quo_vadis 1.4.0 → 2.0.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (191) hide show
  1. checksums.yaml +5 -5
  2. data/.gitignore +11 -7
  3. data/CHANGELOG.md +22 -0
  4. data/Gemfile +11 -1
  5. data/LICENSE.txt +21 -0
  6. data/README.md +453 -127
  7. data/Rakefile +15 -9
  8. data/app/controllers/quo_vadis/confirmations_controller.rb +102 -0
  9. data/app/controllers/quo_vadis/logs_controller.rb +20 -0
  10. data/app/controllers/quo_vadis/password_resets_controller.rb +65 -0
  11. data/app/controllers/quo_vadis/passwords_controller.rb +26 -0
  12. data/app/controllers/quo_vadis/recovery_codes_controller.rb +54 -0
  13. data/app/controllers/quo_vadis/sessions_controller.rb +50 -132
  14. data/app/controllers/quo_vadis/totps_controller.rb +72 -0
  15. data/app/controllers/quo_vadis/twofas_controller.rb +26 -0
  16. data/app/mailers/quo_vadis/mailer.rb +73 -0
  17. data/app/models/quo_vadis/account.rb +59 -0
  18. data/app/models/quo_vadis/account_confirmation_token.rb +17 -0
  19. data/app/models/quo_vadis/log.rb +57 -0
  20. data/app/models/quo_vadis/password.rb +52 -0
  21. data/app/models/quo_vadis/password_reset_token.rb +17 -0
  22. data/app/models/quo_vadis/recovery_code.rb +26 -0
  23. data/app/models/quo_vadis/session.rb +55 -0
  24. data/app/models/quo_vadis/token.rb +42 -0
  25. data/app/models/quo_vadis/totp.rb +56 -0
  26. data/bin/console +15 -0
  27. data/bin/rails +21 -0
  28. data/bin/setup +8 -0
  29. data/config/locales/quo_vadis.en.yml +50 -23
  30. data/config/routes.rb +46 -12
  31. data/db/migrate/202102150904_setup.rb +48 -0
  32. data/lib/generators/quo_vadis/install_generator.rb +4 -23
  33. data/lib/quo_vadis.rb +103 -97
  34. data/lib/quo_vadis/controller.rb +228 -0
  35. data/lib/quo_vadis/crypt.rb +43 -0
  36. data/lib/quo_vadis/current_request_details.rb +11 -0
  37. data/lib/quo_vadis/defaults.rb +18 -0
  38. data/lib/quo_vadis/encrypted_type.rb +17 -0
  39. data/lib/quo_vadis/engine.rb +9 -11
  40. data/lib/quo_vadis/hmacable.rb +26 -0
  41. data/lib/quo_vadis/ip_masking.rb +31 -0
  42. data/lib/quo_vadis/model.rb +86 -0
  43. data/lib/quo_vadis/version.rb +3 -1
  44. data/quo_vadis.gemspec +20 -25
  45. data/test/dummy/README.markdown +1 -0
  46. data/test/dummy/Rakefile +2 -6
  47. data/test/dummy/app/controllers/application_controller.rb +0 -1
  48. data/test/dummy/app/controllers/articles_controller.rb +8 -11
  49. data/test/dummy/app/controllers/sign_ups_controller.rb +42 -0
  50. data/test/dummy/app/controllers/users_controller.rb +13 -5
  51. data/test/dummy/app/models/application_record.rb +3 -0
  52. data/test/dummy/app/models/article.rb +2 -1
  53. data/test/dummy/app/models/person.rb +5 -2
  54. data/test/dummy/app/models/user.rb +4 -1
  55. data/test/dummy/app/views/articles/also_secret.html.erb +1 -0
  56. data/test/dummy/app/views/articles/index.html.erb +1 -1
  57. data/test/dummy/app/views/articles/secret.html.erb +1 -0
  58. data/test/dummy/app/views/articles/very_secret.html.erb +2 -0
  59. data/test/dummy/app/views/layouts/application.html.erb +41 -25
  60. data/test/dummy/app/views/quo_vadis/confirmations/edit.html.erb +10 -0
  61. data/test/dummy/app/views/quo_vadis/confirmations/edit_email.html.erb +14 -0
  62. data/test/dummy/app/views/quo_vadis/confirmations/index.html.erb +14 -0
  63. data/test/dummy/app/views/quo_vadis/confirmations/new.html.erb +16 -0
  64. data/test/dummy/app/views/quo_vadis/logs/index.html.erb +28 -0
  65. data/test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb +4 -0
  66. data/test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb +8 -0
  67. data/test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb +8 -0
  68. data/test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb +8 -0
  69. data/test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb +8 -0
