rodauth 0.10.0 → 1.0.0

data/spec/close_account_spec.rb

@@ -0,0 +1,162 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth close_account feature' do
+  it "should support closing accounts when passwords are not required" do
+    rodauth do
+      enable :login, :close_account
+      close_account_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view(:content=>"")}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/close-account'
+    click_button 'Close Account'
+    page.current_path.must_equal '/'
+
+    DB[:accounts].select_map(:status_id).must_equal [3]
+  end
+
+  it "should update account information when closing accounts" do
+    statuses = nil
+    rodauth do
+      enable :login, :close_account
+      close_account_requires_password? false
+      after_close_account{statuses = [account[:status_id], account_ds.get(:status_id)]}
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view(:content=>"")}
+    end
+
+    login
+    visit '/close-account'
+    click_button 'Close Account'
+    statuses[0].must_equal 3
+    statuses[1].must_equal 3
+  end
+
+  it "should delete accounts when skip_status_checks? is true" do
+    rodauth do
+      enable :login, :close_account
+      close_account_requires_password? false
+      skip_status_checks? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view(:content=>"")}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/close-account'
+    click_button 'Close Account'
+    page.current_path.must_equal '/'
+
+    DB[:accounts].count.must_equal 0
+  end
+
+  it "should support closing accounts when passwords are required" do
+    rodauth do
+      enable :login, :close_account
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view(:content=>"")}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/close-account'
+    fill_in 'Password', :with=>'012345678'
+    click_button 'Close Account'
+    page.find('#error_flash').text.must_equal "There was an error closing your account"
+    page.html.must_include("invalid password")
+    DB[:accounts].select_map(:status_id).must_equal [2]
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Close Account'
+    page.find('#notice_flash').text.must_equal "Your account has been closed"
+    page.current_path.must_equal '/'
+
+    DB[:accounts].select_map(:status_id).must_equal [3]
+  end
+
+  it "should support closing accounts with overrides" do
+    rodauth do
+      enable :login, :close_account
+      close_account do
+        account_ds.update(:email => 'foo@bar.com', :status_id=>3)
+      end
+      close_account_route 'close'
+      close_account_redirect '/login'
+    end
+    roda do |r|
+      r.rodauth
+      r.root{""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/close'
+    page.title.must_equal 'Close Account'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Close Account'
+    page.find('#notice_flash').text.must_equal "Your account has been closed"
+    page.current_path.must_equal '/login'
+
+    DB[:accounts].select_map(:status_id).must_equal [3]
+    DB[:accounts].select_map(:email).must_equal ['foo@bar.com']
+  end
+
+  it "should close accounts when account_password_hash_column is set" do
+    rodauth do
+      enable :create_account, :close_account
+      close_account_requires_password? false
+      account_password_hash_column :ph
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view(:content=>"")}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple2'
+    fill_in 'Confirm Password', :with=>'apple2'
+    click_button 'Create Account'
+
+    visit '/close-account'
+    click_button 'Close Account'
+    page.current_path.must_equal '/'
+
+    DB[:accounts].reverse(:id).get(:status_id).must_equal 3
+  end
+
+  it "should support closing accounts via jwt" do
+    rodauth do
+      enable :login, :close_account
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    json_login
+
+    res = json_request('/close-account', :password=>'0123456')
+    res.must_equal [400, {'error'=>"There was an error closing your account", "field-error"=>["password", "invalid password"]}]
+    DB[:accounts].select_map(:status_id).must_equal [2]
+
+    res = json_request('/close-account', :password=>'0123456789')
+    res.must_equal [200, {'success'=>"Your account has been closed"}]
+    DB[:accounts].select_map(:status_id).must_equal [3]
+  end
+end

