quo_vadis 2.0.2 → 2.1.3

data/config/locales/quo_vadis.en.yml

@@ -31,7 +31,6 @@ en:
           other: You have %{count} recovery codes left.
       2fa:
         invalidated: You have invalidated your 2FA credentials and recovery codes.
-
     mailer:
       password_reset:
         subject: Change your password
@@ -46,6 +45,36 @@ en:
         totp_reuse: Your two-factor authentication code was reused just now
         twofa_deactivated: Two-factor authentication was deactivated just now
         recovery_codes_generation: Recovery codes have been generated for your account
+    log:
+      action:
+        login:
+          success: Logged in
+          failure: Failed login attempt (incorrect password)
+          unknown: Failed login attempt (unknown identifier)
+        totp:
+          setup: TOTP set up for 2FA
+          success: Authenticated via TOTP
+          failure: Failed authentication attempt via TOTP
+          reuse: Failed attempt to reuse TOTP code
+        recovery_code:
+          success: Authenticated via 2FA recovery code
+          failure: Failed authentication attempt via 2FA recovery code
+          generate: Generated new 2FA recovery codes
+        2fa:
+          deactivated: Deactivated 2FA
+        identifier:
+          change: Changed identifier
+        email:
+          change: Changed email address
+        password:
+          change: Changed password
+          reset: Reset password
+        account:
+          confirmation: Confirmed account
+        logout:
+          self: Logged out
+          other: Logged out session remotely
+        revoke: Revoked access
   activerecord:
     errors:
       models:

data/config/routes.rb

@@ -12,8 +12,8 @@ QuoVadis::Engine.routes.draw do
   resource  :password, only: [:edit, :update]
 
   resources :password_resets, only: [:new, :create, :index]
-  get '/pwd-reset/:token', to: 'password_resets#edit',   as: 'edit_password_reset'
-  put '/pwd-reset/:token', to: 'password_resets#update', as: 'password_reset'
+  get '/pwd-reset/:token', to: 'password_resets#edit', as: 'password_reset'
+  put '/pwd-reset/:token', to: 'password_resets#update'
 
   resources :confirmations, only: [:new, :create, :index] do
     collection do
@@ -22,8 +22,8 @@ QuoVadis::Engine.routes.draw do
       post :resend
     end
   end
-  get '/confirm/:token', to: 'confirmations#edit',   as: 'edit_confirmation'
-  put '/confirm/:token', to: 'confirmations#update', as: 'confirmation'
+  get '/confirm/:token', to: 'confirmations#edit', as: 'confirmation'
+  put '/confirm/:token', to: 'confirmations#update'
 
   resources :totps, only: [:new, :create] do
     collection do

data/lib/generators/quo_vadis/install_generator.rb

@@ -1,6 +1,6 @@
 module QuoVadis
   class InstallGenerator < Rails::Generators::Base
-    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'test' / 'dummy' / 'app' / 'views' / 'quo_vadis'
+    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'app' / 'views' / 'quo_vadis'
 
     desc "Copy QuoVadis' views into your app."
     def copy_views

data/lib/quo_vadis/controller.rb

@@ -17,9 +17,8 @@ module QuoVadis
 
     def require_password_authentication
       return if logged_in?
-      flash[:notice] = QuoVadis.translate 'flash.require_authentication'
       session[:qv_bookmark] = request.original_fullpath
-      redirect_to quo_vadis.login_path
+      redirect_to quo_vadis.login_path, notice: QuoVadis.translate('flash.require_authentication')
     end
     alias_method :require_authentication, :require_password_authentication
 