  70. data/test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb +8 -0
  71. data/test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb +4 -0
  72. data/test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb +6 -0
  73. data/test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb +8 -0
  74. data/test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb +8 -0
  75. data/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb +25 -0
  76. data/test/dummy/app/views/quo_vadis/password_resets/index.html.erb +5 -0
  77. data/test/dummy/app/views/quo_vadis/password_resets/new.html.erb +12 -0
  78. data/test/dummy/app/views/quo_vadis/passwords/edit.html.erb +30 -0
  79. data/test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb +11 -0
  80. data/test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb +25 -0
  81. data/test/dummy/app/views/quo_vadis/sessions/index.html.erb +26 -0
  82. data/test/dummy/app/views/quo_vadis/sessions/new.html.erb +24 -0
  83. data/test/dummy/app/views/quo_vadis/totps/challenge.html.erb +11 -0
  84. data/test/dummy/app/views/quo_vadis/totps/new.html.erb +17 -0
  85. data/test/dummy/app/views/quo_vadis/twofas/show.html.erb +20 -0
  86. data/test/dummy/app/views/sign_ups/new.html.erb +37 -0
  87. data/test/dummy/app/views/sign_ups/show.html.erb +5 -0
  88. data/test/dummy/app/views/users/new.html.erb +32 -9
  89. data/test/dummy/config.ru +6 -3
  90. data/test/dummy/config/application.rb +18 -9
  91. data/test/dummy/config/boot.rb +3 -9
  92. data/test/dummy/config/database.yml +2 -14
  93. data/test/dummy/config/environment.rb +2 -3
  94. data/test/dummy/config/initializers/quo_vadis.rb +5 -75
  95. data/test/dummy/config/routes.rb +11 -3
  96. data/test/dummy/db/migrate/202102121932_create_users.rb +10 -0
  97. data/test/dummy/db/migrate/202102121935_create_people.rb +10 -0
  98. data/test/dummy/db/schema.rb +80 -21
  99. data/test/fixtures/quo_vadis/mailer/account_confirmation.text +4 -0
  100. data/test/fixtures/quo_vadis/mailer/email_change_notification.text +8 -0
  101. data/test/fixtures/quo_vadis/mailer/identifier_change_notification.text +8 -0
  102. data/test/fixtures/quo_vadis/mailer/password_change_notification.text +8 -0
  103. data/test/fixtures/quo_vadis/mailer/password_reset_notification.text +8 -0
  104. data/test/fixtures/quo_vadis/mailer/recovery_codes_generation_notification.text +8 -0
  105. data/test/fixtures/quo_vadis/mailer/reset_password.text +4 -0
  106. data/test/fixtures/quo_vadis/mailer/totp_reuse_notification.text +6 -0
  107. data/test/fixtures/quo_vadis/mailer/totp_setup_notification.text +8 -0
  108. data/test/fixtures/quo_vadis/mailer/twofa_deactivated_notification.text +8 -0
  109. data/test/integration/account_confirmation_test.rb +145 -0
  110. data/test/integration/controller_test.rb +280 -0
  111. data/test/integration/logging_test.rb +235 -0
  112. data/test/integration/password_change_test.rb +93 -0
  113. data/test/integration/password_login_test.rb +125 -0
  114. data/test/integration/password_reset_test.rb +136 -0
  115. data/test/integration/recovery_codes_test.rb +48 -0
  116. data/test/integration/sessions_test.rb +86 -0
  117. data/test/integration/sign_up_test.rb +26 -12
  118. data/test/integration/totps_test.rb +96 -0
  119. data/test/integration/twofa_test.rb +82 -0
  120. data/test/mailers/mailer_test.rb +200 -0
  121. data/test/models/account_test.rb +34 -0
  122. data/test/models/crypt_test.rb +22 -0
  123. data/test/models/log_test.rb +16 -0
  124. data/test/models/mask_ip_test.rb +27 -0
  125. data/test/models/model_test.rb +66 -0
  126. data/test/models/password_test.rb +163 -0
  127. data/test/models/recovery_code_test.rb +54 -0
  128. data/test/models/session_test.rb +67 -0
  129. data/test/models/token_test.rb +70 -0
  130. data/test/models/totp_test.rb +68 -0
