refinerycms-authentication-devise 1.0.0

data/lib/refinery/authentication/devise/initialiser.rb

@@ -0,0 +1,228 @@
+require 'devise'
+
+# Use this hook to configure devise mailer, warden hooks and so forth.
+# Many of these configuration options can be set straight in your model.
+::Devise.setup do |config|
+  config.secret_key = ENV['DEVISE_SECRET_KEY'] || SecureRandom.hex
+
+  # ==> Mailer Configuration
+  # Configure the e-mail address which will be shown in Devise::Mailer,
+  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
+  # config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
+
+  # Configure the class responsible to send e-mails.
+  # config.mailer = "Devise::Mailer"
+
+  # ==> ORM configuration
+  # Load and configure the ORM. Supports :active_record (default) and
+  # :mongoid (bson_ext recommended) by default. Other ORMs may be
+  # available as additional gems.
+  ActiveSupport.on_load(:active_record) do
+    ::Devise.setup do
+      require 'devise/orm/active_record'
+    end
+  end
+
+  # ==> Configuration for any authentication mechanism
+  # Configure which keys are used when authenticating a user. The default is
+  # just :email. You can configure it to use [:username, :subdomain], so for
+  # authenticating a user, both parameters are required. Remember that those
+  # parameters are used only when authenticating and not when retrieving from
+  # session. If you need permissions, you should implement that in a before filter.
+  # You can also supply a hash where the value is a boolean determining whether
+  # or not authentication should be aborted when the value is not present.
+  config.authentication_keys = [ :login ]
+
+  # Configure parameters from the request object used for authentication. Each entry
+  # given should be a request method and it will automatically be passed to the
+  # find_for_authentication method and considered in your model lookup. For instance,
+  # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
+  # The same considerations mentioned for authentication_keys also apply to request_keys.
+  # config.request_keys = []
+
+  # Configure which authentication keys should be case-insensitive.
+  # These keys will be downcased upon creating or modifying a user and when used
+  # to authenticate or find a user. Default is :email.
+  config.case_insensitive_keys = []
+
+  # Configure which authentication keys should have whitespace stripped.
+  # These keys will have whitespace before and after removed upon creating or
+  # modifying a user and when used to authenticate or find a user. Default is :email.
+  # config.strip_whitespace_keys = [ :email ]
+
+  # Tell if authentication through request.params is enabled. True by default.
+  # It can be set to an array that will enable params authentication only for the
+  # given stratragies, for example, `config.params_authenticatable = [:database]` will
+  # enable it only for database (email + password) authentication.
+  # config.params_authenticatable = true
+
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # It can be set to an array that will enable http authentication only for the
+  # given stratragies, for example, `config.http_authenticatable = [:token]` will
+  # enable it only for token authentication.
+  # config.http_authenticatable = false
+
+  # If http headers should be returned for AJAX requests. True by default.
+  # config.http_authenticatable_on_xhr = true
+
+  # The realm used in Http Basic Authentication. "Application" by default.
+  # config.http_authentication_realm = "Application"
+
+  # It will change confirmation, password recovery and other workflows
+  # to behave the same regardless if the e-mail provided was right or wrong.
+  # Does not affect registerable.
+  # config.paranoid = true
+
+  # By default Devise will store the user in session. You can skip storage for
+  # :http_auth and :token_auth by adding those symbols to the array below.
+  # Notice that if you are skipping storage for all authentication paths, you
+  # may want to disable generating routes to Devise's sessions controller by
+  # passing :skip => :sessions to `devise_for` in your config/routes.rb
+  config.skip_session_storage = [:http_auth]
+
+  # ==> Configuration for :database_authenticatable
+  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
+  # using other encryptors, it sets how many times you want the password re-encrypted.
+  #
+  # Limiting the stretches to just one in testing will increase the performance of
+  # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
+  # a value less than 10 in other environments.
+  config.stretches = Rails.env.test? ? 1 : 10
+
+  # Setup a pepper to generate the encrypted password.
+  # config.pepper = <%= SecureRandom.hex(64).inspect %>
+
+  # ==> Configuration for :confirmable
+  # A period that the user is allowed to access the website even without
+  # confirming his account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming his account,
+  # access will be blocked just in the third day. Default is 0.days, meaning
+  # the user cannot access the website without confirming his account.
+  # config.allow_unconfirmed_access_for = 2.days
