quo_vadis 2.0.0 → 2.0.1

data/test/integration/password_reset_test.rb

@@ -0,0 +1,136 @@
+require 'test_helper'
+
+class PasswordResetTest < IntegrationTest
+
+  setup do
+    @user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+  end
+
+
+  test 'new password reset' do
+    get quo_vadis.new_password_reset_path
+    assert_response :success
+  end
+
+
+  test 'unknown identifier' do
+    post quo_vadis.password_resets_path(email: 'foo@example.com')
+    assert_response :success
+    assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'known identifier' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    assert_redirected_to quo_vadis.password_resets_path
+    assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
+  end
+
+
+  test 'click link in email' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    get extract_url_from_email
+    assert_response :success
+  end
+
+
+  test 'expired link' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    travel QuoVadis.password_reset_token_lifetime + 1.minute
+    get extract_url_from_email
+    assert_redirected_to quo_vadis.new_password_reset_path
+    assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
+  end
+
+
+  test 'link cannot be reused' do
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+    put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+    assert controller.logged_in?
+
+    get quo_vadis.edit_password_reset_url(extract_token_from_email)
+    assert_redirected_to quo_vadis.new_password_reset_path
+    assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
+  end
+
+
+  test 'new password invalid' do
+    digest = @user.qv_account.password.password_digest
+
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+
+    assert_no_difference 'QuoVadis::Session.count' do
+      put quo_vadis.password_reset_path(extract_token_from_email, password: '', password_confirmation: '')
+    end
+
+    assert_equal digest, @user.qv_account.password.reload.password_digest
+    assert_response :success
+    assert_equal quo_vadis.password_reset_path(extract_token_from_email), path
+  end
+
+
+  test 'new password valid' do
+    QuoVadis.two_factor_authentication_mandatory false
+
+    digest = @user.qv_account.password.password_digest
+
+    desktop = session_login
+    phone = session_login
+
+    get articles_url
+    refute controller.logged_in?
+
+    assert_emails 1 do
+      post quo_vadis.password_resets_path(email: 'bob@example.com')
+    end
+
+    assert_difference 'QuoVadis::Session.count', (- 2 + 1) do
+      put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+    end
+
+    assert controller.logged_in?
+
+    desktop.get articles_url
+    refute desktop.controller.logged_in?  # NOTE: flaky; if this fails, re-migrate the database.
+
+    phone.get articles_url
+    refute phone.controller.logged_in?
+
+    refute_equal digest, @user.qv_account.password.reload.password_digest
+
+    assert_redirected_to '/articles/secret'
+    assert_equal 'Your password has been changed and you are logged in.', flash[:notice]
+  end
+
+
+  private
+
+  def session_login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+  def extract_url_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{^http://.*$}, 0]
+  end
+
+  def extract_path_from_email
+    extract_url_from_email.sub 'http://www.example.com', ''
+  end
+
+  def extract_token_from_email
+    extract_url_from_email[%r{/([^/]*)$}, 1]
+  end
+
+end

data/test/integration/recovery_codes_test.rb

@@ -0,0 +1,48 @@
+require 'test_helper'
+
+class RecoveryCodesTest < IntegrationTest
+
+  setup do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    u.qv_account.create_totp last_used_at: 1.day.ago
+    QuoVadis.two_factor_authentication_mandatory true
+    @codes = u.qv_account.generate_recovery_codes
+    login
+  end
+
+
+  test 'use recovery code' do
+    get quo_vadis.challenge_recovery_codes_path
+    assert_response :success
+
+    assert_difference 'QuoVadis::Totp.count', -1 do
+      assert_difference 'QuoVadis::RecoveryCode.count', -1 do
+        assert_session_replaced do
+          post quo_vadis.authenticate_recovery_codes_path(code: @codes.first)
+        end
+      end
+    end
+
+    assert_nil User.last.qv_account.totp
+
+    assert_redirected_to  '/articles/secret'
+
+    # use another recovery code to verify another TOTP-reset doesn't error
+    post quo_vadis.authenticate_recovery_codes_path(code: @codes[1])
+  end
+
+
+  test 'generate recovery codes' do
+    assert_emails 1 do
+      post quo_vadis.generate_recovery_codes_path
+    end
+    assert_redirected_to quo_vadis.recovery_codes_path
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+end

