quo_vadis 1.3.2 → 2.0.1

data/test/dummy/config/routes.rb

@@ -1,5 +1,13 @@
-Dummy::Application.routes.draw do
-  resources :articles
+Rails.application.routes.draw do
   resources :users
-  root :to => 'articles#index'
+  resources :sign_ups
+  resources :articles do
+    collection do
+      get 'secret'
+      get 'also_secret'
+      get 'very_secret'
+    end
+  end
+  get '/articles/secret', as: 'after_login'
+  root 'articles#index'
 end

data/test/dummy/db/migrate/202102121932_create_users.rb

@@ -0,0 +1,10 @@
+class CreateUsers < ActiveRecord::Migration[6.1]
+  def change
+    create_table :users do |t|
+      t.string :name, null: false
+      t.string :email, null: false
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/migrate/202102121935_create_people.rb

@@ -0,0 +1,10 @@
+class CreatePeople < ActiveRecord::Migration[6.1]
+  def change
+    create_table :people do |t|
+      t.string :username, null: false
+      t.string :email, null: false
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/schema.rb

@@ -2,32 +2,91 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
-# It's strongly recommended to check this file into your version control system.
+# It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20110127094709) do
+ActiveRecord::Schema.define(version: 202102150904) do
 
-  create_table "articles", :force => true do |t|
-    t.string   "title"
-    t.text     "content"
-    t.datetime "created_at"
-    t.datetime "updated_at"
+  create_table "people", force: :cascade do |t|
+    t.string "username", null: false
+    t.string "email", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
   end
 
-  create_table "users", :force => true do |t|
-    t.string   "name"
-    t.datetime "created_at"
-    t.datetime "updated_at"
-    t.string   "username"
-    t.string   "password_digest"
-    t.string   "email"
-    t.string   "token"
-    t.string   "token_created_at"
+  create_table "qv_accounts", force: :cascade do |t|
+    t.string "model_type", null: false
+    t.bigint "model_id", null: false
+    t.string "identifier", null: false
+    t.datetime "confirmed_at"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["identifier"], name: "index_qv_accounts_on_identifier", unique: true
+    t.index ["model_type", "model_id"], name: "index_qv_accounts_on_model_type_and_model_id", unique: true
   end
 
+  create_table "qv_logs", force: :cascade do |t|
+    t.bigint "account_id"
+    t.string "action", null: false
+    t.string "ip", null: false
+    t.json "metadata", default: {}, null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_logs_on_account_id"
+  end
+
+  create_table "qv_passwords", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "password_digest", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_passwords_on_account_id"
+  end
+
+  create_table "qv_recovery_codes", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "code_digest", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_recovery_codes_on_account_id"
+  end
+
+  create_table "qv_sessions", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "ip", null: false
+    t.string "user_agent", null: false
+    t.datetime "lifetime_expires_at"
+    t.datetime "last_seen_at"
+    t.datetime "second_factor_at"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_sessions_on_account_id"
+  end
+
+  create_table "qv_totps", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "key", null: false
+    t.integer "last_used_at", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_totps_on_account_id"
+  end
+
+  create_table "users", force: :cascade do |t|
+    t.string "name", null: false
+    t.string "email", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+  end
+
+  add_foreign_key "qv_logs", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_passwords", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_recovery_codes", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_sessions", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_totps", "qv_accounts", column: "account_id"
 end

data/test/fixtures/quo_vadis/mailer/account_confirmation.text

@@ -0,0 +1,4 @@
+You can confirm your account here:
+
+http://example.com/confirm/123abc
+

data/test/fixtures/quo_vadis/mailer/email_change_notification.text

@@ -0,0 +1,8 @@
+Your email address was changed just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/identifier_change_notification.text

@@ -0,0 +1,8 @@
+Your email was changed just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/password_change_notification.text

@@ -0,0 +1,8 @@
+Your password was changed just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/password_reset_notification.text

@@ -0,0 +1,8 @@
+Your password was reset just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/recovery_codes_generation_notification.text

@@ -0,0 +1,8 @@
+Recovery codes for two-factor authentication were generated for your account just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/reset_password.text

@@ -0,0 +1,4 @@
+You can reset your password here:
+
+http://example.com/pwd-reset/123abc
+

data/test/fixtures/quo_vadis/mailer/totp_reuse_notification.text

@@ -0,0 +1,6 @@
+Your two-factor authentication code was reused just now.
+
+It was rejected and whoever reused it was not able to log in.
+
+Location: 1.2.3.4
+Time: TIMESTAMP

data/test/fixtures/quo_vadis/mailer/totp_setup_notification.text

@@ -0,0 +1,8 @@
+Two-factor authentication was set up on your account just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/twofa_deactivated_notification.text