@@ -88,7 +87,7 @@ module QuoVadis
 
     def request_confirmation(model)
       token = QuoVadis::AccountConfirmationToken.generate model.qv_account
-      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.edit_confirmation_url(token)
+      QuoVadis.deliver :account_confirmation, {email: model.email, url: quo_vadis.confirmation_url(token)}
       session[:account_pending_confirmation] = model.qv_account.id
 
       flash[:notice] = QuoVadis.translate 'flash.confirmation.create'

data/lib/quo_vadis/defaults.rb

@@ -3,7 +3,7 @@ require 'active_support/core_ext'
 QuoVadis.configure do
   password_minimum_length               12
   mask_ips                              false
-  cookie_name                           '__Host-qv'
+  cookie_name                           (Rails.env.production? ? '__Host-qv' : 'qv')
   session_lifetime                      :session
   session_lifetime_extend_to_end_of_day false
   session_idle_timeout                  :lifetime

data/lib/quo_vadis/model.rb

@@ -14,11 +14,9 @@ module QuoVadis
 
         has_one :qv_account, as: :model, class_name: 'QuoVadis::Account', dependent: :destroy, autosave: true
 
-        before_validation :qv_build_account_and_password, on: :create
-        before_validation :qv_copy_identifier_to_account
+        before_validation :qv_copy_identifier_to_account, if: Proc.new { |m| m.qv_account }
 
-        # Enable a new-user form to set a password.
-        validate :qv_copy_password_errors, on: :create
+        validate :qv_copy_password_errors, if: Proc.new { |m| m.qv_account&.password }
 
         unless validators_on(identifier).any? { |v| ActiveRecord::Validations::UniquenessValidator === v }
           raise NotImplementedError, <<~END
@@ -44,24 +42,23 @@ module QuoVadis
 
       def password=(val)
         @password = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         raise PasswordExistsError if qv_account.password&.persisted?
         (qv_account.password || qv_account.build_password).password = val
       end
 
       def password_confirmation=(val)
         @password_confirmation = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         (qv_account.password || qv_account.build_password).password_confirmation = val
       end
 
-      private
-
-      def qv_build_account_and_password
-        self.qv_account ||= build_qv_account
-        qv_account.password || qv_account.build_password
+      def revoke_authentication_credentials
+        qv_account.revoke
       end
 
+      private
+
       def qv_copy_password_errors
         qv_account.password.valid?  # force qv_account.password to validate
         qv_account.password.errors[:password             ].each { |message| errors.add :password,              message }

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.0.2'
+  VERSION = '2.1.3'
 end

data/lib/quo_vadis.rb

@@ -73,12 +73,14 @@ module QuoVadis
     end
 
     def notify(action, params)
-      QuoVadis::Mailer.with(params).send(action).deliver_later
+      deliver(action, params, later: true)
     end
 
-    def deliver(action, params)
-      mail = QuoVadis::Mailer.with(params).send(action)
-      QuoVadis.enqueue_transactional_emails ?
+    def deliver(action, params, later: QuoVadis.enqueue_transactional_emails)
+      mail = QuoVadis::Mailer
+        .with(params.merge(ip: QuoVadis::CurrentRequestDetails.ip, timestamp: Time.now))
+        .send(action)
+      later ?
         mail.deliver_later :
         mail.deliver_now
     end

data/test/dummy/config/initializers/quo_vadis.rb

@@ -1,7 +1,3 @@
 QuoVadis.configure do
-  # Cannot use the __Host- prefix in a non-SSL environment.
-  # https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3.2
-  cookie_name 'qv'
-
   session_lifetime 1.week
 end

data/test/integration/logging_test.rb

@@ -15,13 +15,13 @@ class LoggingTest < IntegrationTest
     assert_response :success
 
     assert_select 'tbody tr' do
-      assert_select 'td', 'password.change'
+      assert_select 'td', 'Changed password'
       assert_select 'td', '1.2.3.4'
       assert_select 'td', 'foo: bar, baz: qux'
     end
 
     assert_select 'tbody tr' do
-      assert_select 'td', 'login.success'
+      assert_select 'td', 'Logged in'
       assert_select 'td', '127.0.0.1'
       assert_select 'td', ''
     end
@@ -157,7 +157,7 @@ class LoggingTest < IntegrationTest
   test 'password.change' do
     login
     assert_log QuoVadis::Log::PASSWORD_CHANGE do
-      put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'})
     end
   end
 