  131. data/test/quo_vadis_test.rb +39 -3
  132. data/test/test_helper.rb +42 -70
  133. metadata +123 -207
  134. data/app/controllers/controller_mixin.rb +0 -109
  135. data/app/mailers/quo_vadis/notifier.rb +0 -30
  136. data/app/models/model_mixin.rb +0 -128
  137. data/lib/generators/quo_vadis/templates/migration.rb.erb +0 -18
  138. data/lib/generators/quo_vadis/templates/quo_vadis.rb.erb +0 -96
  139. data/test/dummy/.gitignore +0 -2
  140. data/test/dummy/app/helpers/application_helper.rb +0 -2
  141. data/test/dummy/app/helpers/articles_helper.rb +0 -2
  142. data/test/dummy/app/views/articles/new.html.erb +0 -11
  143. data/test/dummy/app/views/layouts/sessions.html.erb +0 -3
  144. data/test/dummy/app/views/quo_vadis/notifier/change_password.text.erb +0 -9
  145. data/test/dummy/app/views/quo_vadis/notifier/invite.text.erb +0 -8
  146. data/test/dummy/app/views/sessions/edit.html.erb +0 -11
  147. data/test/dummy/app/views/sessions/forgotten.html.erb +0 -13
  148. data/test/dummy/app/views/sessions/invite.html.erb +0 -31
  149. data/test/dummy/app/views/sessions/new.html.erb +0 -15
  150. data/test/dummy/config/environments/development.rb +0 -26
  151. data/test/dummy/config/environments/production.rb +0 -49
  152. data/test/dummy/config/environments/test.rb +0 -37
  153. data/test/dummy/config/initializers/backtrace_silencers.rb +0 -7
  154. data/test/dummy/config/initializers/inflections.rb +0 -10
  155. data/test/dummy/config/initializers/mime_types.rb +0 -5
  156. data/test/dummy/config/initializers/rack_patch.rb +0 -16
  157. data/test/dummy/config/initializers/secret_token.rb +0 -7
  158. data/test/dummy/config/initializers/session_store.rb +0 -8
  159. data/test/dummy/config/locales/en.yml +0 -5
  160. data/test/dummy/config/locales/quo_vadis.en.yml +0 -21
  161. data/test/dummy/db/migrate/20110124125037_create_users.rb +0 -13
  162. data/test/dummy/db/migrate/20110124131535_create_articles.rb +0 -14
  163. data/test/dummy/db/migrate/20110127094709_add_authentication_to_users.rb +0 -18
  164. data/test/dummy/db/migrate/20111004112209_create_people.rb +0 -13
  165. data/test/dummy/db/migrate/20111004132342_add_authentication_to_people.rb +0 -18
  166. data/test/dummy/public/404.html +0 -26
  167. data/test/dummy/public/422.html +0 -26
  168. data/test/dummy/public/500.html +0 -26
  169. data/test/dummy/public/javascripts/application.js +0 -2
  170. data/test/dummy/public/javascripts/controls.js +0 -965
  171. data/test/dummy/public/javascripts/dragdrop.js +0 -974
  172. data/test/dummy/public/javascripts/effects.js +0 -1123
  173. data/test/dummy/public/javascripts/prototype.js +0 -6001
  174. data/test/dummy/public/javascripts/rails.js +0 -175
  175. data/test/dummy/public/stylesheets/.gitkeep +0 -0
  176. data/test/dummy/script/rails +0 -6
  177. data/test/integration/activation_test.rb +0 -108
  178. data/test/integration/authenticate_test.rb +0 -39
  179. data/test/integration/blocked_test.rb +0 -23
  180. data/test/integration/config_test.rb +0 -118
  181. data/test/integration/cookie_test.rb +0 -67
  182. data/test/integration/csrf_test.rb +0 -41
  183. data/test/integration/forgotten_test.rb +0 -93
  184. data/test/integration/helper_test.rb +0 -18
  185. data/test/integration/locale_test.rb +0 -197
  186. data/test/integration/navigation_test.rb +0 -7
  187. data/test/integration/sign_in_person_test.rb +0 -26
  188. data/test/integration/sign_in_test.rb +0 -24
  189. data/test/integration/sign_out_test.rb +0 -20
  190. data/test/support/integration_case.rb +0 -11
  191. data/test/unit/user_test.rb +0 -75
@@ -1,5 +1,4 @@
1
- # Load the rails application
2
- require File.expand_path('../application', __FILE__)
1
+ require_relative 'application'
3
2
 
4
- # Initialize the rails application
5
3
  Dummy::Application.initialize!
