RubyGems - quo_vadis - Versions diffs - 2.0.2 → 2.1.3 - Mend

quo_vadis 2.0.2 → 2.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

data/config/locales/quo_vadis.en.yml CHANGED Viewed

@@ -31,7 +31,6 @@ en:
           other: You have %{count} recovery codes left.
       2fa:
         invalidated: You have invalidated your 2FA credentials and recovery codes.
     mailer:
       password_reset:
         subject: Change your password
@@ -46,6 +45,36 @@ en:
         totp_reuse: Your two-factor authentication code was reused just now
         twofa_deactivated: Two-factor authentication was deactivated just now
         recovery_codes_generation: Recovery codes have been generated for your account
+    log:
+      action:
+        login:
+          success: Logged in
+          failure: Failed login attempt (incorrect password)
+          unknown: Failed login attempt (unknown identifier)
+        totp:
+          setup: TOTP set up for 2FA
+          success: Authenticated via TOTP
+          failure: Failed authentication attempt via TOTP
+          reuse: Failed attempt to reuse TOTP code
+        recovery_code:
+          success: Authenticated via 2FA recovery code
+          failure: Failed authentication attempt via 2FA recovery code
+          generate: Generated new 2FA recovery codes
+        2fa:
+          deactivated: Deactivated 2FA
+        identifier:
+          change: Changed identifier
+        email:
+          change: Changed email address
+        password:
+          change: Changed password
+          reset: Reset password
+        account:
+          confirmation: Confirmed account
+        logout:
+          self: Logged out
+          other: Logged out session remotely
+        revoke: Revoked access
   activerecord:
     errors:
       models:

data/config/routes.rb CHANGED Viewed

@@ -12,8 +12,8 @@ QuoVadis::Engine.routes.draw do
   resource  :password, only: [:edit, :update]
   resources :password_resets, only: [:new, :create, :index]
-  get '/pwd-reset/:token', to: 'password_resets#edit',   as: 'edit_password_reset'
-  put '/pwd-reset/:token', to: 'password_resets#update', as: 'password_reset'
+  get '/pwd-reset/:token', to: 'password_resets#edit', as: 'password_reset'
+  put '/pwd-reset/:token', to: 'password_resets#update'
   resources :confirmations, only: [:new, :create, :index] do
     collection do
@@ -22,8 +22,8 @@ QuoVadis::Engine.routes.draw do
       post :resend
     end
   end
-  get '/confirm/:token', to: 'confirmations#edit',   as: 'edit_confirmation'
-  put '/confirm/:token', to: 'confirmations#update', as: 'confirmation'
+  get '/confirm/:token', to: 'confirmations#edit', as: 'confirmation'
+  put '/confirm/:token', to: 'confirmations#update'
   resources :totps, only: [:new, :create] do
     collection do

data/lib/generators/quo_vadis/install_generator.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module QuoVadis
   class InstallGenerator < Rails::Generators::Base
-    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'test' / 'dummy' / 'app' / 'views' / 'quo_vadis'
+    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'app' / 'views' / 'quo_vadis'
     desc "Copy QuoVadis' views into your app."
     def copy_views

data/lib/quo_vadis/controller.rb CHANGED Viewed

@@ -17,9 +17,8 @@ module QuoVadis
     def require_password_authentication
       return if logged_in?
-      flash[:notice] = QuoVadis.translate 'flash.require_authentication'
       session[:qv_bookmark] = request.original_fullpath
-      redirect_to quo_vadis.login_path
+      redirect_to quo_vadis.login_path, notice: QuoVadis.translate('flash.require_authentication')
     end
     alias_method :require_authentication, :require_password_authentication
@@ -88,7 +87,7 @@ module QuoVadis
     def request_confirmation(model)
       token = QuoVadis::AccountConfirmationToken.generate model.qv_account
-      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.edit_confirmation_url(token)
+      QuoVadis.deliver :account_confirmation, {email: model.email, url: quo_vadis.confirmation_url(token)}
       session[:account_pending_confirmation] = model.qv_account.id
       flash[:notice] = QuoVadis.translate 'flash.confirmation.create'

