propel_authentication 0.1.1

data/lib/generators/propel_auth/templates/test/concerns/confirmable_test.rb.tt

@@ -0,0 +1,247 @@
+require 'test_helper'
+
+class ConfirmableTest < ActiveSupport::TestCase
+  def setup
+    @user = users(:john_user)
+    @organization = @user.organization
+  end
+
+  # TOKEN GENERATION TESTS
+
+  test "should generate confirmation token on user creation" do
+    user = User.new(
+      email_address: 'jane@example.com',
+      username: 'jane_doe',
+      password: 'securepassword123',
+      password_confirmation: 'securepassword123',
+      organization: @organization
+    )
+    
+    assert_nil user.confirmation_token, "Confirmation token should be nil before save"
+    assert_nil user.confirmation_sent_at, "Confirmation sent at should be nil before save"
+    
+    user.save!
+    
+    assert_not_nil user.confirmation_token, "Confirmation token should be generated on save"
+    assert_not_nil user.confirmation_sent_at, "Confirmation sent at should be set on save"
+    assert user.confirmation_token.length >= 32, "Confirmation token should be at least 32 characters"
+  end
+
+  test "should not generate confirmation token for already confirmed users" do
+    @user.update!(confirmed_at: Time.current)
+    original_token = @user.confirmation_token
+    
+    @user.save!
+    
+    assert_equal original_token, @user.confirmation_token, "Confirmation token should not change for confirmed users"
+  end
+
+  test "should generate new confirmation token when resending confirmation" do
+    original_token = @user.confirmation_token
+    original_sent_at = @user.confirmation_sent_at
+    
+    sleep 0.001 # Ensure time difference
+    @user.send_confirmation_instructions
+    
+    assert_not_equal original_token, @user.confirmation_token, "Should generate new confirmation token"
+    assert @user.confirmation_sent_at > original_sent_at, "Should update confirmation sent time"
+  end
+
+  # CONFIRMATION STATUS TESTS
+
+  test "should not be confirmed by default" do
+    assert_not @user.confirmed?, "User should not be confirmed by default"
+    assert_nil @user.confirmed_at, "Confirmed at should be nil by default"
+  end
+
+  test "should be confirmed after setting confirmed_at" do
+    @user.update!(confirmed_at: Time.current)
+    
+    assert @user.confirmed?, "User should be confirmed after setting confirmed_at"
+    assert_not_nil @user.confirmed_at, "Confirmed at should be set"
+  end
+
+  test "should identify confirmation as pending" do
+    assert @user.confirmation_pending?, "Confirmation should be pending for unconfirmed user"
+    
+    @user.update!(confirmed_at: Time.current)
+    assert_not @user.confirmation_pending?, "Confirmation should not be pending for confirmed user"
+  end
+
+  # CONFIRMATION TOKEN VALIDATION
+
+  test "should confirm user with valid token" do
+    token = @user.confirmation_token
+    
+    result = @user.confirm_by_token(token)
+    
+    assert result, "Should successfully confirm with valid token"
+    assert @user.confirmed?, "User should be confirmed after token confirmation"
+    assert_not_nil @user.confirmed_at, "Confirmed at should be set"
+    assert_nil @user.confirmation_token, "Confirmation token should be cleared"
+  end
+
+  test "should not confirm user with invalid token" do
+    result = @user.confirm_by_token('invalid_token')
+    
+    assert_not result, "Should not confirm with invalid token"
+    assert_not @user.confirmed?, "User should remain unconfirmed"
+    assert_nil @user.confirmed_at, "Confirmed at should remain nil"
+    assert_not_nil @user.confirmation_token, "Confirmation token should remain"
+  end
+
+  test "should not confirm user with expired token" do
+    @user.update!(confirmation_sent_at: 25.hours.ago) # Expired (24h default)
+    token = @user.confirmation_token
+    
+    result = @user.confirm_by_token(token)
+    
+    assert_not result, "Should not confirm with expired token"
+    assert_not @user.confirmed?, "User should remain unconfirmed"
+    assert @user.confirmation_expired?, "Confirmation should be expired"
+  end
+
+  test "should detect expired confirmation tokens" do
+    @user.update!(confirmation_sent_at: 25.hours.ago)
+    assert @user.confirmation_expired?, "Confirmation should be expired after 24 hours"
+    
+    @user.update!(confirmation_sent_at: 23.hours.ago)
+    assert_not @user.confirmation_expired?, "Confirmation should not be expired within 24 hours"