+
+  # If true, requires any email changes to be confirmed (exctly the same way as
+  # initial account confirmation) to be applied. Requires additional unconfirmed_email
+  # db field (see migrations). Until confirmed new email is stored in
+  # unconfirmed email column, and copied to email column on successful confirmation.
+  # config.reconfirmable = true
+
+  # Defines which key will be used when confirming an account
+  # config.confirmation_keys = [ :email ]
+
+  # ==> Configuration for :rememberable
+  # The time the user will be remembered without asking for credentials again.
+  # config.remember_for = 2.weeks
+
+  # If true, extends the user's remember period when remembered via cookie.
+  # config.extend_remember_period = false
+
+  # Options to be passed to the created cookie. For instance, you can set
+  # :secure => true in order to force SSL only cookies.
+  # config.cookie_options = {}
+
+  # ==> Configuration for :validatable
+  # Range for password length. Default is 6..128.
+  config.password_length = 4..128
+
+  # Email regex used to validate email formats. It simply asserts that
+  # an one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
+  # config.email_regexp = /\A[^@]+@[^@]+\z/
+
+  # ==> Configuration for :timeoutable
+  # The time you want to timeout the user session without activity. After this
+  # time the user will be asked for credentials again. Default is 30 minutes.
+  # config.timeout_in = 30.minutes
+
+  # ==> Configuration for :lockable
+  # Defines which strategy will be used to lock an account.
+  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
+  # :none            = No lock strategy. You should handle locking by yourself.
+  # config.lock_strategy = :failed_attempts
+
+  # Defines which key will be used when locking and unlocking an account
+  # config.unlock_keys = [ :email ]
+
+  # Defines which strategy will be used to unlock an account.
+  # :email = Sends an unlock link to the user email
+  # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
+  # :both  = Enables both strategies
+  # :none  = No unlock strategy. You should handle unlocking by yourself.
+  # config.unlock_strategy = :both
+
+  # Number of authentication tries before locking an account if lock_strategy
+  # is failed attempts.
+  # config.maximum_attempts = 20
+
+  # Time interval to unlock the account if :time is enabled as unlock_strategy.
+  # config.unlock_in = 1.hour
+
+  # ==> Configuration for :recoverable
+  #
+  # Defines which key will be used when recovering the password for an account
+  # config.reset_password_keys = [ :email ]
+
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 6.hours
+
+  # ==> Configuration for :encryptable
+  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
+  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
+  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
+  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
+  # REST_AUTH_SITE_KEY to pepper)
+  # config.encryptor = :sha512
+
+  # ==> Configuration for :token_authenticatable
+  # Defines name of the authentication token params key
+  # config.token_authentication_key = :auth_token
+
+  # ==> Scopes configuration
+  # Turn scoped views on. Before rendering "sessions/new", it will first check for
+  # "users/sessions/new". It's turned off by default because it's slower if you
+  # are using only default views.
+  # config.scoped_views = false
+
+  # Configure the default scope given to Warden. By default it's the first
+  # devise role declared in your routes (usually :user).
+  # config.default_scope = :user
+
+  # Configure sign_out behavior.
+  # Sign_out action can be scoped (i.e. /users/sign_out affects only :user scope).
+  # The default is true, which means any logout action will sign out all active scopes.
+  # config.sign_out_all_scopes = true
+
+  # ==> Navigation configuration
+  # Lists the formats that should be treated as navigational. Formats like
+  # :html, should redirect to the sign in page when the user does not have
+  # access, but formats like :xml or :json, should return 401.
+  #
+  # If you have any extra navigational formats, like :iphone or :mobile, you
+  # should add them to the navigational formats lists.
+  #
+  # The "*/*" below is required to match Internet Explorer requests.
+  # config.navigational_formats = ["*/*", :html]
+
+  # The default HTTP method used to sign out a resource. Default is :delete.
+  config.sign_out_via = :delete
+
+  # ==> OmniAuth
+  # Add a new OmniAuth provider. Check the wiki for more information on setting
+  # up on your models and hooks.
+  # config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo'
+
+  # ==> Warden configuration
+  # If you want to use other strategies, that are not supported by Devise, or
+  # change the failure app, you can configure them inside the config.warden block.
+  #
+  # config.warden do |manager|
+  #   manager.intercept_401 = false
+  #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
+  # end
+
+  # Please do not change the router_name away from :refinery
+  # otherwise Refinery may not function properly. Thanks!
+  config.router_name = :refinery
+end

