quo_vadis 2.0.0 → 2.0.1

data/test/models/recovery_code_test.rb

@@ -0,0 +1,54 @@
+require 'test_helper'
+
+class RecoveryCodeTest < ActiveSupport::TestCase
+
+  setup do
+    @user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @rc = QuoVadis::RecoveryCode.new(account: @user.qv_account).tap &:save!
+  end
+
+
+  test 'code can be retrieved initially' do
+    assert_equal 11, @rc.code.length
+  end
+
+
+  test 'code does not change' do
+    code = @rc.code
+    @rc.valid?
+    assert_equal code, @rc.code
+  end
+
+
+  test 'code not available after finding' do
+    rc = QuoVadis::RecoveryCode.find @rc.id
+    assert_nil rc.code
+  end
+
+
+  test 'authenticate' do
+    code = @rc.code
+    refute @rc.authenticate_code 'wrong'
+    assert @rc.authenticate_code code
+  end
+
+
+  test 'recovery code is destroyed after successful use' do
+    code = @rc.code
+    assert @rc.authenticate_code code
+    assert @rc.destroyed?
+  end
+
+  test 'generate a fresh set of codes' do
+    account = @user.qv_account
+    codes = []
+    assert_difference 'QuoVadis::RecoveryCode.count', 5 do
+      codes = account.generate_recovery_codes
+    end
+    assert_equal 5, codes.length
+    codes.each do |code|
+      assert_instance_of String, code
+    end
+  end
+
+end

data/test/models/session_test.rb

@@ -0,0 +1,67 @@
+require 'test_helper'
+
+class SessionTest < ActiveSupport::TestCase
+
+  test 'expired?' do
+    refute QuoVadis::Session.new.expired?
+    assert QuoVadis::Session.new(lifetime_expires_at: 1.day.ago).expired?
+    refute QuoVadis::Session.new(lifetime_expires_at: 1.day.from_now).expired?
+
+    QuoVadis.session_idle_timeout 5.minutes
+    refute QuoVadis::Session.new(lifetime_expires_at: 1.day.from_now, last_seen_at: 1.minute.ago).expired?
+    assert QuoVadis::Session.new(lifetime_expires_at: 1.day.from_now, last_seen_at: 10.minutes.ago).expired?
+  end
+
+
+  test 'logout_other_sessions' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+    s0 = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+    s1 = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+
+    s0.logout_other_sessions
+
+    refute s0.destroyed?
+    assert s1.destroyed?
+  end
+
+
+  test 'reset authenticated with second factor' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+    session = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+
+    refute session.second_factor_authenticated?
+    session.authenticated_with_second_factor
+    assert session.second_factor_authenticated?
+    session.reset_authenticated_with_second_factor
+    refute session.second_factor_authenticated?
+  end
+
+
+  test 'replace' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+
+    session = account.sessions.create! ip: 'ip', user_agent: 'useragent'
+    sess = session.replace
+
+    assert_instance_of QuoVadis::Session, sess
+    assert session.destroyed?
+    refute_equal session.id, sess.id
+
+    refute_includes account.sessions, session
+    assert_includes account.sessions, sess
+
+    session
+      .attributes
+      .reject { |name, _| %w[id created_at created_on updated_at updated_on].include? name }
+      .each do |name, value|
+        if value.nil?
+          assert_nil sess.send(name)
+        else
+          assert_equal value, sess.send(name)
+        end
+      end
+  end
+end

