quo_vadis 2.0.0 → 2.0.1

data/test/integration/logging_test.rb

@@ -0,0 +1,235 @@
+require 'test_helper'
+
+class LoggingTest < IntegrationTest
+
+  setup do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @account = user.qv_account
+  end
+
+
+  test 'logs endpoint' do
+    QuoVadis::Log.create account: @account, action: 'password.change', ip: '1.2.3.4', metadata: {foo: 'bar', baz: 'qux'}
+    login
+    get quo_vadis.logs_path
+    assert_response :success
+
+    assert_select 'tbody tr' do
+      assert_select 'td', 'password.change'
+      assert_select 'td', '1.2.3.4'
+      assert_select 'td', 'foo: bar, baz: qux'
+    end
+
+    assert_select 'tbody tr' do
+      assert_select 'td', 'login.success'
+      assert_select 'td', '127.0.0.1'
+      assert_select 'td', ''
+    end
+  end
+
+
+  test 'login.success' do
+    assert_log QuoVadis::Log::LOGIN_SUCCESS do
+      login
+    end
+  end
+
+
+  test 'login.failure' do
+    assert_log QuoVadis::Log::LOGIN_FAILURE do
+      post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
+    end
+  end
+
+
+  test 'login.unknown' do
+    assert_log QuoVadis::Log::LOGIN_UNKNOWN, {}, nil do
+      post quo_vadis.login_path(email: 'wrong', password: 'wrong')
+    end
+  end
+
+
+  test 'totp.setup' do
+    login
+    get quo_vadis.new_totp_path
+    totp = controller.instance_variable_get :@totp
+    assert_log QuoVadis::Log::TOTP_SETUP do
+      post quo_vadis.totps_path(totp: {
+        key: totp.key,
+        hmac_key: totp.hmac_key,
+        otp: ROTP::TOTP.new(totp.key).now
+      })
+    end
+  end
+
+
+  test 'totp.success' do
+    login
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    assert_log QuoVadis::Log::TOTP_SUCCESS do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+  end
+
+
+  test 'totp.failure' do
+    login
+    User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    assert_log QuoVadis::Log::TOTP_FAILURE do
+      post quo_vadis.authenticate_totps_path(totp: '000000')
+    end
+  end
+
+
+  test 'totp.reuse' do
+    login
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    assert_log QuoVadis::Log::TOTP_REUSE do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+  end
+
+
+  test 'recovery_code.success' do
+    login
+    codes = @account.generate_recovery_codes
+    assert_log QuoVadis::Log::RECOVERY_CODE_SUCCESS do
+      post quo_vadis.authenticate_recovery_codes_path(code: codes.first)
+    end
+  end
+
+
+  test 'recovery_code.failure' do
+    login
+    assert_log QuoVadis::Log::RECOVERY_CODE_FAILURE do
+      post quo_vadis.authenticate_recovery_codes_path(code: 'nope')
+    end
+  end
+
+
+  test 'recovery_code.generate' do
+    login
+    assert_log QuoVadis::Log::RECOVERY_CODE_GENERATE do
+      post quo_vadis.generate_recovery_codes_path
+    end
+  end
+
+
+  test '2fa.deactivated' do
+    login
+    assert_log QuoVadis::Log::TWOFA_DEACTIVATED do
+      delete quo_vadis.twofa_path
+    end
+  end
+
+
+  test 'identifier.change on account' do
+    assert_log QuoVadis::Log::IDENTIFIER_CHANGE, {'from' => 'bob@example.com', 'to' => 'x'} do
+      QuoVadis::CurrentRequestDetails.set(ip: '127.0.0.1') do
+        @account.update identifier: 'x'
+      end
+    end
+  end
+
+
+  test 'email.change aka identifier.change on model' do
+    # In our setup the identifier is the email so we expect changing the
+    # email to change the identifier too.
+    assert_difference 'QuoVadis::Log.count', 2 do
+      QuoVadis::CurrentRequestDetails.set(ip: '127.0.0.1') do
+        @account.model.update email: 'x'
+      end
+    end
+    log = QuoVadis::Log.first
+    assert_equal @account, log.account
+    assert_equal QuoVadis::Log::IDENTIFIER_CHANGE, log.action
+    assert_equal '127.0.0.1', log.ip
+    assert_equal({'from' => 'bob@example.com', 'to' => 'x'}, log.metadata)
+    log = QuoVadis::Log.last
+    assert_equal @account, log.account
+    assert_equal QuoVadis::Log::EMAIL_CHANGE, log.action
+    assert_equal '127.0.0.1', log.ip
+    assert_equal({'from' => 'bob@example.com', 'to' => 'x'}, log.metadata)
+  end
+
+
+  test 'password.change' do
+    login
+    assert_log QuoVadis::Log::PASSWORD_CHANGE do
+      put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+    end
+  end
+
+
+  test 'password.reset' do
+    assert_difference 'QuoVadis::Log.count', 2 do
+      token = QuoVadis::PasswordResetToken.generate @account
+      put quo_vadis.password_reset_path(token, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+    end
+    assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
+    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+  end
+
+
+  test 'account.confirmation' do
+    assert_difference 'QuoVadis::Log.count', 2 do
+      token = QuoVadis::AccountConfirmationToken.generate @account
+      put quo_vadis.confirmation_path(token)
+    end
+    assert_equal QuoVadis::Log::ACCOUNT_CONFIRMATION, QuoVadis::Log.first.action
+    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+  end
+
+
+  test 'logout.other' do
+    login_new_session
+    phone = login_new_session
+
+    # logout first session from phone
+    assert_log QuoVadis::Log::LOGOUT_OTHER do
+      phone.delete quo_vadis.session_path(QuoVadis::Session.first.id)
+    end
+  end
+
+
+  test 'logout' do
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    assert_log QuoVadis::Log::LOGOUT do
+      delete quo_vadis.logout_path
+    end
+  end
+
+
+  private
+
+  def assert_log(action, metadata = {}, account = @account, &block)
+    assert_difference 'QuoVadis::Log.count' do
+      yield
+    end
+
+    if account.nil?
+      assert_nil log.account
+    else
+      assert_equal account, log.account
+    end
+    assert_equal action, log.action
+    assert_equal '127.0.0.1', log.ip
+    assert_equal metadata, log.metadata
+  end
+
+  def log
+    QuoVadis::Log.last
+  end
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def login_new_session
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+end