data/lib/quo_vadis/defaults.rb CHANGED Viewed

@@ -3,7 +3,7 @@ require 'active_support/core_ext'
 QuoVadis.configure do
   password_minimum_length               12
   mask_ips                              false
-  cookie_name                           '__Host-qv'
+  cookie_name                           (Rails.env.production? ? '__Host-qv' : 'qv')
   session_lifetime                      :session
   session_lifetime_extend_to_end_of_day false
   session_idle_timeout                  :lifetime

data/lib/quo_vadis/model.rb CHANGED Viewed

@@ -14,11 +14,9 @@ module QuoVadis
         has_one :qv_account, as: :model, class_name: 'QuoVadis::Account', dependent: :destroy, autosave: true
-        before_validation :qv_build_account_and_password, on: :create
-        before_validation :qv_copy_identifier_to_account
+        before_validation :qv_copy_identifier_to_account, if: Proc.new { |m| m.qv_account }
-        # Enable a new-user form to set a password.
-        validate :qv_copy_password_errors, on: :create
+        validate :qv_copy_password_errors, if: Proc.new { |m| m.qv_account&.password }
         unless validators_on(identifier).any? { |v| ActiveRecord::Validations::UniquenessValidator === v }
           raise NotImplementedError, <<~END
@@ -44,24 +42,23 @@ module QuoVadis
       def password=(val)
         @password = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         raise PasswordExistsError if qv_account.password&.persisted?
         (qv_account.password || qv_account.build_password).password = val
       end
       def password_confirmation=(val)
         @password_confirmation = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         (qv_account.password || qv_account.build_password).password_confirmation = val
       end
-      private
-      def qv_build_account_and_password
-        self.qv_account ||= build_qv_account
-        qv_account.password || qv_account.build_password
+      def revoke_authentication_credentials
+        qv_account.revoke
       end
+      private
       def qv_copy_password_errors
         qv_account.password.valid?  # force qv_account.password to validate
         qv_account.password.errors[:password             ].each { |message| errors.add :password,              message }

data/lib/quo_vadis/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module QuoVadis
-  VERSION = '2.0.2'
+  VERSION = '2.1.3'
 end

data/lib/quo_vadis.rb CHANGED Viewed

@@ -73,12 +73,14 @@ module QuoVadis
     end
     def notify(action, params)
-      QuoVadis::Mailer.with(params).send(action).deliver_later
+      deliver(action, params, later: true)
     end
-    def deliver(action, params)
-      mail = QuoVadis::Mailer.with(params).send(action)
-      QuoVadis.enqueue_transactional_emails ?
+    def deliver(action, params, later: QuoVadis.enqueue_transactional_emails)
+      mail = QuoVadis::Mailer
+        .with(params.merge(ip: QuoVadis::CurrentRequestDetails.ip, timestamp: Time.now))
+        .send(action)
+      later ?
         mail.deliver_later :
         mail.deliver_now
     end

data/test/dummy/config/initializers/quo_vadis.rb CHANGED Viewed

@@ -1,7 +1,3 @@
 QuoVadis.configure do
-  # Cannot use the __Host- prefix in a non-SSL environment.
-  # https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3.2
-  cookie_name 'qv'
   session_lifetime 1.week
 end

data/test/integration/logging_test.rb CHANGED Viewed

@@ -15,13 +15,13 @@ class LoggingTest < IntegrationTest
     assert_response :success
     assert_select 'tbody tr' do
-      assert_select 'td', 'password.change'
+      assert_select 'td', 'Changed password'
       assert_select 'td', '1.2.3.4'
       assert_select 'td', 'foo: bar, baz: qux'
     end
     assert_select 'tbody tr' do
-      assert_select 'td', 'login.success'
+      assert_select 'td', 'Logged in'
       assert_select 'td', '127.0.0.1'
       assert_select 'td', ''
     end
@@ -157,7 +157,7 @@ class LoggingTest < IntegrationTest
   test 'password.change' do
     login
     assert_log QuoVadis::Log::PASSWORD_CHANGE do
-      put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'})
     end
   end
@@ -165,7 +165,7 @@ class LoggingTest < IntegrationTest
   test 'password.reset' do
     assert_difference 'QuoVadis::Log.count', 2 do
       token = QuoVadis::PasswordResetToken.generate @account
-      put quo_vadis.password_reset_path(token, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(token, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
     assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
     assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
@@ -201,6 +201,15 @@ class LoggingTest < IntegrationTest
   end
+  test 'revoke' do
+    login_new_session
+    assert_log QuoVadis::Log::REVOKE do
+      QuoVadis::CurrentRequestDetails.ip = '127.0.0.1'  # fake out the IP assertion
+      @account.revoke
+    end
+  end
   private
   def assert_log(action, metadata = {}, account = @account, &block)