4
+ # Rails.application.initialize!
@@ -1,77 +1,7 @@
1
- QuoVadis.configure do |config|
2
-
3
- #
4
- # Sign in
5
- #
6
-
7
- # The URL to redirect the user to after s/he signs in.
8
- # Use a proc if the URL depends on the user. E.g.:
9
- #
10
- # config.signed_in_url = Proc.new do |user|
11
- # user.admin? ? :admin : :root
12
- # end
13
- #
14
- # See also `:override_original_url`.
15
- config.signed_in_url = :root
16
-
17
- # Whether the `:signed_in_url` should override the URL the user was trying
18
- # to reach when they were made to authenticate.
19
- config.override_original_url = false
20
-
21
- # Code to run when the user has signed in. E.g.:
22
- #
23
- # config.signed_in_hook = Proc.new do |user, controller|
24
- # user.increment! :sign_in_count # assuming this attribute exists
25
- # end
26
- config.signed_in_hook = nil
27
-
28
- # Code to run when someone has tried but failed to sign in. E.g.:
29
- #
30
- # config.failed_sign_in_hook = Proc.new do |controller|
31
- # Rails.logger.info "Failed sign in from #{controller.request.remote_ip}"
32
- # end
33
- config.failed_sign_in_hook = nil
34
-
35
- # How long to remember user across browser sessions.
36
- # Set to <tt>nil</tt> to never remember user.
37
- config.remember_for = 2.weeks
38
-
39
- # Code to run to determine whether the sign-in process is blocked to the user. E.g.:
40
- #
41
- # config.blocked = Proc.new do |controller|
42
- # # Assuming a SignIn model with scopes for `failed`, `last_day`, `for_ip`.
43
- # SignIn.failed.last_day.for_ip(controller.request.remote_ip) >= 5
44
- # end
45
- config.blocked = false
46
-
47
-
48
- #
49
- # Sign out
50
- #
51
-
52
- # The URL to redirect the user to after s/he signs out.
53
- config.signed_out_url = :root
54
-
55
- # Code to run just before the user has signed out. E.g.:
56
- #
57
- # config.signed_out_hook = Proc.new do |user, controller|
58
- # controller.session.reset
59
- # end
60
- config.signed_out_hook = nil
61
-
62
-
63
- #
64
- # Forgotten-password Mailer
65
- #
66
-
67
- # From whom the forgotten-password email should be sent.
68
- config.from = 'noreply@example.com'
69
-
70
- #
71
- # Miscellaneous
72
- #
73
-
74
- # Layout for the sign-in view. Pass a string or a symbol.
75
- config.layout = 'application'
1
+ QuoVadis.configure do
2
+ # Cannot use the __Host- prefix in a non-SSL environment.
3
+ # https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3.2
4
+ cookie_name 'qv'
76
5
 
6
+ session_lifetime 1.week
77
7
  end
@@ -1,5 +1,13 @@
1
- Dummy::Application.routes.draw do
2
- resources :articles
1
+ Rails.application.routes.draw do
3
2
  resources :users
4
- root :to => 'articles#index'
3
+ resources :sign_ups
4
+ resources :articles do
5
+ collection do
6
+ get 'secret'
7
+ get 'also_secret'
8
+ get 'very_secret'
9
+ end
10
+ end
11
+ get '/articles/secret', as: 'after_login'
12
+ root 'articles#index'
5
13
  end
@@ -0,0 +1,10 @@
1
+ class CreateUsers < ActiveRecord::Migration[6.1]
2
+ def change
3
+ create_table :users do |t|
4
+ t.string :name, null: false
5
+ t.string :email, null: false
6
+
7
+ t.timestamps
8
+ end
9
+ end
10
+ end
@@ -0,0 +1,10 @@
1
+ class CreatePeople < ActiveRecord::Migration[6.1]
