propel_authentication 0.1.1

data/lib/generators/propel_auth/templates/test/concerns/recoverable_test.rb.tt

@@ -0,0 +1,327 @@
+require 'test_helper'
+
+class RecoverableTest < ActiveSupport::TestCase
+  def setup
+    @user = users(:john_user)
+    @organization = @user.organization
+  end
+
+  # Test basic password reset token functionality
+  test "should generate password reset token with proper structure" do
+    # BEHAVIOR: Verify password reset token contains required fields and structure
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # VERIFY TOKEN STRUCTURE: Check JWT token is properly formatted
+    assert reset_token.present?, "Should generate password reset token"
+    assert_equal 3, reset_token.split('.').length, "JWT should have 3 parts separated by dots"
+    
+    # VERIFY TOKEN CONTENT: Decode and validate payload
+    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded.first
+    
+    assert_equal @user.id, payload['user_id'], "Token should contain correct user ID"
+    assert_equal @user.email_address, payload['email_address'], "Token should contain user email_address"
+    assert_equal 'password_reset', payload['type'], "Token should be marked as password_reset type"
+    assert payload['iat'].present?, "Token should have issued at timestamp"
+    assert payload['exp'].present?, "Token should have expiration timestamp"
+    assert payload['password_hash'].present?, "Token should contain password hash fragment for invalidation"
+  end
+
+  test "should generate unique tokens for each request" do
+    # SECURITY: Verify each reset request generates unique tokens
+    
+    token1 = @user.generate_password_reset_token
+    token2 = @user.generate_password_reset_token
+    
+    assert_not_equal token1, token2, "Each reset request should generate unique tokens"
+    
+    # Both should be valid but different
+    assert @user.valid_password_reset_token?(token1), "First token should be valid"
+    assert @user.valid_password_reset_token?(token2), "Second token should be valid"
+  end
+
+  test "should validate password reset tokens correctly" do
+    # BEHAVIOR: Verify token validation logic works correctly
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # VERIFY VALIDATION: Valid token should pass validation
+    assert @user.valid_password_reset_token?(reset_token), "Valid token should pass validation"
+    
+    # VERIFY TOKEN BINDING: Token should be bound to specific user
+    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded.first
+    assert_equal @user.id, payload['user_id'], "Token should be bound to correct user"
+  end
+
+  test "should enforce password reset token expiration" do
+    # SECURITY: Verify tokens expire after configured time
+    
+    # SETUP: Create token that should expire quickly for testing
+    expired_payload = {
+      user_id: @user.id,
+      email_address: @user.email_address,
+      type: 'password_reset',
+      iat: Time.now.to_i,
+      exp: 1.second.ago.to_i,  # Already expired
+      password_hash: @user.password_digest[0..10]
+    }
+    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    
+    # VERIFY EXPIRATION: Expired token should be rejected
+    assert_not @user.valid_password_reset_token?(expired_token), "Expired token should be rejected"
+  end
+
+  test "should invalidate tokens when password changes" do
+    # SECURITY: Verify tokens become invalid if password already changed
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # VERIFY INITIAL VALIDITY: Token should be valid initially
+    assert @user.valid_password_reset_token?(reset_token), "Token should be valid before password change"
+    
+    # SIMULATE PASSWORD CHANGE: Update user password
+    @user.update!(password: "newpassword456")
+    
+    # VERIFY INVALIDATION: Token should now be invalid due to password hash change
+    assert_not @user.valid_password_reset_token?(reset_token), "Token should be invalid after password change"
+  end
+
+  test "should reset password with valid token" do
+    # BEHAVIOR: Verify password reset functionality works end-to-end
+    
+    reset_token = @user.generate_password_reset_token
+    new_password = "resetpassword789"
+    
+    # VERIFY INITIAL STATE: User should authenticate with original password
