propel_authentication 0.1.1

data/lib/generators/propel_auth/templates/test/controllers/auth/password_reset_integration_test.rb.tt

@@ -0,0 +1,471 @@
+require 'test_helper'
+
+class <%= controller_namespace %>::PasswordResetIntegrationTest < ActionDispatch::IntegrationTest
+  def setup
+    @organization = Organization.create!(name: "Test Organization")
+    @user = User.create!(
+      email_address: "password-reset@example.com",
+      username: "passwordresetuser",
+      password: "originalpassword123",
+      organization: @organization,
+      first_name: "Password",
+      last_name: "User"
+    )
+  end
+
+  def teardown
+    User.destroy_all
+    Organization.destroy_all
+  end
+
+  # POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset - Request Password Reset Tests
+  test "should initiate password reset with valid email_address" do
+    # BEHAVIOR: Verify password reset request works with valid email_address
+    
+    post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+    
+    # VERIFY API RESPONSE: Should return success status
+    assert_response :ok, "Valid email_address should initiate password reset"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/reset.*sent/i, response_json['message'], "Should confirm reset email sent")
+    assert_not response_json.key?('token'), "Should not expose reset token in response"
+    
+    # VERIFY EMAIL DELIVERY: Email should be sent (will test this when we add mailer)
+    # For now, verify the request was processed successfully
+  end
+
+  test "should reject password reset with invalid email_address format" do
+    # VALIDATION: Verify email_address format validation
+    
+    post <%= reset_path_helper %>, params: { email_address: "invalid-email-format" }
+    
+    # VERIFY VALIDATION ERROR: Should return validation error
+    assert_response :unprocessable_entity, "Invalid email_address format should be rejected"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/email.*invalid/i, response_json['error'], "Should indicate email_address format error")
+  end
+
+  test "should handle password reset for nonexistent email_address safely" do
+    # SECURITY: Verify nonexistent email_addresses don't reveal user information
+    
+    post <%= reset_path_helper %>, params: { email_address: "nonexistent@example.com" }
+    
+    # VERIFY SECURITY RESPONSE: Should return same response as valid email_address (prevent enumeration)
+    assert_response :ok, "Nonexistent email_address should return same response as valid email_address"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/reset.*sent/i, response_json['message'], "Should return same success message")
+    
+    # VERIFY NO EMAIL SENT: No actual email should be sent for nonexistent user
+  end
+
+  test "should require email_address parameter for password reset request" do
+    # VALIDATION: Verify email_address parameter is required
+    
+    post <%= reset_path_helper %>, params: {}
+    
+    # VERIFY PARAMETER VALIDATION: Should return parameter error
+    assert_response :unprocessable_entity, "Missing email_address should return validation error"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/email.*required/i, response_json['error'], "Should indicate email_address is required")
+  end
+
+  test "should rate limit password reset requests" do
+    # SECURITY: Verify rate limiting prevents abuse
+    
+    # EXECUTE MULTIPLE REQUESTS: Send multiple reset requests rapidly
+    5.times do
+      post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+    end
+    
+    # Make one more request that should be rate limited
+    post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+    
+    # VERIFY RATE LIMITING: Should eventually rate limit (implementation dependent)
+    # For now, verify the endpoint is accessible (rate limiting will be added later)
+    assert_response :ok, "Rate limiting test - endpoint should be accessible"
+  end
+
+  # PUT <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset - Confirm Password Reset Tests
+  test "should reset password with valid token and new password" do
+    # BEHAVIOR: Verify password reset confirmation works end-to-end
+    
+    # SETUP: Generate valid reset token
+    reset_token = @user.generate_password_reset_token
+    new_password = "newpassword456"
+    
+    # EXECUTE RESET: Confirm password reset with token
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: new_password,
+      password_confirmation: new_password
+    }
+    
+    # VERIFY API RESPONSE: Should return success
+    assert_response :ok, "Valid token should allow password reset"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/password.*reset.*successfully/i, response_json['message'], "Should confirm password reset")
+    assert response_json.key?('user'), "Should return user data"
+    assert_equal @user.id, response_json['user']['id'], "Should return correct user"
+    
+    # VERIFY PASSWORD CHANGE: User should authenticate with new password
+    @user.reload
+    assert @user.authenticate(new_password), "Should authenticate with new password"
+    assert_not @user.authenticate("originalpassword123"), "Should not authenticate with old password"
+  end
+
+  test "should reject password reset with invalid token" do
+    # SECURITY: Verify invalid tokens are rejected
+    
+    invalid_token = "invalid.jwt.token"