data/test/models/token_test.rb

@@ -0,0 +1,70 @@
+require 'test_helper'
+
+class TokenTest < ActiveSupport::TestCase
+
+  setup do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    @account = u.qv_account
+  end
+
+
+  test 'account confirmation' do
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    assert_match /^\d+-\d+--\h+$/, token
+    assert_equal @account, QuoVadis::AccountConfirmationToken.find_account(token)
+  end
+
+  test 'account confirmation expired' do
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    travel QuoVadis.account_confirmation_token_lifetime + 1.second
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(token)
+  end
+
+  test 'account confirmation already done' do
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    @account.confirmed!
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(token)
+  end
+
+  test 'account confirmation token tampered with' do
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(nil)
+    assert_nil QuoVadis::AccountConfirmationToken.find_account('')
+    assert_nil QuoVadis::AccountConfirmationToken.find_account('asdf')
+
+    token = QuoVadis::AccountConfirmationToken.generate @account
+    id, expires_at, hash = token.match(/^(\d+)-(\d+)--(\h+)$/).captures
+    fake_token = "#{id}-#{expires_at.to_i + 1}--#{hash}"
+    assert_nil QuoVadis::AccountConfirmationToken.find_account(fake_token)
+  end
+
+
+  test 'password reset' do
+    token = QuoVadis::PasswordResetToken.generate @account
+    assert_match /^\d+-\d+--\h+$/, token
+    assert_equal @account, QuoVadis::PasswordResetToken.find_account(token)
+  end
+
+  test 'password reset expired' do
+    token = QuoVadis::PasswordResetToken.generate @account
+    travel QuoVadis.password_reset_token_lifetime + 1.second
+    assert_nil QuoVadis::PasswordResetToken.find_account(token)
+  end
+
+  test 'password reset already done' do
+    token = QuoVadis::PasswordResetToken.generate @account
+    @account.password.update password: 'secretsecret'
+    assert_nil QuoVadis::PasswordResetToken.find_account(token)
+  end
+
+  test 'password reset token tampered with' do
+    assert_nil QuoVadis::PasswordResetToken.find_account(nil)
+    assert_nil QuoVadis::PasswordResetToken.find_account('')
+    assert_nil QuoVadis::PasswordResetToken.find_account('asdf')
+
+    token = QuoVadis::PasswordResetToken.generate @account
+    id, expires_at, hash = token.match(/^(\d+)-(\d+)--(\h+)$/).captures
+    fake_token = "#{id}-#{expires_at.to_i + 1}--#{hash}"
+    assert_nil QuoVadis::PasswordResetToken.find_account(fake_token)
+  end
+
+end

data/test/models/totp_test.rb

@@ -0,0 +1,68 @@
+require 'test_helper'
+
+class TotpTest < ActiveSupport::TestCase
+
+  test 'key changes for each new object' do
+    totp = QuoVadis::Totp.new
+    refute_empty totp.key
+
+    totp2 = QuoVadis::Totp.new
+    refute_empty totp2.key
+
+    refute_equal totp.key, totp2.key
+  end
+
+
+  test 'key is encrypted in database' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    totp = user.qv_account.create_totp last_used_at: 1.minute.ago
+    refute_equal totp.key, totp.read_attribute_before_type_cast(:key)
+  end
+
+
+  test 'validates provided hmac' do
+    totp = QuoVadis::Totp.new account: QuoVadis::Account.new
+    hmac = totp.hmac_key
+    assert totp.valid?
+
+    totp.provided_hmac_key = 'wrong'
+    refute totp.valid?
+    refute_empty totp.errors[:key]
+
+    totp.provided_hmac_key = hmac
+    assert totp.valid?
+  end
+
+
+  test 'verify' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    qv_totp = QuoVadis::Totp.new account: user.qv_account
+    totp = ROTP::TOTP.new qv_totp.key
+
+    otp = totp.now
+
+    assert qv_totp.verify otp  # one time
+    refute qv_totp.verify otp
+
+    travel 30.seconds
+    otp2 = totp.now
+    refute_equal otp, otp2
+    assert qv_totp.verify otp2
+  end
+
+
+  test 'reused?' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+
+    qv_totp = QuoVadis::Totp.new account: user.qv_account
+    totp = ROTP::TOTP.new qv_totp.key
+
+    otp = totp.now
+
+    assert qv_totp.verify otp  # one time
+    refute qv_totp.verify otp
+    assert qv_totp.reused? otp
+  end
+
+end