data/lib/refinery/authentication/devise/system.rb

@@ -0,0 +1,63 @@
+module Refinery
+  module Authentication
+    module Devise
+      module System
+        # Store the URI of the current request in the session.
+        #
+        # We can return to this location by calling #redirect_back_or_default.
+        def store_location
+          session[:return_to] = request.fullpath
+        end
+
+        # Clear and return the stored location
+        def pop_stored_location
+          session.delete(:return_to)
+        end
+
+        # Redirect to the URI stored by the most recent store_location call or
+        # to the passed default.
+        def redirect_back_or_default(default)
+          redirect_to(pop_stored_location || default)
+        end
+
+        # This defines the devise method for refinery routes
+        def signed_in_root_path(resource_or_scope)
+          scope = ::Devise::Mapping.find_scope!(resource_or_scope)
+          home_path = "#{scope}_root_path"
+          if respond_to?(home_path, true)
+            refinery.send(home_path)
+          else
+            Refinery::Core.backend_path
+          end
+        end
+
+        # Pops the stored url, trims the sneaky "//" from it, and returns it.
+        #
+        # Making sure bad urls aren't stored in the first place should probably be
+        # a part of the Devise::FailureApp
+        def sanitized_stored_location_for(resource_or_scope)
+          # `stored_location_for` is the devise method that pops the
+          # scoped `return_to` key
+          location = stored_location_for(resource_or_scope)
+          location.sub!("//", "/") if location.respond_to?(:sub!)
+          location
+        end
+
+        # This just defines the devise method for after sign in to support
+        # extension namespace isolation...
+        def after_sign_in_path_for(resource_or_scope)
+          pop_stored_location ||
+            sanitized_stored_location_for(resource_or_scope) ||
+            signed_in_root_path(resource_or_scope)
+        end
+
+        def after_sign_out_path_for(resource_or_scope)
+          refinery.root_path
+        end
+
+        protected :store_location, :pop_stored_location, :redirect_back_or_default,
+                  :sanitized_stored_location_for
+      end
+    end
+  end
+end

data/lib/refinery/authentication/devise.rb

@@ -0,0 +1,26 @@
+require 'refinerycms-core'
+require 'action_mailer'
+require 'devise'
+require 'friendly_id'
+
+module Refinery
+  autoload :AuthenticationDeviseGenerator, 'generators/refinery/authentication/devise/authentication_generator'
+  autoload :AuthenticationSystem, 'refinery/authenticated_system'
+
+  module Authentication
+    module Devise
+      require 'refinery/authentication/devise/engine'
+      require 'refinery/authentication/devise/configuration'
+
+      class << self
+        def factory_paths
+          @factory_paths ||= [ root.join("spec/factories").to_s ]
+        end
+
+        def root
+          @root ||= Pathname.new(File.expand_path('../../../', __FILE__))
+        end
+      end
+    end
+  end
+end

data/lib/refinerycms-authentication-devise.rb

@@ -0,0 +1 @@
+require 'refinery/authentication/devise'

data/license.md

@@ -0,0 +1,21 @@
+# MIT License
+
+Copyright (c) 2015 [Philip Arndt](http://p.arndt.io)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/readme.md