data/test/integration/password_change_test.rb

@@ -0,0 +1,93 @@
+require 'test_helper'
+
+class PasswordChangeTest < IntegrationTest
+
+  setup do
+    QuoVadis.two_factor_authentication_mandatory false
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    login
+  end
+
+
+  test 'requires login' do
+    logout
+
+    put quo_vadis.password_path
+    assert_redirected_to quo_vadis.login_path
+  end
+
+
+  test 'incorrect password' do
+    put quo_vadis.password_path(password: 'x')
+    assert_response :success
+    assert_equal ['is incorrect'], password_instance.errors[:password]
+  end
+
+
+  test 'new password empty' do
+    put quo_vadis.password_path(password: '123456789abc', new_password: '')
+    assert_response :success
+    assert_equal ["can't be blank"], password_instance.errors[:new_password]
+  end
+
+
+  test 'new password too short' do
+    put quo_vadis.password_path(password: '123456789abc', new_password: 'x')
+    assert_response :success
+    assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], password_instance.errors[:new_password]
+  end
+
+
+  test 'new password confirmation does not match' do
+    put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y')
+    assert_response :success
+    assert_equal ["doesn't match Password"], password_instance.errors[:new_password_confirmation]
+  end
+
+
+  test 'success' do
+    assert_emails 1 do
+      assert_session_replaced do
+        put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+        assert_response :redirect
+        assert_equal 'Your password has been changed.', flash[:notice]
+      end
+    end
+  end
+
+
+  test 'logs out other sessions' do
+    desktop = session_login
+    phone = session_login
+
+    desktop.put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+    desktop.follow_redirect!
+    assert desktop.controller.logged_in?
+
+    phone.get articles_path
+    refute phone.controller.logged_in?
+  end
+
+
+  private
+
+  # starts a new rails session and logs in
+  def session_login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def logout
+    delete quo_vadis.logout_path
+  end
+
+  def password_instance
+    controller.instance_variable_get :@password
+  end
+
+end

data/test/integration/password_login_test.rb

@@ -0,0 +1,125 @@
+require 'test_helper'
+
+class PasswordLoginTest < IntegrationTest
+
+  setup do
+    QuoVadis.session_lifetime :session
+  end
+
+
+  test 'successful login' do
+    get quo_vadis.login_path
+    assert_response :success
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to secret_articles_path
+    assert_equal after_login_path, secret_articles_path
+  end
+
+
+  test 'successful login redirects to original path' do
+    get also_secret_articles_path
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to also_secret_articles_path
+    assert_nil session[:qv_bookmark]
+  end
+
+
+  test 'failed login' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
+
+    assert_response :success
+    assert_equal quo_vadis.login_path, path
+  end
+
+
+  test 'unknown login' do
+    post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
+
+    assert_response :success
+    assert_equal quo_vadis.login_path, path
+  end
+
+
+  test 'logout' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    # logout
+    assert jar.encrypted[QuoVadis.cookie_name]
+    assert_difference 'QuoVadis::Session.count', -1 do
+      delete quo_vadis.logout_path
+    end
+    refute jar.encrypted[QuoVadis.cookie_name]
+    assert_redirected_to root_path
+  end
+
+
+  test 'login for browser session' do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+      assert sess.controller.logged_in?
+    end
+
+    open_session do |sess|
+      sess.get articles_path
+      refute sess.controller.logged_in?
+    end
+  end
+
+
+  # Ideally we would use multiple sessions to distinguish this from a single
+  # browser session.  We would log in in one session then assert we can log in
+  # in another session within the timeframe.  But I can't find a way to share
+  # a cookie between test sessions (I tried nesting sessions).  So we do all
+  # this within a single session, even though it has the same effect as being
+  # within a single browser session.
+  test 'login for 1 week' do
+    QuoVadis.session_lifetime 1.week
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    refute QuoVadis::Session.last.send(:browser_session?)
+    assert controller.logged_in?
+
+    travel 5.days
+
+    get articles_path
+    assert controller.logged_in?  # flakey
+
+    travel 3.days
+
+    get articles_path
+    refute controller.logged_in?
+  end
+
+
+  test 'optional remember not opted in' do
+    QuoVadis.session_lifetime 1.week
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc', remember: '0')
+    assert QuoVadis::Session.last.send(:browser_session?)
+
+    # Cannot test this fully without being able to share cookies between test sessions.
+  end
+
+
+  test 'optional remember opted in' do
+    QuoVadis.session_lifetime 1.week
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc', remember: '1')
+    refute QuoVadis::Session.last.send(:browser_session?)
+
+    # Cannot test this fully without being able to share cookies between test sessions.
+  end
+end