+    new_password = "attemptedpassword"
+    
+    # EXECUTE WITH INVALID TOKEN: Try to reset with invalid token
+    put <%= reset_path_helper %>, params: {
+      token: invalid_token,
+      password: new_password,
+      password_confirmation: new_password
+    }
+    
+    # VERIFY REJECTION: Should return unauthorized
+    assert_response :unauthorized, "Invalid token should be rejected"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/invalid.*expired.*token/i, response_json['error'], "Should indicate token error")
+    
+    # VERIFY NO CHANGE: Password should remain unchanged
+    @user.reload
+    assert @user.authenticate("originalpassword123"), "Password should remain unchanged"
+  end
+
+  test "should reject password reset with expired token" do
+    # SECURITY: Verify expired tokens are rejected
+    
+    # CREATE EXPIRED TOKEN: Generate token that's already expired
+    expired_payload = {
+      user_id: @user.id,
+      email_address: @user.email_address,
+      type: 'password_reset',
+      iat: Time.now.to_i,
+      exp: 1.second.ago.to_i,  # Already expired
+      password_hash: @user.password_digest[0..10]
+    }
+    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    
+    # EXECUTE WITH EXPIRED TOKEN: Try to reset with expired token
+    put <%= reset_path_helper %>, params: {
+      token: expired_token,
+      password: "newpassword",
+      password_confirmation: "newpassword"
+    }
+    
+    # VERIFY EXPIRATION: Should return unauthorized
+    assert_response :unauthorized, "Expired token should be rejected"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/invalid.*expired.*token/i, response_json['error'], "Should indicate token expiration")
+  end
+
+  test "should validate password confirmation matches" do
+    # VALIDATION: Verify password confirmation is enforced
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # EXECUTE WITH MISMATCHED PASSWORDS: Password and confirmation don't match
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: "newpassword123",
+      password_confirmation: "differentpassword456"
+    }
+    
+    # VERIFY VALIDATION: Should return validation error
+    assert_response :unprocessable_entity, "Mismatched passwords should be rejected"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/password.*confirmation.*match/i, response_json['error'], "Should indicate password mismatch")
+    
+    # VERIFY NO CHANGE: Password should remain unchanged
+    @user.reload
+    assert @user.authenticate("originalpassword123"), "Password should remain unchanged"
+  end
+
+  test "should enforce password requirements during reset" do
+    # VALIDATION: Verify password requirements are enforced
+    
+    reset_token = @user.generate_password_reset_token
+    weak_password = "123"  # Too short
+    
+    # EXECUTE WITH WEAK PASSWORD: Try to set weak password
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: weak_password,
+      password_confirmation: weak_password
+    }
+    
+    # VERIFY VALIDATION: Should return validation error
+    assert_response :unprocessable_entity, "Weak password should be rejected"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/password.*too short/i, response_json['error'], "Should indicate password strength issue")
+    
+    # VERIFY NO CHANGE: Password should remain unchanged
+    @user.reload
+    assert @user.authenticate("originalpassword123"), "Password should remain unchanged"
+  end
+
+  test "should require all parameters for password reset confirmation" do
+    # VALIDATION: Verify all required parameters are present
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # TEST MISSING TOKEN
+    put <%= reset_path_helper %>, params: {
+      password: "newpassword123",
+      password_confirmation: "newpassword123"
+    }
+    
+    assert_response :unprocessable_entity, "Missing token should be rejected"
+    
+    # TEST MISSING PASSWORD
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password_confirmation: "newpassword123"
+    }
+    
+    assert_response :unprocessable_entity, "Missing password should be rejected"
+    
+    # TEST MISSING CONFIRMATION
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: "newpassword123"
+    }
+    
+    assert_response :unprocessable_entity, "Missing password confirmation should be rejected"
+  end
+
+  test "should clear failed login attempts on successful password reset" do
+    # INTEGRATION: Verify password reset clears lockable state
+    
+    # SETUP: Build up failed login attempts
+    @user.update!(failed_login_attempts: 8)
+    assert_equal 8, @user.failed_login_attempts, "Should have failed attempts"
+    
+    # EXECUTE RESET: Reset password successfully
+    reset_token = @user.generate_password_reset_token
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: "newpassword123",
+      password_confirmation: "newpassword123"
+    }
+    
+    # VERIFY SUCCESS: Should reset password
+    assert_response :ok, "Password reset should succeed"
+    
+    # VERIFY FAILED ATTEMPTS CLEARED: Should clear lockable state
+    @user.reload
+    assert_equal 0, @user.failed_login_attempts, "Failed attempts should be cleared"
+  end
+
+  test "should not affect locked account status during password reset" do
+    # INTEGRATION: Verify password reset doesn't unlock account automatically
+    
+    # SETUP: Lock the account
+    @user.lock_account!