data/test/integration/password_change_test.rb CHANGED Viewed

@@ -18,29 +18,31 @@ class PasswordChangeTest < IntegrationTest
   test 'incorrect password' do
-    put quo_vadis.password_path(password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ['is incorrect'], password_instance.errors[:password]
   end
   test 'new password empty' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: '')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: ''})
+    assert_response :unprocessable_entity
     assert_equal ["can't be blank"], password_instance.errors[:new_password]
   end
   test 'new password too short' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], password_instance.errors[:new_password]
   end
   test 'new password confirmation does not match' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y')
-    assert_response :success
+    put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y'
+    })
+    assert_response :unprocessable_entity
     assert_equal ["doesn't match Password"], password_instance.errors[:new_password_confirmation]
   end
@@ -48,7 +50,9 @@ class PasswordChangeTest < IntegrationTest
   test 'success' do
     assert_emails 1 do
       assert_session_replaced do
-        put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+        put quo_vadis.password_path(password: {
+          password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+        })
         assert_response :redirect
         assert_equal 'Your password has been changed.', flash[:notice]
       end
@@ -60,7 +64,9 @@ class PasswordChangeTest < IntegrationTest
     desktop = session_login
     phone = session_login
-    desktop.put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+    desktop.put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+    })
     desktop.follow_redirect!
     assert desktop.controller.logged_in?

data/test/integration/password_login_test.rb CHANGED Viewed

@@ -21,6 +21,7 @@ class PasswordLoginTest < IntegrationTest
   test 'successful login redirects to original path' do
     get also_secret_articles_path
+    refute_nil session[:qv_bookmark]
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
@@ -30,11 +31,22 @@ class PasswordLoginTest < IntegrationTest
   end
+  test 'successful login does not redirect to login path' do
+    get quo_vadis.login_path
+    assert_nil session[:qv_bookmark]
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+    assert_redirected_to after_login_path
+  end
   test 'failed login' do
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end
@@ -42,7 +54,7 @@ class PasswordLoginTest < IntegrationTest
   test 'unknown login' do
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end

data/test/integration/password_reset_test.rb CHANGED Viewed

@@ -15,7 +15,7 @@ class PasswordResetTest < IntegrationTest
   test 'unknown identifier' do
     post quo_vadis.password_resets_path(email: 'foo@example.com')
-    assert_response :success
+    assert_redirected_to quo_vadis.password_resets_path
     assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
   end
@@ -53,10 +53,10 @@ class PasswordResetTest < IntegrationTest
     assert_emails 1 do
       post quo_vadis.password_resets_path(email: 'bob@example.com')
     end
-    put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+    put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     assert controller.logged_in?
-    get quo_vadis.edit_password_reset_url(extract_token_from_email)
+    get quo_vadis.password_reset_url(extract_token_from_email)
     assert_redirected_to quo_vadis.new_password_reset_path
     assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
   end
@@ -70,11 +70,11 @@ class PasswordResetTest < IntegrationTest
     end
     assert_no_difference 'QuoVadis::Session.count' do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: '', password_confirmation: '')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: '', password_confirmation: ''})
     end
     assert_equal digest, @user.qv_account.password.reload.password_digest
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.password_reset_path(extract_token_from_email), path
   end
@@ -95,7 +95,7 @@ class PasswordResetTest < IntegrationTest
     end
     assert_difference 'QuoVadis::Session.count', (- 2 + 1) do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
     assert controller.logged_in?

