propel_authentication 0.1.1

data/lib/generators/propel_auth/templates/test/controllers/auth/tokens_controller_test.rb.tt

@@ -0,0 +1,265 @@
+require 'test_helper'
+
+class TokensControllerTest < ActionDispatch::IntegrationTest
+  # BEHAVIOR-DRIVEN TESTING: NO MOCKS - Test Real Functionality
+  # These tests verify actual JWT authentication works with real database operations
+  # and HTTP requests to provide 100% confidence in production functionality
+  
+  setup do
+    # Create real test data in the database - NO MOCKS
+    @organization = Organization.create!(
+      name: "Marvel",
+      website: "https://marvel.com"
+    )
+    @rival_organization = Organization.create!(
+      name: "DC Comics",
+      website: "https://dccomics.com"
+    )
+    
+    @valid_user = User.create!(
+      email_address: "valid@example.com",
+      username: "validuser",
+      password: "securepassword123",
+      password_confirmation: "securepassword123",
+      organization: @organization,
+      first_name: "Valid",
+      last_name: "User"
+    )
+    
+    @other_user = User.create!(
+      email_address: "other@example.com",
+      username: "otheruser",
+      password: "securepassword123",
+      password_confirmation: "securepassword123",
+      organization: @rival_organization,
+      first_name: "Other",
+      last_name: "User"
+    )
+    
+    @inactive_user = User.create!(
+      email_address: "inactive@example.com",
+      username: "inactiveuser",
+      password: "password123",
+      password_confirmation: "password123",
+      organization: @organization,
+      first_name: "Inactive",
+      last_name: "User",
+      status: 1
+    )
+  end
+
+  test "POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/login with valid credentials returns JWT token and user data" do
+    # BEHAVIOR TEST: Verify login for a user in a different organization to ensure multi-tenancy.
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: @other_user.email_address,
+        password: "securepassword123"
+      }
+    }
+    
+    # VERIFY RESPONSE STRUCTURE: Basic validation
+    assert_response :ok, "Login should return OK status"
+    response_json = JSON.parse(response.body)
+    assert response_json.key?("token"), "Response should contain JWT token"
+    assert response_json.key?("user"), "Response should contain user data"
+    
+    # VERIFY USER DATA ACCURACY: Check that the correct user and organization are returned.
+    user_data = response_json["user"]
+    assert_equal @other_user.id, user_data["id"], "Should return correct user ID"
+    assert_equal @other_user.email_address, user_data["email_address"], "Should return correct user email_address"
+    assert_equal @rival_organization.id, user_data["organization_id"], "Should return correct organization ID for the rival organization"
+    
+    # VERIFY DATA ISOLATION: Ensure data from the other user/org is not returned.
+    assert_not_equal @valid_user.id, user_data["id"], "Should not return data for the wrong user"
+    assert_not_equal @organization.id, user_data["organization_id"], "Should not return data for the wrong organization"
+  end
+
+  test "POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/login with invalid credentials returns proper error" do
+    # BEHAVIOR TEST: Verify authentication rejection with real database validation
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: @valid_user.email_address,
+        password: "wrongpassword"
+      }
+    }
+    
+    # VERIFY ERROR RESPONSE: Check proper error handling
+    assert_response :unauthorized, "Invalid credentials should return unauthorized status"
+    response_json = JSON.parse(response.body)
+    assert response_json.key?("error"), "Error response should contain error message"
+    assert_equal "Invalid credentials", response_json["error"], "Should return proper error message"
+    assert_nil response_json["token"], "Should not return token on authentication failure"
+    assert_nil response_json["user"], "Should not return user data on authentication failure"
+  end
+
+  test "POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/login with nonexistent user returns proper error" do
+    # BEHAVIOR TEST: Verify handling of nonexistent users
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: "nonexistent@example.com",
+        password: "somepassword"
+      }
+    }
+    
+    # VERIFY ERROR RESPONSE: Check user not found handling
+    assert_response :unauthorized, "Nonexistent user should return unauthorized status"
+    response_json = JSON.parse(response.body)
+    assert_equal "Invalid credentials", response_json["error"], "Should return generic error message for security"
+  end
+
+  test "POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/login with inactive user returns proper error" do
+    # BEHAVIOR TEST: Verify inactive user access is properly denied
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: @inactive_user.email_address,
+        password: "password123"
+      }
+    }
+    
+    # VERIFY INACTIVE USER HANDLING: Check business logic enforcement
+    assert_response :unauthorized, "Inactive user should be denied access"
+    response_json = JSON.parse(response.body)
+    assert_equal "Account is inactive", response_json["error"], "Should return appropriate error for inactive account"
+  end
+
+  test "GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/me with valid JWT token returns current user" do
+    # BEHAVIOR TEST: Verify JWT authentication for a user from a different organization.
