rodauth 0.10.0 → 1.0.0

data/spec/password_grace_period_spec.rb

@@ -0,0 +1,93 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth password grace period feature' do
+  it "should not ask for password again if password was recently entered" do
+    grace = 300
+    rodauth do
+      enable :login, :change_login, :password_grace_period
+      password_grace_period{grace}
+      require_login_confirmation? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    login
+    page.body.must_include "Logged In"
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo2@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+
+    grace = -1
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo3@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+
+    grace = 300
+    visit '/change-login'
+    grace = -1
+    fill_in 'Login', :with=>'foo4@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_include("invalid password")
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+  end
+
+  it "should not ask for password again directly after creating an account" do
+    rodauth do
+      enable :create_account, :change_login, :password_grace_period
+      require_login_confirmation? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple2'
+    fill_in 'Confirm Password', :with=>'apple2'
+    click_button 'Create Account'
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo3@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+  end
+
+  it "should not ask for password again directly after resetting a password" do
+    rodauth do
+      enable :login, :reset_password, :change_login, :password_grace_period
+      require_login_confirmation? false
+      reset_password_autologin? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    login(:pass=>'01234567')
+    click_button 'Request Password Reset'
+    link = email_link(/(\/reset-password\?key=.+)$/)
+    visit link
+    fill_in 'Password', :with=>'0123456'
+    fill_in 'Confirm Password', :with=>'0123456'
+    click_button 'Reset Password'
+    page.find('#notice_flash').text.must_equal "Your password has been reset"
+    page.current_path.must_equal '/'
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo2@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+  end
+end
+