@@ -165,7 +165,7 @@ class LoggingTest < IntegrationTest
   test 'password.reset' do
     assert_difference 'QuoVadis::Log.count', 2 do
       token = QuoVadis::PasswordResetToken.generate @account
-      put quo_vadis.password_reset_path(token, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(token, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
     assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
     assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
@@ -201,6 +201,15 @@ class LoggingTest < IntegrationTest
   end
 
 
+  test 'revoke' do
+    login_new_session
+    assert_log QuoVadis::Log::REVOKE do
+      QuoVadis::CurrentRequestDetails.ip = '127.0.0.1'  # fake out the IP assertion
+      @account.revoke
+    end
+  end
+
+
   private
 
   def assert_log(action, metadata = {}, account = @account, &block)

data/test/integration/password_change_test.rb

@@ -18,29 +18,31 @@ class PasswordChangeTest < IntegrationTest
 
 
   test 'incorrect password' do
-    put quo_vadis.password_path(password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ['is incorrect'], password_instance.errors[:password]
   end
 
 
   test 'new password empty' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: '')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: ''})
+    assert_response :unprocessable_entity
     assert_equal ["can't be blank"], password_instance.errors[:new_password]
   end
 
 
   test 'new password too short' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], password_instance.errors[:new_password]
   end
 
 
   test 'new password confirmation does not match' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y')
-    assert_response :success
+    put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y'
+    })
+    assert_response :unprocessable_entity
     assert_equal ["doesn't match Password"], password_instance.errors[:new_password_confirmation]
   end
 
@@ -48,7 +50,9 @@ class PasswordChangeTest < IntegrationTest
   test 'success' do
     assert_emails 1 do
       assert_session_replaced do
-        put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+        put quo_vadis.password_path(password: {
+          password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+        })
         assert_response :redirect
         assert_equal 'Your password has been changed.', flash[:notice]
       end
@@ -60,7 +64,9 @@ class PasswordChangeTest < IntegrationTest
     desktop = session_login
     phone = session_login
 
-    desktop.put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+    desktop.put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+    })
     desktop.follow_redirect!
     assert desktop.controller.logged_in?
 

data/test/integration/password_login_test.rb

@@ -21,6 +21,7 @@ class PasswordLoginTest < IntegrationTest
 
   test 'successful login redirects to original path' do
     get also_secret_articles_path
+    refute_nil session[:qv_bookmark]
 
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
@@ -30,11 +31,22 @@ class PasswordLoginTest < IntegrationTest
   end
 
 
+  test 'successful login does not redirect to login path' do
+    get quo_vadis.login_path
+    assert_nil session[:qv_bookmark]
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to after_login_path
+  end
+
+
   test 'failed login' do
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
 
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end
 
@@ -42,7 +54,7 @@ class PasswordLoginTest < IntegrationTest
   test 'unknown login' do
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
 
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end
 

data/test/integration/password_reset_test.rb

@@ -15,7 +15,7 @@ class PasswordResetTest < IntegrationTest
 
   test 'unknown identifier' do
     post quo_vadis.password_resets_path(email: 'foo@example.com')
-    assert_response :success
+    assert_redirected_to quo_vadis.password_resets_path
     assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
   end
 
@@ -53,10 +53,10 @@ class PasswordResetTest < IntegrationTest
     assert_emails 1 do
       post quo_vadis.password_resets_path(email: 'bob@example.com')
     end
-    put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+    put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     assert controller.logged_in?
 