2
+ def change
3
+ create_table :people do |t|
4
+ t.string :username, null: false
5
+ t.string :email, null: false
6
+
7
+ t.timestamps
8
+ end
9
+ end
10
+ end
@@ -2,32 +2,91 @@
2
2
  # of editing this file, please use the migrations feature of Active Record to
3
3
  # incrementally modify your database, and then regenerate this schema definition.
4
4
  #
5
- # Note that this schema.rb definition is the authoritative source for your
6
- # database schema. If you need to create the application database on another
7
- # system, you should be using db:schema:load, not running all the migrations
8
- # from scratch. The latter is a flawed and unsustainable approach (the more migrations
9
- # you'll amass, the slower it'll run and the greater likelihood for issues).
5
+ # This file is the source Rails uses to define your schema when running `bin/rails
6
+ # db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
7
+ # be faster and is potentially less error prone than running all of your
8
+ # migrations from scratch. Old migrations may fail to apply correctly if those
9
+ # migrations use external dependencies or application code.
10
10
  #
11
- # It's strongly recommended to check this file into your version control system.
11
+ # It's strongly recommended that you check this file into your version control system.
12
12
 
13
- ActiveRecord::Schema.define(:version => 20110127094709) do
13
+ ActiveRecord::Schema.define(version: 202102150904) do
14
14
 
15
- create_table "articles", :force => true do |t|
16
- t.string "title"
17
- t.text "content"
18
- t.datetime "created_at"
19
- t.datetime "updated_at"
15
+ create_table "people", force: :cascade do |t|
16
+ t.string "username", null: false
17
+ t.string "email", null: false
18
+ t.datetime "created_at", precision: 6, null: false
19
+ t.datetime "updated_at", precision: 6, null: false
20
20
  end
21
21
 
22
- create_table "users", :force => true do |t|
23
- t.string "name"
24
- t.datetime "created_at"
25
- t.datetime "updated_at"
26
- t.string "username"
27
- t.string "password_digest"
28
- t.string "email"
29
- t.string "token"
30
- t.string "token_created_at"
22
+ create_table "qv_accounts", force: :cascade do |t|
23
+ t.string "model_type", null: false
24
+ t.bigint "model_id", null: false
25
+ t.string "identifier", null: false
26
+ t.datetime "confirmed_at"
27
+ t.datetime "created_at", precision: 6, null: false
28
+ t.datetime "updated_at", precision: 6, null: false
29
+ t.index ["identifier"], name: "index_qv_accounts_on_identifier", unique: true
30
+ t.index ["model_type", "model_id"], name: "index_qv_accounts_on_model_type_and_model_id", unique: true
31
31
  end
32
32
 
33
+ create_table "qv_logs", force: :cascade do |t|
34
+ t.bigint "account_id"
35
+ t.string "action", null: false
36
+ t.string "ip", null: false
37
+ t.json "metadata", default: {}, null: false
38
+ t.datetime "created_at", precision: 6, null: false
39
+ t.datetime "updated_at", precision: 6, null: false
40
+ t.index ["account_id"], name: "index_qv_logs_on_account_id"
41
+ end
42
+
43
+ create_table "qv_passwords", force: :cascade do |t|
44
+ t.bigint "account_id", null: false
45
+ t.string "password_digest", null: false
46
+ t.datetime "created_at", precision: 6, null: false
47
+ t.datetime "updated_at", precision: 6, null: false
48
+ t.index ["account_id"], name: "index_qv_passwords_on_account_id"
49
+ end
50
+
51
+ create_table "qv_recovery_codes", force: :cascade do |t|
52
+ t.bigint "account_id", null: false
53
+ t.string "code_digest", null: false
54