data/test/integration/sessions_test.rb

@@ -0,0 +1,86 @@
+require 'test_helper'
+
+# sqlite: primary key needs AUTOINCREMENT to not reuse previous values
+# https://www.sqlite.org/faq.html#q1
+# AR should do this by default (but it seems sometimes doesn't)
+
+class SessionsTest < IntegrationTest
+
+  setup do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    QuoVadis.session_lifetime :session
+    QuoVadis.two_factor_authentication_mandatory false
+  end
+
+
+  test 'sessions require authentication' do
+    get quo_vadis.sessions_path
+    assert_redirected_to quo_vadis.login_path
+  end
+
+
+  test "user's sessions are independent" do
+    desktop = login
+    phone = login
+
+    refute_equal jar(desktop).encrypted[QuoVadis.cookie_name],
+                 jar(phone).encrypted[QuoVadis.cookie_name]
+  end
+
+
+  test 'user can logout without logging out another session' do
+    desktop = login
+    phone = login
+
+    # logout on phone
+    phone.delete quo_vadis.logout_path
+
+    # assert phone logged out
+    phone.assert_response :redirect
+    assert_equal 'You have logged out.', phone.flash[:notice]
+    refute jar(phone).encrypted[QuoVadis.cookie_name]
+    refute phone.controller.logged_in?
+
+    # assert desktop still logged in
+    assert jar(desktop).encrypted[QuoVadis.cookie_name]
+  end
+
+
+  test "user can log out a separate session" do
+    desktop = login
+    phone = login
+
+    # on phone, list sessions
+    phone.get quo_vadis.sessions_path
+    phone.assert_response :success
+    phone.assert_select 'td', 'This session'
+    phone.assert_select 'td input[type=submit][value="Log out"]', 1
+
+    # on phone, log out the desktop session
+    phone.delete quo_vadis.session_path(QuoVadis::Session.first.id)
+    phone.assert_redirected_to quo_vadis.sessions_path
+
+    # phone is still logged in
+    assert_equal 'You have logged out of the other session.', phone.flash[:notice]
+
+    # desktop is logged out
+    desktop.get '/articles'
+    refute desktop.controller.logged_in?
+  end
+
+
+  private
+
+  # starts a new rails session and logs in
+  def login
+    open_session do |sess|
+      sess.post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    end
+  end
+
+  # logs in in current session
+  def plain_login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+end

data/test/integration/sign_up_test.rb

@@ -0,0 +1,35 @@
+require 'test_helper'
+
+class SignUpTest < IntegrationTest
+
+  test 'successful sign up' do
+    assert_difference 'User.count' do
+      post "/users", params: {
+        user: {
+          name:                  'Bob',
+          email:                 'billy@example.com',
+          password:              '123456789abc',
+          password_confirmation: '123456789abc'
+        }
+      }, headers: { 'HTTP_USER_AGENT' => 'Blah' }
+      assert_redirected_to '/articles'
+      follow_redirect!
+      assert_select 'p', 'Public Articles'
+    end
+  end
+
+
+  test 'failed sign up' do
+    assert_no_difference 'User.count' do
+      post "/users", params: {
+        user: {
+          name:     'Bob',
+          email:    'billy@example.com',
+          password: 'x'
+        }
+      }
+      assert_response :success
+    end
+  end
+
+end