+    assert @user.authenticate("password123"), "Should authenticate with original password"
+    assert_not @user.authenticate(new_password), "Should not authenticate with new password yet"
+    
+    # EXECUTE PASSWORD RESET: Reset password using valid token
+    result = @user.reset_password_with_token!(reset_token, new_password)
+    
+    # VERIFY RESET SUCCESS: Method should return true
+    assert result, "Password reset should succeed with valid token"
+    
+    # VERIFY PASSWORD CHANGE: User should now authenticate with new password
+    @user.reload
+    assert @user.authenticate(new_password), "Should authenticate with new password"
+    assert_not @user.authenticate("password123"), "Should not authenticate with old password"
+  end
+
+  test "should reject password reset with invalid token" do
+    # SECURITY: Verify invalid tokens are rejected
+    
+    invalid_token = "invalid.jwt.token"
+    new_password = "attemptedpassword"
+    original_password_digest = @user.password_digest
+    
+    # EXECUTE WITH INVALID TOKEN: Attempt reset with invalid token
+    result = @user.reset_password_with_token!(invalid_token, new_password)
+    
+    # VERIFY REJECTION: Reset should fail
+    assert_not result, "Password reset should fail with invalid token"
+    
+    # VERIFY NO CHANGE: Password should remain unchanged
+    @user.reload
+    assert_equal original_password_digest, @user.password_digest, "Password should not change with invalid token"
+    assert @user.authenticate("password123"), "Should still authenticate with original password"
+  end
+
+  test "should reject password reset with wrong user token" do
+    # SECURITY: Verify tokens cannot be used across different users
+    
+    other_user = User.create!(
+      email_address: "other-user@example.com",
+      username: "otheruser",
+      password: "otherpassword123",
+      organization: @organization
+    )
+    
+    # GENERATE TOKEN FOR OTHER USER: Create token for different user
+    other_token = other_user.generate_password_reset_token
+    original_password_digest = @user.password_digest
+    
+    # ATTEMPT CROSS-USER RESET: Try to use other user's token
+    result = @user.reset_password_with_token!(other_token, "hackedpassword")
+    
+    # VERIFY REJECTION: Reset should fail
+    assert_not result, "Should reject token from different user"
+    
+    # VERIFY NO CHANGE: Original user password should remain unchanged
+    @user.reload
+    assert_equal original_password_digest, @user.password_digest, "Password should not change with wrong user token"
+  end
+
+  test "should reject password reset with tampered token" do
+    # SECURITY: Verify JWT signature validation prevents tampering
+    
+    valid_token = @user.generate_password_reset_token
+    tampered_token = valid_token[0..-10] + "tamperedXX"  # Tamper with signature
+    original_password_digest = @user.password_digest
+    
+    # ATTEMPT RESET WITH TAMPERED TOKEN: Try to use tampered token
+    result = @user.reset_password_with_token!(tampered_token, "hackedpassword")
+    
+    # VERIFY REJECTION: Reset should fail
+    assert_not result, "Should reject tampered token"
+    
+    # VERIFY NO CHANGE: Password should remain unchanged
+    @user.reload
+    assert_equal original_password_digest, @user.password_digest, "Password should not change with tampered token"
+  end
+
+  test "should enforce password requirements during reset" do
+    # VALIDATION: Verify password requirements are enforced
+    
+    reset_token = @user.generate_password_reset_token
+    weak_password = "123"  # Too short
+    original_password_digest = @user.password_digest
+    
+    # ATTEMPT RESET WITH WEAK PASSWORD: Try to set weak password
+    result = @user.reset_password_with_token!(reset_token, weak_password)
+    
+    # VERIFY REJECTION: Reset should fail due to weak password
+    assert_not result, "Should reject weak password during reset"
+    
+    # VERIFY NO CHANGE: Password should remain unchanged
+    @user.reload
+    assert_equal original_password_digest, @user.password_digest, "Password should not change with weak password"
+  end
+
+  test "should handle validation failures gracefully during reset" do