data/test/integration/totps_test.rb CHANGED Viewed

@@ -74,7 +74,7 @@ class TotpsTest < IntegrationTest
     post quo_vadis.authenticate_totps_path(totp: '123456')
     refute QuoVadis::Session.last.second_factor_authenticated?
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
   end

data/test/mailers/mailer_test.rb CHANGED Viewed

@@ -44,14 +44,16 @@ class MailerTest < ActionMailer::TestCase
   test 'email change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').email_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).email_change_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to
@@ -62,14 +64,17 @@ class MailerTest < ActionMailer::TestCase
   test 'identifier change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>', identifier: 'email').identifier_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      identifier: 'email',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).identifier_change_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to
@@ -80,14 +85,16 @@ class MailerTest < ActionMailer::TestCase
   test 'password change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).password_change_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to
@@ -98,14 +105,16 @@ class MailerTest < ActionMailer::TestCase
   test 'password reset notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_reset_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).password_reset_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to
@@ -116,14 +125,16 @@ class MailerTest < ActionMailer::TestCase
   test 'totp setup notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_setup_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).totp_setup_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to
@@ -134,14 +145,16 @@ class MailerTest < ActionMailer::TestCase
   test 'totp reuse notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_reuse_notification
+    email = QuoVadis::Mailer.with(
+      email:     'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).totp_reuse_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to
@@ -152,14 +165,16 @@ class MailerTest < ActionMailer::TestCase
   test '2fa deactivated notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').twofa_deactivated_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).twofa_deactivated_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to
@@ -170,14 +185,16 @@ class MailerTest < ActionMailer::TestCase
   test 'recovery codes generation notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').recovery_codes_generation_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).recovery_codes_generation_notification
     # freeze_time
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
     assert_equal ['foo@example.com'], email.to

data/test/models/account_test.rb CHANGED Viewed

@@ -13,8 +13,11 @@ class AccountTest < ActiveSupport::TestCase
   test 'notifies on identifier change when notifier is not email' do
+    freeze_time
     p = Person.create! username: 'bob', email: 'bob@example.com', password: 'secretsecret'
-    assert_enqueued_email_with QuoVadis::Mailer, :identifier_change_notification, args: {email: 'bob@example.com', identifier: 'username'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :identifier_change_notification,
+      args: {email: 'bob@example.com', identifier: 'username', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         p.update username: 'robert@example.com'
       end
@@ -23,12 +26,31 @@ class AccountTest < ActiveSupport::TestCase
   test 'does not notify on identifier change when notifier is email' do
+    freeze_time
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :email_change_notification,
+      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         u.update email: 'robert@example.com'
       end
     end
   end
+  test 'revoke' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+    account.create_totp last_used_at: 1.minute.ago
+    account.generate_recovery_codes
+    u.revoke_authentication_credentials
+    account.reload
+    assert_nil account.password
+    assert_nil account.totp
+    assert_empty account.recovery_codes
+    assert_empty account.sessions
+  end
 end

data/test/models/model_test.rb CHANGED Viewed

@@ -58,8 +58,11 @@ class ModelTest < ActiveSupport::TestCase
   test 'notifies on email change' do
+    freeze_time
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :email_change_notification,
+      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       u.update email: 'robert@example.com'
     end
   end

data/test/models/password_test.rb CHANGED Viewed

@@ -46,6 +46,9 @@ class PasswordTest < ActiveSupport::TestCase
   test 'model passes through password to quo_vadis' do
     user = User.new name: 'bob', email: 'bob@example.com'
+    assert user.valid?
+    user = User.new name: 'bob', email: 'bob@example.com', password: ''
     refute user.valid?
     refute_empty user.errors[:password]
@@ -117,6 +120,19 @@ class PasswordTest < ActiveSupport::TestCase
   end
+  test 'passwords can only be updated via #change and #reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+    refute pw.update password: 'secretsecret'
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+    pw.password = VALID_PASSWORD
+    refute pw.save
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+  end
   test 'cascade destroy' do
     user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
     assert user.qv_account.persisted?