+  end
+
+  # EMAIL INTEGRATION TESTS
+
+  test "should send confirmation email on user creation" do
+    assert_emails 1 do
+      User.create!(
+        email_address: 'newuser@example.com',
+        username: 'newuser',
+        password: 'securepassword123',
+        password_confirmation: 'securepassword123',
+        organization: @organization
+      )
+    end
+    
+    email = ActionMailer::Base.deliveries.last
+    assert_equal 'newuser@example.com', email.to.first, "Email should be sent to user's email address"
+    assert_match(/confirm/i, email.subject, "Email subject should mention confirmation")
+    assert_match(/confirm/i, email.body.to_s, "Email body should contain confirmation instructions")
+  end
+
+  test "should send confirmation email when resending instructions" do
+    ActionMailer::Base.deliveries.clear
+    
+    assert_emails 1 do
+      @user.send_confirmation_instructions
+    end
+    
+    email = ActionMailer::Base.deliveries.last
+    assert_equal @user.email_address, email.to.first, "Email should be sent to user's email address"
+    assert_match(@user.confirmation_token, email.body.to_s, "Email should contain confirmation token")
+  end
+
+  test "should not send confirmation email to already confirmed users" do
+    @user.update!(confirmed_at: Time.current)
+    ActionMailer::Base.deliveries.clear
+    
+    assert_emails 0 do
+      @user.send_confirmation_instructions
+    end
+  end
+
+  # BUSINESS LOGIC TESTS
+
+  test "should prevent login for unconfirmed users" do
+    assert_not @user.can_login?, "Unconfirmed users should not be able to login"
+    
+    @user.update!(confirmed_at: Time.current)
+    assert @user.can_login?, "Confirmed users should be able to login"
+  end
+
+  test "should allow confirmation resend with rate limiting" do
+    @user.send_confirmation_instructions
+    first_sent_at = @user.confirmation_sent_at
+    
+    # Try to resend immediately (should be rate limited)
+    @user.send_confirmation_instructions
+    assert_equal first_sent_at, @user.confirmation_sent_at, "Should not resend immediately"
+    
+    # Simulate time passing (1 minute)
+    @user.update!(confirmation_sent_at: 2.minutes.ago)
+    @user.send_confirmation_instructions
+    assert @user.confirmation_sent_at > first_sent_at, "Should allow resend after time limit"
+  end
+
+  test "should handle email address changes requiring reconfirmation" do
+    @user.update!(confirmed_at: Time.current)
+    original_email = @user.email_address
+    
+    assert_emails 1 do
+      @user.update!(email_address: 'newemail@example.com')
+    end
+    
+    @user.reload
+    assert_not @user.confirmed?, "Should require reconfirmation after email change"
+    assert_equal 'newemail@example.com', @user.email_address, "Email should be updated"
+    assert_not_nil @user.confirmation_token, "Should generate new confirmation token"
+  end
+
+  # SECURITY TESTS
+
+  test "should use secure random tokens" do
+    tokens = []
+    
+    10.times do
+      user = User.create!(
+        email_address: "user#{SecureRandom.hex(4)}@example.com",
+        username: "user#{SecureRandom.hex(4)}",
+        password: 'securepassword123',
+        password_confirmation: 'securepassword123',
+        organization: @organization
+      )
+      tokens << user.confirmation_token
+    end
+    
+    # All tokens should be unique
+    assert_equal tokens.length, tokens.uniq.length, "All confirmation tokens should be unique"
+    
+    # All tokens should be proper length
+    tokens.each do |token|
+      assert token.length >= 32, "Token should be at least 32 characters: #{token}"
+      assert token.match?(/\A[a-f0-9]+\z/), "Token should be hexadecimal: #{token}"
+    end
+  end
+
+  test "should clear sensitive data after confirmation" do
+    token = @user.confirmation_token
+    
+    @user.confirm_by_token(token)
+    
+    assert_nil @user.confirmation_token, "Confirmation token should be cleared"
+    assert_not_nil @user.confirmed_at, "Confirmed at should be preserved"
+  end
+
+  # EDGE CASES
+
+  test "should handle nil confirmation token gracefully" do
+    @user.update_column(:confirmation_token, nil)
+    
+    result = @user.confirm_by_token('any_token')
+    assert_not result, "Should not confirm when token is nil"
+  end
+
+  test "should handle missing confirmation_sent_at gracefully" do