+    # First get a valid token by logging in as the user from the rival organization.
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: @other_user.email_address,
+        password: "securepassword123"
+      }
+    }
+    
+    token = JSON.parse(response.body)["token"]
+    
+    # Now test the protected endpoint with the real token.
+    get <%= me_path_helper %>, headers: {
+      'Authorization' => "Bearer #{token}"
+    }
+    
+    # VERIFY AUTHENTICATED RESPONSE: Check that the correct user data is returned.
+    assert_response :ok, "Valid token should allow access to protected endpoint"
+    response_json = JSON.parse(response.body)
+    user_data = response_json["user"]
+    
+    # VERIFY USER DATA ACCURACY: Check that the data belongs to the authenticated user.
+    assert_equal @other_user.id, user_data["id"], "Should return correct authenticated user ID"
+    assert_equal @other_user.email_address, user_data["email_address"], "Should return correct authenticated user email_address"
+    assert_equal @rival_organization.id, user_data["organization_id"], "Should return correct organization relationship"
+  end
+
+  test "GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/me with invalid JWT token returns error" do
+    # BEHAVIOR TEST: Verify JWT validation rejects invalid tokens
+    get <%= me_path_helper %>, headers: {
+      'Authorization' => "Bearer invalid.jwt.token"
+    }
+    
+    # VERIFY SECURITY VALIDATION: Check token validation properly rejects invalid tokens
+    assert_response :unauthorized, "Invalid token should be rejected"
+    response_json = JSON.parse(response.body)
+    assert_equal "Invalid token", response_json["error"], "Should return proper error message"
+  end
+
+  test "GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/me with expired JWT token returns error" do
+    # BEHAVIOR TEST: Verify expired tokens are properly rejected
+    # Create an expired token for testing
+    expired_payload = {
+      user_id: @valid_user.id,
+      exp: 1.hour.ago.to_i  # Token expired 1 hour ago
+    }
+    expired_token = JWT.encode(expired_payload, Rails.application.credentials.secret_key_base, 'HS256')
+    
+    get <%= me_path_helper %>, headers: {
+      'Authorization' => "Bearer #{expired_token}"
+    }
+    
+    # VERIFY EXPIRATION HANDLING: Check expired tokens are rejected
+    assert_response :unauthorized, "Expired token should be rejected"
+    response_json = JSON.parse(response.body)
+    assert_equal "Token expired", response_json["error"], "Should return proper expiration error"
+  end
+
+  test "GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/me without authorization header returns error" do
+    # BEHAVIOR TEST: Verify endpoint protection when no token provided
+    get <%= me_path_helper %>
+    
+    # VERIFY AUTHORIZATION REQUIREMENT: Check endpoint requires authentication
+    assert_response :unauthorized, "Missing authorization should be rejected"
+    response_json = JSON.parse(response.body)
+    assert_equal "No token provided", response_json["error"], "Should return proper missing token error"
+  end
+
+  test "DELETE <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/logout clears authentication state" do
+    # BEHAVIOR TEST: Verify logout functionality
+    # First login to get a token
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: @valid_user.email_address,
+        password: "securepassword123"
+      }
+    }
+    
+    token = JSON.parse(response.body)["token"]
+    
+    # Now logout with the token
+    delete <%= logout_path_helper %>, headers: {
+      'Authorization' => "Bearer #{token}"
+    }
+    
+    # VERIFY LOGOUT RESPONSE: Check logout confirmation
+    assert_response :ok, "Logout should return success status"
+    response_json = JSON.parse(response.body)
+    assert_equal "Logged out successfully", response_json["message"], "Should return logout confirmation"
+  end
+
+  test "POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/login validates required parameters" do
+    # BEHAVIOR TEST: Verify parameter validation
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: @valid_user.email_address
+        # Missing password parameter
+      }
+    }
+    
+    # VERIFY PARAMETER VALIDATION: Check required field enforcement
+    assert_response :unprocessable_entity, "Missing required parameters should return unprocessable_entity"
+    response_json = JSON.parse(response.body)
+    assert response_json["error"].present?, "Should return validation error message"
+  end
+
+  test "JWT token contains proper user context for multi-tenant application" do
+    # BEHAVIOR TEST: Verify JWT for a different organization contains correct context.