+ t.datetime "created_at", precision: 6, null: false
55
+ t.datetime "updated_at", precision: 6, null: false
56
+ t.index ["account_id"], name: "index_qv_recovery_codes_on_account_id"
57
+ end
58
+
59
+ create_table "qv_sessions", force: :cascade do |t|
60
+ t.bigint "account_id", null: false
61
+ t.string "ip", null: false
62
+ t.string "user_agent", null: false
63
+ t.datetime "lifetime_expires_at"
64
+ t.datetime "last_seen_at"
65
+ t.datetime "second_factor_at"
66
+ t.datetime "created_at", precision: 6, null: false
67
+ t.datetime "updated_at", precision: 6, null: false
68
+ t.index ["account_id"], name: "index_qv_sessions_on_account_id"
69
+ end
70
+
71
+ create_table "qv_totps", force: :cascade do |t|
72
+ t.bigint "account_id", null: false
73
+ t.string "key", null: false
74
+ t.integer "last_used_at", null: false
75
+ t.datetime "created_at", precision: 6, null: false
76
+ t.datetime "updated_at", precision: 6, null: false
77
+ t.index ["account_id"], name: "index_qv_totps_on_account_id"
78
+ end
79
+
80
+ create_table "users", force: :cascade do |t|
81
+ t.string "name", null: false
82
+ t.string "email", null: false
83
+ t.datetime "created_at", precision: 6, null: false
84
+ t.datetime "updated_at", precision: 6, null: false
85
+ end
86
+
87
+ add_foreign_key "qv_logs", "qv_accounts", column: "account_id"
88
+ add_foreign_key "qv_passwords", "qv_accounts", column: "account_id"
89
+ add_foreign_key "qv_recovery_codes", "qv_accounts", column: "account_id"
90
+ add_foreign_key "qv_sessions", "qv_accounts", column: "account_id"
91
+ add_foreign_key "qv_totps", "qv_accounts", column: "account_id"
33
92
  end
@@ -0,0 +1,4 @@
1
+ You can confirm your account here:
2
+
3
+ http://example.com/confirm/123abc
4
+
@@ -0,0 +1,8 @@
1
+ Your email address was changed just now.
2
+
3
+ Location: 1.2.3.4
4
+ Time: TIMESTAMP
5
+
6
+ If this was you, you don't need to do anything.
7
+
8
+ If this wasn't you, please let us know.
@@ -0,0 +1,8 @@
1
+ Your email was changed just now.
2
+
3
+ Location: 1.2.3.4
4
+ Time: TIMESTAMP
5
+
6
+ If this was you, you don't need to do anything.
7
+
8
+ If this wasn't you, please let us know.
@@ -0,0 +1,8 @@
1
+ Your password was changed just now.
2
+
3
+ Location: 1.2.3.4
4
+ Time: TIMESTAMP
5
+
6
+ If this was you, you don't need to do anything.
7
+
8
+ If this wasn't you, please let us know.
@@ -0,0 +1,8 @@
1
+ Your password was reset just now.
2
+
3
+ Location: 1.2.3.4
4
+ Time: TIMESTAMP
5
+
6
+ If this was you, you don't need to do anything.
7
+
8
+ If this wasn't you, please let us know.
@@ -0,0 +1,8 @@
1
+ Recovery codes for two-factor authentication were generated for your account just now.
2
+
3
+ Location: 1.2.3.4
4
+ Time: TIMESTAMP
5
+
6
+ If this was you, you don't need to do anything.
7
+
8
+ If this wasn't you, please let us know.
@@ -0,0 +1,4 @@
1
+ You can reset your password here:
2
+
3
+ http://example.com/pwd-reset/123abc
4
+
@@ -0,0 +1,6 @@
1
+ Your two-factor authentication code was reused just now.
2
+
3
+ It was rejected and whoever reused it was not able to log in.
4
+
5
+ Location: 1.2.3.4
6
+ Time: TIMESTAMP
@@ -0,0 +1,8 @@
1
+ Two-factor authentication was set up on your account just now.
2
+
3
+ Location: 1.2.3.4
4
+ Time: TIMESTAMP
5
+
6
+ If this was you, you don't need to do anything.
7
+
8
+ If this wasn't you, please let us know.
@@ -0,0 +1,8 @@
1
+ Two-factor authentication was deactivated on your account just now.
2
+
3
+ Location: 1.2.3.4
4
+ Time: TIMESTAMP
5
+
6
+ If this was you, you don't need to do anything.
7
+
8
+ If this wasn't you, please let us know.