+    @user.update_column(:confirmation_sent_at, nil)
+    
+    assert_not @user.confirmation_expired?, "Should not be expired when sent_at is nil"
+  end
+
+  private
+
+  def assert_emails(number, &block)
+    original_count = ActionMailer::Base.deliveries.count
+    yield
+    new_count = ActionMailer::Base.deliveries.count
+    assert_equal original_count + number, new_count, "Expected #{number} emails to be sent"
+  end
+end 

data/lib/generators/propel_auth/templates/test/concerns/lockable_test.rb.tt

@@ -0,0 +1,282 @@
+require 'test_helper'
+
+class LockableTest < ActiveSupport::TestCase
+  def setup
+    @user = users(:jane_user)
+    @organization = @user.organization
+  end
+
+  # Test basic lockable functionality
+  test "should not be locked initially" do
+    assert_not @user.locked?, "User should not be locked initially"
+    assert_equal 0, @user.failed_login_attempts, "Failed login attempts should be 0 initially"
+    assert_nil @user.locked_at, "Locked at should be nil initially"
+  end
+
+  test "should increment failed login attempts" do
+    @user.increment_failed_attempts
+    assert_equal 1, @user.failed_login_attempts, "Failed attempts should increment to 1"
+    assert_not @user.locked?, "User should not be locked after 1 failed attempt"
+  end
+
+  test "should lock account after max failed attempts" do
+    # Simulate 10 failed attempts
+    PropelAuth.configuration.max_failed_attempts.times do
+      @user.increment_failed_attempts
+    end
+    
+    assert @user.locked?, "User should be locked after #{PropelAuth.configuration.max_failed_attempts} failed attempts"
+    assert @user.locked_at.present?, "Locked at timestamp should be set"
+    assert_equal PropelAuth.configuration.max_failed_attempts, @user.failed_login_attempts, "Failed attempts should equal max"
+  end
+
+  test "should reset failed attempts on successful login" do
+    # Set some failed attempts
+    @user.update!(failed_login_attempts: 5)
+    
+    # Simulate successful login
+    @user.reset_failed_attempts
+    
+    assert_equal 0, @user.failed_login_attempts, "Failed attempts should reset to 0 on successful login"
+  end
+
+  test "should unlock account manually" do
+    # Lock the account
+    @user.lock_account!
+    assert @user.locked?, "User should be locked"
+    
+    # Unlock manually
+    @user.unlock_account!
+    assert_not @user.locked?, "User should be unlocked"
+    assert_nil @user.locked_at, "Locked at should be nil after unlock"
+    assert_equal 0, @user.failed_login_attempts, "Failed attempts should reset after unlock"
+  end
+
+  test "should automatically unlock after lockout duration" do
+    # Lock the account with a past timestamp
+    past_time = (PropelAuth.configuration.lockout_duration + 1.minute).ago
+    @user.update!(
+      locked_at: past_time,
+      failed_login_attempts: PropelAuth.configuration.max_failed_attempts
+    )
+    
+    # Check if automatically unlocked
+    assert_not @user.locked?, "User should be automatically unlocked after lockout duration"
+  end
+
+  test "should remain locked within lockout duration" do
+    # Lock the account recently
+    recent_time = 5.minutes.ago
+    @user.update!(
+      locked_at: recent_time,
+      failed_login_attempts: PropelAuth.configuration.max_failed_attempts
+    )
+    
+    # Should still be locked
+    assert @user.locked?, "User should remain locked within lockout duration"
+  end
+
+  test "should prevent authentication when locked" do
+    @user.lock_account!
+    
+    # Even with correct password, should not authenticate when locked
+    assert_not @user.can_authenticate?, "Locked user should not be able to authenticate"
+  end
+
+  test "should allow authentication when not locked" do
+    assert @user.can_authenticate?, "Unlocked user should be able to authenticate"
+  end
+
+  test "should provide unlock token for self-service unlock" do
+    @user.lock_account!
+    
+    unlock_token = @user.generate_unlock_token
+    assert unlock_token.present?, "Should generate unlock token"
+    assert_equal 3, unlock_token.split('.').length, "Unlock token should be a JWT"
+    
+    # Verify token can be used to find user
+    found_user = User.find_by_unlock_token(unlock_token)
+    assert_equal @user.id, found_user.id, "Should find user by unlock token"
+  end
+
+  test "should unlock with valid unlock token" do
+    @user.lock_account!