+    assert @user.locked?, "Account should be locked"
+    
+    # EXECUTE RESET: Reset password while locked
+    reset_token = @user.generate_password_reset_token
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: "newpassword123",
+      password_confirmation: "newpassword123"
+    }
+    
+    # VERIFY PASSWORD RESET: Should succeed
+    assert_response :ok, "Password reset should succeed even for locked account"
+    
+    # VERIFY LOCK STATUS: Account should remain locked (require explicit unlock)
+    @user.reload
+    assert @user.locked?, "Account should remain locked after password reset"
+    assert @user.authenticate("newpassword123"), "Should authenticate with new password"
+  end
+
+  # GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset/verify - Token Verification Tests
+  test "should verify valid password reset token" do
+    # BEHAVIOR: Verify token verification endpoint works
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # EXECUTE VERIFICATION: Verify token is valid
+    get <%= reset_path_helper %>, params: { token: reset_token }
+    
+    # VERIFY API RESPONSE: Should confirm token validity
+    assert_response :ok, "Valid token should pass verification"
+    
+    response_json = JSON.parse(response.body)
+    assert response_json['valid'], "Should indicate token is valid"
+    assert response_json.key?('user'), "Should return user data for valid token"
+    assert_equal @user.email_address, response_json['user']['email_address'], "Should return correct user"
+    assert_not response_json['user'].key?('password_digest'), "Should not expose password"
+  end
+
+  test "should reject invalid token during verification" do
+    # SECURITY: Verify invalid tokens are rejected during verification
+    
+    invalid_token = "invalid.jwt.token"
+    
+    # EXECUTE VERIFICATION: Verify invalid token
+    get <%= reset_path_helper %>, params: { token: invalid_token }
+    
+    # VERIFY REJECTION: Should indicate token is invalid
+    assert_response :unauthorized, "Invalid token should be rejected"
+    
+    response_json = JSON.parse(response.body)
+    assert_not response_json['valid'], "Should indicate token is invalid"
+    assert_match(/invalid.*expired.*token/i, response_json['error'], "Should indicate token error")
+  end
+
+  test "should reject expired token during verification" do
+    # SECURITY: Verify expired tokens are rejected during verification
+    
+    expired_payload = {
+      user_id: @user.id,
+      email_address: @user.email_address,
+      type: 'password_reset',
+      iat: Time.now.to_i,
+      exp: 1.second.ago.to_i,  # Already expired
+      password_hash: @user.password_digest[0..10]
+    }
+    expired_token = JWT.encode(expired_payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    
+    # EXECUTE VERIFICATION: Verify expired token
+    get <%= reset_path_helper %>, params: { token: expired_token }
+    
+    # VERIFY EXPIRATION: Should indicate token is expired
+    assert_response :unauthorized, "Expired token should be rejected"
+    
+    response_json = JSON.parse(response.body)
+    assert_not response_json['valid'], "Should indicate token is invalid"
+  end
+
+  test "should require token parameter for verification" do
+    # VALIDATION: Verify token parameter is required for verification
+    
+    get <%= reset_path_helper %>, params: {}
+    
+    # VERIFY PARAMETER VALIDATION: Should return parameter error
+    assert_response :unprocessable_entity, "Missing token should return validation error"
+    
+    response_json = JSON.parse(response.body)
+    assert_match(/token.*required/i, response_json['error'], "Should indicate token is required")
+  end
+
+  # Full Workflow Integration Tests
+  test "should complete full password reset workflow" do
+    # INTEGRATION: Test complete password reset workflow from start to finish
+    
+    # STEP 1: REQUEST RESET - Send password reset request
+    post <%= reset_path_helper %>, params: { email_address: @user.email_address }
+    assert_response :ok, "Reset request should succeed"
