practical 0.1.0 → 3.0.0.pre.alpha1

data/app/lib/practical/test/shared/auth/passkeys/controllers/registrations/self_destroy.rb

@@ -10,14 +10,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Self
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -28,9 +32,11 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Self
       resource_id = resource_instance.id
 
       assert_difference "#{resource_class}.count", -1 do
+      assert_destroy_authorized do
         destroy_registration_action(params: params)
         assert_redirected_to destroy_success_url
       end
+      end
 
       assert_nil resource_class.find_by(id: resource_id)
     end
@@ -41,14 +47,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Self
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -73,14 +83,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Self
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -105,14 +119,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Self
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge

data/app/lib/practical/test/shared/auth/passkeys/controllers/registrations/self_signup.rb

@@ -80,7 +80,8 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Self
       end
 
       new_resource = resource_class.last
-      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party, raw_credential: raw_credential).credential
+      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party,
+                                                        raw_credential: raw_credential).credential
 
       new_passkey = new_resource.passkeys.last
       assert_equal passkey_label, new_passkey.label
@@ -205,7 +206,7 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Self
 
       client = webauthn_client
       challenge = expected_stored_challenge
-      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
 
       params = params_for_registration(email: email, passkey_label: passkey_label, raw_credential: "   ")
 

data/app/lib/practical/test/shared/auth/passkeys/controllers/registrations/update.rb

@@ -3,16 +3,20 @@
 module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Update
   extend ActiveSupport::Concern
 
-    included do
+  included do
     test "edit renders successfully for the resource" do
       sign_in_as_resource
-      edit_registration_action
+      assert_edit_authorized do
+        edit_registration_action
+      end
       assert_response :ok
     end
 
     test "edit does not render a different resource" do
       sign_in_as_resource
-      attempt_to_edit_other_resource_action
+      assert_edit_authorized do
+        attempt_to_edit_other_resource_action
+      end
       assert_response :ok
       assert_not_includes response.body, other_resource.email
     end
@@ -23,14 +27,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -41,8 +49,10 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       params = params_for_updating_resource(email: new_email, reauthentication_token: reauthentication_token)
 
       assert_no_difference "#{resource_class}.count" do
+      assert_update_authorized do
         update_registration_action(params: params)
-        assert_json_redirected_to expected_update_success_url
+        assert_update_redirect
+      end
       end
 
       resource_instance.reload
@@ -55,14 +65,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -89,14 +103,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -123,14 +141,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -142,9 +164,11 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       params = params_for_updating_resource(email: new_email, reauthentication_token: reauthentication_token)
 
       assert_no_difference "#{resource_class}.count" do
+      assert_update_authorized do
         update_registration_action(params: params)
         assert_response :unprocessable_entity
-        assert_form_error_for_email(message: "can't be blank")
+        assert_form_error_for_blank_email
+      end
       end
 
       resource_instance.reload
@@ -157,14 +181,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -176,9 +204,11 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       params = params_for_updating_resource(email: new_email, reauthentication_token: reauthentication_token)
 
       assert_no_difference "#{resource_class}.count" do
+      assert_update_authorized do
         update_registration_action(params: params)
         assert_response :unprocessable_entity
-        assert_form_error_for_email(message: "has already been taken")
+        assert_form_error_for_taken_email
+      end
       end
 
       resource_instance.reload
@@ -191,14 +221,18 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       client = webauthn_client
       create_passkey_for_user_and_return_webauthn_credential(user: resource_instance)
 
-      new_reauthentication_challenge_action
+      assert_reauthentication_challenge_authorized do
+        new_reauthentication_challenge_action
+      end
       assert_response :ok
       assert_reauthentication_token_challenge
 
       challenge = response.parsed_body["challenge"]
       credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
 
-      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_reauthentication_authorized do
+        reauthenticate_action(params: {passkey_credential: credential.to_json})
+      end
       assert_response :ok
       assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
       assert_nil expected_stored_reauthentication_challenge
@@ -209,8 +243,10 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::Upda
       params = params_trying_to_update_other_resource(email: new_email, reauthentication_token: reauthentication_token)
 
       assert_no_difference "#{resource_class}.count" do
+      assert_update_authorized do
         update_registration_action(params: params)
-        assert_json_redirected_to expected_update_success_url
+        assert_update_redirect
+      end
       end
 
