quo_vadis 1.4.1 → 2.1.0

data/test/integration/sign_up_test.rb

@@ -1,21 +1,35 @@
 require 'test_helper'
 
-class SignUpTest < ActiveSupport::IntegrationCase
+class SignUpTest < IntegrationTest
 
-  test 'sign in of a just-signed-up user' do
-    visit new_user_path
-    fill_in 'user_name',     :with => 'Robert'
-    fill_in 'user_username', :with => 'bob'
-    fill_in 'user_password', :with => 'secret'
-    click_button 'Sign up'
+  test 'successful sign up' do
+    assert_difference 'User.count' do
+      post "/users", params: {
+        user: {
+          name:                  'Bob',
+          email:                 'billy@example.com',
+          password:              '123456789abc',
+          password_confirmation: '123456789abc'
+        }
+      }, headers: { 'HTTP_USER_AGENT' => 'Blah' }
+      assert_redirected_to '/articles'
+      follow_redirect!
+      assert_select 'p', 'Public Articles'
+    end
+  end
 
-    assert_equal root_path, current_path
 
-    within '.flash.notice' do
-      assert page.has_content?('You have signed up!')
+  test 'failed sign up' do
+    assert_no_difference 'User.count' do
+      post "/users", params: {
+        user: {
+          name:     'Bob',
+          email:    'billy@example.com',
+          password: 'x'
+        }
+      }
+      assert_response :success
     end
-
-    assert page.has_content?('You are signed in as Robert')
   end
 
 end

data/test/integration/totps_test.rb

@@ -0,0 +1,96 @@
+require 'test_helper'
+
+class TotpsTest < IntegrationTest
+
+  setup do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+  end
+
+
+  test ':challenge redirects to :new when no second factor setup' do
+    get quo_vadis.challenge_totps_path
+    assert_redirected_to quo_vadis.new_totp_path
+    assert_equal 'Please set up two factor authentication.', flash[:alert]
+  end
+
+
+  test 'set up second factor' do
+    get quo_vadis.new_totp_path
+    assert_response :success
+
+    totp = controller.instance_variable_get :@totp
+    assert_emails 1 do
+      assert_difference 'QuoVadis::RecoveryCode.count', 5 do
+        assert_difference 'QuoVadis::Totp.count' do
+          post quo_vadis.totps_path(totp: {
+            key: totp.key,
+            hmac_key: totp.hmac_key,
+            otp: ROTP::TOTP.new(totp.key).now
+          })
+        end
+      end
+    end
+
+    assert_redirected_to quo_vadis.recovery_codes_path
+  end
+
+
+  test 'does not set up second factor when key tampered with' do
+    get quo_vadis.new_totp_path
+
+    totp = controller.instance_variable_get :@totp
+    assert_no_difference 'QuoVadis::Totp.count' do
+      post quo_vadis.totps_path(totp: {
+        key: 'dodgy',
+        hmac_key: totp.hmac_key,
+        otp: ROTP::TOTP.new('dodgy').now
+      })
+    end
+
+    assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
+    assert_redirected_to quo_vadis.new_totp_path
+  end
+
+
+  test 'authenticate with second factor' do
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+
+    get quo_vadis.challenge_totps_path
+    assert_response :success
+
+    assert_session_replaced do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+    assert QuoVadis::Session.last.second_factor_authenticated?
+    assert_equal 'Welcome back!', flash[:notice]
+    assert_redirected_to '/articles/secret'
+  end
+
+
+  test 'failed authentication with second factor' do
+    User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+
+    post quo_vadis.authenticate_totps_path(totp: '123456')
+    refute QuoVadis::Session.last.second_factor_authenticated?
+    assert_response :unprocessable_entity
+    assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
+  end
+
+
+  test '2fa code reused' do
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    assert_emails 1 do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+end

data/test/integration/twofa_test.rb

@@ -0,0 +1,82 @@
+require 'test_helper'
+
+class TwofaTest < IntegrationTest
+
+  setup do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @account = u.qv_account
+    QuoVadis.two_factor_authentication_mandatory true
+    # @codes = u.qv_account.generate_recovery_codes
+    login
+  end
+
+
+  test 'no totp, no recovery codes' do
+    get quo_vadis.twofa_path
+    assert_response :success
+    assert_select "a[href=?]", quo_vadis.new_totp_path
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'totp, no recovery codes' do
+    setup_totp
+    get quo_vadis.twofa_path
+    assert_select 'form[action=?]', quo_vadis.twofa_path do
+      assert_select 'input[value=delete]'
+    end
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'no totp, recovery codes' do
+    setup_recovery_codes
+    get quo_vadis.twofa_path
+    assert_select "a[href=?]", quo_vadis.new_totp_path
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'totp, recovery codes' do
+    setup_totp
+    setup_recovery_codes
+    get quo_vadis.twofa_path
+    assert_select 'form[action=?]', quo_vadis.twofa_path do
+      assert_select 'input[value=delete]'
+    end
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'deactivate' do
+    setup_totp
+    setup_recovery_codes
+
+    assert_emails 1 do
+      delete quo_vadis.twofa_path
+    end
+
+    # The flash only seems to be set before the redirect.  No idea why.
+    assert_equal 'You have invalidated your 2FA credentials and recovery codes.', flash[:notice]
+    @account.reload
+    assert_nil @account.totp
+    assert_empty @account.recovery_codes
+    @account.sessions.each { |s| refute s.second_factor_authenticated? }
+    assert_redirected_to quo_vadis.twofa_path
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def setup_totp
+    @account.create_totp last_used_at: 1.day.ago
+  end
+
+  def setup_recovery_codes
+    @account.generate_recovery_codes
+  end
+end