data/test/quo_vadis_test.rb

@@ -0,0 +1,43 @@
+require "test_helper"
+
+class QuoVadisTest < ActiveSupport::TestCase
+
+  def test_that_it_has_a_version_number
+    assert QuoVadis::VERSION
+  end
+
+
+  test 'translate' do
+    assert_equal 'Welcome back!', QuoVadis.translate('flash.login.success')
+    assert_equal 'You have 3 recovery codes left.', QuoVadis.translate('flash.recovery_code.success', count: 3)
+    assert_nil QuoVadis.translate('does_not_exist')
+  end
+
+
+  test 'identifier' do
+    assert_equal :email, QuoVadis.identifier('User')
+  end
+
+
+  test 'humanise_identifier' do
+    assert_equal 'Email', QuoVadis.humanise_identifier('User')
+  end
+
+
+  test 'identifiers' do
+    assert_equal [:username, :email], QuoVadis.send(:identifiers)
+  end
+
+
+  test 'detect_identifier' do
+    assert_equal 'email', QuoVadis.send(:detect_identifier, ['foo', 'email', 'commit'])
+  end
+
+
+  test 'find_account_by_identifier_in_params' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    assert_equal u.qv_account,
+      QuoVadis.find_account_by_identifier_in_params({'foo' => 'bar', 'email' => 'bob@example.com', 'commit' => 'Save'})
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,58 @@
+ENV["RAILS_ENV"] = "test"
+
+require_relative "../test/dummy/config/environment"
+ActiveRecord::Migrator.migrations_paths = [File.expand_path("../test/dummy/db/migrate", __dir__)]
+ActiveRecord::Migrator.migrations_paths << File.expand_path('../db/migrate', __dir__)
+require "rails/test_help"
+
+require 'capybara/rails'
+require 'capybara/minitest'
+
+# integration tests or system tests?
+#
+# system ones use a real browser and can therefore test css layout and js
+# but integration ones are faster
+class IntegrationTest < ActionDispatch::IntegrationTest
+  # include Capybara::DSL
+  # include Capybara::Minitest::Assertions
+
+  # include QuoVadis::Engine.routes.url_helpers
+
+  # setup do
+  #   @routes = QuoVadis::Engine.routes
+  # end
+
+  teardown do
+    Capybara.reset_session!
+    Capybara.use_default_driver
+  end
+
+  # https://philna.sh/blog/2020/01/15/test-signed-cookies-in-rails
+  #
+  # ActionDispatch::IntegrationTest's `cookies` is a Rack::Test::CookieJar
+  # not an ActionDispatch::Cookies::CookieJar, and doesn't have the #encrypted
+  # or #signed methods.  So construct an ActionDispatch cookie jar.
+  def jar(_session = nil)
+    _request, _cookies = if _session
+                           [_session.request, _session.cookies]
+                         else
+                           [@request, cookies]
+                         end
+
+    ActionDispatch::Cookies::CookieJar.build(_request, _cookies.to_hash)
+  end
+
+
+  def assert_session_replaced(&block)
+    id = jar.encrypted[QuoVadis.cookie_name]
+
+    yield
+
+    _id = jar.encrypted[QuoVadis.cookie_name]
+
+    refute_equal id, _id
+    refute QuoVadis::Session.exists? id
+    assert QuoVadis::Session.exists? _id
+    assert controller.logged_in?
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-14 00:00:00.000000000 Z
+date: 2021-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -38,6 +38,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 3.1.7
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6'
+- !ruby/object:Gem::Dependency
+  name: rqrcode
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description:
 email:
 - boss@airbladesoftware.com
@@ -48,7 +76,6 @@ files:
 - ".gitignore"
 - CHANGELOG.md
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -89,6 +116,94 @@ files:
 - lib/quo_vadis/model.rb
 - lib/quo_vadis/version.rb
 - quo_vadis.gemspec
+- test/dummy/README.markdown
+- test/dummy/Rakefile
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/controllers/articles_controller.rb
+- test/dummy/app/controllers/sign_ups_controller.rb
+- test/dummy/app/controllers/users_controller.rb
+- test/dummy/app/models/application_record.rb
+- test/dummy/app/models/article.rb
+- test/dummy/app/models/person.rb
+- test/dummy/app/models/user.rb