@@ -0,0 +1,145 @@
1
+ require 'test_helper'
2
+
3
+ class AccountConfirmationTest < IntegrationTest
4
+
5
+ setup do
6
+ QuoVadis.accounts_require_confirmation true
7
+ end
8
+
9
+ teardown do
10
+ QuoVadis.accounts_require_confirmation false
11
+ end
12
+
13
+
14
+ test 'new signup requiring confirmation' do
15
+ assert_emails 1 do
16
+ post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
17
+ end
18
+ refute QuoVadis::Account.last.confirmed?
19
+
20
+ # verify response
21
+ assert_response :redirect
22
+ follow_redirect!
23
+ assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
24
+
25
+ # click link in email
26
+ url = extract_url_from_email
27
+ get url
28
+ assert_response :success
29
+ action_path = extract_path_from_email
30
+ assert_select "form[action='#{action_path}']"
31
+
32
+ # click button on confirmation page
33
+ put action_path
34
+
35
+ # verify logged in
36
+ assert_redirected_to '/articles/secret'
37
+ assert_equal 'Thanks for confirming your account. You are now logged in.', flash[:notice]
38
+ assert controller.logged_in?
39
+ assert QuoVadis::Account.last.confirmed?
40
+ end
41
+
42
+
43
+ test 'new signup updates email' do
44
+ assert_emails 1 do
45
+ post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
46
+ end
47
+
48
+ get quo_vadis.edit_email_confirmations_path
49
+ assert_response :success
50
+
51
+ # First email: changed-email notifier sent to original address
52
+ # Second email: confirmation email sent to new address
53
+ assert_emails 2 do
54
+ put quo_vadis.update_email_confirmations_path(email: 'bobby@example.com')
55
+ end
56
+ assert_equal ['bobby@example.com'], ActionMailer::Base.deliveries.last.to
57
+ assert_redirected_to quo_vadis.confirmations_path
58
+ end
59
+
60
+
61
+ test 'resend confirmation email in same session' do
62
+ assert_emails 1 do
63
+ post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
64
+ end
65
+
66
+ assert_emails 1 do
67
+ post quo_vadis.resend_confirmations_path
68
+ end
69
+ end
70
+
71
+
72
+ test 'resend confirmation email: valid identifier' do
73
+ User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
74
+
75
+ get quo_vadis.new_confirmation_path
76
+ assert_response :success
77
+
78
+ assert_emails 1 do
79
+ post quo_vadis.confirmations_path(email: 'bob@example.com')
80
+ end
81
+
82
+ assert_redirected_to '/confirmations'
83
+ assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
84
+ end
85
+
86
+
87
+ test 'resend confirmation email: unknown identifier' do
88
+ assert_no_emails do
89
+ post quo_vadis.confirmations_path(email: 'bob@example.com')
90
+ end
91
+
92
+ assert_redirected_to quo_vadis.new_confirmation_path
93
+ assert_equal 'Sorry, your account could not be found. Please try again.', flash[:alert]
94
+ end
95
+
96
+
97
+ test 'reusing a token' do
98
+ assert_emails 1 do
99
+ post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
100
+ end
101
+
102
+ put extract_path_from_email
103
+
104
+ assert_redirected_to '/articles/secret'
105
+ assert_equal 'Thanks for confirming your account. You are now logged in.', flash[:notice]
106
+
107
+ put extract_path_from_email
108
+ assert_redirected_to quo_vadis.new_confirmation_path
109
+ assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
110
+ end
111
+
112
+
113
+ test 'token expired' do
114
+ assert_emails 1 do
115
+ post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
116
+ end
117
+
118
+ travel QuoVadis.account_confirmation_token_lifetime + 1.minute
119
+ get extract_url_from_email
120
+
121
+ assert_redirected_to quo_vadis.new_confirmation_path
122
+ assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
123
+ end
124
+
125
+
126
+ test 'accounts requiring confirmation cannot log in' do
127
+ User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
128
+ post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
129
+ assert_redirected_to quo_vadis.new_confirmation_path
130
+ assert_equal 'Please confirm your account first.', flash[:notice]
131
+ refute controller.logged_in?
132
+ end
133
+
134
+
135
+ private
136
+
137
+ def extract_url_from_email
138
+ ActionMailer::Base.deliveries.last.decoded[%r{^http://.*$}, 0]
139
+ end
140
+
141
+ def extract_path_from_email
142
+ extract_url_from_email.sub 'http://www.example.com', ''
143
+ end
144
+
145
+ end