RubyGems - practical - Versions diffs - 0.1.0 - Mend

practical 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (119) hide show

data/app/lib/practical/test/shared/auth/passkeys/controllers/emergency_registration/base.rb ADDED Viewed

@@ -0,0 +1,372 @@
+# frozen_string_literal: true
+module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistration::Base
+  extend ActiveSupport::Concern
+  included do
+    test "show: renders successfully when given an emergency_registration token for the resource's emergency registration class" do
+      show_emergency_registration_action(token: valid_emergency_registration_token)
+      assert_response :success
+    end
+    test "show: raises ActiveSupport::MessageVerifier::InvalidSignature if an expired token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        show_emergency_registration_action(token: expired_emergency_registration_token)
+      end
+    end
+    test "show: raises ActiveSupport::MessageVerifier::InvalidSignature if a bad token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        show_emergency_registration_action(token: SecureRandom.hex)
+      end
+    end
+    test "show: raises ActiveSupport::MessageVerifier::InvalidSignature if a raw emergency registration ID is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        show_emergency_registration_action(token: raw_emergency_registration_id)
+      end
+    end
+    test "new_create_challenge: renders successfully when given a valid emergency_registration token for the resource's emergency registration class" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+    end
+    test "new_create_challenge: raises ActiveSupport::MessageVerifier::InvalidSignature if an expired token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        get_new_challenge_action(token: expired_emergency_registration_token)
+      end
+    end
+    test "new_create_challenge: raises ActiveSupport::MessageVerifier::InvalidSignature if a bad token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        get_new_challenge_action(token: SecureRandom.hex)
+      end
+    end
+    test "new_create_challenge: raises ActiveSupport::MessageVerifier::InvalidSignature if a raw emergency registration ID is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        get_new_challenge_action(token: raw_emergency_registration_id)
+      end
+    end
+    test "use: registers a new passkey for the owner, using the client details" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: raw_credential)
+      assert_difference "#{passkey_class}.count", +1 do
+        use_emergency_registration_action(token: token, params: params)
+        assert_json_redirected_to expected_new_session_url
+      end
+      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party, raw_credential: raw_credential).credential
+      new_passkey = emergency_passkey_registration.reload.passkey
+      assert_equal label, new_passkey.label
+      assert_equal Base64.strict_encode64(credential.id), new_passkey.external_id
+      assert_not_nil new_passkey.public_key
+      assert_nil new_passkey.last_used_at
+    end
+    test "use: does not allow overriding who the passkey is registered for" do
+      old_owner = owner_instance
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_that_try_to_override_owner_during_emergency_registration(label: label, raw_credential: raw_credential)
+      assert_difference "#{passkey_class}.count", +1 do
+        use_emergency_registration_action(token: token, params: params)
+        assert_json_redirected_to expected_new_session_url
+      end
+      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party, raw_credential: raw_credential).credential
+      new_passkey = emergency_passkey_registration.reload.passkey
+      assert_equal label, new_passkey.label
+      assert_equal Base64.strict_encode64(credential.id), new_passkey.external_id
+      assert_not_nil new_passkey.public_key
+      assert_nil new_passkey.last_used_at
+      assert_old_owner_owns_passkey(passkey: new_passkey)
+    end
+    test "use: raises ActiveRecord::RecordNotFound if an expired token is given" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: raw_credential)
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        use_emergency_registration_action(token: expired_emergency_registration_token, params: params)
+      end
+    end
+    test "use: raises ActiveRecord::RecordNotFound if a bad token is given" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: raw_credential)
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        use_emergency_registration_action(token: SecureRandom.hex, params: params)
+      end
+    end
+    test "use: raises ActiveRecord::RecordNotFound if a raw emergency registration ID is given" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: raw_credential)
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        use_emergency_registration_action(token: raw_emergency_registration_id, params: params)
+      end
+    end
+    test "use: returns a unprocessable_entity with the PracticalFramework error JSON if the passkey label is missing" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      params = params_for_using_emergency_passkey_registration(label: "    ", raw_credential: raw_credential)
+      assert_no_difference "#{passkey_class}.count" do
+        use_emergency_registration_action(token: token, params: params)
+      end
+      assert_response :unprocessable_entity
+      assert_form_error_for_label(message: "can't be blank", type: :blank)
+    end
+    test "use: returns a unprocessable_entity with the PracticalFramework error JSON if the passkey challenge fails" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = SecureRandom.hex
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: raw_credential)
+      assert_no_difference "#{passkey_class}.count" do
+        use_emergency_registration_action(token: token, params: params)
+      end
+      assert_response :unprocessable_entity
+      assert_form_error_for_credential(message: I18n.translate("devise.emergency_passkey_registrations.webauthn_challenge_verification_error"))
+    end
+    test "use: returns a unprocessable_entity with the PracticalFramework error JSON if the credential was missing" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: nil)
+      assert_no_difference "#{passkey_class}.count" do
+        use_emergency_registration_action(token: token, params: params)
+      end
+      assert_response :unprocessable_entity
+      assert_form_error_for_credential(message: I18n.translate("devise.emergency_passkey_registrations.credential_missing_or_could_not_be_parsed"))
+    end
+    test "use: returns a unprocessable_entity with the PracticalFramework error JSON if the credential could not be parsed" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+      get_new_challenge_action(token: token)
+      assert_response :ok
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+      challenge = expected_stored_challenge
+      client = webauthn_client
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: "blah")
+      assert_no_difference "#{passkey_class}.count" do
+        use_emergency_registration_action(token: token, params: params)
+      end
+      assert_response :unprocessable_entity
+      assert_form_error_for_credential(message: I18n.translate("devise.emergency_passkey_registrations.credential_missing_or_could_not_be_parsed"))
+    end
+  end
+end

