quo_vadis 1.4.2 → 2.1.1

data/test/integration/controller_test.rb

@@ -0,0 +1,280 @@
+require 'test_helper'
+
+class ControllerTest < IntegrationTest
+
+  setup do
+    User.first_or_create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    QuoVadis.two_factor_authentication_mandatory false
+  end
+
+
+  teardown do
+    QuoVadis.session_lifetime_extend_to_end_of_day false
+    QuoVadis.session_idle_timeout :lifetime
+  end
+
+
+  test 'require_authentication when not logged in' do
+    get secret_articles_path
+
+    assert_redirected_to quo_vadis.login_path
+    assert_equal 'Please log in first.', flash[:notice]
+  end
+
+
+  test 'require_authentication when logged in' do
+    login
+    get secret_articles_path
+
+    assert_response :success
+    assert_equal secret_articles_path, path
+  end
+
+
+  test 'require_authentication remembers original path' do
+    get also_secret_articles_path
+    assert_equal '/articles/also_secret', session[:qv_bookmark]
+  end
+
+
+  test 'require_two_factor_authentication when not logged in' do
+    QuoVadis.two_factor_authentication_mandatory true
+    get very_secret_articles_path
+
+    assert_redirected_to quo_vadis.login_path
+    assert_equal 'Please log in first.', flash[:notice]
+  end
+
+
+  test 'require_two_factor_authentication when logged in but second factor not required' do
+    QuoVadis.two_factor_authentication_mandatory false
+    login
+    get very_secret_articles_path
+
+    assert_response :success
+    assert_equal very_secret_articles_path, path
+  end
+
+
+  test 'require_two_factor_authentication when logged in and second factor required' do
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+    get very_secret_articles_path
+
+    assert_redirected_to quo_vadis.challenge_totps_path
+    follow_redirect!
+
+    # This second redirect is part of the totps controller but I think
+    # it makes sense to test here.
+    assert_redirected_to quo_vadis.new_totp_path
+    assert_equal 'Please set up two factor authentication.', flash[:alert]
+  end
+
+
+  test 'require_two_factor_authentication when already authenticated with two factors' do
+    User.first.qv_account.create_totp! last_used_at: Time.now
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+    QuoVadis::Session.last.authenticated_with_second_factor
+
+    get very_secret_articles_path
+    assert_equal very_secret_articles_path, path
+  end
+
+
+  test 'second_factor_required?' do
+    # 2FA optional, user has not set up 2nd factor
+    QuoVadis.two_factor_authentication_mandatory false
+    login
+    get articles_path
+    assert controller.logged_in?
+    refute controller.qv.second_factor_required?
+
+    # 2FA optional, user has set up 2nd factor
+    QuoVadis.two_factor_authentication_mandatory false
+    User.first.qv_account.create_totp! last_used_at: Time.now
+    login
+    get articles_path
+    assert controller.logged_in?
+    assert controller.qv.second_factor_required?
+
+    # 2FA mandatory
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+    get articles_path
+    assert controller.logged_in?
+    assert controller.qv.second_factor_required?
+  end
+
+
+  test 'logged_in?' do
+    # not logged in
+    get articles_path
+    refute @controller.logged_in?
+
+    # logged in
+    login
+    get articles_path
+    assert @controller.logged_in?
+
+    # session remotely deleted
+    QuoVadis::Session.destroy jar.encrypted[QuoVadis.cookie_name]
+    get articles_path
+    refute @controller.logged_in?
+
+    # login and logout
+    login
+    get articles_path
+    logout
+    refute @controller.logged_in?
+  end
+
+
+  test 'login' do
+    QuoVadis.two_factor_authentication_mandatory false
+
+    get articles_path
+    session_id = session.id
+    assert_nil jar.encrypted[QuoVadis.cookie_name]
+
+    assert_difference 'QuoVadis::Session.count' do
+      # We want to test the controller mixin's login method, not the session
+      # controller's login action, i.e. the following:
+      #
+      #     @controller.login user
+      #
+      # But we store the QuoVadis session id in an encrypted cookie, and we can
+      # only access cookies as part of a request-response cycle.  So we have to
+      # trigger the mixin's login method via the session controller's login action.
