quo_vadis 1.4.2 → 2.1.1

data/test/models/crypt_test.rb

@@ -0,0 +1,22 @@
+require 'test_helper'
+
+class CryptTest < ActiveSupport::TestCase
+
+  setup do
+    @crypt = QuoVadis::Crypt
+  end
+
+  test 'round trip' do
+    plaintext = 'the quick brown fox'
+    ciphertext = @crypt.encrypt plaintext
+    refute_equal plaintext, ciphertext
+    assert_equal plaintext, @crypt.decrypt(ciphertext)
+  end
+
+  test 'same plaintext encrypts to different ciphertexts' do
+    plaintext = 'the quick brown fox'
+    ciphertext = @crypt.encrypt plaintext
+    refute_equal ciphertext, @crypt.encrypt(plaintext)
+  end
+
+end

data/test/models/log_test.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+
+class LogTest < ActiveSupport::TestCase
+
+  test 'smoke' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+
+    log = account.logs.create! action: QuoVadis::Log::LOGIN_SUCCESS, ip: '1.2.3.4', metadata: {foo: 'bar'}
+
+    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+    assert_equal '1.2.3.4', log.ip
+    assert_equal 'bar', log.metadata['foo']
+  end
+
+end

data/test/models/mask_ip_test.rb

@@ -0,0 +1,27 @@
+require 'test_helper'
+
+class MaskIpTest < ActiveSupport::TestCase
+
+  setup do
+    @masking = QuoVadis.mask_ips
+  end
+
+  teardown do
+    QuoVadis.mask_ips @masking
+  end
+
+
+  test 'mask ips' do
+    [ QuoVadis::Log, QuoVadis::Session ].each do |klass|
+      QuoVadis.mask_ips false
+      instance = klass.new(ip: '1.2.3.4')
+      instance.valid?
+      assert_equal '1.2.3.4', instance.ip
+
+      QuoVadis.mask_ips true
+      instance.valid?
+      assert_equal '1.2.3.0', instance.ip
+    end
+  end
+
+end

data/test/models/model_test.rb

@@ -0,0 +1,66 @@
+require 'test_helper'
+
+class ModelTest < ActiveSupport::TestCase
+  include ActionMailer::TestHelper
+
+  test 'responds to' do
+    assert_respond_to User, :authenticates
+    u = User.new
+    assert_respond_to u, :password
+    assert_respond_to u, :password=
+    assert_respond_to u, :password_confirmation
+    assert_respond_to u, :password_confirmation=
+  end
+
+
+  test 'creates account' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    assert u.persisted?
+    assert u.qv_account.persisted?
+  end
+
+
+  test 'destroys account' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    ac = u.qv_account
+    u.destroy
+    assert ac.destroyed?
+  end
+
+
+  test 'copies model identifier to account' do
+    email = 'bob@example.com'
+    u = User.create! name: 'bob', email: email, password: '123456789abc'
+    assert_equal email, u.qv_account.identifier
+
+    email = 'b@foo.com'
+    u.update email: email
+    u.qv_account.reload
+    assert_equal email, u.qv_account.identifier
+
+    u.update name: nil, email: 'xyz'  # nil name is invalid
+    u.qv_account.reload
+    refute_equal 'xyz', u.qv_account.identifier
+  end
+
+
+  test 'ensures uniqueness validation on identifier' do
+    Foo = Class.new ActiveRecord::Base
+    assert_raises NotImplementedError, 'missing uniqueness validation on ModelTest::Foo#email.  Try adding: `validates :email, uniqueness: true`' do
+      Foo.instance_eval 'authenticates'
+    end
+
+    Bar = Class.new ActiveRecord::Base
+    Bar.instance_eval 'validates :email, uniqueness: true'
+    Bar.instance_eval 'authenticates'
+    # no error raised
+  end
+
+
+  test 'notifies on email change' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+      u.update email: 'robert@example.com'
+    end
+  end
+end