data/test/integration/totps_test.rb

@@ -0,0 +1,96 @@
+require 'test_helper'
+
+class TotpsTest < IntegrationTest
+
+  setup do
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    QuoVadis.two_factor_authentication_mandatory true
+    login
+  end
+
+
+  test ':challenge redirects to :new when no second factor setup' do
+    get quo_vadis.challenge_totps_path
+    assert_redirected_to quo_vadis.new_totp_path
+    assert_equal 'Please set up two factor authentication.', flash[:alert]
+  end
+
+
+  test 'set up second factor' do
+    get quo_vadis.new_totp_path
+    assert_response :success
+
+    totp = controller.instance_variable_get :@totp
+    assert_emails 1 do
+      assert_difference 'QuoVadis::RecoveryCode.count', 5 do
+        assert_difference 'QuoVadis::Totp.count' do
+          post quo_vadis.totps_path(totp: {
+            key: totp.key,
+            hmac_key: totp.hmac_key,
+            otp: ROTP::TOTP.new(totp.key).now
+          })
+        end
+      end
+    end
+
+    assert_redirected_to quo_vadis.recovery_codes_path
+  end
+
+
+  test 'does not set up second factor when key tampered with' do
+    get quo_vadis.new_totp_path
+
+    totp = controller.instance_variable_get :@totp
+    assert_no_difference 'QuoVadis::Totp.count' do
+      post quo_vadis.totps_path(totp: {
+        key: 'dodgy',
+        hmac_key: totp.hmac_key,
+        otp: ROTP::TOTP.new('dodgy').now
+      })
+    end
+
+    assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
+    assert_redirected_to quo_vadis.new_totp_path
+  end
+
+
+  test 'authenticate with second factor' do
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+
+    get quo_vadis.challenge_totps_path
+    assert_response :success
+
+    assert_session_replaced do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+    assert QuoVadis::Session.last.second_factor_authenticated?
+    assert_equal 'Welcome back!', flash[:notice]
+    assert_redirected_to '/articles/secret'
+  end
+
+
+  test 'failed authentication with second factor' do
+    User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+
+    post quo_vadis.authenticate_totps_path(totp: '123456')
+    refute QuoVadis::Session.last.second_factor_authenticated?
+    assert_response :success
+    assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
+  end
+
+
+  test '2fa code reused' do
+    totp = User.last.qv_account.create_totp(last_used_at: 1.minute.ago)
+    post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    assert_emails 1 do
+      post quo_vadis.authenticate_totps_path(totp: ROTP::TOTP.new(totp.key).now)
+    end
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+end

data/test/integration/twofa_test.rb

@@ -0,0 +1,82 @@
+require 'test_helper'
+
+class TwofaTest < IntegrationTest
+
+  setup do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @account = u.qv_account
+    QuoVadis.two_factor_authentication_mandatory true
+    # @codes = u.qv_account.generate_recovery_codes
+    login
+  end
+
+
+  test 'no totp, no recovery codes' do
+    get quo_vadis.twofa_path
+    assert_response :success
+    assert_select "a[href=?]", quo_vadis.new_totp_path
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'totp, no recovery codes' do
+    setup_totp
+    get quo_vadis.twofa_path
+    assert_select 'form[action=?]', quo_vadis.twofa_path do
+      assert_select 'input[value=delete]'
+    end
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'no totp, recovery codes' do
+    setup_recovery_codes
+    get quo_vadis.twofa_path
+    assert_select "a[href=?]", quo_vadis.new_totp_path
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'totp, recovery codes' do
+    setup_totp
+    setup_recovery_codes
+    get quo_vadis.twofa_path
+    assert_select 'form[action=?]', quo_vadis.twofa_path do
+      assert_select 'input[value=delete]'
+    end
+    assert_select "a[href=?]", quo_vadis.recovery_codes_path
+  end
+
+
+  test 'deactivate' do
+    setup_totp
+    setup_recovery_codes
+
+    assert_emails 1 do
+      delete quo_vadis.twofa_path
+    end
+
+    # The flash only seems to be set before the redirect.  No idea why.
+    assert_equal 'You have invalidated your 2FA credentials and recovery codes.', flash[:notice]
+    @account.reload
+    assert_nil @account.totp
+    assert_empty @account.recovery_codes
+    @account.sessions.each { |s| refute s.second_factor_authenticated? }
+    assert_redirected_to quo_vadis.twofa_path
+  end
+
+
+  private
+
+  def login
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+  end
+
+  def setup_totp
+    @account.create_totp last_used_at: 1.day.ago
+  end
+
+  def setup_recovery_codes
+    @account.generate_recovery_codes
+  end
+end