-    get quo_vadis.edit_password_reset_url(extract_token_from_email)
+    get quo_vadis.password_reset_url(extract_token_from_email)
     assert_redirected_to quo_vadis.new_password_reset_path
     assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
   end
@@ -70,11 +70,11 @@ class PasswordResetTest < IntegrationTest
     end
 
     assert_no_difference 'QuoVadis::Session.count' do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: '', password_confirmation: '')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: '', password_confirmation: ''})
     end
 
     assert_equal digest, @user.qv_account.password.reload.password_digest
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.password_reset_path(extract_token_from_email), path
   end
 
@@ -95,7 +95,7 @@ class PasswordResetTest < IntegrationTest
     end
 
     assert_difference 'QuoVadis::Session.count', (- 2 + 1) do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
 
     assert controller.logged_in?

data/test/integration/totps_test.rb

@@ -74,7 +74,7 @@ class TotpsTest < IntegrationTest
 
     post quo_vadis.authenticate_totps_path(totp: '123456')
     refute QuoVadis::Session.last.second_factor_authenticated?
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
   end
 

data/test/mailers/mailer_test.rb

@@ -44,14 +44,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'email change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').email_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).email_change_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -62,14 +64,17 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'identifier change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>', identifier: 'email').identifier_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      identifier: 'email',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).identifier_change_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -80,14 +85,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'password change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).password_change_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -98,14 +105,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'password reset notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_reset_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).password_reset_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -116,14 +125,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'totp setup notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_setup_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).totp_setup_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -134,14 +145,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'totp reuse notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_reuse_notification
+    email = QuoVadis::Mailer.with(
+      email:     'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).totp_reuse_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -152,14 +165,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test '2fa deactivated notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').twofa_deactivated_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).twofa_deactivated_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -170,14 +185,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'recovery codes generation notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').recovery_codes_generation_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).recovery_codes_generation_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to

data/test/models/account_test.rb

@@ -13,8 +13,11 @@ class AccountTest < ActiveSupport::TestCase
 
 
   test 'notifies on identifier change when notifier is not email' do
+    freeze_time
     p = Person.create! username: 'bob', email: 'bob@example.com', password: 'secretsecret'
-    assert_enqueued_email_with QuoVadis::Mailer, :identifier_change_notification, args: {email: 'bob@example.com', identifier: 'username'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :identifier_change_notification,
+      args: {email: 'bob@example.com', identifier: 'username', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         p.update username: 'robert@example.com'
       end
@@ -23,12 +26,31 @@ class AccountTest < ActiveSupport::TestCase
 
 
   test 'does not notify on identifier change when notifier is email' do
+    freeze_time
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :email_change_notification,
+      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         u.update email: 'robert@example.com'
       end
     end
   end
 
+
+  test 'revoke' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+    account.create_totp last_used_at: 1.minute.ago
+    account.generate_recovery_codes
+
+    u.revoke_authentication_credentials
+    account.reload
+
+    assert_nil account.password
+    assert_nil account.totp
+    assert_empty account.recovery_codes
+    assert_empty account.sessions
+  end
+
 end

data/test/models/model_test.rb

@@ -58,8 +58,11 @@ class ModelTest < ActiveSupport::TestCase
 
 
   test 'notifies on email change' do
+    freeze_time
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :email_change_notification,
+      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       u.update email: 'robert@example.com'
     end
   end

data/test/models/password_test.rb

@@ -46,6 +46,9 @@ class PasswordTest < ActiveSupport::TestCase
 
   test 'model passes through password to quo_vadis' do
     user = User.new name: 'bob', email: 'bob@example.com'
+    assert user.valid?
+
+    user = User.new name: 'bob', email: 'bob@example.com', password: ''
     refute user.valid?
     refute_empty user.errors[:password]
 
@@ -117,6 +120,19 @@ class PasswordTest < ActiveSupport::TestCase
   end
 
 
+  test 'passwords can only be updated via #change and #reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+
+    refute pw.update password: 'secretsecret'
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+
+    pw.password = VALID_PASSWORD
+    refute pw.save
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+  end
+
+
   test 'cascade destroy' do
     user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
     assert user.qv_account.persisted?