quo_vadis 1.4.2 → 2.1.1

data/test/integration/password_change_test.rb

@@ -0,0 +1,99 @@
+require 'test_helper'
+
+class PasswordChangeTest < IntegrationTest
+
+  setup do
+    QuoVadis.two_factor_authentication_mandatory false
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    login
+  end
+
+
+  test 'requires login' do
+    logout
+
+    put quo_vadis.password_path
+    assert_redirected_to quo_vadis.login_path
+  end
+
+
+  test 'incorrect password' do
+    put quo_vadis.password_path(password: {password: 'x'})
+    assert_response :unprocessable_entity
+    assert_equal ['is incorrect'], password_instance.errors[:password]
+  end
+
+
+  test 'new password empty' do
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: ''})
+    assert_response :unprocessable_entity
+    assert_equal ["can't be blank"], password_instance.errors[:new_password]
+  end
+
+
+  test 'new password too short' do
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'x'})
+    assert_response :unprocessable_entity
+    assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], password_instance.errors[:new_password]
+  end
+
+
+  test 'new password confirmation does not match' do
+    put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y'
+    })
+    assert_response :unprocessable_entity
+    assert_equal ["doesn't match Password"], password_instance.errors[:new_password_confirmation]
+  end
+
+
+  test 'success' do
+    assert_emails 1 do
+      assert_session_replaced do
+        put quo_vadis.password_path(password: {
+          password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+        })
+        assert_response :redirect
+        assert_equal 'Your password has been changed.', flash[:notice]
+      end
+    end
+  end
+
+
+  test 'logs out other sessions' do
+    desktop = session_login
+    phone = session_login
+
+    desktop.put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+    })
+    desktop.follow_redirect!
+    assert desktop.controller.logged_in?
+
+    phone.get articles_path
+    refute phone.controller.logged_in?
+  end
+
+
+  private
+
+  # starts a new rails session and logs in
+  def session_login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def logout
+    delete quo_vadis.logout_path
+  end
+
+  def password_instance
+    controller.instance_variable_get :@password
+  end
+
+end

data/test/integration/password_login_test.rb

@@ -0,0 +1,137 @@
+require 'test_helper'
+
+class PasswordLoginTest < IntegrationTest
+
+  setup do
+    QuoVadis.session_lifetime :session
+  end
+
+
+  test 'successful login' do
+    get quo_vadis.login_path
+    assert_response :success
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to secret_articles_path
+    assert_equal after_login_path, secret_articles_path
+  end
+
+
+  test 'successful login redirects to original path' do
+    get also_secret_articles_path
+    refute_nil session[:qv_bookmark]
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to also_secret_articles_path
+    assert_nil session[:qv_bookmark]
+  end
+
+
+  test 'successful login does not redirect to login path' do
+    get quo_vadis.login_path
+    assert_nil session[:qv_bookmark]
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to after_login_path
+  end
+
+
+  test 'failed login' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
+
+    assert_response :unprocessable_entity
+    assert_equal quo_vadis.login_path, path
+  end
+
+
+  test 'unknown login' do
+    post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
+
+    assert_response :unprocessable_entity
+    assert_equal quo_vadis.login_path, path
+  end
+
+
+  test 'logout' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    # logout
+    assert jar.encrypted[QuoVadis.cookie_name]
+    assert_difference 'QuoVadis::Session.count', -1 do
+      delete quo_vadis.logout_path
+    end
+    refute jar.encrypted[QuoVadis.cookie_name]
+    assert_redirected_to root_path
+  end
+
+
+  test 'login for browser session' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+      assert sess.controller.logged_in?
+    end
+
+    open_session do |sess|
+      sess.get articles_path
+      refute sess.controller.logged_in?
+    end
+  end
+
+
+  # Ideally we would use multiple sessions to distinguish this from a single
+  # browser session.  We would log in in one session then assert we can log in
+  # in another session within the timeframe.  But I can't find a way to share
+  # a cookie between test sessions (I tried nesting sessions).  So we do all
+  # this within a single session, even though it has the same effect as being
+  # within a single browser session.
+  test 'login for 1 week' do
+    QuoVadis.session_lifetime 1.week
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    refute QuoVadis::Session.last.send(:browser_session?)
+    assert controller.logged_in?
+
+    travel 5.days
+
+    get articles_path
+    assert controller.logged_in?  # flakey
+
+    travel 3.days
+
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  test 'optional remember not opted in' do
+    QuoVadis.session_lifetime 1.week
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc', remember: '0')
+    assert QuoVadis::Session.last.send(:browser_session?)
+
+    # Cannot test this fully without being able to share cookies between test sessions.
+  end
+
+
+  test 'optional remember opted in' do
+    QuoVadis.session_lifetime 1.week
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc', remember: '1')
+    refute QuoVadis::Session.last.send(:browser_session?)
+
+    # Cannot test this fully without being able to share cookies between test sessions.
+  end
+end