data/test/mailers/mailer_test.rb

@@ -0,0 +1,200 @@
+require 'test_helper'
+
+class MailerTest < ActionMailer::TestCase
+
+  tests QuoVadis::Mailer
+
+  setup do
+    QuoVadis.mail_headers({from: 'Bar <bar@example.com>'})
+  end
+
+
+  test 'reset_password' do
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      url: 'http://example.com/pwd-reset/123abc'
+    ).reset_password
+
+    assert_emails 1 do
+      email.deliver_now
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Change your password', email.subject
+    assert_equal read_fixture('reset_password.text').join, email.body.to_s
+  end
+
+
+  test 'account_confirmation' do
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      url: 'http://example.com/confirm/123abc'
+    ).account_confirmation
+
+    assert_emails 1 do
+      email.deliver_now
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Please confirm your account', email.subject
+    assert_equal read_fixture('account_confirmation.text').join, email.body.to_s
+  end
+
+
+  test 'email change notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').email_change_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your email address has been changed', email.subject
+    assert_equal with_timestamp(read_fixture('email_change_notification.text').join), email.body.to_s
+  end
+
+
+  test 'identifier change notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>', identifier: 'email').identifier_change_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your email has been changed', email.subject
+    assert_equal with_timestamp(read_fixture('identifier_change_notification.text').join), email.body.to_s
+  end
+
+
+  test 'password change notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_change_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your password has been changed', email.subject
+    assert_equal with_timestamp(read_fixture('password_change_notification.text').join), email.body.to_s
+  end
+
+
+  test 'password reset notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_reset_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your password has been reset', email.subject
+    assert_equal with_timestamp(read_fixture('password_reset_notification.text').join), email.body.to_s
+  end
+
+
+  test 'totp setup notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_setup_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Two-factor authentication was set up just now', email.subject
+    assert_equal with_timestamp(read_fixture('totp_setup_notification.text').join), email.body.to_s
+  end
+
+
+  test 'totp reuse notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_reuse_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your two-factor authentication code was reused just now', email.subject
+    assert_equal with_timestamp(read_fixture('totp_reuse_notification.text').join), email.body.to_s
+  end
+
+
+  test '2fa deactivated notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').twofa_deactivated_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Two-factor authentication was deactivated just now', email.subject
+    assert_equal with_timestamp(read_fixture('twofa_deactivated_notification.text').join), email.body.to_s
+  end
+
+
+  test 'recovery codes generation notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').recovery_codes_generation_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Recovery codes have been generated for your account', email.subject
+    assert_equal with_timestamp(read_fixture('recovery_codes_generation_notification.text').join), email.body.to_s
+  end
+
+
+  private
+
+  def read_fixture(action)
+    IO.readlines(File.join(__dir__, '..', 'fixtures', self.class.mailer_class.name.underscore, action))
+  end
+
+  def with_timestamp(str)
+    str.sub 'TIMESTAMP', Time.now.strftime('%e %B at %H:%M (%Z)')
+  end
+
+end

data/test/models/account_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+
+class AccountTest < ActiveSupport::TestCase
+  include ActionMailer::TestHelper
+
+  test 'confirmed?' do
+    account = QuoVadis::Account.new
+    refute account.confirmed?
+
+    account.confirmed_at = Time.now
+    assert account.confirmed?
+  end
+
+
+  test 'notifies on identifier change when notifier is not email' do
+    p = Person.create! username: 'bob', email: 'bob@example.com', password: 'secretsecret'
+    assert_enqueued_email_with QuoVadis::Mailer, :identifier_change_notification, args: {email: 'bob@example.com', identifier: 'username'} do
+      assert_enqueued_emails 1 do
+        p.update username: 'robert@example.com'
+      end
+    end
+  end
+
+
+  test 'does not notify on identifier change when notifier is email' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+      assert_enqueued_emails 1 do
+        u.update email: 'robert@example.com'
+      end
+    end
+  end
+
+end