data/spec/confirm_password_spec.rb

@@ -0,0 +1,70 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth confirm password feature' do
+  it "should support confirming passwords" do
+    rodauth do
+      enable :login, :change_login, :confirm_password, :password_grace_period
+      before_change_login_route do
+        unless password_recently_entered?
+          session[:confirm_password_redirect] = request.path_info
+          redirect '/confirm-password'
+        end
+      end
+    end
+    roda do |r|
+      r.rodauth
+      r.get("reset"){session[:last_password_entry] = Time.now.to_i - 400; "a"}
+      view :content=>""
+    end
+
+    login
+
+    visit '/change-login'
+    page.title.must_equal 'Change Login'
+
+    visit '/reset'
+    page.body.must_equal 'a'
+
+    visit '/change-login'
+    page.title.must_equal 'Confirm Password'
+    fill_in 'Password', :with=>'012345678'
+    click_button 'Confirm Password'
+    page.find('#error_flash').text.must_equal "There was an error confirming your password"
+    page.html.must_include("invalid password")
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Confirm Password'
+    page.find('#notice_flash').text.must_equal "Your password has been confirmed"
+
+    fill_in 'Login', :with=>'foo3@example.com'
+    fill_in 'Confirm Login', :with=>'foo3@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+  end
+
+  it "should support confirming passwords via jwt" do
+    rodauth do
+      enable :login, :change_password, :confirm_password, :password_grace_period
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      r.post("reset"){rodauth.send(:set_session_value, :last_password_entry, Time.now.to_i - 400); [1]}
+    end
+
+    json_login
+
+    res = json_request('/change-password', "new-password"=>'0123456', "password-confirm"=>'0123456')
+    res.must_equal [200, {'success'=>"Your password has been changed"}]
+
+    json_request('/reset').must_equal [200, [1]]
+
+    res = json_request('/change-password', "new-password"=>'01234567', "password-confirm"=>'01234567')
+    res.must_equal [400, {"field-error"=>["password", "invalid password"], "error"=>"There was an error changing your password"}]
+
+    res = json_request('/confirm-password', "password"=>'0123456')
+    res.must_equal [200, {'success'=>"Your password has been confirmed"}]
+
+    res = json_request('/change-password', "new-password"=>'01234567', "password-confirm"=>'01234567')
+    res.must_equal [200, {'success'=>"Your password has been changed"}]
+  end
+end

data/spec/create_account_spec.rb

@@ -0,0 +1,127 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth create_account feature' do
+  [false, true].each do |ph|
+    it "should support creating accounts #{'with account_password_hash_column' if ph}" do
+      rodauth do
+        enable :login, :create_account
+        account_password_hash_column :ph if ph
+        create_account_autologin? false
+      end
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>""}
+      end
+
+      visit '/create-account'
+      fill_in 'Login', :with=>'foo@example.com'
+      fill_in 'Confirm Login', :with=>'foo@example.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.html.must_include("invalid login, already an account with this login")
+      page.find('#error_flash').text.must_equal "There was an error creating your account"
+      page.current_path.must_equal '/create-account'
+
+      fill_in 'Login', :with=>'foobar'
+      fill_in 'Confirm Login', :with=>'foobar'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.html.must_include("invalid login, not a valid email address")
+      page.find('#error_flash').text.must_equal "There was an error creating your account"
+      page.current_path.must_equal '/create-account'
+
+      fill_in 'Login', :with=>'foo@example2.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.html.must_include("logins do not match")
+      page.find('#error_flash').text.must_equal "There was an error creating your account"
+      page.current_path.must_equal '/create-account'
+
+      fill_in 'Confirm Login', :with=>'foo@example2.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'012345678'
+      click_button 'Create Account'
+      page.html.must_include("passwords do not match")
+      page.find('#error_flash').text.must_equal "There was an error creating your account"
+      page.current_path.must_equal '/create-account'
+
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.find('#notice_flash').text.must_equal "Your account has been created"
+      page.current_path.must_equal '/'
+
+      login(:login=>'foo@example2.com')
+      page.current_path.must_equal '/'
+    end
+  end
+
+  it "should support creating accounts without login/password confirmation" do
+    rodauth do
+      enable :login, :create_account
+      require_login_confirmation? false
+      require_password_confirmation? false
+      create_account_autologin? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "Your account has been created"
+  end
+
+  it "should support autologin after account creation" do
+    rodauth do
+      enable :create_account
+    end
+    roda do |r|
+      r.rodauth
+      next unless session[:account_id]
+      r.root{view :content=>"Logged In: #{DB[:accounts].where(:id=>session[:account_id]).get(:email)}"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple2'
+    fill_in 'Confirm Password', :with=>'apple2'
+    click_button 'Create Account'
+    page.html.must_include("Logged In: foo2@example.com")
+  end
+
+  it "should support creating accounts via jwt" do
+    rodauth do
+      enable :login, :create_account
+      after_create_account{json_response[:account_id] = account_id}
+      create_account_autologin? false
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    res = json_request('/create-account', :login=>'foo@example.com', "login-confirm"=>'foo@example.com', :password=>'0123456789', "password-confirm"=>'0123456789')
+    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["login", "invalid login, already an account with this login"]}]
+
+    res = json_request('/create-account', :login=>'foobar', "login-confirm"=>'foobar', :password=>'0123456789', "password-confirm"=>'0123456789')
+    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["login", "invalid login, not a valid email address"]}]
+
+    res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foobar', :password=>'0123456789', "password-confirm"=>'0123456789')
+    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["login", "logins do not match"]}]
+
+    res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'012345678', "password-confirm"=>'0123456789')
+    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["password", "passwords do not match"]}]
+
+    res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
+    res.must_equal [200, {'success'=>"Your account has been created", 'account_id'=>DB[:accounts].max(:id)}]
+
+    json_login(:login=>'foo@example2.com')
+  end
+end