+    # ERROR HANDLING: Verify graceful failure on validation errors
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # ATTEMPT WITH INVALID USER STATE: Create invalid state that would fail save
+    @user.email_address = nil  # Make user invalid (email_address is required)
+    new_password = "validnewpassword123"
+    
+    # EXECUTE RESET: Attempt reset with invalid user state
+    result = @user.reset_password_with_token!(reset_token, new_password)
+    
+    # VERIFY GRACEFUL FAILURE: Method should return false
+    assert_not result, "Should handle validation failure gracefully"
+    
+    # VERIFY NO CHANGE: Password should remain unchanged
+    @user.reload
+    assert @user.authenticate("password123"), "Should still authenticate with original password"
+  end
+
+  test "should clear failed login attempts on successful password reset" do
+    # INTEGRATION: Verify password reset clears lockable state
+    
+    # SETUP: Build up failed login attempts
+    @user.update!(failed_login_attempts: 5)
+    assert_equal 5, @user.failed_login_attempts, "Should have failed attempts"
+    
+    # EXECUTE RESET: Reset password with valid token
+    reset_token = @user.generate_password_reset_token
+    result = @user.reset_password_with_token!(reset_token, "newpassword123")
+    
+    # VERIFY INTEGRATION: Failed attempts should be cleared
+    assert result, "Password reset should succeed"
+    @user.reload
+    assert_equal 0, @user.failed_login_attempts, "Failed attempts should be cleared on password reset"
+  end
+
+  # Class method tests for token validation
+  test "should find user by valid password reset token" do
+    # BEHAVIOR: Verify class method for finding users by reset token
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # EXECUTE LOOKUP: Find user by reset token
+    found_user = User.find_user_by_password_reset_token(reset_token)
+    
+    # VERIFY LOOKUP: Should find correct user
+    assert_equal @user.id, found_user.id, "Should find user by valid reset token"
+    assert_equal @user.email_address, found_user.email_address, "Should return correct user"
+  end
+
+  test "should return nil for invalid password reset token lookup" do
+    # SECURITY: Verify invalid tokens return nil
+    
+    invalid_token = "invalid.jwt.token"
+    
+    # EXECUTE LOOKUP: Try to find user with invalid token
+    found_user = User.find_user_by_password_reset_token(invalid_token)
+    
+    # VERIFY REJECTION: Should return nil
+    assert_nil found_user, "Should return nil for invalid token"
+  end
+
+  test "should return nil for expired password reset token lookup" do
+    # SECURITY: Verify expired tokens return nil
+    
+    expired_payload = {
+      user_id: @user.id,
+      email_address: @user.email_address,
+      type: 'password_reset',
+      iat: Time.now.to_i,
+      exp: 1.second.ago.to_i,  # Already expired
+      password_hash: @user.password_digest[0..10]
+    }
+    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    
+    # EXECUTE LOOKUP: Try to find user with expired token
+    found_user = User.find_user_by_password_reset_token(expired_token)
+    
+    # VERIFY EXPIRATION: Should return nil
+    assert_nil found_user, "Should return nil for expired token"
+  end
+
+  test "should enforce reasonable token expiration times" do
+    # SECURITY: Verify token expiration is reasonable (not too long)
+    
+    reset_token = @user.generate_password_reset_token
+    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded.first
+    
+    token_lifetime = payload['exp'] - payload['iat']
+    
+    # VERIFY EXPIRATION BOUNDS: Token should expire reasonably soon
+    assert token_lifetime <= 1.hour, "Reset token should expire within 1 hour for security"
+    assert token_lifetime >= 5.minutes, "Reset token should be valid for at least 5 minutes for usability"
+  end
+
+  test "should validate token type to prevent reuse" do
+    # SECURITY: Verify only password_reset type tokens are accepted
+    
+    # CREATE UNLOCK TOKEN: Generate token with different type
+    unlock_payload = {
+      user_id: @user.id,
+      email_address: @user.email_address,
+      type: 'unlock',  # Wrong type
+      iat: Time.now.to_i,
+      exp: 1.hour.from_now.to_i,