+      login
+    end
+
+    refute_equal session_id, session.id
+    qv_session = QuoVadis::Session.last
+    assert_equal qv_session.id, jar.encrypted[QuoVadis.cookie_name]
+  end
+
+
+  test 'logout' do
+    login
+
+    session_id = session.id
+    qv_session_id = jar.encrypted[QuoVadis.cookie_name]
+    assert QuoVadis::Session.exists?(qv_session_id)
+
+    assert_difference 'QuoVadis::Session.count', -1 do
+      # We want to test the controller mixin's logout method, not the session
+      # controller's logout action, i.e. the following:
+      #
+      #     @controller.logout
+      #
+      # But we store the QuoVadis session id in an encrypted cookie, and we can
+      # only access cookies as part of a request-response cycle.  So we have to
+      # trigger the mixin's logout method via the session controller's logout action.
+      logout
+    end
+
+    refute_equal session_id, session.id
+    assert_nil jar.encrypted[QuoVadis.cookie_name]
+    refute QuoVadis::Session.exists?(qv_session_id)
+  end
+
+
+  test 'qv_logout_other_sessions' do
+    desktop = session_login
+    phone = session_login
+
+    desktop.controller.qv.logout_other_sessions
+
+    phone.get articles_path
+    refute phone.controller.logged_in?
+
+    desktop.get articles_path
+    assert desktop.controller.logged_in?
+  end
+
+
+  test 'authenticated_model' do
+    # not logged in
+    get articles_path
+    assert_nil @controller.authenticated_model
+
+    # logged in
+    login
+    get articles_path
+    assert_equal User.first, @controller.authenticated_model
+  end
+
+
+  test 'request_confirmation' do
+    get articles_path
+
+    assert_emails 1 do
+      controller.request_confirmation User.last
+    end
+    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'session lifetime exceeded' do
+    QuoVadis.session_lifetime 1.week
+    login
+
+    travel 1.week
+    travel (-5).minutes
+    get articles_path
+    assert controller.logged_in?
+
+    travel 10.minutes
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  test 'session lifetime extended to end of day' do
+    QuoVadis.session_lifetime 1.week
+    QuoVadis.session_lifetime_extend_to_end_of_day true
+    login
+
+    travel 1.week
+    travel 10.minutes
+    get articles_path
+    assert controller.logged_in?
+
+    travel 1.day
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  test 'idle timeout exceeded' do
+    QuoVadis.session_lifetime 1.week
+    QuoVadis.session_idle_timeout 1.day
+    login
+
+    get articles_path
+    assert controller.logged_in?
+
+    travel 2.days
+
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def logout
+    delete quo_vadis.logout_path
+  end
+
+  def session_login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+end

data/test/integration/logging_test.rb

@@ -0,0 +1,244 @@
+require 'test_helper'
+
+class LoggingTest < IntegrationTest
+
+  setup do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @account = user.qv_account
+  end
+
+
+  test 'logs endpoint' do
+    QuoVadis::Log.create account: @account, action: 'password.change', ip: '1.2.3.4', metadata: {foo: 'bar', baz: 'qux'}
+    login
+    get quo_vadis.logs_path
+    assert_response :success
+
+    assert_select 'tbody tr' do
+      assert_select 'td', 'Changed password'
+      assert_select 'td', '1.2.3.4'
+      assert_select 'td', 'foo: bar, baz: qux'
+    end
+
+    assert_select 'tbody tr' do
+      assert_select 'td', 'Logged in'
+      assert_select 'td', '127.0.0.1'
+      assert_select 'td', ''
+    end
+  end
+
+
+  test 'login.success' do
+    assert_log QuoVadis::Log::LOGIN_SUCCESS do
+      login
+    end
+  end
+
+
+  test 'login.failure' do
+    assert_log QuoVadis::Log::LOGIN_FAILURE do
+      post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
+    end
+  end
+
+
+  test 'login.unknown' do
+    assert_log QuoVadis::Log::LOGIN_UNKNOWN, {'identifier' => 'wrong'}, nil do
+      post quo_vadis.login_path(email: 'wrong', password: 'wrong')
+    end
+  end
+
+
+  test 'totp.setup' do
+    login
+    get quo_vadis.new_totp_path
+    totp = controller.instance_variable_get :@totp
+    assert_log QuoVadis::Log::TOTP_SETUP do
+      post quo_vadis.totps_path(totp: {
+        key: totp.key,
+        hmac_key: totp.hmac_key,
+        otp: ROTP::TOTP.new(totp.key).now
+      })
+    end
+  end
+
+
+  test 'totp.success' do
+    login
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    assert_log QuoVadis::Log::TOTP_SUCCESS do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+  end
