }
+              )
+            )
+          end
+        end
+      end
+    end
+
+    context 'when schema plugin is set *NOT* to authenticate by default' do
+      it 'return the schema information' do
+        post_request('/api/v1/interpreter')
+
+        expect(json_response[:data][:__schema].keys).to contain_exactly(
+          :queryType, :mutationType, :subscriptionType, :types, :directives
+        )
+      end
+    end
+  end
+end