+- test/dummy/app/views/articles/also_secret.html.erb
+- test/dummy/app/views/articles/index.html.erb
+- test/dummy/app/views/articles/secret.html.erb
+- test/dummy/app/views/articles/very_secret.html.erb
+- test/dummy/app/views/layouts/application.html.erb
+- test/dummy/app/views/quo_vadis/confirmations/edit.html.erb
+- test/dummy/app/views/quo_vadis/confirmations/index.html.erb
+- test/dummy/app/views/quo_vadis/confirmations/new.html.erb
+- test/dummy/app/views/quo_vadis/logs/index.html.erb
+- test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb
+- test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb
+- test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb
+- test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb
+- test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb
+- test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb
+- test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb
+- test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb
+- test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb
+- test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb
+- test/dummy/app/views/quo_vadis/password_resets/edit.html.erb
+- test/dummy/app/views/quo_vadis/password_resets/index.html.erb
+- test/dummy/app/views/quo_vadis/password_resets/new.html.erb
+- test/dummy/app/views/quo_vadis/passwords/edit.html.erb
+- test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb
+- test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb
+- test/dummy/app/views/quo_vadis/sessions/index.html.erb
+- test/dummy/app/views/quo_vadis/sessions/new.html.erb
+- test/dummy/app/views/quo_vadis/totps/challenge.html.erb
+- test/dummy/app/views/quo_vadis/totps/new.html.erb
+- test/dummy/app/views/quo_vadis/twofas/show.html.erb
+- test/dummy/app/views/sign_ups/new.html.erb
+- test/dummy/app/views/sign_ups/show.html.erb
+- test/dummy/app/views/users/new.html.erb
+- test/dummy/config.ru
+- test/dummy/config/application.rb
+- test/dummy/config/boot.rb
+- test/dummy/config/database.yml
+- test/dummy/config/environment.rb
+- test/dummy/config/initializers/quo_vadis.rb
+- test/dummy/config/routes.rb
+- test/dummy/db/migrate/202102121932_create_users.rb
+- test/dummy/db/migrate/202102121935_create_people.rb
+- test/dummy/db/schema.rb
+- test/dummy/public/favicon.ico
+- test/fixtures/quo_vadis/mailer/account_confirmation.text
+- test/fixtures/quo_vadis/mailer/email_change_notification.text
+- test/fixtures/quo_vadis/mailer/identifier_change_notification.text
+- test/fixtures/quo_vadis/mailer/password_change_notification.text
+- test/fixtures/quo_vadis/mailer/password_reset_notification.text
+- test/fixtures/quo_vadis/mailer/recovery_codes_generation_notification.text
+- test/fixtures/quo_vadis/mailer/reset_password.text
+- test/fixtures/quo_vadis/mailer/totp_reuse_notification.text
+- test/fixtures/quo_vadis/mailer/totp_setup_notification.text
+- test/fixtures/quo_vadis/mailer/twofa_deactivated_notification.text
+- test/integration/account_confirmation_test.rb
+- test/integration/controller_test.rb
+- test/integration/logging_test.rb
+- test/integration/password_change_test.rb
+- test/integration/password_login_test.rb
+- test/integration/password_reset_test.rb
+- test/integration/recovery_codes_test.rb
+- test/integration/sessions_test.rb
+- test/integration/sign_up_test.rb
+- test/integration/totps_test.rb
+- test/integration/twofa_test.rb
+- test/mailers/mailer_test.rb
+- test/models/account_test.rb
+- test/models/crypt_test.rb
+- test/models/log_test.rb
+- test/models/mask_ip_test.rb
+- test/models/model_test.rb
+- test/models/password_test.rb
+- test/models/recovery_code_test.rb
+- test/models/session_test.rb
+- test/models/token_test.rb
+- test/models/totp_test.rb
+- test/quo_vadis_test.rb
+- test/test_helper.rb
 homepage: https://github.com/airblade/quo_vadis
 licenses:
 - MIT
@@ -108,7 +223,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Multifactor authentication for Rails 6.