prx_auth-rails 4.0.0 → 4.2.0

data/test/dummy/config/environments/production.rb

@@ -13,7 +13,7 @@ Rails.application.configure do
   config.eager_load = true
 
   # Full error reports are disabled and caching is turned on.
-  config.consider_all_requests_local       = false
+  config.consider_all_requests_local = false
   config.action_controller.perform_caching = true
 
   # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
@@ -22,7 +22,7 @@ Rails.application.configure do
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
-  config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
+  config.public_file_server.enabled = ENV["RAILS_SERVE_STATIC_FILES"].present?
 
   # Compress CSS using a preprocessor.
   # config.assets.css_compressor = :sass
@@ -53,7 +53,7 @@ Rails.application.configure do
   config.log_level = :info
 
   # Prepend all log lines with the following tags.
-  config.log_tags = [ :request_id ]
+  config.log_tags = [:request_id]
 
   # Use a different cache store in production.
   # config.cache_store = :mem_cache_store
@@ -89,9 +89,9 @@ Rails.application.configure do
   # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
 
   if ENV["RAILS_LOG_TO_STDOUT"].present?
-    logger           = ActiveSupport::Logger.new(STDOUT)
+    logger = ActiveSupport::Logger.new($stdout)
     logger.formatter = config.log_formatter
-    config.logger    = ActiveSupport::TaggedLogging.new(logger)
+    config.logger = ActiveSupport::TaggedLogging.new(logger)
   end
 
   # Do not dump schema after migrations.

data/test/dummy/config/environments/test.rb

@@ -19,11 +19,11 @@ Rails.application.configure do
   # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
   config.public_file_server.headers = {
-    'Cache-Control' => "public, max-age=#{1.hour.to_i}"
+    "Cache-Control" => "public, max-age=#{1.hour.to_i}"
   }
 
   # Show full error reports and disable caching.
-  config.consider_all_requests_local       = true
+  config.consider_all_requests_local = true
   config.action_controller.perform_caching = false
   config.cache_store = :null_store
 

data/test/dummy/config/initializers/assets.rb

@@ -1,7 +1,7 @@
 # Be sure to restart your server when you modify this file.
 
 # Version of your assets, change this if you want to expire all your assets.
-Rails.application.config.assets.version = '1.0'
+Rails.application.config.assets.version = "1.0"
 
 # Add additional assets to the asset load path.
 # Rails.application.config.assets.paths << Emoji.images_path

data/test/dummy/config/initializers/prx_auth.rb

@@ -1,8 +1,8 @@
- require 'prx_auth/rails'
+require "prx_auth/rails"
 
- PrxAuth::Rails.configure do |config|
-   config.install_middleware = true
-   config.namespace = :test_app
-   config.prx_client_id = '1234'
-   config.id_host = 'id.prx.test'
- end
+PrxAuth::Rails.configure do |config|
+  config.install_middleware = true
+  config.namespace = :test_app
+  config.prx_client_id = "1234"
+  config.id_host = "id.prx.test"
+end

data/test/dummy/config/routes.rb

@@ -1,5 +1,5 @@
 Rails.application.routes.draw do
-  get 'index', to: 'application#index'
-  put 'index', to: 'application#index'
+  get "index", to: "application#index"
+  put "index", to: "application#index"
   mount PrxAuth::Rails::Engine => "/prx_auth-rails"
 end

data/test/prx_auth/rails/configuration_test.rb

@@ -1,35 +1,37 @@
-require 'test_helper'
+require "test_helper"
 
 describe PrxAuth::Rails::Configuration do
-
   subject { PrxAuth::Rails::Configuration.new }
 
-  it 'initializes with defaults' do
+  it "initializes with defaults" do
     assert subject.install_middleware
     assert_nil subject.prx_client_id
-    assert_equal 'id.prx.org', subject.id_host
-    assert_equal 'api/v1/certs', subject.cert_path
+    assert_nil subject.prx_scope
+    assert_equal "id.prx.org", subject.id_host
+    assert_equal "api/v1/certs", subject.cert_path
   end
 
-  it 'infers the default namespace from the rails app name' do
+  it "infers the default namespace from the rails app name" do
     assert_equal :dummy, subject.namespace
   end
 