data/test/models/password_test.rb

@@ -0,0 +1,179 @@
+require 'test_helper'
+
+class PasswordTest < ActiveSupport::TestCase
+
+  VALID_PASSWORD = '123456789abc'
+  SIXTY_FOUR_CHARS = '1234567890123456789012345678901234567890123456789012345678901234'
+
+  test 'validations' do
+    pw = QuoVadis::Password.new
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = nil
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = ''
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = 'x'
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = VALID_PASSWORD
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+
+  test 'confirmation' do
+    pw = QuoVadis::Password.new password: VALID_PASSWORD, password_confirmation: nil
+    pw.valid?
+    assert_empty pw.errors[:password_confirmation]
+
+    pw = QuoVadis::Password.new password: VALID_PASSWORD, password_confirmation: ''
+    pw.valid?
+    refute_empty pw.errors[:password_confirmation]
+
+    pw.password_confirmation = VALID_PASSWORD
+    pw.valid?
+    assert_empty pw.errors[:password_confirmation]
+    assert_empty pw.errors[:password]
+  end
+
+
+  test 'model passes through password to quo_vadis' do
+    user = User.new name: 'bob', email: 'bob@example.com'
+    assert user.valid?
+
+    user = User.new name: 'bob', email: 'bob@example.com', password: ''
+    refute user.valid?
+    refute_empty user.errors[:password]
+
+    user.password = 'x'
+    refute user.valid?
+    refute_empty user.errors[:password]
+
+    user.password = VALID_PASSWORD
+    assert user.save
+
+    _user = User.last
+    assert _user.valid?
+
+    _pw = _user.qv_account.password
+    assert _pw.valid?
+  end
+
+
+  test 'model passes through password confirmation to quo_vadis' do
+    user = User.new name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD, password_confirmation: 'x'
+    refute user.valid?
+    refute_empty user.errors[:password_confirmation]
+
+    user.password_confirmation = VALID_PASSWORD
+    assert user.valid?
+  end
+
+
+  test 'change' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+
+    refute pw.change('wrong', '', '')
+    assert_equal ['is incorrect'], pw.errors[:password]
+
+    pw = QuoVadis::Password.find pw.id
+    refute pw.change(VALID_PASSWORD, '', '')
+    assert_equal ["can't be blank"], pw.errors[:new_password]
+
+    pw = QuoVadis::Password.find pw.id
+    refute pw.change(VALID_PASSWORD, 'x', 'x')
+    assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], pw.errors[:new_password]
+
+    pw = QuoVadis::Password.find pw.id
+    refute pw.change(VALID_PASSWORD, 'xxxxxxxxxxxx', 'yyyyyyyyyyyy')
+    assert_equal ["doesn't match Password"], pw.errors[:new_password_confirmation]
+
+    pw = QuoVadis::Password.find pw.id
+    assert pw.change(VALID_PASSWORD, 'xxxxxxxxxxxx', 'xxxxxxxxxxxx')
+    assert pw.authenticate 'xxxxxxxxxxxx'
+  end
+
+
+  test 'reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+
+    refute pw.reset('', '')
+    assert_equal ["can't be blank"], pw.errors[:password]
+
+    refute pw.reset('x', 'x')
+    assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], pw.errors[:password]
+
+    refute pw.reset('xxxxxxxxxxxx', 'yyyyyyyyyyyy')
+    assert_equal ["doesn't match Password"], pw.errors[:password_confirmation]
+
+    assert pw.reset('xxxxxxxxxxxx', 'xxxxxxxxxxxx')
+    assert pw.authenticate 'xxxxxxxxxxxx'
+  end
+
+
+  test 'passwords can only be updated via #change and #reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+
+    refute pw.update password: 'secretsecret'
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+
+    pw.password = VALID_PASSWORD
+    refute pw.save
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+  end
+
+
+  test 'cascade destroy' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    assert user.qv_account.persisted?
+    assert user.qv_account.password.persisted?
+
+    user.destroy
+    assert user.qv_account.destroyed?
+    assert user.qv_account.password.destroyed?
+  end
+
+
+  test 'cannot override existing password' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+
+    assert_raises QuoVadis::PasswordExistsError do
+      user.password = 'cba987654321'
+    end
+  end
+
+
+  test 'passwords may be 64 characters or longer' do
+    pw = QuoVadis::Password.new password: SIXTY_FOUR_CHARS
+    pw.valid?
+    assert_empty pw.errors[:password]
+
+    pw.password = "#{SIXTY_FOUR_CHARS}abc"
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+  test 'passwords may contain spaces, no truncation' do
+    pw = QuoVadis::Password.new password: '            '
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+  test 'passwords may contain unicode characters' do
+    pw = QuoVadis::Password.new password: '★ ★ ★ ★ ★ ★ '
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+
+end

data/test/models/recovery_code_test.rb

@@ -0,0 +1,54 @@
+require 'test_helper'
+
+class RecoveryCodeTest < ActiveSupport::TestCase
+
+  setup do
+    @user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @rc = QuoVadis::RecoveryCode.new(account: @user.qv_account).tap &:save!
+  end
+
+
+  test 'code can be retrieved initially' do
+    assert_equal 11, @rc.code.length
+  end
+
+
+  test 'code does not change' do
+    code = @rc.code
+    @rc.valid?
+    assert_equal code, @rc.code
+  end
+
+
+  test 'code not available after finding' do
+    rc = QuoVadis::RecoveryCode.find @rc.id
+    assert_nil rc.code
+  end
+
+
+  test 'authenticate' do
+    code = @rc.code
+    refute @rc.authenticate_code 'wrong'
+    assert @rc.authenticate_code code
+  end
+
+
+  test 'recovery code is destroyed after successful use' do
+    code = @rc.code
+    assert @rc.authenticate_code code
+    assert @rc.destroyed?
+  end
+
+  test 'generate a fresh set of codes' do
+    account = @user.qv_account
+    codes = []
+    assert_difference 'QuoVadis::RecoveryCode.count', 5 do
+      codes = account.generate_recovery_codes
+    end
+    assert_equal 5, codes.length
+    codes.each do |code|
+      assert_instance_of String, code
+    end
+  end
+
+end

