quo_vadis 1.4.1 → 2.1.0

data/test/dummy/config/initializers/quo_vadis.rb

@@ -1,77 +1,3 @@
-QuoVadis.configure do |config|
-
-  #
-  # Sign in
-  #
-
-  # The URL to redirect the user to after s/he signs in.
-  # Use a proc if the URL depends on the user.  E.g.:
-  #
-  # config.signed_in_url = Proc.new do |user|
-  #   user.admin? ? :admin : :root
-  # end
-  #
-  # See also `:override_original_url`.
-  config.signed_in_url = :root
-
-  # Whether the `:signed_in_url` should override the URL the user was trying
-  # to reach when they were made to authenticate.
-  config.override_original_url = false
-
-  # Code to run when the user has signed in.  E.g.:
-  #
-  # config.signed_in_hook = Proc.new do |user, controller|
-  #   user.increment! :sign_in_count  # assuming this attribute exists
-  # end
-  config.signed_in_hook = nil
-
-  # Code to run when someone has tried but failed to sign in.  E.g.:
-  #
-  # config.failed_sign_in_hook = Proc.new do |controller|
-  #   Rails.logger.info "Failed sign in from #{controller.request.remote_ip}"
-  # end
-  config.failed_sign_in_hook = nil
-
-  # How long to remember user across browser sessions.
-  # Set to <tt>nil</tt> to never remember user.
-  config.remember_for = 2.weeks
-
-  # Code to run to determine whether the sign-in process is blocked to the user.  E.g.:
-  #
-  # config.blocked = Proc.new do |controller|
-  #   # Assuming a SignIn model with scopes for `failed`, `last_day`, `for_ip`.
-  #   SignIn.failed.last_day.for_ip(controller.request.remote_ip) >= 5
-  # end
-  config.blocked = false
-
-
-  #
-  # Sign out
-  #
-
-  # The URL to redirect the user to after s/he signs out.
-  config.signed_out_url = :root
-
-  # Code to run just before the user has signed out.  E.g.:
-  #
-  # config.signed_out_hook = Proc.new do |user, controller|
-  #   controller.session.reset
-  # end
-  config.signed_out_hook = nil
-
-
-  #
-  # Forgotten-password Mailer
-  #
-
-  # From whom the forgotten-password email should be sent.
-  config.from = 'noreply@example.com'
-
-  #
-  # Miscellaneous
-  #
-
-  # Layout for the sign-in view.  Pass a string or a symbol.
-  config.layout = 'application'
-
+QuoVadis.configure do
+  session_lifetime 1.week
 end

data/test/dummy/config/routes.rb

@@ -1,5 +1,13 @@
-Dummy::Application.routes.draw do
-  resources :articles
+Rails.application.routes.draw do
   resources :users
-  root :to => 'articles#index'
+  resources :sign_ups
+  resources :articles do
+    collection do
+      get 'secret'
+      get 'also_secret'
+      get 'very_secret'
+    end
+  end
+  get '/articles/secret', as: 'after_login'
+  root 'articles#index'
 end

data/test/dummy/db/migrate/202102121932_create_users.rb

@@ -0,0 +1,10 @@
+class CreateUsers < ActiveRecord::Migration[6.1]
+  def change
+    create_table :users do |t|
+      t.string :name, null: false
+      t.string :email, null: false
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/migrate/202102121935_create_people.rb

@@ -0,0 +1,10 @@
+class CreatePeople < ActiveRecord::Migration[6.1]
+  def change
+    create_table :people do |t|
+      t.string :username, null: false
+      t.string :email, null: false
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/schema.rb

@@ -2,32 +2,91 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
-# It's strongly recommended to check this file into your version control system.
+# It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20110127094709) do
+ActiveRecord::Schema.define(version: 202102150904) do
 
-  create_table "articles", :force => true do |t|
-    t.string   "title"
-    t.text     "content"
-    t.datetime "created_at"
-    t.datetime "updated_at"
+  create_table "people", force: :cascade do |t|
+    t.string "username", null: false
+    t.string "email", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
   end
 
-  create_table "users", :force => true do |t|
-    t.string   "name"
-    t.datetime "created_at"
-    t.datetime "updated_at"
-    t.string   "username"
-    t.string   "password_digest"
-    t.string   "email"
-    t.string   "token"
-    t.string   "token_created_at"
+  create_table "qv_accounts", force: :cascade do |t|
+    t.string "model_type", null: false
+    t.bigint "model_id", null: false
+    t.string "identifier", null: false
+    t.datetime "confirmed_at"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["identifier"], name: "index_qv_accounts_on_identifier", unique: true
+    t.index ["model_type", "model_id"], name: "index_qv_accounts_on_model_type_and_model_id", unique: true
   end
 