@@ -0,0 +1,8 @@
+Two-factor authentication was deactivated on your account just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/integration/account_confirmation_test.rb

@@ -0,0 +1,112 @@
+require 'test_helper'
+
+class AccountConfirmationTest < IntegrationTest
+
+  setup do
+    QuoVadis.accounts_require_confirmation true
+  end
+
+
+  test 'new signup requiring confirmation' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+    refute QuoVadis::Account.last.confirmed?
+
+    # verify response
+    assert_response :redirect
+    follow_redirect!
+    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
+
+    # click link in email
+    url = extract_url_from_email
+    get url
+    assert_response :success
+    action_path = extract_path_from_email
+    assert_select "form[action='#{action_path}']"
+
+    # click button on confirmation page
+    put action_path
+
+    # verify logged in
+    assert_redirected_to '/articles/secret'
+    assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
+    assert controller.logged_in?
+    assert QuoVadis::Account.last.confirmed?
+  end
+
+
+  test 'resend confirmation email: valid identifier' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    get quo_vadis.new_confirmation_path
+    assert_response :success
+
+    assert_emails 1 do
+      post quo_vadis.confirmations_path(email: 'bob@example.com')
+    end
+
+    assert_redirected_to  '/confirmations'
+    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'resend confirmation email: unknown identifier' do
+    assert_no_emails do
+      post quo_vadis.confirmations_path(email: 'bob@example.com')
+    end
+
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Sorry, your account could not be found.  Please try again.', flash[:alert]
+  end
+
+
+  test 'reusing a token' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    put extract_path_from_email
+
+    assert_redirected_to '/articles/secret'
+    assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
+
+    put extract_path_from_email
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
+  end
+
+
+  test 'token expired' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    travel QuoVadis.account_confirmation_token_lifetime + 1.minute
+    get extract_url_from_email
+
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
+  end
+
+
+  test 'accounts requiring confirmation cannot log in' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Please confirm your account first.', flash[:notice]
+    refute controller.logged_in?
+  end
+
+
+  private
+
+  def extract_url_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{^http://.*$}, 0]
+  end
+
+  def extract_path_from_email
+    extract_url_from_email.sub 'http://www.example.com', ''
+  end
+
+end