+    
+    # STEP 2: VERIFY TOKEN - Check that we can verify tokens (simulate email link click)
+    reset_token = @user.generate_password_reset_token  # Simulate token from email
+    get <%= reset_path_helper %>, params: { token: reset_token }
+    assert_response :ok, "Token verification should succeed"
+    
+    verification_json = JSON.parse(response.body)
+    assert verification_json['valid'], "Token should be valid"
+    
+    # STEP 3: RESET PASSWORD - Complete password reset
+    new_password = "completeworkflow123"
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: new_password,
+      password_confirmation: new_password
+    }
+    assert_response :ok, "Password reset should succeed"
+    
+    # STEP 4: VERIFY NEW PASSWORD - Test login with new password
+    post <%= login_path_helper %>, params: {
+      user: { email_address: @user.email_address, password: new_password }
+    }
+    assert_response :ok, "Should login with new password"
+    
+    login_json = JSON.parse(response.body)
+    assert login_json['token'].present?, "Should receive JWT token"
+    
+    # STEP 5: VERIFY OLD PASSWORD INVALID - Test old password doesn't work
+    post <%= login_path_helper %>, params: {
+      user: { email_address: @user.email_address, password: "originalpassword123" }
+    }
+    assert_response :unauthorized, "Should not login with old password"
+  end
+
+  test "should prevent token reuse after successful password reset" do
+    # SECURITY: Verify tokens can't be reused after successful reset
+    
+    reset_token = @user.generate_password_reset_token
+    
+    # FIRST RESET: Use token successfully
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: "firstnewpassword123",
+      password_confirmation: "firstnewpassword123"
+    }
+    assert_response :ok, "First password reset should succeed"
+    
+    # ATTEMPTED REUSE: Try to use same token again
+    put <%= reset_path_helper %>, params: {
+      token: reset_token,
+      password: "secondnewpassword456",
+      password_confirmation: "secondnewpassword456"
+    }
+    
+    # VERIFY PREVENTION: Second attempt should fail
+    assert_response :unauthorized, "Token reuse should be prevented"
+    
+    # VERIFY PASSWORD UNCHANGED: Password should remain as first reset
+    @user.reload
+    assert @user.authenticate("firstnewpassword123"), "Password should remain from first reset"
+    assert_not @user.authenticate("secondnewpassword456"), "Second password should not be set"
+  end
+
+  test "should handle concurrent password reset attempts safely" do
+    # CONCURRENCY: Verify system handles concurrent reset attempts
+    
+    # GENERATE MULTIPLE TOKENS: Simulate multiple reset requests
+    token1 = @user.generate_password_reset_token
+    sleep(0.1)  # Small delay to ensure different timestamps
+    token2 = @user.generate_password_reset_token
+    
+    # VERIFY BOTH VALID: Both tokens should be valid initially
+    assert @user.valid_password_reset_token?(token1), "First token should be valid"
+    assert @user.valid_password_reset_token?(token2), "Second token should be valid"
+    
+    # USE FIRST TOKEN: Reset password with first token
+    put <%= reset_path_helper %>, params: {
+      token: token1,
+      password: "concurrentpassword1",
+      password_confirmation: "concurrentpassword1"
+    }
+    assert_response :ok, "First reset should succeed"
+    
+    # TRY SECOND TOKEN: Attempt reset with second token (should fail due to password change)
+    put <%= reset_path_helper %>, params: {
+      token: token2,
+      password: "concurrentpassword2",
+      password_confirmation: "concurrentpassword2"
+    }
+    
+    # VERIFY CONCURRENCY HANDLING: Second token should be invalid due to password change
+    assert_response :unauthorized, "Second token should be invalid after password change"
+    
+    # VERIFY FINAL STATE: Password should be from first successful reset
+    @user.reload
+    assert @user.authenticate("concurrentpassword1"), "Password should be from first reset"
+  end
+end