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: @other_user.email_address,
+        password: "securepassword123"
+      }
+    }
+    
+    token = JSON.parse(response.body)["token"]
+    decoded_token = JWT.decode(token, Rails.application.credentials.secret_key_base, true, { algorithm: 'HS256' })
+    payload = decoded_token[0]
+    
+    # VERIFY MULTI-TENANT CONTEXT: Check that the correct organization context is in the token.
+    assert_equal @rival_organization.id, payload['organization_id'], "Token should contain the correct rival organization context"
+    assert_equal @other_user.id, payload['user_id'], "Token should contain the correct user ID"
+    assert payload['exp'].present?, "Token should have expiration"
+    assert payload['iat'].present?, "Token should have issued at time"
+  end
+
+  private
+
+  # Helper method to create authenticated request headers for testing
+  def authenticated_headers_for(user)
+    post <%= login_path_helper %>, params: {
+      user: {
+        email_address: user.email_address,
+        password: 'securepassword123'
+      }
+    }
+    token = JSON.parse(response.body)['token']
+    { 'Authorization' => "Bearer #{token}" }
+  end
+end 

data/lib/generators/propel_auth/templates/test/mailers/auth_mailer_test.rb.tt

@@ -0,0 +1,216 @@
+require 'test_helper'
+
+class AuthMailerTest < ActionMailer::TestCase
+  def setup
+    @organization = Organization.create!(name: "Test Organization")
+    @user = User.create!(
+      email_address: "auth-mailer-test@example.com",
+      username: "authmailertestuser",
+      password: "password123",
+      organization: @organization,
+      first_name: "Auth",
+      last_name: "Tester"
+    )
+  end
+
+  def teardown
+    User.destroy_all
+    Organization.destroy_all
+  end
+
+  # BEHAVIOR: Test password reset email generation and content
+  test "password reset email should contain proper content and structure" do
+    # SETUP: Generate reset token
+    reset_token = @user.generate_password_reset_token
+    reset_url = "http://localhost:3000/reset-password?token=#{reset_token}"
+    
+    # EXECUTE: Generate password reset email
+    email = AuthMailer.with(
+      user: @user,
+      token: reset_token,
+      reset_url: reset_url
+    ).password_reset
+    
+    # VERIFY STRUCTURE: Basic email structure validation
+    assert_emails 1 do
+      email.deliver_now
+    end
+    
+    # VERIFY FUNCTIONALITY: Email content and behavior
+    assert_equal [@user.email_address], email.to, "Email should be sent to user's email address"
+    assert_equal ["noreply@#{Rails.application.class.module_parent.name.downcase}.com"], email.from, "Email should have proper from address"
+    assert_match(/Reset your password/i, email.subject, "Subject should contain password reset text")
+    
+    # VERIFY BUSINESS LOGIC: Email body content validation
+    email_body = email.body.to_s
+    assert_match(@user.first_name, email_body, "Email should contain user's first name for personalization")
+    assert_match(@user.email_address, email_body, "Email should display user's email address for verification")
+    assert_match(reset_url, email_body, "Email should contain the reset URL with token")
+    assert_match(/15 minutes/i, email_body, "Email should specify token expiration time")
+    assert_match(/security/i, email_body, "Email should contain security messaging")
+    
+    # VERIFY EDGE CASES: Token format validation
+    assert_match(/^[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+$/, reset_token, "Reset token should be valid JWT format")
+  end
+
+  # BEHAVIOR: Test account unlock email generation and content
+  test "account unlock email should contain proper content and security messaging" do
+    # SETUP: Lock user account and generate unlock token
+    @user.lock_account!