data/app/lib/practical/test/shared/auth/passkeys/controllers/emergency_registration/self_service.rb ADDED Viewed

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistration::SelfService
+  extend ActiveSupport::Concern
+  included do
+    test "new: renders successfully" do
+      get_new_registration_action
+      assert_response :success
+    end
+    test "create: calls service to send emergency passkey registration with the user_agent, ip_address, and found owner" do
+      owner = owner_instance
+      params = {
+        new_emergency_passkey_registration_form: {
+          email: owner.email
+        }
+      }
+      ip_address = Faker::Internet.ip_v6_address
+      user_agent = Faker::Internet.user_agent
+      env = {"REMOTE_ADDR" => ip_address, "User-Agent" => user_agent}
+      service_spy = Spy.on_instance_method(send_registration_service_class, run!: true)
+      request_emergency_registration_action(params: params, env: env)
+      assert_json_redirected_to expected_new_session_url
+      assert_flash_message(
+        type: :notice,
+        message: I18n.translate('emergency_passkey_registrations.sent_message'),
+        icon_name: "envelope-dot"
+      )
+      assert_times_called(spy: service_spy, times: 1)
+    end
+    test "create: silently ignores bad email addresses" do
+      params = {
+        new_emergency_passkey_registration_form: {
+          email: "bad@example.com"
+        }
+      }
+      ip_address = Faker::Internet.ip_v6_address
+      user_agent = Faker::Internet.user_agent
+      env = {"REMOTE_ADDR" => ip_address, "User-Agent" => user_agent}
+      service_spy = Spy.on_instance_method(send_registration_service_class, run!: true)
+      request_emergency_registration_action(params: params, env: env)
+      assert_json_redirected_to expected_new_session_url
+      assert_flash_message(
+        type: :notice,
+        message: I18n.translate('emergency_passkey_registrations.sent_message'),
+        icon_name: "envelope-dot"
+      )
+      assert_times_called(spy: service_spy, times: 0)
+    end
+  end
+end

data/app/lib/practical/test/shared/auth/passkeys/controllers/reauthentication/base.rb ADDED Viewed