data/spec/disallow_password_reuse_spec.rb

@@ -0,0 +1,84 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth disallow_password_reuse feature' do
+  it "should disallow reuse of passwords" do
+    rodauth do
+      enable :login, :change_password, :disallow_password_reuse, :close_account
+      change_password_requires_password? false
+      close_account_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    8.times do |i|
+      visit '/change-password'
+      fill_in 'New Password', :with=>"password#{i}"
+      fill_in 'Confirm Password', :with=>"password#{i}"
+      click_button 'Change Password'
+      page.find('#notice_flash').text.must_equal "Your password has been changed"
+    end
+
+    visit '/change-password'
+
+    (1..6).each do |i|
+      fill_in 'New Password', :with=>"password#{i}"
+      fill_in 'Confirm Password', :with=>"password#{i}"
+      click_button 'Change Password'
+      page.html.must_include("invalid password, does not meet requirements (same as previous password)")
+      page.find('#error_flash').text.must_equal "There was an error changing your password"
+    end
+
+    fill_in 'New Password', :with=>"password7"
+    fill_in 'Confirm Password', :with=>"password7"
+    click_button 'Change Password'
+    page.html.must_include("invalid password, same as current password")
+
+    fill_in 'New Password', :with=>'password0'
+    fill_in 'Confirm Password', :with=>'password0'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+
+    DB[:account_previous_password_hashes].get{count(:id)}.must_equal 7
+    visit '/close-account'
+    click_button 'Close Account'
+    DB[:account_previous_password_hashes].get{count(:id)}.must_equal 0
+  end
+
+  it "should handle create account when account_password_hash_column is true" do
+    rodauth do
+      enable :login, :create_account, :change_password, :disallow_password_reuse
+      account_password_hash_column :ph
+      change_password_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'bar@example.com'
+    fill_in 'Confirm Login', :with=>'bar@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.current_path.must_equal '/'
+    page.find('#notice_flash').text.must_equal "Your account has been created"
+
+    visit '/change-password'
+    fill_in 'New Password', :with=>"012345678"
+    fill_in 'Confirm Password', :with=>"012345678"
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+
+    visit '/change-password'
+    fill_in 'New Password', :with=>"0123456789"
+    fill_in 'Confirm Password', :with=>"0123456789"
+    click_button 'Change Password'
+    page.html.must_include("invalid password, does not meet requirements (same as previous password)")
+  end
+end