data/spec/remember_spec.rb

@@ -0,0 +1,424 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth remember feature' do
+  it "should support login via remember token" do
+    rodauth do
+      enable :login, :remember
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root do
+        if rodauth.logged_in?
+          if rodauth.logged_in_via_remember_key?
+            view :content=>"Logged In via Remember"
+          else
+            view :content=>"Logged In Normally"
+          end
+        else
+          view :content=>"Not Logged In"
+        end
+      end
+    end
+
+    login
+    page.body.must_include 'Logged In Normally'
+
+    visit '/load'
+    page.body.must_include 'Logged In Normally'
+
+    visit '/remember'
+    click_button 'Change Remember Setting'
+    page.find('#error_flash').text.must_equal "There was an error updating your remember setting"
+
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.find('#notice_flash').text.must_equal "Your remember setting has been updated"
+    page.body.must_include 'Logged In Normally'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_include 'Not Logged In'
+
+    visit '/load'
+    page.body.must_include 'Logged In via Remember'
+
+    key = get_cookie('_remember')
+    visit '/remember'
+    choose 'Forget Me'
+    click_button 'Change Remember Setting'
+    page.body.must_include 'Logged In via Remember'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_include 'Not Logged In'
+
+    visit '/load'
+    page.body.must_include 'Not Logged In'
+
+    set_cookie('_remember', key)
+    visit '/load'
+    page.body.must_include 'Logged In via Remember'
+
+    visit '/remember'
+    choose 'Disable Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_include 'Logged In via Remember'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_include 'Not Logged In'
+
+    set_cookie('_remember', key)
+    visit '/load'
+    page.body.must_include 'Not Logged In'
+  end
+
+  it "should forget remember token when explicitly logging out" do
+    rodauth do
+      enable :login, :logout, :remember
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
+    end
+
+    login
+    page.body.must_equal 'Logged In'
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged In'
+
+    logout
+
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    visit '/load'
+    page.body.must_equal 'Not Logged In'
+  end
+
+  it "should remove cookie if cookie is no longer valid" do
+    rodauth do
+      enable :login, :remember
+      skip_status_checks? false
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root do
+        if rodauth.logged_in?
+          if rodauth.logged_in_via_remember_key?
+            view :content=>"Logged In via Remember"
+          else
+            view :content=>"Logged In Normally"
+          end
+        else
+          view :content=>"Not Logged In"
+        end
+      end
+    end
+
+    login
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_include 'Logged In Normally'
+
+    cookie = get_cookie('_remember')
+    remove_cookie('rack.session')
+
+    rk = DB[:account_remember_keys].first
+    DB[:account_remember_keys].update(:key=>rk[:key][0...-1])
+    visit '/load'
+    page.body.must_include 'Not Logged In'
+    get_cookie('_remember').must_equal ""
+
+    DB[:account_remember_keys].delete
+    set_cookie('_remember', cookie)
+    visit '/load'
+    page.body.must_include 'Not Logged In'
+    get_cookie('_remember').must_equal ""
+
+    DB[:account_remember_keys].insert(rk)
+    DB[:accounts].update(:status_id=>3)
+    set_cookie('_remember', cookie)
+    visit '/load'
+    page.body.must_include 'Not Logged In'
+    get_cookie('_remember').must_equal ""
+    DB[:account_remember_keys].must_be :empty?
+  end
+
+  it "should support clearing remembered flag" do
+    rodauth do
+      enable :login, :remember
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root do
+        if rodauth.logged_in?
+          if rodauth.logged_in_via_remember_key?
+            view :content=>"Logged In via Remember"
+          else
+            view :content=>"Logged In Normally"
+          end
+        else
+          view :content=>"Not Logged In"
+        end
+      end
+    end
+
+    login
+    page.body.must_include 'Logged In Normally'
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_include 'Logged In Normally'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_include 'Not Logged In'
+
+    visit '/load'
+    page.body.must_include 'Logged In via Remember'
+
+    visit '/confirm-password'
+    fill_in 'Password', :with=>'012345678'
+    click_button 'Confirm Password'
+    page.find('#error_flash').text.must_equal "There was an error confirming your password"
+    page.html.must_include("invalid password")
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Confirm Password'
+    page.find('#notice_flash').text.must_equal "Your password has been confirmed"
+    page.body.must_include 'Logged In Normally'
+  end
+
+  it "should support extending remember token" do
+    rodauth do
+      enable :login, :remember
+      extend_remember_deadline? true
+      remember_period :days=>30
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
+    end
+
+    login
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    deadline = DB[:account_remember_keys].get(:deadline)
+    deadline = Time.parse(deadline) if deadline.is_a?(String)
+    deadline.must_be(:<, Time.now + 15*86400)
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    old_expiration = page.driver.browser.rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.expires
+    visit '/load'
+    page.body.must_equal 'Logged Intrue'
+    new_expiration = page.driver.browser.rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.expires
+    new_expiration.must_be :>=, old_expiration
+    deadline = DB[:account_remember_keys].get(:deadline)
+    deadline = Time.parse(deadline) if deadline.is_a?(String)
+    deadline.must_be(:>, Time.now + 29*86400)
+  end
+
+  it "should clear remember token when closing account" do
+    rodauth do
+      enable :login, :remember, :close_account
+    end
+    roda do |r|
+      r.rodauth
+      rodauth.load_memory
+      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
+    end
+
+    login
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    DB[:account_remember_keys].count.must_equal 1
+
+    visit '/close-account'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Close Account'
+    DB[:account_remember_keys].count.must_equal 0
+  end
+
+  it "should not use remember token if the account is not open" do
+    rodauth do
+      enable :login, :remember
+      skip_status_checks? false
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root do
+        if rodauth.logged_in?
+          if rodauth.logged_in_via_remember_key?
+            "Logged In via Remember"
+          else
+            "Logged In Normally"
+          end
+        else
+          "Not Logged In"
+        end
+      end
+    end
+
+    login
+    page.body.must_equal 'Logged In Normally'
+
+    visit '/load'
+    page.body.must_equal 'Logged In Normally'
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged In Normally'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    DB[:accounts].update(:status_id=>3)
+
+    visit '/load'
+    page.body.must_equal 'Not Logged In'
+  end
+
+  it "should handle uniqueness errors raised when inserting remember token" do
+    rodauth do
+      enable :login, :remember
+    end
+    roda do |r|
+      def rodauth.raised_uniqueness_violation(*) super; true; end
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root do
+        if rodauth.logged_in?
+          if rodauth.logged_in_via_remember_key?
+            "Logged In via Remember"
+          else
+            "Logged In Normally"
+          end
+        else
+          "Not Logged In"
+        end
+      end
+    end
+
+    login
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged In Normally'
+  end
+
+  it "should support login via remember token via jwt" do
+    rodauth do
+      enable :login, :remember
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+
+      r.post 'load' do
+        rodauth.load_memory
+        [4]
+      end
+
+      if rodauth.logged_in?
+        if rodauth.logged_in_via_remember_key?
+          [1]
+        else
+          [2]
+        end
+      else
+        [3]
+      end
+    end
+
+    json_request.must_equal [200, [3]]
+    json_login
+    json_request.must_equal [200, [2]]
+
+    json_request('/load').must_equal [200, [4]]
+    json_request.must_equal [200, [2]]
+
+    res = json_request('/remember', :remember=>'remember')
+    res.must_equal [200, {'success'=>"Your remember setting has been updated"}]
+
+    @authorization = nil
+    json_request.must_equal [200, [3]]
+    json_request('/load').must_equal [200, [4]]
+    json_request.must_equal [200, [1]]
+
+    cookie = @cookie
+    res = json_request('/remember', :remember=>'forget')
+    res.must_equal [200, {'success'=>"Your remember setting has been updated"}]
+    json_request.must_equal [200, [1]]
+
+    @cookie = nil
+    @authorization = nil
+    json_request.must_equal [200, [3]]
+
+    json_request('/load').must_equal [200, [4]]
+    json_request.must_equal [200, [3]]
+
+    @cookie = cookie
+    json_request('/load').must_equal [200, [4]]
+    json_request.must_equal [200, [1]]
+
+    res = json_request('/confirm-password', :password=>'123456')
+    res.must_equal [400, {'error'=>"There was an error confirming your password", "field-error"=>["password", "invalid password"]}]
+
+    res = json_request('/confirm-password', :password=>'0123456789')
+    res.must_equal [200, {'success'=>"Your password has been confirmed"}]
+    json_request.must_equal [200, [2]]
+
+    res = json_request('/remember', :remember=>'disable')
+    res.must_equal [200, {'success'=>"Your remember setting has been updated"}]
+
+    @authorization = nil
+    @cookie = nil
+    json_request.must_equal [200, [3]]
+
+    @cookie = cookie
+    json_request('/load').must_equal [200, [4]]
+    json_request.must_equal [200, [3]]
+  end
+end