-  it 'is updated by the prxauth configure block' do
+  it "is updated by the prxauth configure block" do
     PrxAuth::Rails.stub(:configuration, subject) do
       PrxAuth::Rails.configure do |config|
         config.install_middleware = false
-        config.prx_client_id = 'some-id'
-        config.id_host = 'id.prx.blah'
-        config.cert_path = 'cert/path'
+        config.prx_client_id = "some-id"
+        config.prx_scope = "appname:*"
+        config.id_host = "id.prx.blah"
+        config.cert_path = "cert/path"
         config.namespace = :new_test
       end
     end
 
     refute subject.install_middleware
-    assert_equal 'some-id', subject.prx_client_id
-    assert_equal 'id.prx.blah', subject.id_host
-    assert_equal 'cert/path', subject.cert_path
+    assert_equal "some-id", subject.prx_client_id
+    assert_equal "appname:*", subject.prx_scope
+    assert_equal "id.prx.blah", subject.id_host
+    assert_equal "cert/path", subject.cert_path
     assert_equal :new_test, subject.namespace
   end
 end

data/test/prx_auth/rails/ext/controller_test.rb

@@ -1,142 +1,144 @@
-require 'test_helper'
+require "test_helper"
 
 module PrxAuth::Rails::Ext
   class ControllerTest < ActionController::TestCase
-
     setup do
       @controller = ApplicationController.new
       @jwt_session_key = ApplicationController::PRX_JWT_SESSION_KEY
       @user_info_key = ApplicationController::PRX_USER_INFO_SESSION_KEY
       @account_mapping_key = ApplicationController::PRX_ACCOUNT_MAPPING_SESSION_KEY
-      @stub_claims = {'iat' => Time.now.to_i, 'exp' => Time.now.to_i + 3600}
+      @stub_claims = {"iat" => Time.now.to_i, "exp" => Time.now.to_i + 3600}
     end
 
     # stub auth and init controller+session by getting a page
     def with_stubbed_auth(jwt)
-      session[@jwt_session_key] = 'some-jwt'
+      session[@jwt_session_key] = "some-jwt"
       @controller.stub(:prx_auth_needs_refresh?, false) do
         get :index
-        assert_equal response.code, '200'
+        assert_equal response.code, "200"
         yield
       end
     end
 
-    test 'redirects unless you are authenticated' do
+    test "redirects unless you are authenticated" do
       get :index
-      assert_equal response.code, '302'
-      assert response.headers['Location'].ends_with?('/sessions/new')
+      assert_equal response.code, "302"
+      assert response.headers["Location"].ends_with?("/sessions/new")
     end
 
-    test 'uses a valid session token' do
-      session[@jwt_session_key] = 'some-jwt'
+    test "uses a valid session token" do
+      session[@jwt_session_key] = "some-jwt"
       JSON::JWT.stub(:decode, @stub_claims) do
         get :index
-        assert_equal response.code, '200'
-        assert response.body.include?('the controller index!')
+        assert_equal response.code, "200"
+        assert response.body.include?("the controller index!")
         assert @controller.current_user.is_a?(PrxAuth::Rails::Token)
       end
     end
 
-    test 'redirects if your token is nearing expiration' do
-      session[@jwt_session_key] = 'some-jwt'
-      @stub_claims['exp'] = Time.now.to_i + 10
+    test "redirects if your token is nearing expiration" do
+      session[@jwt_session_key] = "some-jwt"
+      @stub_claims["exp"] = Time.now.to_i + 10
       JSON::JWT.stub(:decode, @stub_claims) do
         get :index
-        assert_equal response.code, '302'
-        assert response.headers['Location'].ends_with?('/sessions/new')
+        assert_equal response.code, "302"
+        assert response.headers["Location"].ends_with?("/sessions/new")
       end
     end
 
-    test 'does not redirect if your token has expired on a non-GET request' do
-      session[@jwt_session_key] = 'some-jwt'
-      @stub_claims['exp'] = Time.now.to_i + 10
+    test "does not redirect if your token has expired on a non-GET request" do
+      session[@jwt_session_key] = "some-jwt"
+      @stub_claims["exp"] = Time.now.to_i + 10
       JSON::JWT.stub(:decode, @stub_claims) do
         put :index
-        assert_equal response.code, '200'
-        assert response.body.include?('the controller index!')
+        assert_equal response.code, "200"
+        assert response.body.include?("the controller index!")
       end
     end
 