data/test/integration/controller_test.rb

@@ -0,0 +1,280 @@
+require 'test_helper'
+
+class ControllerTest < IntegrationTest
+
+  setup do
+    User.first_or_create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    QuoVadis.two_factor_authentication_mandatory false
+  end
+
+
+  teardown do
+    QuoVadis.session_lifetime_extend_to_end_of_day false
+    QuoVadis.session_idle_timeout :lifetime
+  end
+
+
+  test 'require_authentication when not logged in' do
+    get secret_articles_path
+
+    assert_redirected_to quo_vadis.login_path
+    assert_equal 'Please log in first.', flash[:notice]
+  end
+
+
+  test 'require_authentication when logged in' do
+    login
+    get secret_articles_path
+
+    assert_response :success
+    assert_equal secret_articles_path, path
+  end
+
+
+  test 'require_authentication remembers original path' do
+    get also_secret_articles_path
+    assert_equal '/articles/also_secret', session[:qv_bookmark]
+  end
+
+
+  test 'require_two_factor_authentication when not logged in' do
+    QuoVadis.two_factor_authentication_mandatory true
+    get very_secret_articles_path
+
+    assert_redirected_to quo_vadis.login_path
+    assert_equal 'Please log in first.', flash[:notice]
+  end
+
+
+  test 'require_two_factor_authentication when logged in but second factor not required' do
+    QuoVadis.two_factor_authentication_mandatory false
+    login
+    get very_secret_articles_path
+
+    assert_response :success
+    assert_equal very_secret_articles_path, path
+  end
+
+
+  test 'require_two_factor_authentication when logged in and second factor required' do
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+    get very_secret_articles_path
+
+    assert_redirected_to quo_vadis.challenge_totps_path
+    follow_redirect!
+
+    # This second redirect is part of the totps controller but I think
+    # it makes sense to test here.
+    assert_redirected_to quo_vadis.new_totp_path
+    assert_equal 'Please set up two factor authentication.', flash[:alert]
+  end
+
+
+  test 'require_two_factor_authentication when already authenticated with two factors' do
+    User.first.qv_account.create_totp! last_used_at: Time.now
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+    QuoVadis::Session.last.authenticated_with_second_factor
+
+    get very_secret_articles_path
+    assert_equal very_secret_articles_path, path
+  end
+
+
+  test 'second_factor_required?' do
+    # 2FA optional, user has not set up 2nd factor
+    QuoVadis.two_factor_authentication_mandatory false
+    login
+    get articles_path
+    assert controller.logged_in?
+    refute controller.qv.second_factor_required?
+
+    # 2FA optional, user has set up 2nd factor
+    QuoVadis.two_factor_authentication_mandatory false
+    User.first.qv_account.create_totp! last_used_at: Time.now
+    login
+    get articles_path
+    assert controller.logged_in?
+    assert controller.qv.second_factor_required?
+
+    # 2FA mandatory
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+    get articles_path
+    assert controller.logged_in?
+    assert controller.qv.second_factor_required?
+  end
+
+
+  test 'logged_in?' do
+    # not logged in
+    get articles_path
+    refute @controller.logged_in?
+
+    # logged in
+    login
+    get articles_path
+    assert @controller.logged_in?
+
+    # session remotely deleted
+    QuoVadis::Session.destroy jar.encrypted[QuoVadis.cookie_name]
+    get articles_path
+    refute @controller.logged_in?
+
+    # login and logout
+    login
+    get articles_path
+    logout
+    refute @controller.logged_in?
+  end
+
+
+  test 'login' do
+    QuoVadis.two_factor_authentication_mandatory false
+
+    get articles_path
+    session_id = session.id
+    assert_nil jar.encrypted[QuoVadis.cookie_name]
+
+    assert_difference 'QuoVadis::Session.count' do
+      # We want to test the controller mixin's login method, not the session
+      # controller's login action, i.e. the following:
+      #
+      #     @controller.login user
+      #
+      # But we store the QuoVadis session id in an encrypted cookie, and we can
+      # only access cookies as part of a request-response cycle.  So we have to
+      # trigger the mixin's login method via the session controller's login action.
+      login
+    end
+
+    refute_equal session_id, session.id
+    qv_session = QuoVadis::Session.last
+    assert_equal qv_session.id, jar.encrypted[QuoVadis.cookie_name]
+  end
+
+
+  test 'logout' do
+    login
+
+    session_id = session.id
+    qv_session_id = jar.encrypted[QuoVadis.cookie_name]
+    assert QuoVadis::Session.exists?(qv_session_id)
+
+    assert_difference 'QuoVadis::Session.count', -1 do
+      # We want to test the controller mixin's logout method, not the session
+      # controller's logout action, i.e. the following:
+      #
+      #     @controller.logout
+      #
+      # But we store the QuoVadis session id in an encrypted cookie, and we can
+      # only access cookies as part of a request-response cycle.  So we have to
+      # trigger the mixin's logout method via the session controller's logout action.
+      logout
+    end
+
+    refute_equal session_id, session.id
+    assert_nil jar.encrypted[QuoVadis.cookie_name]
+    refute QuoVadis::Session.exists?(qv_session_id)
+  end
+
+
+  test 'qv_logout_other_sessions' do
+    desktop = session_login
+    phone = session_login
+
+    desktop.controller.qv.logout_other_sessions
+
+    phone.get articles_path
+    refute phone.controller.logged_in?
+
+    desktop.get articles_path
+    assert desktop.controller.logged_in?
+  end
+
+
+  test 'authenticated_model' do
+    # not logged in
+    get articles_path
+    assert_nil @controller.authenticated_model
+
+    # logged in
+    login
+    get articles_path
+    assert_equal User.first, @controller.authenticated_model
+  end
+
+
+  test 'request_confirmation' do
+    get articles_path
+
+    assert_emails 1 do
+      controller.request_confirmation User.last
+    end
+    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'session lifetime exceeded' do
+    QuoVadis.session_lifetime 1.week
+    login
+
+    travel 1.week
+    travel (-5).minutes
+    get articles_path
+    assert controller.logged_in?
+
+    travel 10.minutes
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  test 'session lifetime extended to end of day' do
+    QuoVadis.session_lifetime 1.week
+    QuoVadis.session_lifetime_extend_to_end_of_day true
+    login
+
+    travel 1.week
+    travel 10.minutes
+    get articles_path
+    assert controller.logged_in?
+
+    travel 1.day
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  test 'idle timeout exceeded' do
+    QuoVadis.session_lifetime 1.week
+    QuoVadis.session_idle_timeout 1.day
+    login
+
+    get articles_path
+    assert controller.logged_in?
+
+    travel 2.days
+
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def logout
+    delete quo_vadis.logout_path
+  end
+
+  def session_login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+end