+
+
+  test 'totp.failure' do
+    login
+    User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    assert_log QuoVadis::Log::TOTP_FAILURE do
+      post quo_vadis.authenticate_totps_path(totp: '000000')
+    end
+  end
+
+
+  test 'totp.reuse' do
+    login
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    assert_log QuoVadis::Log::TOTP_REUSE do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+  end
+
+
+  test 'recovery_code.success' do
+    login
+    codes = @account.generate_recovery_codes
+    assert_log QuoVadis::Log::RECOVERY_CODE_SUCCESS do
+      post quo_vadis.authenticate_recovery_codes_path(code: codes.first)
+    end
+  end
+
+
+  test 'recovery_code.failure' do
+    login
+    assert_log QuoVadis::Log::RECOVERY_CODE_FAILURE do
+      post quo_vadis.authenticate_recovery_codes_path(code: 'nope')
+    end
+  end
+
+
+  test 'recovery_code.generate' do
+    login
+    assert_log QuoVadis::Log::RECOVERY_CODE_GENERATE do
+      post quo_vadis.generate_recovery_codes_path
+    end
+  end
+
+
+  test '2fa.deactivated' do
+    login
+    assert_log QuoVadis::Log::TWOFA_DEACTIVATED do
+      delete quo_vadis.twofa_path
+    end
+  end
+
+
+  test 'identifier.change on account' do
+    assert_log QuoVadis::Log::IDENTIFIER_CHANGE, {'from' => 'bob@example.com', 'to' => 'x'} do
+      QuoVadis::CurrentRequestDetails.set(ip: '127.0.0.1') do
+        @account.update identifier: 'x'
+      end
+    end
+  end
+
+
+  test 'email.change aka identifier.change on model' do
+    # In our setup the identifier is the email so we expect changing the
+    # email to change the identifier too.
+    assert_difference 'QuoVadis::Log.count', 2 do
+      QuoVadis::CurrentRequestDetails.set(ip: '127.0.0.1') do
+        @account.model.update email: 'x'
+      end
+    end
+    log = QuoVadis::Log.first
+    assert_equal @account, log.account
+    assert_equal QuoVadis::Log::IDENTIFIER_CHANGE, log.action
+    assert_equal '127.0.0.1', log.ip
+    assert_equal({'from' => 'bob@example.com', 'to' => 'x'}, log.metadata)
+    log = QuoVadis::Log.last
+    assert_equal @account, log.account
+    assert_equal QuoVadis::Log::EMAIL_CHANGE, log.action
+    assert_equal '127.0.0.1', log.ip
+    assert_equal({'from' => 'bob@example.com', 'to' => 'x'}, log.metadata)
+  end
+
+
+  test 'password.change' do
+    login
+    assert_log QuoVadis::Log::PASSWORD_CHANGE do
+      put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'})
+    end
+  end
+
+
+  test 'password.reset' do
+    assert_difference 'QuoVadis::Log.count', 2 do
+      token = QuoVadis::PasswordResetToken.generate @account
+      put quo_vadis.password_reset_path(token, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
+    end
+    assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
+    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+  end
+
+
+  test 'account.confirmation' do
+    assert_difference 'QuoVadis::Log.count', 2 do
+      token = QuoVadis::AccountConfirmationToken.generate @account
+      put quo_vadis.confirmation_path(token)
+    end
+    assert_equal QuoVadis::Log::ACCOUNT_CONFIRMATION, QuoVadis::Log.first.action
+    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+  end
+
+
+  test 'logout.other' do
+    login_new_session
+    phone = login_new_session
+
+    # logout first session from phone
+    assert_log QuoVadis::Log::LOGOUT_OTHER do
+      phone.delete quo_vadis.session_path(QuoVadis::Session.first.id)
+    end
+  end
+
+
+  test 'logout' do
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    assert_log QuoVadis::Log::LOGOUT do
+      delete quo_vadis.logout_path
+    end
+  end
+
+
+  test 'revoke' do
+    login_new_session
+    assert_log QuoVadis::Log::REVOKE do
+      QuoVadis::CurrentRequestDetails.ip = '127.0.0.1'  # fake out the IP assertion
+      @account.revoke
+    end
+  end
+
+
+  private
+
+  def assert_log(action, metadata = {}, account = @account, &block)
+    assert_difference 'QuoVadis::Log.count' do
+      yield
+    end
+
+    if account.nil?
+      assert_nil log.account
+    else
+      assert_equal account, log.account
+    end
+    assert_equal action, log.action
+    assert_equal '127.0.0.1', log.ip
+    assert_equal metadata, log.metadata
+  end
+
+  def log
+    QuoVadis::Log.last
+  end
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def login_new_session
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+end