+  create_table "qv_logs", force: :cascade do |t|
+    t.bigint "account_id"
+    t.string "action", null: false
+    t.string "ip", null: false
+    t.json "metadata", default: {}, null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_logs_on_account_id"
+  end
+
+  create_table "qv_passwords", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "password_digest", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_passwords_on_account_id"
+  end
+
+  create_table "qv_recovery_codes", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "code_digest", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_recovery_codes_on_account_id"
+  end
+
+  create_table "qv_sessions", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "ip", null: false
+    t.string "user_agent", null: false
+    t.datetime "lifetime_expires_at"
+    t.datetime "last_seen_at"
+    t.datetime "second_factor_at"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_sessions_on_account_id"
+  end
+
+  create_table "qv_totps", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.string "key", null: false
+    t.integer "last_used_at", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_qv_totps_on_account_id"
+  end
+
+  create_table "users", force: :cascade do |t|
+    t.string "name", null: false
+    t.string "email", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+  end
+
+  add_foreign_key "qv_logs", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_passwords", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_recovery_codes", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_sessions", "qv_accounts", column: "account_id"
+  add_foreign_key "qv_totps", "qv_accounts", column: "account_id"
 end

data/test/fixtures/quo_vadis/mailer/account_confirmation.text

@@ -0,0 +1,4 @@
+You can confirm your account here:
+
+http://example.com/confirm/123abc
+

data/test/fixtures/quo_vadis/mailer/email_change_notification.text

@@ -0,0 +1,8 @@
+Your email address was changed just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/identifier_change_notification.text

@@ -0,0 +1,8 @@
+Your email was changed just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/password_change_notification.text

@@ -0,0 +1,8 @@
+Your password was changed just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/password_reset_notification.text

@@ -0,0 +1,8 @@
+Your password was reset just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/recovery_codes_generation_notification.text

@@ -0,0 +1,8 @@
+Recovery codes for two-factor authentication were generated for your account just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/reset_password.text

@@ -0,0 +1,4 @@
+You can reset your password here:
+
+http://example.com/pwd-reset/123abc
+

data/test/fixtures/quo_vadis/mailer/totp_reuse_notification.text

@@ -0,0 +1,6 @@
+Your two-factor authentication code was reused just now.
+
+It was rejected and whoever reused it was not able to log in.
+
+Location: 1.2.3.4
+Time: TIMESTAMP

data/test/fixtures/quo_vadis/mailer/totp_setup_notification.text

@@ -0,0 +1,8 @@
+Two-factor authentication was set up on your account just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/fixtures/quo_vadis/mailer/twofa_deactivated_notification.text

@@ -0,0 +1,8 @@
+Two-factor authentication was deactivated on your account just now.
+
+Location: 1.2.3.4
+Time: TIMESTAMP
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/integration/account_confirmation_test.rb

@@ -0,0 +1,145 @@
+require 'test_helper'
+
+class AccountConfirmationTest < IntegrationTest
+
+  setup do
+    QuoVadis.accounts_require_confirmation true
+  end
+
+  teardown do
+    QuoVadis.accounts_require_confirmation false
+  end
+
+
+  test 'new signup requiring confirmation' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+    refute QuoVadis::Account.last.confirmed?
+
+    # verify response
+    assert_response :redirect
+    follow_redirect!
+    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
+
+    # click link in email
+    url = extract_url_from_email
+    get url
+    assert_response :success
+    action_path = extract_path_from_email
+    assert_select "form[action='#{action_path}']"
+
+    # click button on confirmation page
+    put action_path
+
+    # verify logged in
+    assert_redirected_to '/articles/secret'
+    assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
+    assert controller.logged_in?
+    assert QuoVadis::Account.last.confirmed?
+  end
+
+
+  test 'new signup updates email' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    get quo_vadis.edit_email_confirmations_path
+    assert_response :success
+
+    # First email: changed-email notifier sent to original address
+    # Second email: confirmation email sent to new address
+    assert_emails 2 do
+      put quo_vadis.update_email_confirmations_path(email: 'bobby@example.com')
+    end
+    assert_equal ['bobby@example.com'], ActionMailer::Base.deliveries.last.to
+    assert_redirected_to quo_vadis.confirmations_path
+  end
+
+
+  test 'resend confirmation email in same session' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    assert_emails 1 do
+      post quo_vadis.resend_confirmations_path
+    end
+  end
+
+
+  test 'resend confirmation email: valid identifier' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    get quo_vadis.new_confirmation_path
+    assert_response :success
+
+    assert_emails 1 do
+      post quo_vadis.confirmations_path(email: 'bob@example.com')
+    end
+
+    assert_redirected_to  '/confirmations'
+    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'resend confirmation email: unknown identifier' do
+    assert_no_emails do
+      post quo_vadis.confirmations_path(email: 'bob@example.com')
+    end
+
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Sorry, your account could not be found.  Please try again.', flash[:alert]
+  end
+
+
+  test 'reusing a token' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    put extract_path_from_email
+
+    assert_redirected_to '/articles/secret'
+    assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
+
+    put extract_path_from_email
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
+  end
+
+
+  test 'token expired' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    travel QuoVadis.account_confirmation_token_lifetime + 1.minute
+    get extract_url_from_email
+
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
+  end
+
+
+  test 'accounts requiring confirmation cannot log in' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    assert_redirected_to quo_vadis.new_confirmation_path
+    assert_equal 'Please confirm your account first.', flash[:notice]
+    refute controller.logged_in?
+  end
+
+
+  private
+
+  def extract_url_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{^http://.*$}, 0]
+  end
+
+  def extract_path_from_email
+    extract_url_from_email.sub 'http://www.example.com', ''
+  end
+
+end