rodauth 1.20.0 → 2.1.0

data/spec/http_basic_auth_spec.rb

@@ -1,143 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe "Rodauth http basic auth feature" do
-  def basic_auth_visit(opts={})
-    page.driver.browser.basic_authorize(opts.fetch(:username,"foo@example.com"), opts.fetch(:password, "0123456789"))
-    visit(opts.fetch(:path, '/'))
-  end
-
-  def authorization_header(opts={})
-    ["#{opts.delete(:username)||'foo@example.com'}:#{opts.delete(:password)||'0123456789'}"].pack("m*")
-  end
-
-  def basic_auth_json_request(opts={})
-    auth = opts.delete(:auth) || authorization_header(opts)
-    path = opts.delete(:path) || '/'
-    json_request(path, opts.merge(:headers => {"HTTP_AUTHORIZATION" => "Basic #{auth}"}, :method=>'GET'))
-  end
-
-  def newline_basic_auth_json_request(opts={})
-    auth = opts.delete(:auth) || authorization_header(opts)
-    auth.chomp!
-    basic_auth_json_request(opts.merge(:auth => auth))
-  end
-
-  describe "on page visit" do
-    before do
-      rodauth do
-        enable :http_basic_auth
-      end
-      roda do |r|
-        r.rodauth
-        r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-      end
-    end
-
-    it "handles logins" do
-      basic_auth_visit
-      page.text.must_include "Logged In"
-    end
-
-    it "keeps the user logged in" do
-      visit '/'
-      page.text.must_include "Not Logged"
-
-      basic_auth_visit
-      page.text.must_include "Logged In"
-
-      visit '/'
-      page.text.must_include "Logged In"
-    end
-
-    it "fails when no login is found" do
-      basic_auth_visit(:username => "foo2@example.com")
-      page.text.must_include "Not Logged"
-      page.response_headers.keys.must_include("WWW-Authenticate")
-    end
-
-    it "fails when passowrd does not match" do
-      basic_auth_visit(:password => "1111111111")
-      page.text.must_include "Not Logged"
-      page.response_headers.keys.must_include("WWW-Authenticate")
-    end
-  end
-
-  it "requires authentication if require_http_basic_auth is true" do
-    rodauth do
-      enable :http_basic_auth
-      require_http_basic_auth true
-    end
-    roda do |r|
-      rodauth.require_authentication
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-    end
-
-    visit '/'
-    page.status_code.must_equal 401
-    page.response_headers.keys.must_include("WWW-Authenticate")
-
-    basic_auth_visit
-    page.text.must_include "Logged In"
-  end
-
-  it "works with standard authentication" do
-    rodauth do
-      enable :login, :http_basic_auth
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-    end
-
-    login
-    page.text.must_include "Logged In"
-  end
-
-  it "does not allow login to unverified account" do
-    rodauth do
-      enable :http_basic_auth
-      skip_status_checks? false
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-    end
-    DB[:accounts].update(:status_id=>1)
-
-    basic_auth_visit
-    page.text.must_include "Not Logged"
-    page.response_headers.keys.must_include("WWW-Authenticate")
-  end
-
-  it "should login via jwt" do
-    rodauth do
-      enable :http_basic_auth
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      response['Content-Type'] = 'application/json'
-      rodauth.require_authentication
-      {"success"=>'You have been logged in'}
-    end
-
-    @authorization = nil
-    res = basic_auth_json_request(:auth=>'.')
-    res.must_equal [401, {'error'=>"Please login to continue"}]
-
-    @authorization = nil
-    res = basic_auth_json_request(:username=>'foo@example2.com')
-    res.must_equal [401, {'error'=>"Please login to continue", "field-error"=>["login", "no matching login"]}]
-
-    @authorization = nil
-    res = basic_auth_json_request(:password=>'012345678')
-    res.must_equal [401, {'error'=>"Please login to continue", "field-error"=>["password", "invalid password"]}]
-
-    @authorization = nil
-    res = newline_basic_auth_json_request
-    res.must_equal [200, {"success"=>'You have been logged in'}]
-
-    @authorization = nil
-    res = basic_auth_json_request
-    res.must_equal [200, {"success"=>'You have been logged in'}]
-  end
-end