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+module Practical::Test::Shared::Auth::Passkeys::Controllers::Reauthentication::Base
+  extend ActiveSupport::Concern
+  included do
+    test "new_challenge: requires the resource to be authenticated" do
+      issue_new_challenge_action
+      assert_response :not_found
+    end
+    test "new_challenge: sets the session variable that stores the new challenge" do
+      sign_in_as_resource
+      issue_new_challenge_action
+      assert_response :ok
+      assert_equal get_session_challenge, response.parsed_body["challenge"]
+    end
+    test "new_challenge: overrides the session variable that stores the new challenge" do
+      sign_in_as_resource
+      issue_new_challenge_action
+      assert_response :ok
+      old_session_challenge = get_session_challenge
+      issue_new_challenge_action
+      assert_response :ok
+      assert_not_equal old_session_challenge, get_session_challenge
+      assert_not_equal old_session_challenge, response.parsed_body["challenge"]
+    end
+    test "reauthenticate: requires the resource to be authenticated" do
+      reauthenticate_action(params: {})
+      assert_response :not_found
+    end
+    test """reauthenticate:
+      - verifies that the given challenge matches what is in the session
+      - clears the challenge session variable
+      - returns the reauthentication_token
+      - stores the reauthentication_token in the session
+    """ do
+      sign_in_as_resource
+      issue_new_challenge_action
+      assert_response :ok
+      assert_passkey_authentication_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        credentials_to_allow: expected_credentials_to_allow
+      )
+      challenge = response.parsed_body["challenge"]
+      credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
+      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_response :ok
+      assert_equal expected_stored_reauthentication_token, response.parsed_body["reauthentication_token"]
+      assert_nil get_session_challenge
+    end
+    test """reauthenticate:
+      - raises an error if the challenge does not match what is in the session
+      - clears the challenge session variable
+      - does not have a reauthentication_token in the session
+    """ do
+      sign_in_as_resource
+      issue_new_challenge_action
+      assert_response :ok
+      assert_passkey_authentication_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        credentials_to_allow: expected_credentials_to_allow
+      )
+      challenge = SecureRandom.hex
+      credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
+      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_response :unauthorized
+      assert_equal I18n.translate("devise.failure.webauthn_challenge_verification_error"), response.parsed_body["error"]
+      assert_nil expected_stored_reauthentication_token
+      assert_nil get_session_challenge
+      assert_resource_not_signed_in
+    end
+    test """reauthenticate:
+      - raises an error if the credential is invalid
+      - clears the challenge session variable
+      - does not have a reauthentication_token in the session
+    """ do
+      sign_in_as_resource
+      issue_new_challenge_action
+      assert_response :ok
+      assert_passkey_authentication_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        credentials_to_allow: expected_credentials_to_allow
+      )
+      challenge = response.parsed_body["challenge"]
+      credential = get_credential_payload_from_challenge(client: client, challenge: challenge)
+      invalidate_all_credentials
+      reauthenticate_action(params: {passkey_credential: credential.to_json})
+      assert_response :unauthorized
+      assert_equal I18n.translate("devise.failure.stored_credential_not_found"), response.parsed_body["error"]
+      assert_nil expected_stored_reauthentication_token
+      assert_nil get_session_challenge
+      assert_resource_not_signed_in
+    end
+  end
+end

data/app/lib/practical/test/shared/auth/passkeys/controllers/registrations/no_self_destroy.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::NoSelfDestroy
+  extend ActiveSupport::Concern
+  included do
+    test "destroy action returns 501" do
+      sign_in_as_resource
+      destroy_registration_action
+      assert_response :not_implemented
+    end
+  end
+end

data/app/lib/practical/test/shared/auth/passkeys/controllers/registrations/no_self_signup.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module Practical::Test::Shared::Auth::Passkeys::Controllers::Registrations::NoSelfSignup
+  extend ActiveSupport::Concern
+  included do
+    test "new registration challenge action returns 501" do
+      new_registration_challenge_action
+      assert_response :not_implemented
+    end
+    test "new registration action returns 501" do
+      new_registration_action
+      assert_response :not_implemented
+    end
+    test "create registration action returns 501" do
+      create_registration_action
+      assert_response :not_implemented
+    end
+  end
+end