+    unlock_token = @user.generate_unlock_token
+    unlock_url = "http://localhost:3000/unlock-account?token=#{unlock_token}"
+    
+    # VERIFY PRECONDITION: User should be locked
+    assert @user.locked?, "User should be locked before sending unlock email"
+    
+    # EXECUTE: Generate account unlock email
+    email = AuthMailer.with(
+      user: @user,
+      token: unlock_token,
+      unlock_url: unlock_url
+    ).account_unlock
+    
+    # VERIFY STRUCTURE: Basic email structure validation
+    assert_emails 1 do
+      email.deliver_now
+    end
+    
+    # VERIFY FUNCTIONALITY: Email content and behavior
+    assert_equal [@user.email_address], email.to, "Email should be sent to user's email address"
+    assert_match(/Account locked/i, email.subject, "Subject should indicate account lock status")
+    
+    # VERIFY BUSINESS LOGIC: Email body content validation
+    email_body = email.body.to_s
+    assert_match(@user.first_name, email_body, "Email should contain user's first name")
+    assert_match(/multiple failed login attempts/i, email_body, "Email should explain why account was locked")
+    assert_match(unlock_url, email_body, "Email should contain unlock URL with token")
+    assert_match(/1 hour/i, email_body, "Email should specify unlock token expiration")
+    assert_match(/security/i, email_body, "Email should contain security messaging")
+    assert_match(/contact support/i, email_body, "Email should provide support contact information")
+    
+    # VERIFY EDGE CASES: Token format validation
+    assert_match(/^[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+$/, unlock_token, "Unlock token should be valid JWT format")
+  end
+
+  # BEHAVIOR: Test user invitation email generation and content
+  test "user invitation email should contain proper invitation content and onboarding" do
+    # SETUP: Create invitation
+    inviter = User.create!(
+      email_address: "inviter@example.com",
+      username: "inviter",
+      password: "password123",
+      organization: @organization,
+      first_name: "Inviter",
+      last_name: "User"
+    )
+    
+    invitation = Invitation.create!(
+      email_address: "invited@example.com",
+      first_name: "Invited",
+      last_name: "User",
+      organization: @organization,
+      inviter: inviter
+    )
+    
+    invitation_token = invitation.generate_invitation_token
+    invitation_url = "http://localhost:3000/accept-invitation?token=#{invitation_token}"
+    
+    # EXECUTE: Generate invitation email
+    email = AuthMailer.with(
+      invitation: invitation,
+      inviter: inviter,
+      token: invitation_token,
+      invitation_url: invitation_url
+    ).user_invitation
+    
+    # VERIFY STRUCTURE: Basic email structure validation
+    assert_emails 1 do
+      email.deliver_now
+    end
+    
+    # VERIFY FUNCTIONALITY: Email content and behavior
+    assert_equal [invitation.email_address], email.to, "Email should be sent to invitation email address"
+    assert_match(/invited/i, email.subject, "Subject should indicate invitation")
+    assert_match(@organization.name, email.subject, "Subject should contain organization name")
+    
+    # VERIFY BUSINESS LOGIC: Email body content validation
+    email_body = email.body.to_s
+    assert_match(invitation.first_name, email_body, "Email should contain invitee's first name")
+    assert_match(inviter.first_name, email_body, "Email should contain inviter's name")
+    assert_match(@organization.name, email_body, "Email should contain organization name")
+    assert_match(invitation_url, email_body, "Email should contain invitation acceptance URL")
+    assert_match(/7 days/i, email_body, "Email should specify invitation expiration")