-    test 'fetches current user info' do
-      with_stubbed_auth('some-jwt') do
+    test "fetches current user info" do
+      with_stubbed_auth("some-jwt") do
         body = {
-          'name' => 'Some Username',
-          'apps' => {'publish.prx.test' => 'https://publish.prx.test'},
-          'other' => 'stuff'
+          "name" => "Some Username",
+          "apps" => {"publish.prx.test" => "https://publish.prx.test"},
+          "other" => "stuff"
         }
 
         id_host = PrxAuth::Rails.configuration.id_host
-        stub_request(:get, "https://#{id_host}/userinfo?scope=apps%20email%20profile").
-          with(headers: {'Authorization' => 'Bearer some-jwt'}).
-          to_return(status: 200, body: JSON.generate(body))
-
-        assert session[@user_info_key] == nil
-        assert_equal @controller.current_user_info, body
-        refute session[@user_info_key] == nil
-        assert_equal @controller.current_user_name, 'Some Username'
-        assert_equal @controller.current_user_apps, {'PRX Publish' => 'https://publish.prx.test'}
+        stub_request(:get, "https://#{id_host}/userinfo?scope=apps%20email%20profile")
+          .with(headers: {"Authorization" => "Bearer some-jwt"})
+          .to_return(status: 200, body: JSON.generate(body))
+
+        assert session[@user_info_key].nil?
+        assert_equal @controller.current_user_info, body.slice("name", "apps")
+        refute session[@user_info_key].nil?
+        assert_equal @controller.current_user_name, "Some Username"
+        assert_equal @controller.current_user_apps, {"PRX Publish" => "https://publish.prx.test"}
       end
     end
 
-    test 'has user name fallbacks' do
-      with_stubbed_auth('some-jwt') do
-        session[@user_info_key] = {'name' => 'one', 'preferred_username' => 'two', 'email' => 'three'}
-        assert_equal @controller.current_user_name, 'one'
+    test "has user name fallbacks" do
+      with_stubbed_auth("some-jwt") do
+        session[@user_info_key] = {"name" => "one", "preferred_username" => "two", "email" => "three"}
+        assert_equal @controller.current_user_name, "one"
 
-        session[@user_info_key] = {'preferred_username' => 'two', 'email' => 'three'}
-        assert_equal @controller.current_user_name, 'two'
+        session[@user_info_key] = {"preferred_username" => "two", "email" => "three"}
+        assert_equal @controller.current_user_name, "two"
 
-        session[@user_info_key] = {'email' => 'three'}
-        assert_equal @controller.current_user_name, 'three'
+        session[@user_info_key] = {"email" => "three"}
+        assert_equal @controller.current_user_name, "three"
       end
     end
 
-    test 'filters apps displayed in production' do
-      with_stubbed_auth('some-jwt') do
+    test "filters apps displayed in production" do
+      with_stubbed_auth("some-jwt") do
         Rails.env.stub(:production?, true) do
           session[@user_info_key] = {
-            'apps' => {
-              'localhost stuff' => 'http://localhost:4000/path1',
-              'publish.prx.test' => 'https://publish.prx.test/path2',
-              'metrics.prx.tech' => 'https://metrics.prx.tech/path3',
-              'augury.prx.org' => 'https://augury.prx.org/path4',
+            "apps" => {
+              "localhost stuff" => "http://localhost:4000/path1",
+              "publish.prx.test" => "https://publish.prx.test/path2",
+              "metrics.prx.tech" => "https://metrics.prx.tech/path3",
+              "augury.prx.org" => "https://augury.prx.org/path4"
             }
           }
 
           assert_equal @controller.current_user_apps, {
-            'PRX Metrics' => 'https://metrics.prx.tech/path3',
-            'PRX Augury' => 'https://augury.prx.org/path4',
+            "PRX Metrics" => "https://metrics.prx.tech/path3",
+            "PRX Augury" => "https://augury.prx.org/path4"
           }
         end
       end
     end
 