       resource_instance.reload

data/app/lib/practical/test/shared/auth/passkeys/controllers/sessions/cross_pollination.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Auth::Passkeys::Controllers::Sessions::CrossPollination
+  extend ActiveSupport::Concern
+
+  included do
+    test "create: does not allow another resource to log in" do
+      sign_in_as_other_resource
+
+      issue_new_challenge_action
+      assert_response :ok
+
+      assert_passkey_authentication_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        credentials_to_allow: []
+      )
+
+      challenge = response.parsed_body["challenge"]
+      credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
+
+      authenticate_action(params: {resource_key => {passkey_credential: credential.to_json}})
+      assert_response :unprocessable_entity
+
+      assert_nil get_session_challenge
+      assert_resource_not_signed_in
+    end
+  end
+end

data/app/lib/practical/test/shared/auth/passkeys/forms/emergency_registration.rb

@@ -75,7 +75,6 @@ module Practical::Test::Shared::Auth::Passkeys::Forms::EmergencyRegistration
       assert_equal new_passkey, emergency_registration.passkey
       assert_equal time.to_formatted_s(:db), emergency_registration.used_at.to_formatted_s(:db)
 
-
       assert_new_passkey_email(new_passkey: new_passkey)
     end
   end

data/app/lib/practical/test/shared/auth/passkeys/models/{passkey.rb → passkey/base.rb}

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module Practical::Test::Shared::Auth::Passkeys::Models::Passkey
+module Practical::Test::Shared::Auth::Passkeys::Models::Passkey::Base
   extend ActiveSupport::Concern
 
   included do

data/app/lib/practical/test/shared/auth/passkeys/models/passkey/emergency_registration.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Auth::Passkeys::Models::Passkey::EmergencyRegistration
+  extend ActiveSupport::Concern
+
+  included do
+    test "has_one: emergency_passkey_registration, dependent: :destroy" do
+      reflection = model_class.reflect_on_association(emergency_passkey_registration_reflection_name)
+      assert_equal :has_one, reflection.macro
+      assert_equal :destroy, reflection.options[:dependent]
+    end
+
+    test "can destroy a passkey if it has an emergency_passkey_registration" do
+      instance = model_instance_with_emergency_registration
+
+      assert_not_nil instance.emergency_passkey_registration
+
+      assert_difference "#{model_class}.count", -1 do
+        instance.destroy!
+      end
+    end
+  end
+end

data/app/lib/practical/test/shared/auth/passkeys/models/{resource_with_passkeys.rb → resource_with_passkeys/base.rb}

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module Practical::Test::Shared::Auth::Passkeys::Models::ResourceWithPasskeys
+module Practical::Test::Shared::Auth::Passkeys::Models::ResourceWithPasskeys::Base
   extend ActiveSupport::Concern
 
   included do

data/app/lib/practical/test/shared/auth/passkeys/models/resource_with_passkeys/emergency_registration.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Auth::Passkeys::Models::ResourceWithPasskeys::EmergencyRegistration
+  extend ActiveSupport::Concern
+
+  included do
+    test "email: is required and cannot be blank" do
+      instance = model_instance
+      instance.email = ""
+      assert_equal false, instance.valid?
+      assert_equal true, instance.errors.of_kind?(:email, :blank)
+
+      instance.email = Faker::Internet.email
+      assert_equal true, instance.valid?
+    end
+
+    test "email: is unique" do
+      instance = model_class.new(email: model_instance.email)
+      assert_equal false, instance.valid?
+      assert_equal true, instance.errors.of_kind?(:email, :taken)
+
+      instance.email = Faker::Internet.email
+      instance.valid?
+
+      assert_equal false, instance.errors.of_kind?(:email, :taken)
+    end
+
+    test "has many emergency_passkey_registrations" do
+      reflection = model_class.reflect_on_association(:emergency_passkey_registrations)
+      assert_equal :has_many, reflection.macro
+
+      assert_difference "#{emergency_passkey_registration_class}.count", +1 do
+        new_emergency_registration = model_instance.emergency_passkey_registrations.create!
+
+        assert_instance_of emergency_passkey_registration_class, new_emergency_registration
+
+        assert_includes model_instance.emergency_passkey_registrations, new_emergency_registration
+      end
+    end
+  end
+end