data/test/integration/password_reset_test.rb

@@ -0,0 +1,136 @@
+require 'test_helper'
+
+class PasswordResetTest < IntegrationTest
+
+  setup do
+    @user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+  end
+
+
+  test 'new password reset' do
+    get quo_vadis.new_password_reset_path
+    assert_response :success
+  end
+
+
+  test 'unknown identifier' do
+    post quo_vadis.password_resets_path(email: 'foo@example.com')
+    assert_redirected_to quo_vadis.password_resets_path
+    assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'known identifier' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    assert_redirected_to quo_vadis.password_resets_path
+    assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'click link in email' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    get extract_url_from_email
+    assert_response :success
+  end
+
+
+  test 'expired link' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    travel QuoVadis.password_reset_token_lifetime + 1.minute
+    get extract_url_from_email
+    assert_redirected_to quo_vadis.new_password_reset_path
+    assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
+  end
+
+
+  test 'link cannot be reused' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
+    assert controller.logged_in?
+
+    get quo_vadis.password_reset_url(extract_token_from_email)
+    assert_redirected_to quo_vadis.new_password_reset_path
+    assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
+  end
+
+
+  test 'new password invalid' do
+    digest = @user.qv_account.password.password_digest
+
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+
+    assert_no_difference 'QuoVadis::Session.count' do
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: '', password_confirmation: ''})
+    end
+
+    assert_equal digest, @user.qv_account.password.reload.password_digest
+    assert_response :unprocessable_entity
+    assert_equal quo_vadis.password_reset_path(extract_token_from_email), path
+  end
+
+
+  test 'new password valid' do
+    QuoVadis.two_factor_authentication_mandatory false
+
+    digest = @user.qv_account.password.password_digest
+
+    desktop = session_login
+    phone = session_login
+
+    get articles_url
+    refute controller.logged_in?
+
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+
+    assert_difference 'QuoVadis::Session.count', (- 2 + 1) do
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
+    end
+
+    assert controller.logged_in?
+
+    desktop.get articles_url
+    refute desktop.controller.logged_in?  # NOTE: flaky; if this fails, re-migrate the database.
+
+    phone.get articles_url
+    refute phone.controller.logged_in?
+
+    refute_equal digest, @user.qv_account.password.reload.password_digest
+
+    assert_redirected_to '/articles/secret'
+    assert_equal 'Your password has been changed and you are logged in.', flash[:notice]
+  end
+
+
+  private
+
+  def session_login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+  def extract_url_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{^http://.*$}, 0]
+  end
+
+  def extract_path_from_email
+    extract_url_from_email.sub 'http://www.example.com', ''
+  end
+
+  def extract_token_from_email
+    extract_url_from_email[%r{/([^/]*)$}, 1]
+  end
+
+end

data/test/integration/recovery_codes_test.rb

@@ -0,0 +1,48 @@
+require 'test_helper'
+
+class RecoveryCodesTest < IntegrationTest
+
+  setup do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    u.qv_account.create_totp last_used_at: 1.day.ago
+    QuoVadis.two_factor_authentication_mandatory true
+    @codes = u.qv_account.generate_recovery_codes
+    login
+  end
+
+
+  test 'use recovery code' do
+    get quo_vadis.challenge_recovery_codes_path
+    assert_response :success
+
+    assert_difference 'QuoVadis::Totp.count', -1 do
+      assert_difference 'QuoVadis::RecoveryCode.count', -1 do
+        assert_session_replaced do
+          post quo_vadis.authenticate_recovery_codes_path(code: @codes.first)
+        end
+      end
+    end
+
+    assert_nil User.last.qv_account.totp
+
+    assert_redirected_to  '/articles/secret'
+
+    # use another recovery code to verify another TOTP-reset doesn't error
+    post quo_vadis.authenticate_recovery_codes_path(code: @codes[1])
+  end
+
+
+  test 'generate recovery codes' do
+    assert_emails 1 do
+      post quo_vadis.generate_recovery_codes_path
+    end
+    assert_redirected_to quo_vadis.recovery_codes_path
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+end

data/test/integration/sessions_test.rb

@@ -0,0 +1,86 @@
+require 'test_helper'
+
+# sqlite: primary key needs AUTOINCREMENT to not reuse previous values
+# https://www.sqlite.org/faq.html#q1
+# AR should do this by default (but it seems sometimes doesn't)
+
+class SessionsTest < IntegrationTest
+
+  setup do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    QuoVadis.session_lifetime :session
+    QuoVadis.two_factor_authentication_mandatory false
+  end
+
+
+  test 'sessions require authentication' do
+    get quo_vadis.sessions_path
+    assert_redirected_to quo_vadis.login_path
+  end
+
+
+  test "user's sessions are independent" do
+    desktop = login
+    phone = login
+
+    refute_equal jar(desktop).encrypted[QuoVadis.cookie_name],
+                 jar(phone).encrypted[QuoVadis.cookie_name]
+  end
+
+
+  test 'user can logout without logging out another session' do
+    desktop = login
+    phone = login
+
+    # logout on phone
+    phone.delete quo_vadis.logout_path
+
+    # assert phone logged out
+    phone.assert_response :redirect
+    assert_equal 'You have logged out.', phone.flash[:notice]
+    refute jar(phone).encrypted[QuoVadis.cookie_name]
+    refute phone.controller.logged_in?
+
+    # assert desktop still logged in
+    assert jar(desktop).encrypted[QuoVadis.cookie_name]
+  end
+
+
+  test "user can log out a separate session" do
+    desktop = login
+    phone = login
+
+    # on phone, list sessions
+    phone.get quo_vadis.sessions_path
+    phone.assert_response :success
+    phone.assert_select 'td', 'This session'
+    phone.assert_select 'td input[type=submit][value="Log out"]', 1
+
+    # on phone, log out the desktop session
+    phone.delete quo_vadis.session_path(QuoVadis::Session.first.id)
+    phone.assert_redirected_to quo_vadis.sessions_path
+
+    # phone is still logged in
+    assert_equal 'You have logged out of the other session.', phone.flash[:notice]
+
+    # desktop is logged out
+    desktop.get '/articles'
+    refute desktop.controller.logged_in?
+  end
+
+
+  private
+
+  # starts a new rails session and logs in
+  def login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+  # logs in in current session
+  def plain_login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+end