+    assert_match(/getting started/i, email_body, "Email should contain onboarding information")
+    
+    # VERIFY EDGE CASES: Token format validation
+    assert_match(/^[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+$/, invitation_token, "Invitation token should be valid JWT format")
+  end
+
+  # BEHAVIOR: Test email delivery failure handling
+  test "should handle email delivery failures gracefully" do
+    # SETUP: Create user with invalid email to simulate delivery failure
+    user_with_invalid_email = User.create!(
+      email_address: "invalid-email-that-will-bounce@nonexistent-domain-12345.invalid",
+      username: "invalidemailuser",
+      password: "password123",
+      organization: @organization,
+      first_name: "Invalid",
+      last_name: "Email"
+    )
+    
+    reset_token = user_with_invalid_email.generate_password_reset_token
+    
+    # EXECUTE: Attempt to send email to invalid address
+    email = AuthMailer.with(
+      user: user_with_invalid_email,
+      token: reset_token,
+      reset_url: "http://localhost:3000/reset?token=#{reset_token}"
+    ).password_reset
+    
+    # VERIFY FUNCTIONALITY: Email should be generated even with invalid address
+    assert_not_nil email, "Email should be generated even with invalid email address"
+    assert_equal [user_with_invalid_email.email_address], email.to, "Email should contain the provided address"
+    
+    # VERIFY BUSINESS LOGIC: System should not crash on delivery attempts
+    assert_nothing_raised "Email delivery should not raise exceptions in test environment" do
+      email.deliver_now
+    end
+  end
+
+  # BEHAVIOR: Test email template rendering with missing data
+  test "should handle missing user data gracefully in email templates" do
+    # SETUP: Create user with minimal data
+    minimal_user = User.create!(
+      email_address: "minimal@example.com",
+      username: "minimaluser",
+      password: "password123",
+      organization: @organization
+      # No first_name, last_name provided
+    )
+    
+    reset_token = minimal_user.generate_password_reset_token
+    
+    # EXECUTE: Generate email for user with minimal data
+    email = AuthMailer.with(
+      user: minimal_user,
+      token: reset_token,
+      reset_url: "http://localhost:3000/reset?token=#{reset_token}"
+    ).password_reset
+    
+    # VERIFY FUNCTIONALITY: Email should be generated successfully
+    assert_not_nil email, "Email should be generated for user with minimal data"
+    
+    # VERIFY BUSINESS LOGIC: Email should handle missing first name gracefully
+    email_body = email.body.to_s
+    assert_match(/Hello/i, email_body, "Email should have fallback greeting")
+    assert_match(minimal_user.email_address, email_body, "Email should display email address when name unavailable")
+  end
+
+  private
+
+  # Helper method to extract token from email body
+  def extract_token_from_email_body(email_body)
+    match = email_body.match(/token=([A-Za-z0-9\-_\.]+)/)
+    match ? match[1] : nil
+  end
+end 

data/lib/generators/propel_auth/templates/test/mailers/previews/auth_mailer_preview.rb

@@ -0,0 +1,161 @@
+# Preview all authentication emails
+# Visit http://localhost:3000/rails/mailers/auth_mailer to see email previews
+class AuthMailerPreview < ActionMailer::Preview
+  
+  # Preview email confirmation
+  # http://localhost:3000/rails/mailers/auth_mailer/email_confirmation
+  def email_confirmation
+    user = sample_user
+    user.confirmation_token = SecureRandom.hex(32)
+    user.confirmation_sent_at = Time.current
+    
+    AuthMailer.email_confirmation(user)
+  end
+  
+  # Preview password reset email
+  # http://localhost:3000/rails/mailers/auth_mailer/password_reset