+      password_hash: @user.password_digest[0..10]
+    }
+    unlock_token = JWT.encode(unlock_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    
+    # VERIFY TYPE VALIDATION: Unlock token should not work for password reset
+    assert_not @user.valid_password_reset_token?(unlock_token), "Should reject wrong token type"
+    
+    # VERIFY FAILED RESET: Password reset should fail with wrong token type
+    result = @user.reset_password_with_token!(unlock_token, "newpassword")
+    assert_not result, "Password reset should fail with wrong token type"
+  end
+
+  test "should bind token to current password hash" do
+    # SECURITY: Verify token includes password hash binding
+    
+    reset_token = @user.generate_password_reset_token
+    decoded = JWT.decode(reset_token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded.first
+    
+    # VERIFY BINDING: Token should contain password hash fragment
+    assert payload['password_hash'].present?, "Token should contain password hash binding"
+    assert payload['password_hash'].length > 0, "Password hash binding should not be empty"
+    
+    # VERIFY CURRENT BINDING: Should match current password hash
+    expected_hash_fragment = @user.password_digest[0..10]
+    assert_equal expected_hash_fragment, payload['password_hash'], "Token should be bound to current password hash"
+  end
+end 

data/lib/generators/propel_auth/templates/test/controllers/auth/lockable_integration_test.rb.tt

@@ -0,0 +1,196 @@
+require 'test_helper'
+
+class <%= controller_namespace %>::LockableIntegrationTest < ActionDispatch::IntegrationTest
+  def setup
+    @organization = Organization.create!(name: "Test Organization")
+    @user = User.create!(
+      email_address: "lockable-integration@example.com",
+      username: "lockableintegration",
+      password: "correctpassword123",
+      organization: @organization
+    )
+  end
+
+  # CRITICAL: Real API integration with lockable functionality
+  
+  test "should track failed attempts during actual login API calls" do
+    # BEHAVIOR: Verify failed login attempts are tracked through real API
+    9.times do |i|
+      post <%= login_path_helper %>, params: { 
+        user: { email_address: @user.email_address, password: "wrongpassword" } 
+      }
+      
+      assert_response :unauthorized, "Failed login should return unauthorized"
+      @user.reload
+      assert_equal i + 1, @user.failed_login_attempts, "Should track failed attempt #{i + 1}"
+      assert_not @user.locked?, "Should not be locked until max attempts reached"
+    end
+  end
+
+  test "should lock account and return 423 after max failed login attempts" do
+    # BEHAVIOR: Verify account locks after exactly 10 failed attempts via API
+    
+    # First 9 attempts should not lock
+    9.times do
+      post <%= login_path_helper %>, params: { 
+        user: { email_address: @user.email_address, password: "wrongpassword" } 
+      }
+      assert_response :unauthorized
+    end
+    
+    # 10th attempt should lock the account
+    post <%= login_path_helper %>, params: { 
+      user: { email_address: @user.email_address, password: "wrongpassword" } 
+    }
+    
+    @user.reload
+    assert @user.locked?, "User should be locked after 10 failed attempts"
+    assert_equal 10, @user.failed_login_attempts, "Should have exactly 10 failed attempts"
+  end
+
+  test "should return 423 locked status when attempting to login to locked account" do
+    # BEHAVIOR: Verify locked accounts return proper HTTP status and error
+    @user.lock_account!
+    
+    post <%= login_path_helper %>, params: { 
+      user: { email_address: @user.email_address, password: "correctpassword123" } 
+    }
+    
+    assert_response :locked, "Should return 423 locked status"
+    
+    json = JSON.parse(response.body)
+    assert_match(/locked.*too many failed attempts/i, json['error'], "Should return descriptive error message")
+    assert_nil json['token'], "Should not return authentication token"
+    assert_nil json['user'], "Should not return user data"
+  end
+
+  test "should prevent login even with correct password when account is locked" do
+    # SECURITY: Verify locked accounts cannot authenticate regardless of password
+    @user.lock_account!