-    test 'fetches accounts' do
-      with_stubbed_auth('some-jwt') do
-        one = {'id' => 1, 'type' => 'IndividualAccount', 'name' => 'One'}
-        three = {'id' => 3, 'type' => 'GroupAccount', 'name' => 'Three'}
-        body = {'_embedded' => {'prx:items' => [one, three]}}
+    test "fetches accounts" do
+      with_stubbed_auth("some-jwt") do
+        one = {"id" => 1, "type" => "IndividualAccount", "name" => "One"}
+        three = {"id" => 3, "type" => "GroupAccount", "name" => "Three"}
+        body = {"_embedded" => {"prx:items" => [one, three]}}
+
+        min_one = one.slice("name", "type")
+        min_three = three.slice("name", "type")
 
         id_host = PrxAuth::Rails.configuration.id_host
-        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3").
-          to_return(status: 200, body: JSON.generate(body))
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3")
+          .to_return(status: 200, body: JSON.generate(body))
 
         assert_nil session[@account_mapping_key]
-        assert_equal @controller.accounts_for([1, 2, 3]), [one, nil, three]
+        assert_equal @controller.accounts_for([1, 2, 3]), [min_one, nil, min_three]
         refute_nil session[@account_mapping_key]
-        assert_equal @controller.account_for(1), one
-        assert_equal @controller.account_for(3), three
-        assert_equal @controller.account_name_for(1), 'One'
-        assert_equal @controller.account_name_for(3), 'Three'
+        assert_equal @controller.account_for(1), min_one
+        assert_equal @controller.account_for(3), min_three
+        assert_equal @controller.account_name_for(1), "One"
+        assert_equal @controller.account_name_for(3), "Three"
       end
     end
 
-    test 'handles unknown account ids' do
-      with_stubbed_auth('some-jwt') do
+    test "handles unknown account ids" do
+      with_stubbed_auth("some-jwt") do
         id_host = PrxAuth::Rails.configuration.id_host
-        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
-          to_return(status: 200, body: JSON.generate({'_embedded' => {'prx:items' => []}})).
-          times(3)
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2")
+          .to_return(status: 200, body: JSON.generate({"_embedded" => {"prx:items" => []}}))
+          .times(3)
 
         assert_equal @controller.accounts_for([2]), [nil]
         assert_nil @controller.account_for(2)
@@ -144,21 +146,25 @@ module PrxAuth::Rails::Ext
       end
     end
 
-    test 'only fetches only missing accounts' do
-      with_stubbed_auth('some-jwt') do
-        one = {'name' => 'One'}
-        two = {'id' => 2, 'type' => 'StationAccount', 'name' => 'Two'}
-        three = {'name' => 'Three'}
+    test "only fetches only missing accounts" do
+      with_stubbed_auth("some-jwt") do
+        one = {"name" => "One"}
+        two = {"id" => 2, "type" => "StationAccount", "name" => "Two"}
+        three = {"name" => "Three"}
         session[@account_mapping_key] = {1 => one, 3 => three}
-        body = {'_embedded' => {'prx:items' => [two]}}
+        body = {"_embedded" => {"prx:items" => [two]}}
+
+        min_one = one.slice("name", "type")
+        min_two = two.slice("name", "type")
+        min_three = three.slice("name", "type")
 
         id_host = PrxAuth::Rails.configuration.id_host
-        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
-          to_return(status: 200, body: JSON.generate(body))
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2")
+          .to_return(status: 200, body: JSON.generate(body))
 
-        assert_equal @controller.accounts_for([1, 2, 3]), [one, two, three]
-        assert_equal @controller.account_for(2), two
-        assert_equal @controller.account_name_for(2), 'Two'
+        assert_equal @controller.accounts_for([1, 2, 3]), [min_one, min_two, min_three]
+        assert_equal @controller.account_for(2), min_two
+        assert_equal @controller.account_name_for(2), "Two"
       end
     end
   end

data/test/prx_auth/rails/sessions_controller_test.rb

@@ -2,19 +2,18 @@ require "test_helper"
 
 module PrxAuth::Rails
   class SessionsControllerTest < ActionController::TestCase
-
     setup do
       @routes = PrxAuth::Rails::Engine.routes
       @nonce_session_key = SessionsController::ID_NONCE_SESSION_KEY
       @refresh_back_key = SessionsController::PRX_REFRESH_BACK_KEY
-      @token_params = {id_token: 'idtok', access_token: 'accesstok'}
-      @stub_claims = {'nonce' => '123', 'sub' => '1'}
-      @stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new())
+      @token_params = {id_token: "idtok", access_token: "accesstok"}
+      @stub_claims = {"nonce" => "123", "sub" => "1"}
+      @stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new)
     end
 
     test "new creates nonce" do
       nonce = session[@nonce_session_key]
-      assert nonce == nil
+      assert nonce.nil?
 
       get :new
 
@@ -23,7 +22,7 @@ module PrxAuth::Rails
       assert nonce.length == 32
     end
 