+    unlock_token = @user.generate_unlock_token
+    
+    result = @user.unlock_with_token!(unlock_token)
+    assert result, "Should unlock with valid token"
+    assert_not @user.locked?, "User should be unlocked after valid token"
+  end
+
+  test "should not unlock with invalid unlock token" do
+    @user.lock_account!
+    
+    result = @user.unlock_with_token!("invalid_token")
+    assert_not result, "Should not unlock with invalid token"
+    assert @user.locked?, "User should remain locked with invalid token"
+  end
+
+  test "should track time of lock for security auditing" do
+    # BEHAVIOR: Verify lock timestamp is recorded within reasonable time
+    start_time = Time.current
+    @user.lock_account!
+    end_time = Time.current
+    
+    # Should be locked within the time range
+    assert @user.locked_at >= start_time, "Lock time should be after start time"
+    assert @user.locked_at <= end_time, "Lock time should be before end time"
+    assert @user.locked_at.present?, "Lock timestamp should be recorded"
+  end
+
+  test "should integrate with failed login attempt configuration" do
+    # Test with different configuration
+    original_max = PropelAuth.configuration.max_failed_attempts
+    PropelAuth.configuration.max_failed_attempts = 3
+    
+    # Should lock after 3 attempts with new config
+    3.times { @user.increment_failed_attempts }
+    assert @user.locked?, "Should respect updated configuration"
+    
+    # Restore original config
+    PropelAuth.configuration.max_failed_attempts = original_max
+  end
+
+  # CRITICAL EDGE CASE TESTS - Missing from initial implementation
+
+  test "should not increment attempts beyond max when already locked" do
+    # SECURITY: Prevent attempt counter overflow on locked accounts
+    @user.lock_account!
+    original_attempts = @user.failed_login_attempts
+    
+    @user.increment_failed_attempts  # Try to increment past lock
+    assert_equal original_attempts, @user.reload.failed_login_attempts, "Should not increment attempts when already locked"
+  end
+
+  test "should reject expired unlock tokens" do
+    # SECURITY: Verify token expiration is enforced
+    @user.lock_account!
+    
+    # Create token that expires immediately
+    expired_payload = { 
+      user_id: @user.id, 
+      email_address: @user.email_address,
+      type: 'unlock', 
+      iat: Time.now.to_i,
+      exp: 1.second.ago.to_i 
+    }
+    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    
+    assert_not @user.unlock_with_token!(expired_token), "Should reject expired unlock token"
+    assert @user.locked?, "Should remain locked with expired token"
+  end
+
+  test "should reject unlock tokens for different users" do
+    # SECURITY: Prevent token reuse across users
+    other_user = User.create!(
+      email_address: "other-user@example.com",
+      username: "otheruser", 
+      password: "password123",
+      organization: @organization
+    )
+    
+    @user.lock_account!
+    other_user.lock_account!
+    
+    # Generate token for other user
+    other_token = other_user.generate_unlock_token
+    
+    # Try to use other user's token
+    assert_not @user.unlock_with_token!(other_token), "Should reject token from different user"
+    assert @user.locked?, "Should remain locked with wrong user token"
+  end
+
+  test "should reject tampered unlock tokens" do
+    # SECURITY: Verify JWT signature validation
+    @user.lock_account!
+    
+    valid_token = @user.generate_unlock_token
+    tampered_token = valid_token[0..-10] + "tamperedXX"  # Tamper with signature
+    
+    assert_not @user.unlock_with_token!(tampered_token), "Should reject tampered token"
+    assert @user.locked?, "Should remain locked with tampered token"
+  end
+
+  test "should handle validation failures gracefully during locking" do
+    # ERROR HANDLING: Verify graceful failure on validation errors
+    
+    # Create invalid state that would fail validation
+    @user.email_address = nil  # Make user invalid (email_address is required)
+    
+    # Attempt to lock - should fail due to validation
+    assert_raises(ActiveRecord::RecordInvalid) { @user.lock_account! }
+    
+    # Verify state remains consistent after failure
+    @user.reload
+    assert_not @user.locked?, "Should not be locked if validation failed"
+  end
+
+  test "should handle validation failures gracefully during unlock" do
+    # ERROR HANDLING: Verify graceful failure on validation errors
+    @user.lock_account!