+    
+    # Try with correct password
+    post <%= login_path_helper %>, params: { 
+      user: { email_address: @user.email_address, password: "correctpassword123" } 
+    }
+    
+    assert_response :locked, "Should reject even correct password when locked"
+    
+    # Verify no login tracking occurs
+    @user.reload
+    assert @user.locked?, "Should remain locked after correct password attempt"
+  end
+
+  test "should reset failed attempts counter on successful login" do
+    # BEHAVIOR: Verify successful login clears failed attempt tracking
+    
+    # Build up some failed attempts
+    5.times do
+      post <%= login_path_helper %>, params: { 
+        user: { email_address: @user.email_address, password: "wrongpassword" } 
+      }
+    end
+    
+    @user.reload
+    assert_equal 5, @user.failed_login_attempts, "Should have 5 failed attempts"
+    
+    # Successful login should reset counter
+    post <%= login_path_helper %>, params: { 
+      user: { email_address: @user.email_address, password: "correctpassword123" } 
+    }
+    
+    assert_response :ok, "Successful login should return 200"
+    
+    @user.reload
+    assert_equal 0, @user.failed_login_attempts, "Failed attempts should reset to 0"
+    assert_not @user.locked?, "User should not be locked"
+    assert @user.last_login_at.present?, "Should update last login timestamp"
+  end
+
+  test "should handle unlock endpoint with valid unlock token" do
+    # API INTEGRATION: Verify unlock endpoint works with JWT tokens
+    @user.lock_account!
+    unlock_token = @user.generate_unlock_token
+    
+    post <%= unlock_path_helper %>, params: { token: unlock_token }
+    
+    assert_response :ok, "Valid unlock token should return 200"
+    
+    json = JSON.parse(response.body)
+    assert_match(/unlocked successfully/i, json['message'], "Should return success message")
+    assert_equal @user.id, json['user']['id'], "Should return user data"
+    
+    @user.reload
+    assert_not @user.locked?, "User should be unlocked"
+    assert_equal 0, @user.failed_login_attempts, "Failed attempts should be reset"
+  end
+
+  test "should reject unlock endpoint with invalid token" do
+    # API INTEGRATION: Verify unlock endpoint properly validates tokens
+    @user.lock_account!
+    
+    post <%= unlock_path_helper %>, params: { token: "invalid_token_12345" }
+    
+    assert_response :unauthorized, "Invalid token should return 401"
+    
+    json = JSON.parse(response.body)
+    assert_match(/invalid.*expired/i, json['error'], "Should return error message")
+    
+    @user.reload
+    assert @user.locked?, "User should remain locked with invalid token"
+  end
+
+  test "should require unlock token parameter" do
+    # API VALIDATION: Verify unlock endpoint validates required parameters
+    @user.lock_account!
+    
+    post <%= unlock_path_helper %>, params: {}
+    
+    assert_response :unprocessable_entity, "Missing token should return 422"
+    
+    json = JSON.parse(response.body)
+    assert_match(/token.*required/i, json['error'], "Should indicate token is required")
+  end
+
+  test "should not increment attempts when user does not exist" do
+    # SECURITY: Verify failed attempts are not tracked for nonexistent users
+    post <%= login_path_helper %>, params: { 
+      user: { email_address: "nonexistent@example.com", password: "anypassword" } 
+    }
+    
+    assert_response :unauthorized, "Nonexistent user should return unauthorized"
+    
+    # Verify no user was created or attempts tracked
+    assert_nil User.find_by(email_address: "nonexistent@example.com"), "Should not create user record"
+  end
+
+  test "should handle graceful error responses for authentication failures" do
+    # ERROR HANDLING: Verify system handles authentication failures gracefully
+    
+    post <%= login_path_helper %>, params: { 
+      user: { email_address: "nonexistent@example.com", password: "wrongpassword" } 
+    }
+    
+    # Should still return unauthorized in a controlled way, not crash
+    assert_response :unauthorized, "Should handle authentication failure gracefully"
+    
+    json = JSON.parse(response.body)
+    assert json['error'].present?, "Should return error message"
+    assert_match(/invalid credentials/i, json['error'], "Should return appropriate error")
+  end
+
+  test "should properly update last_login_at on successful authentication" do
+    # BEHAVIOR: Verify login timestamp tracking
+    start_time = Time.current
+    
+    post <%= login_path_helper %>, params: { 
+      user: { email_address: @user.email_address, password: "correctpassword123" } 
+    }
+    
+    assert_response :ok
+    
+    @user.reload
+    assert @user.last_login_at.present?, "Should set last login timestamp"
+    assert @user.last_login_at >= start_time, "Login timestamp should be after start time"
+    assert @user.last_login_at > 1.minute.ago, "Login timestamp should be recent"
+  end
+end