-    test 'new should should not overwrite the saved nonce' do
+    test "new should should not overwrite the saved nonce" do
       get :new
       nonce1 = session[@nonce_session_key]
 
@@ -32,92 +31,93 @@ module PrxAuth::Rails
       assert nonce1 == nonce2
     end
 
-    test 'create should validate a token and set the session variable' do
+    test "create should validate a token and set the session variable" do
       session[SessionsController::PRX_JWT_SESSION_KEY] = nil
       @controller.stub(:validate_token, @stub_claims) do
         @controller.stub(:session_token, @stub_token) do
-          session[@nonce_session_key] = '123'
+          session[@nonce_session_key] = "123"
           post :create, params: @token_params, format: :json
-          assert session[SessionsController::PRX_JWT_SESSION_KEY] == 'accesstok'
+          assert session[SessionsController::PRX_JWT_SESSION_KEY] == "accesstok"
         end
       end
     end
 
-    test 'create should call test_nonce! if upon verification' do
-      @controller.stub(:validate_token, {'nonce' => 'not matching', 'aud' => '1'}) do
-        session[@nonce_session_key] = 'nonce'
+    test "create should call test_nonce! if upon verification" do
+      @controller.stub(:validate_token, {"nonce" => "not matching", "aud" => "1"}) do
+        session[@nonce_session_key] = "nonce"
         post :create, params: @token_params, format: :json
-        assert session[@nonce_session_key] == nil
+        assert session[@nonce_session_key].nil?
       end
     end
 
-    test 'create should reset the nonce after consumed' do
+    test "create should reset the nonce after consumed" do
       @controller.stub(:validate_token, @stub_claims) do
         @controller.stub(:session_token, @stub_token) do
-          session[@nonce_session_key] = '123'
+          session[@nonce_session_key] = "123"
           post :create, params: @token_params, format: :json
 
-          assert session[@nonce_session_key] == nil
-          assert response.code == '302'
+          assert session[@nonce_session_key].nil?
+          assert response.code == "302"
           assert response.body.match?(/after-sign-in-path/)
         end
       end
     end
 
-    test 'redirects to a back-path after refresh' do
+    test "redirects to a back-path after refresh" do
       @controller.stub(:validate_token, @stub_claims) do
         @controller.stub(:session_token, @stub_token) do
-          session[@nonce_session_key] = '123'
-          session[@refresh_back_key] = '/lets/go/here?okay'
+          session[@nonce_session_key] = "123"
+          session[@refresh_back_key] = "/lets/go/here?okay"
           post :create, params: @token_params, format: :json
 
           # A trailing log of the 'last' page
-          assert session[@refresh_back_key] == '/lets/go/here?okay'
+          assert session[@refresh_back_key] == "/lets/go/here?okay"
 
-          assert response.code == '302'
-          assert response.headers['Location'].ends_with?('/lets/go/here?okay')
+          assert response.code == "302"
+          assert response.headers["Location"].ends_with?("/lets/go/here?okay")
         end
       end
     end
 
-    test 'should respond with redirect to the auth error page / code if the nonce does not match' do
+    test "should respond with redirect to the auth error page / code if the nonce does not match" do
       @controller.stub(:validate_token, @stub_claims) do
-        session[@nonce_session_key] = 'nonce-does-not-match'
+        @token_params[:error] = "verification_failed"
+        session[@nonce_session_key] = "nonce-does-not-match"
         post :create, params: @token_params, format: :json
-        assert response.code == '302'
+        assert response.code == "302"
         assert response.body.match(/auth_error\?error=verification_failed/)
       end
     end
 
-    test 'auth_error should return a formatted error message to the user' do
-      get :auth_error, params: {error: 'error_message'}
-      assert response.code == '200'
-      assert response.body.match?(/Message was: <pre>error_message/)
+    test "auth_error should return a formatted error message to the user" do
+      get :auth_error, params: {error: "error_message"}
+      assert response.code == "200"
+      assert response.body.match?(/Not authorized/)
     end
 
-    test 'auth_error should expect the error param' do
+    test "auth_error should expect the error param" do
       assert_raises ActionController::ParameterMissing do
         get :auth_error, params: {}
       end
     end
 