data/test/models/session_test.rb

@@ -0,0 +1,67 @@
+require 'test_helper'
+
+class SessionTest < ActiveSupport::TestCase
+
+  test 'expired?' do
+    refute QuoVadis::Session.new.expired?
+    assert QuoVadis::Session.new(lifetime_expires_at: 1.day.ago).expired?
+    refute QuoVadis::Session.new(lifetime_expires_at: 1.day.from_now).expired?
+
+    QuoVadis.session_idle_timeout 5.minutes
+    refute QuoVadis::Session.new(lifetime_expires_at: 1.day.from_now, last_seen_at: 1.minute.ago).expired?
+    assert QuoVadis::Session.new(lifetime_expires_at: 1.day.from_now, last_seen_at: 10.minutes.ago).expired?
+  end
+
+
+  test 'logout_other_sessions' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+    s0 = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+    s1 = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+
+    s0.logout_other_sessions
+
+    refute s0.destroyed?
+    assert s1.destroyed?
+  end
+
+
+  test 'reset authenticated with second factor' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+    session = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+
+    refute session.second_factor_authenticated?
+    session.authenticated_with_second_factor
+    assert session.second_factor_authenticated?
+    session.reset_authenticated_with_second_factor
+    refute session.second_factor_authenticated?
+  end
+
+
+  test 'replace' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+
+    session = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+    sess = session.replace
+
+    assert_instance_of QuoVadis::Session, sess
+    assert session.destroyed?
+    refute_equal session.id, sess.id
+
+    refute_includes account.sessions, session
+    assert_includes account.sessions, sess
+
+    session
+      .attributes
+      .reject { |name, _| %w[id created_at created_on updated_at updated_on].include? name }
+      .each do |name, value|
+        if value.nil?
+          assert_nil sess.send(name)
+        else
+          assert_equal value, sess.send(name)
+        end
+      end
+  end
+end

data/test/models/token_test.rb

@@ -0,0 +1,70 @@
+require 'test_helper'
+
+class TokenTest < ActiveSupport::TestCase
+
+  setup do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @account = u.qv_account
+  end
+
+
+  test 'account confirmation' do
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    assert_match /^\d+-\d+--\h+$/, token
+    assert_equal @account, QuoVadis::AccountConfirmationToken.find_account(token)
+  end
+
+  test 'account confirmation expired' do
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    travel QuoVadis.account_confirmation_token_lifetime + 1.second
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(token)
+  end
+
+  test 'account confirmation already done' do
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    @account.confirmed!
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(token)
+  end
+
+  test 'account confirmation token tampered with' do
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(nil)
+    assert_nil QuoVadis::AccountConfirmationToken.find_account('')
+    assert_nil QuoVadis::AccountConfirmationToken.find_account('asdf')
+
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    id, expires_at, hash = token.match(/^(\d+)-(\d+)--(\h+)$/).captures
+    fake_token = "#{id}-#{expires_at.to_i + 1}--#{hash}"
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(fake_token)
+  end
+
+
+  test 'password reset' do
+    token = QuoVadis::PasswordResetToken.generate @account
+    assert_match /^\d+-\d+--\h+$/, token
+    assert_equal @account, QuoVadis::PasswordResetToken.find_account(token)
+  end
+
+  test 'password reset expired' do
+    token = QuoVadis::PasswordResetToken.generate @account
+    travel QuoVadis.password_reset_token_lifetime + 1.second
+    assert_nil QuoVadis::PasswordResetToken.find_account(token)
+  end
+
+  test 'password reset already done' do
+    token = QuoVadis::PasswordResetToken.generate @account
+    @account.password.reset 'secretsecret', 'secretsecret'
+    assert_nil QuoVadis::PasswordResetToken.find_account(token)
+  end
+
+  test 'password reset token tampered with' do
+    assert_nil QuoVadis::PasswordResetToken.find_account(nil)
+    assert_nil QuoVadis::PasswordResetToken.find_account('')
+    assert_nil QuoVadis::PasswordResetToken.find_account('asdf')
+
+    token = QuoVadis::PasswordResetToken.generate @account
+    id, expires_at, hash = token.match(/^(\d+)-(\d+)--(\h+)$/).captures
+    fake_token = "#{id}-#{expires_at.to_i + 1}--#{hash}"
+    assert_nil QuoVadis::PasswordResetToken.find_account(fake_token)
+  end
+
+end