@@ -0,0 +1,11 @@
+# Refinery CMS Authentication Extension for Devise
+
+This extension allows you to use Devise with Refinery CMS 3.0 and later.
+
+## Usage
+
+Simply put this in the Gemfile of your Refinery application:
+
+```ruby
+gem 'refinerycms-authentication-devise', '~> 1.0.0'
+```

data/refinerycms-authentication-devise.gemspec

@@ -0,0 +1,22 @@
+# Encoding: UTF-8
+Gem::Specification.new do |s|
+  s.platform          = Gem::Platform::RUBY
+  s.name              = %q{refinerycms-authentication-devise}
+  s.version           = %q{1.0.0}
+  s.summary           = %q{Devise based authentication extension for Refinery CMS}
+  s.description       = %q{A Devise authentication extension for Refinery CMS}
+  s.homepage          = %q{http://refinerycms.com}
+  s.authors           = ['Philip Arndt', 'Rob Yurkowski']
+  s.license           = %q{MIT}
+  s.require_paths     = %w(lib)
+
+  s.files             = `git ls-files`.split("\n")
+  s.test_files        = `git ls-files -- spec/*`.split("\n")
+
+  s.add_dependency 'refinerycms-core',  ['~> 3.0', '>= 3.0.0']
+  s.add_dependency 'actionmailer',      ['~> 4.2', '>= 4.2.0']
+  s.add_dependency 'devise',            ['~> 3.0', '>= 3.2.4']
+  s.add_dependency 'friendly_id',       '~> 5.1.0'
+
+  s.required_ruby_version = '>= 2.0.0'
+end

data/spec/controllers/refinery/authentication/devise/admin/users_controller_spec.rb

@@ -0,0 +1,90 @@
+require "spec_helper"
+
+describe Refinery::Authentication::Devise::Admin::UsersController, :type => :controller do
+  refinery_login_with_devise [:refinery, :superuser]
+
+  shared_examples_for "new, create, update, edit and update actions" do
+    it "loads roles" do
+      get :new
+    end
+
+    it "loads plugins" do
+      user_plugin = Refinery::Plugins.registered.detect { |plugin| plugin.name == "refinery_authentication_devise" }
+      plugins = Refinery::Plugins.new
+      plugins << user_plugin
+      expect(plugins).to receive(:in_menu).once{ [user_plugin] }
+
+      expect(Refinery::Plugins).to receive(:registered).at_least(1).times{ plugins }
+      get :new
+    end
+  end
+
+  describe "#new" do
+    it "renders the new template" do
+      get :new
+      expect(response).to be_success
+      expect(response).to render_template("refinery/authentication/devise/admin/users/new")
+    end
+
+    it_should_behave_like "new, create, update, edit and update actions"
+  end
+
+  describe "#create" do
+    it "creates a new user with valid params" do
+      user = Refinery::Authentication::Devise::User.new :username => "bob"
+      expect(user).to receive(:save).once{ true }
+      expect(Refinery::Authentication::Devise::User).to receive(:new).once.with(instance_of(ActionController::Parameters)){ user }
+      post :create, :user => {:username => 'bobby'}
+      expect(response).to be_redirect
+    end
+
+    it_should_behave_like "new, create, update, edit and update actions"
+
+    it "re-renders #new if there are errors" do
+      user = Refinery::Authentication::Devise::User.new :username => "bob"
+      expect(user).to receive(:save).once{ false }
+      expect(Refinery::Authentication::Devise::User).to receive(:new).once.with(instance_of(ActionController::Parameters)){ user }
+      post :create, :user => {:username => 'bobby'}
+      expect(response).to be_success
+      expect(response).to render_template("refinery/authentication/devise/admin/users/new")
+    end
+  end
+
+  describe "#edit" do
+    refinery_login_with_devise [:refinery, :superuser]
+
+    it "renders the edit template" do
+      get :edit, :id => logged_in_user.id
+      expect(response).to be_success
+      expect(response).to render_template("refinery/authentication/devise/admin/users/edit")
+    end
+
+    it_should_behave_like "new, create, update, edit and update actions"
+  end
+
+  describe "#update" do
+    refinery_login_with_devise [:refinery, :superuser]
+
+    let(:additional_user) { FactoryGirl.create :authentication_devise_refinery_user }
+    it "updates a user" do
+      patch "update", :id => additional_user.id.to_s, :user => {:username => 'bobby'}
+      expect(response).to be_redirect
+    end
+
+    context "when specifying plugins" do
+      it "won't allow to remove 'Users' plugin from self" do
+        patch "update", :id => logged_in_user.id.to_s, :user => {:plugins => ["some plugin"]}
+
+        expect(flash[:error]).to eq("You cannot remove the 'Users' plugin from the currently logged in account.")
+      end
+
+      it "will update to the plugins supplied" do
+        expect(logged_in_user).to receive(:update_attributes).with({"plugins" => %w(refinery_authentication_devise some_plugin)})
+        allow(Refinery::Authentication::Devise::User).to receive_message_chain(:includes, :find) { logged_in_user }
+        patch "update", :id => logged_in_user.id.to_s, :user => {:plugins => %w(refinery_authentication_devise some_plugin)}
+      end
+    end
+
+    it_should_behave_like "new, create, update, edit and update actions"
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,27 @@
+FactoryGirl.define do
+  factory :authentication_devise_user, :class => Refinery::Authentication::Devise::User do
+    sequence(:username) { |n| "refinery#{n}" }
+    sequence(:email) { |n| "refinery#{n}@example.com" }
+    password  "refinerycms"
+    password_confirmation "refinerycms"
+  end
+
+  factory :authentication_devise_refinery_user, :parent => :authentication_devise_user do
+    roles { [ ::Refinery::Authentication::Devise::Role[:refinery] ] }
+
+    after(:create) do |user|
+      ::Refinery::Plugins.registered.each_with_index do |plugin, index|
+        user.plugins.create(:name => plugin.name, :position => index)
+      end
+    end
+  end
+
+  factory :authentication_devise_refinery_superuser, :parent => :authentication_devise_refinery_user do
+    roles {
+      [
+        ::Refinery::Authentication::Devise::Role[:refinery],
+        ::Refinery::Authentication::Devise::Role[:superuser]
+      ]
+    }
+  end
+end