-    test 'validates that the user id matches in both tokens' do
+    test "validates that the user id matches in both tokens" do
       @controller.stub(:id_claims, @stub_claims) do
-        @controller.stub(:access_claims, @stub_claims.merge('sub' => '444')) do
-
-          session[@nonce_session_key] = '123'
+        @controller.stub(:access_claims, @stub_claims.merge("sub" => "444")) do
+          @token_params[:error] = "verification_failed"
+          session[@nonce_session_key] = "123"
           post :create, params: @token_params, format: :json
 
-          assert response.code == '302'
+          assert response.code == "302"
           assert response.body.match?(/error=verification_failed/)
         end
       end
     end
 
-    test 'should clear the user token on sign out' do
-      session[SessionsController::PRX_JWT_SESSION_KEY] = 'some-token'
+    test "should clear the user token on sign out" do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = "some-token"
       post :destroy
-      assert session[SessionsController::PRX_JWT_SESSION_KEY] == nil
+      assert session[SessionsController::PRX_JWT_SESSION_KEY].nil?
     end
   end
 end

data/test/prx_auth/rails/token_test.rb

@@ -1,35 +1,35 @@
-require 'test_helper'
+require "test_helper"
 
 describe PrxAuth::Rails::Token do
-  let (:aur) { { "123" => "test_app:read other_namespace:write", "*" => "test_app:add" } }
-  let (:sub) { "123" }
-  let (:scope) { "one two three" }
-  let (:token_data) { Rack::PrxAuth::TokenData.new("aur" => aur, "scope" => scope, "sub" => sub)}
-  let (:mock_token_data) { Minitest::Mock.new(token_data) }
-  let (:token) { PrxAuth::Rails::Token.new(mock_token_data) }
-
-  it 'automatically namespaces requests' do
+  let(:aur) { {"123" => "test_app:read other_namespace:write", "*" => "test_app:add"} }
+  let(:sub) { "123" }
+  let(:scope) { "one two three" }
+  let(:token_data) { Rack::PrxAuth::TokenData.new("aur" => aur, "scope" => scope, "sub" => sub) }
+  let(:mock_token_data) { Minitest::Mock.new(token_data) }
+  let(:token) { PrxAuth::Rails::Token.new(mock_token_data) }
+
+  it "automatically namespaces requests" do
     mock_token_data.expect(:authorized?, true, ["123", :test_app, :read])
     assert token.authorized?("123", :read)
 
     mock_token_data.expect(:resources, ["123"], [:test_app, :read])
-    assert token.resources(:read) === ['123']
+    assert token.resources(:read) === ["123"]
 
     mock_token_data.expect(:globally_authorized?, true, [:test_app, :add])
-    assert token.globally_authorized?(:add) 
+    assert token.globally_authorized?(:add)
 
     mock_token_data.verify
   end
 
-  it 'allows unscoped calls to authorized?' do
+  it "allows unscoped calls to authorized?" do
     assert token.authorized?("123")
   end
 
-  it 'allows unscoped calls to resources' do
-    assert token.resources == [ "123" ]
+  it "allows unscoped calls to resources" do
+    assert token.resources == ["123"]
   end
 
-  it 'allows manual setting of namespace' do
+  it "allows manual setting of namespace" do
     assert token.authorized?("123", :other_namespace, :write)
     assert !token.authorized?("123", :other_namespace, :read)
 
@@ -41,5 +41,33 @@ describe PrxAuth::Rails::Token do
     assert !token.globally_authorized?(:other_namespace, :add)
   end
 
-  
+  it "returns a token except resources" do
+    token2 = token.except("123")
+
+    assert token.authorized?("123", :read)
+    refute token2.authorized?("123", :read)
+
+    # BUT cannot remove wildcard resources
+    assert token.authorized?("123", :add)
+    assert token2.authorized?("123", :add)
+
+    # the ! version modifies
+    token.except!("123")
+    refute token.authorized?("123", :read)
+  end
+
+  it "checks for empty resources" do
+    # wilcard tokens are never empty
+    refute token.empty_resources?
+    refute token.except("123").empty_resources?
+
+    # non-wildcard token
+    aur2 = {"123" => "anything"}
+    token_data2 = Rack::PrxAuth::TokenData.new("aur" => aur2, "scope" => scope, "sub" => sub)
+    mock_token_data2 = Minitest::Mock.new(token_data2)
+    token2 = PrxAuth::Rails::Token.new(mock_token_data2)
+
+    refute token2.empty_resources?
+    assert token2.except("123").empty_resources?
+  end
 end