+  def password_reset
+    user = sample_user
+    token = JWT.encode(
+      {
+        user_id: user.id,
+        email_address: user.email_address,
+        type: 'password_reset',
+        exp: 15.minutes.from_now.to_i
+      },
+      Rails.application.secret_key_base
+    )
+    
+    AuthMailer.with(
+      user: user,
+      token: token,
+      reset_url: "http://localhost:3000/auth/reset?token=#{token}"
+    ).password_reset
+  end
+  
+  # Preview account unlock email
+  # http://localhost:3000/rails/mailers/auth_mailer/account_unlock
+  def account_unlock
+    user = sample_user
+    user.locked_at = Time.current
+    user.failed_login_attempts = 5
+    
+    token = JWT.encode(
+      {
+        user_id: user.id,
+        email_address: user.email_address,
+        type: 'account_unlock',
+        exp: 1.hour.from_now.to_i
+      },
+      Rails.application.secret_key_base
+    )
+    
+    AuthMailer.with(
+      user: user,
+      token: token,
+      unlock_url: "http://localhost:3000/auth/unlock?token=#{token}"
+    ).account_unlock
+  end
+  
+  # Preview user invitation email
+  # http://localhost:3000/rails/mailers/auth_mailer/user_invitation
+  def user_invitation
+    invitation = sample_invitation
+    inviter = sample_user
+    
+    token = JWT.encode(
+      {
+        invitation_id: invitation.id,
+        email_address: invitation.email_address,
+        type: 'invitation',
+        exp: 7.days.from_now.to_i
+      },
+      Rails.application.secret_key_base
+    )
+    
+    AuthMailer.with(
+      invitation: invitation,
+      inviter: inviter,
+      token: token,
+      invitation_url: "http://localhost:3000/auth/invitation?token=#{token}"
+    ).user_invitation
+  end
+  
+  # Preview welcome email
+  # http://localhost:3000/rails/mailers/auth_mailer/welcome
+  def welcome
+    user = sample_user
+    user.confirmed_at = Time.current
+    
+    AuthMailer.with(user: user).welcome
+  end
+  
+  # Preview email change confirmation
+  # http://localhost:3000/rails/mailers/auth_mailer/email_change_confirmation
+  def email_change_confirmation
+    user = sample_user
+    new_email = 'newemail@example.com'
+    
+    token = JWT.encode(
+      {
+        user_id: user.id,
+        email_address: new_email,
+        type: 'email_change',
+        exp: 24.hours.from_now.to_i
+      },
+      Rails.application.secret_key_base
+    )
+    
+    AuthMailer.with(
+      user: user,
+      new_email_address: new_email,
+      token: token,
+      confirmation_url: "http://localhost:3000/auth/confirm-email?token=#{token}"
+    ).email_change_confirmation
+  end
+  
+  private
+  
+  def sample_user
+    # Create a sample user for preview purposes
+    organization = sample_organization
+    
+    User.new(
+      id: 1,
+      email_address: 'john.doe@example.com',
+      username: 'johndoe',
+      first_name: 'John',
+      last_name: 'Doe',
+      phone_number: '+1-555-123-4567',
+      organization: organization,
+      created_at: Time.current,
+      updated_at: Time.current
+    )
+  end
+  
+  def sample_organization
+    # Create a sample organization for preview purposes
+    Organization.new(
+      id: 1,
+      name: 'Acme Corporation',
+      domain: 'acme.com',
+      created_at: Time.current,
+      updated_at: Time.current
+    )
+  end
+  
+  def sample_invitation
+    # Create a sample invitation for preview purposes
+    organization = sample_organization
+    
+    Invitation.new(
+      id: 1,
+      email_address: 'newuser@example.com',
+      organization: organization,
+      role: 'user',
+      status: 'pending',
+      created_at: Time.current,
+      updated_at: Time.current
+    )
+  end
+end