data/spec/features/refinery/authentication/devise/admin/users_spec.rb

@@ -0,0 +1,88 @@
+require "spec_helper"
+
+describe "User admin page", :type => :feature do
+  refinery_login_with_devise :authentication_devise_refinery_superuser
+
+  describe "new/create" do
+    def visit_and_fill_form
+      visit refinery.authentication_devise_admin_users_path
+      click_link "Add new user"
+
+      fill_in "user[username]", :with => "test"
+      fill_in "user[email]", :with => "test@example.com"
+      fill_in "user[password]", :with => "123456"
+      fill_in "user[password_confirmation]", :with => "123456"
+    end
+
+    it "can create a user" do
+      visit_and_fill_form
+
+      click_button "Save"
+
+      expect(page).to have_content("test was successfully added.")
+      expect(page).to have_content("test (test@example.com)")
+    end
+
+    context "when assigning roles config is enabled" do
+      before do
+        allow(Refinery::Authentication::Devise).to receive(:superuser_can_assign_roles).and_return(true)
+      end
+
+      it "allows superuser to assign roles" do
+        visit_and_fill_form
+
+        within "#roles" do
+          check "roles_#{Refinery::Authentication::Devise::Role.first.title.downcase}"
+        end
+        click_button "Save"
+
+        expect(page).to have_content("test was successfully added.")
+        expect(page).to have_content("test (test@example.com)")
+      end
+    end
+  end
+
+  describe "edit/update" do
+    it "can update a user" do
+      visit refinery.authentication_devise_admin_users_path
+      click_link "Edit this user"
+
+      fill_in "Username", :with => "cmsrefinery"
+      fill_in "Email", :with => "cms@example.com"
+      click_button "Save"
+
+      expect(page).to have_content("cmsrefinery was successfully updated.")
+      expect(page).to have_content("cmsrefinery (cms@example.com)")
+    end
+
+    let(:dotty_user) { FactoryGirl.create(:authentication_devise_refinery_user, :username => 'user.name.with.lots.of.dots') }
+    it "accepts a username with a '.' in it" do
+      dotty_user # create the user
+      visit refinery.authentication_devise_admin_users_path
+
+      expect(page).to have_css("#sortable_#{dotty_user.id}")
+
+      within "#sortable_#{dotty_user.id}" do
+        click_link "Edit this user"
+      end
+
+      expect(page).to have_css("form#edit_user_#{dotty_user.id}")
+    end
+  end
+
+  describe "destroy" do
+    let!(:user) {
+      FactoryGirl.create(:authentication_devise_refinery_user, username: "ugisozols")
+    }
+
+    it "can only destroy regular users" do
+      visit refinery.authentication_devise_admin_users_path
+      expect(page).to have_selector("a[href='/refinery/users/#{user.username}']")
+      expect(page).to have_no_selector("a[href='/refinery/users/#{logged_in_user.username}']")
+
+      click_link "Remove this user"
+      expect(page).to have_content("'#{user.username}' was successfully removed.")
+      expect(page).to have_content("#{logged_in_user.username} (#{logged_in_user.email})")
+    end
+  end
+end