data/app/lib/practical/test/shared/memberships/controllers/membership_invitations/base.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Memberships::Controllers::MembershipInvitations::Base
+  extend ActiveSupport::Concern
+
+  included do
+    test "show: renders successfully when given a visible, unused membership_invitation token" do
+      show_membership_invitation_action(token: visible_unused_token)
+      assert_response :ok
+    end
+
+    test "show: returns 404 if a used membership_invitation token is given" do
+      show_membership_invitation_action(token: used_token)
+      assert_response :not_found
+    end
+
+    test "show: returns 404 if a hidden membership_invitation token is given" do
+      show_membership_invitation_action(token: hidden_token)
+      assert_response :not_found
+    end
+
+    test "show: raises ActiveSupport::MessageVerifier::InvalidSignature if a bad token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        show_membership_invitation_action(token: bad_token)
+      end
+    end
+
+    test "show: raises ActiveSupport::MessageVerifier::InvalidSignature if a raw token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        show_membership_invitation_action(token: raw_token)
+      end
+    end
+
+    test "sign_out_then_show: signs out the resource, but stores the path and redirects them" do
+      sign_in_as_resource
+
+      sign_out_then_show_action(token: visible_unused_token)
+      assert_redirected_to_invitation(token: visible_unused_token)
+    end
+
+    test "sign_out_then_show: returns 404 if a used membership_invitation token is given" do
+      sign_in_as_resource
+
+      sign_out_then_show_action(token: used_token)
+      assert_response :not_found
+    end
+
+    test "sign_out_then_show: returns 404 if a hidden membership_invitation token is given" do
+      sign_in_as_resource
+
+      sign_out_then_show_action(token: hidden_token)
+      assert_response :not_found
+    end
+
+    test "sign_out_then_show: raises ActiveSupport::MessageVerifier::InvalidSignature if a bad token is given" do
+      sign_in_as_resource
+
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        sign_out_then_show_action(token: bad_token)
+      end
+    end
+
+    test "sign_out_then_show: raises ActiveSupport::MessageVerifier::InvalidSignature if a raw token is given" do
+      sign_in_as_resource
+
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        sign_out_then_show_action(token: raw_token)
+      end
+    end
+
+    test "accept_as_current_user: links the invitation to a given resource, creating the final membership" do
+      sign_in_as_resource
+
+      assert_difference "#{membership_class}.count", +1 do
+        accept_as_current_user_action(token: visible_unused_token)
+      end
+
+      assert_redirected_to_organization
+      assert_accepted_invitation_flash_message
+
+      assert_membership_accepted_for_resource(resource: resource_instance)
+    end
+
+    test "accept_as_current_user: links the invitation to a given resource, even if the email does not match" do
+      sign_in_as_resource_with_different_email
+
+      assert_difference "#{membership_class}.count", +1 do
+        accept_as_current_user_action(token: visible_unused_token)
+      end
+
+      assert_redirected_to_organization
+      assert_accepted_invitation_flash_message
+
+      assert_membership_accepted_for_resource(resource: resource_instance_with_different_email)
+    end
+
+    test "accept_as_current_user: raises an error and does not change the invitation if the resource is already a member of this organization" do
+      sign_in_as_resource_already_in_organization
+
+      assert_no_difference "#{membership_class}.count" do
+        accept_as_current_user_action(token: visible_unused_token)
+      end
+
+      assert_response :unprocessable_entity
+      assert_taken_flash_message
+
+      assert_membership_invitation_unclaimed
+    end
+
+    test "accept_as_current_user: returns 404 if the resource is not signed in" do
+      assert_no_difference "#{membership_class}.count" do
+        accept_as_current_user_action(token: visible_unused_token)
+      end
+
+      assert_response :not_found
+      assert_membership_invitation_unclaimed
+    end
+
+    test "accept_as_current_user: returns 404 if a used membership_invitation token is given" do
+      sign_in_as_resource
+
+      assert_no_difference "#{membership_class}.count" do
+        accept_as_current_user_action(token: used_token)
+      end
+
+      assert_response :not_found
+      assert_membership_invitation_unclaimed
+    end
+
+    test "accept_as_current_user: returns 404 if a hidden membership_invitation token is given" do
+      sign_in_as_resource
+
+      assert_no_difference "#{membership_class}.count" do
+        accept_as_current_user_action(token: hidden_token)
+      end
+
+      assert_response :not_found
+      assert_membership_invitation_unclaimed
+    end
+
+    test "accept_as_current_user: raises ActiveSupport::MessageVerifier::InvalidSignature if a bad token is given" do
+      sign_in_as_resource
+
+      assert_no_difference "#{membership_class}.count" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        accept_as_current_user_action(token: bad_token)
+      end
+      end
+
+      assert_membership_invitation_unclaimed
+    end
+
+    test "accept_as_current_user: raises ActiveSupport::MessageVerifier::InvalidSignature if a raw token is given" do
+      sign_in_as_resource
+
+      assert_no_difference "#{membership_class}.count" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        accept_as_current_user_action(token: raw_token)
+      end
+      end
+
+      assert_membership_invitation_unclaimed
+    end
+  end
+end