data/spec/lockout_spec.rb

@@ -0,0 +1,228 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth lockout feature' do
+  it "should support account lockouts without autologin on unlock" do
+    rodauth do
+      enable :lockout
+      max_invalid_logins 2
+      unlock_account_autologin? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    login(:pass=>'012345678910')
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+
+    login
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.body.must_include("Logged In")
+
+    remove_cookie('rack.session')
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    2.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+      page.find('#error_flash').text.must_equal 'There was an error logging in'
+    end
+
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
+    page.body.must_include("This account is currently locked out")
+    click_button 'Request Account Unlock'
+    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
+
+    link = email_link(/(\/unlock-account\?key=.+)$/)
+    visit link[0...-1]
+    page.find('#error_flash').text.must_equal 'No matching unlock account key'
+
+    visit link
+    click_button 'Unlock Account'
+    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
+    page.body.must_include('Not Logged')
+
+    login
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.body.must_include("Logged In")
+  end
+
+  it "should support account lockouts with autologin and password required on unlock" do
+    rodauth do
+      enable :lockout
+      unlock_account_requires_password? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    100.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+      page.find('#error_flash').text.must_equal 'There was an error logging in'
+    end
+
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
+    page.body.must_include("This account is currently locked out")
+    click_button 'Request Account Unlock'
+    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
+
+    link = email_link(/(\/unlock-account\?key=.+)$/)
+    visit link
+    click_button 'Unlock Account'
+
+    page.find('#error_flash').text.must_equal 'There was an error unlocking your account'
+    page.body.must_include('invalid password')
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Unlock Account'
+
+    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
+    page.body.must_include("Logged In")
+  end
+
+  it "should autounlock after enough time" do
+    rodauth do
+      enable :lockout
+      max_invalid_logins 2
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    2.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+      page.find('#error_flash').text.must_equal 'There was an error logging in'
+    end
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
+    page.body.must_include("This account is currently locked out")
+    DB[:account_lockouts].update(:deadline=>Date.today - 3)
+
+    login
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.body.must_include("Logged In")
+  end
+
+  it "should clear unlock token when closing account" do
+    rodauth do
+      enable :lockout, :close_account
+      max_invalid_logins 2
+    end
+    roda do |r|
+      r.get('b') do
+        session[:account_id] = DB[:accounts].get(:id)
+        'b'
+      end
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    3.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+    end
+    DB[:account_lockouts].count.must_equal 1
+    
+    visit 'b'
+
+    visit '/close-account'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Close Account'
+    DB[:account_lockouts].count.must_equal 0
+  end
+
+  it "should handle uniqueness errors raised when inserting unlock account token" do
+    rodauth do
+      enable :lockout
+      max_invalid_logins 2
+    end
+    roda do |r|
+      def rodauth.raised_uniqueness_violation(*) super; true; end
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
+    page.body.must_include("This account is currently locked out")
+    click_button 'Request Account Unlock'
+    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
+
+    link = email_link(/(\/unlock-account\?key=.+)$/)
+    visit link
+    click_button 'Unlock Account'
+    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
+    page.body.must_include("Logged In")
+  end
+
+  it "should support account lockouts via jwt" do
+    rodauth do
+      enable :logout, :lockout
+      max_invalid_logins 2
+      unlock_account_autologin? false
+      unlock_account_email_body{unlock_account_email_link}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      [rodauth.logged_in? ? "Logged In" : "Not Logged"]
+    end
+
+    res = json_request('/unlock-account-request', :login=>'foo@example.com')
+    res.must_equal [400, {'error'=>"no matching login"}]
+
+    res = json_login(:pass=>'1', :no_check=>true)
+    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+
+    json_login
+    json_logout
+
+    2.times do
+      res = json_login(:pass=>'1', :no_check=>true)
+      res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+    end
+
+    2.times do
+      res = json_login(:pass=>'1', :no_check=>true)
+      res.must_equal [400, {'error'=>"This account is currently locked out and cannot be logged in to."}]
+    end
+
+    res = json_request('/unlock-account')
+    res.must_equal [400, {'error'=>"No matching unlock account key"}]
+
+    res = json_request('/unlock-account-request', :login=>'foo@example.com')
+    res.must_equal [200, {'success'=>"An email has been sent to you with a link to unlock your account"}]
+
+    link = email_link(/key=.+$/)
+    res = json_request('/unlock-account', :key=>link[4...-1])
+    res.must_equal [400, {'error'=>"No matching unlock account key"}]
+
+    res = json_request('/unlock-account', :key=>link[4..-1])
+    res.must_equal [200, {'success'=>"Your account has been unlocked"}]
+
+    res = json_request.must_equal [200, ['Not Logged']]
+
+    json_login
+  end
+end