data/spec/features/refinery/authentication/devise/passwords_spec.rb

@@ -0,0 +1,71 @@
+require "spec_helper"
+
+describe "password recovery", :type => :feature do
+  let!(:user) { FactoryGirl.create(:authentication_devise_refinery_user, :email => "refinery@example.com") }
+
+  it "asks user to specify email address" do
+    visit refinery.login_path
+    click_link "I forgot my password"
+    expect(page).to have_content("Please enter the email address for your account.")
+  end
+
+  context "when existing email specified" do
+    it "shows success message" do
+      visit refinery.new_authentication_devise_user_password_path
+      fill_in "authentication_devise_user_email", :with => user.email
+      click_button "Reset password"
+      expect(page).to have_content("An email has been sent to you with a link to reset your password.")
+    end
+  end
+
+  context "when non-existing email specified" do
+    it "shows failure message" do
+      visit refinery.new_authentication_devise_user_password_path
+      fill_in "authentication_devise_user_email", :with => "none@example.com"
+      click_button "Reset password"
+      expect(page).to have_content("Sorry, 'none@example.com' isn't associated with any accounts.")
+      expect(page).to have_content("Are you sure you typed the correct email address?")
+    end
+  end
+
+  context "when good reset code" do
+    let!(:token) { user.generate_reset_password_token! }
+
+    it "allows to change password" do
+      visit refinery.edit_authentication_devise_user_password_path(:reset_password_token => token)
+      expect(page).to have_content("Pick a new password for #{user.email}")
+
+      fill_in "authentication_devise_user_password", :with => "123456"
+      fill_in "authentication_devise_user_password_confirmation", :with => "123456"
+      click_button "Reset password"
+
+      expect(page).to have_content("Password reset successfully for '#{user.email}'")
+    end
+  end
+
+  context "when invalid reset code" do
+    let!(:token) { user.generate_reset_password_token! }
+
+    it "shows error message" do
+      visit refinery.edit_authentication_devise_user_password_path(:reset_password_token => "hmmm")
+      expect(page).to have_content("Reset password token is invalid")
+    end
+  end
+
+  context "when expired reset code" do
+    let!(:token) { user.generate_reset_password_token! }
+    before do
+      user.update_attribute(:reset_password_sent_at, 1.day.ago)
+    end
+
+    it "shows error message" do
+      visit refinery.edit_authentication_devise_user_password_path(:reset_password_token => token)
+
+      fill_in "authentication_devise_user_password", :with => "123456"
+      fill_in "authentication_devise_user_password_confirmation", :with => "123456"
+      click_button "Reset password"
+
+      expect(page).to have_content("Reset password token has expired, please request a new one")
+    end
+  end
+end