+    
+    # Create invalid state that would fail validation
+    @user.email_address = nil  # Make user invalid (email_address is required)
+    
+    # Attempt to unlock - should fail due to validation
+    assert_raises(ActiveRecord::RecordInvalid) { @user.unlock_account! }
+    
+    # Verify state remains consistent after failure  
+    @user.reload
+    assert @user.locked?, "Should remain locked if validation failed"
+  end
+
+  test "should persist failed attempts across multiple increment calls" do
+    # DATA INTEGRITY: Verify attempts are properly persisted
+    5.times do |i|
+      @user.increment_failed_attempts
+      @user.reload  # Simulate fresh load from database
+      assert_equal i + 1, @user.failed_login_attempts, "Failed attempts should persist across reloads"
+    end
+  end
+
+  test "should not allow double-locking with race conditions" do
+    # CONCURRENCY: Verify locking is idempotent
+    @user.lock_account!
+    first_locked_at = @user.locked_at
+    
+    # Try to lock again (simulating race condition)
+    @user.lock_account!
+    @user.reload
+    
+    assert_equal first_locked_at.to_i, @user.locked_at.to_i, "Locked timestamp should not change on double-lock"
+  end
+
+  test "should validate unlock token structure and content" do
+    # JWT VALIDATION: Verify token contains required fields
+    @user.lock_account!
+    
+    unlock_token = @user.generate_unlock_token
+    decoded = JWT.decode(unlock_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded.first
+    
+    assert_equal @user.id, payload['user_id'], "Token should contain correct user ID"
+    assert_equal @user.email_address, payload['email_address'], "Token should contain user email_address"
+    assert_equal 'unlock', payload['type'], "Token should be marked as unlock type"
+    assert payload['iat'].present?, "Token should have issued at timestamp"
+    assert payload['exp'].present?, "Token should have expiration timestamp"
+    assert payload['exp'] > Time.now.to_i, "Token should not be expired immediately"
+  end
+
+  test "should enforce maximum unlock token lifetime" do
+    # SECURITY: Verify unlock tokens have reasonable expiration
+    @user.lock_account!
+    
+    unlock_token = @user.generate_unlock_token
+    decoded = JWT.decode(unlock_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded.first
+    
+    token_lifetime = payload['exp'] - payload['iat']
+    assert token_lifetime <= 1.hour, "Unlock token should expire within 1 hour"
+    assert token_lifetime > 30.minutes, "Unlock token should be valid for at least 30 minutes"
+  end
+end 

data/lib/generators/propel_auth/templates/test/concerns/propel_authentication_test.rb.tt

@@ -0,0 +1,75 @@
+require 'test_helper'
+
+# A dummy controller to test the concern
+class PropelAuthenticationTestController < ActionController::Base
+  include PropelAuthentication
+  before_action :authenticate_user
+
+  def index
+    render json: { user_id: current_user.id }
+  end
+end
+
+class PropelAuthenticationTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:john_user)
+    @organization = @user.organization
+    @token = @user.generate_jwt_token
+  end
+
+  def with_test_routes
+    Rails.application.routes.draw do
+      get '/test_auth', to: 'propel_authentication_test#index'
+      yield
+    end
+  ensure
+    Rails.application.reload_routes!
+  end
+
+  test "should get index with valid token" do
+    with_test_routes do
+      get '/test_auth', headers: { 'Authorization' => "Bearer #{@token}" }
+      assert_response :success
+      json_response = JSON.parse(response.body)
+      assert_equal @user.id, json_response['user_id']
+    end
+  end
+
+  test "should return unauthorized with invalid token" do
+    with_test_routes do
+      get '/test_auth', headers: { 'Authorization' => 'Bearer invalidtoken' }
+      assert_response :unauthorized
+      assert_equal 'Invalid token', JSON.parse(response.body)['error']
+    end
+  end
+
+  test "should return unauthorized with expired token" do
+    payload = {
+      user_id: @user.id,
+      exp: 1.hour.ago.to_i
+    }
+    expired_token = JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+
+    with_test_routes do
+      get '/test_auth', headers: { 'Authorization' => "Bearer #{expired_token}" }
+      assert_response :unauthorized
+      assert_equal 'Token expired', JSON.parse(response.body)['error']
+    end
+  end
+
+  test "should return unauthorized with no token" do
+    with_test_routes do
+      get '/test_auth'
+      assert_response :unauthorized
+      assert_equal 'No token provided', JSON.parse(response.body)['error']
+    end
+  end
+
+  test "should return unauthorized with incorrectly formatted token header" do
+    with_test_routes do
+      get '/test_auth', headers: { 'Authorization' => @token }
+      assert_response :unauthorized
+      assert_equal 'No token provided', JSON.parse(response.body)['error']
+    end
+  end
+end