data/spec/jwt_refresh_spec.rb

@@ -1,256 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth login feature' do
-  it "should not have jwt refresh feature assume JWT token given during Basic/Digest authentication" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-    end
-    roda(:jwt) do |r|
-      rodauth.require_authentication
-      '1'
-    end
-
-    res = json_request("/jwt-refresh", :headers=>{'HTTP_AUTHORIZATION'=>'Basic foo'})
-    res.must_equal [401, {'error'=>'Please login to continue'}]
-
-    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Digest foo'})
-    res.must_equal [401, {'error'=>'Please login to continue'}]
-  end
-
-  it "should require json request content type in only json mode for rodauth endpoints only" do
-    oj = false
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      json_response_success_key 'success'
-      only_json?{oj}
-    end
-    roda(:csrf=>false, :json=>true) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      '1'
-    end
-
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    res[1].delete('Set-Cookie')
-    res.must_equal [302, {"Content-Type"=>'text/html', "Content-Length"=>'0', "Location"=>"/login",}, []]
-
-    res = json_request("/", :content_type=>'application/vnd.api+json', :method=>'GET')
-    res.must_equal [400, ['{"error":"Please login to continue"}']]
-
-    oj = true
-
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :method=>'GET')
-    res.must_equal [400, ['{"error":"Please login to continue"}']]
-
-    res = json_request("/", :method=>'GET')
-    res.must_equal [400, {'error'=>'Please login to continue'}]
-
-    res = json_request("/login", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    msg = "Only JSON format requests are allowed"
-    res[1].delete('Set-Cookie')
-    res.must_equal [400, {"Content-Type"=>'text/html', "Content-Length"=>msg.length.to_s}, [msg]]
-
-    jwt_refresh_login
-
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    # res.must_equal [200, {"Content-Type"=>'text/html', "Content-Length"=>'1'}, ['1']]
-  end
-
-  it "should allow non-json requests if only_json? is false" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      only_json? false
-    end
-    roda(:jwt_html) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      view(:content=>'1')
-    end
-
-    login
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-  end
-
-  it "should require POST for json requests" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      json_response_success_key 'success'
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-
-    res = json_request("/login", :method=>'GET')
-    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
-  end
-
-  it "should require Accept contain application/json if jwt_check_accept? is true and Accept is present" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      json_response_success_key 'success'
-      jwt_check_accept? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-
-    res = json_request("/login", :headers=>{'HTTP_ACCEPT'=>'text/html'})
-    res.must_equal [406, {'error'=>'Unsupported Accept header. Must accept "application/json" or compatible content type'}]
-
-    jwt_refresh_validate_login(json_request("/login", :login=>'foo@example.com', :password=>'0123456789'))
-    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'*/*'}, :login=>'foo@example.com', :password=>'0123456789'))
-    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/*'}, :login=>'foo@example.com', :password=>'0123456789'))
-    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/vnd.api+json'}, :login=>'foo@example.com', :password=>'0123456789'))
-  end
-
-  it "should clear jwt refresh token when closing account" do
-    rodauth do
-      enable :login, :jwt_refresh, :close_account
-      jwt_secret '1'
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      response['Content-Type'] = 'application/json'
-      {'hello' => 'world'}.to_json
-    end
-
-    jwt_refresh_login
-
-    DB[:account_jwt_refresh_keys].count.must_equal 1
-    res = json_request('/close-account', :password=>'0123456789')
-    res[1].delete('access_token').must_be_kind_of(String)
-    res.must_equal [200, {'success'=>"Your account has been closed"}]
-    DB[:account_jwt_refresh_keys].count.must_equal 0
-  end
-
-
-  it "should set refresh tokens when creating accounts when using autologin" do
-    rodauth do
-      enable :login, :create_account, :jwt_refresh
-      after_create_account{json_response[:account_id] = account_id}
-      create_account_autologin? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      response['Content-Type'] = 'application/json'
-      {'hello' => 'world'}.to_json
-    end
-
-    res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
-    refresh_token = res.last.delete('refresh_token')
-    @authorization = res.last.delete('access_token')
-    res.must_equal [200, {'success'=>"Your account has been created", 'account_id'=>DB[:accounts].max(:id)}]
-
-    res = json_request("/")
-    res.must_equal [200, {'hello'=>'world'}]
-
-    # We can refresh our token
-    res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
-    jwt_refresh_validate(res)
-    @authorization = res.last.delete('access_token')
-
-    # Which we can use to access protected resources
-    res = json_request("/")
-    res.must_equal [200, {'hello'=>'world'}]
-  end
-
-  [false, true].each do |hs|
-    it "generates and refreshes Refresh Tokens #{'with hmac_secret' if hs}" do
-      initial_secret = secret = SecureRandom.random_bytes(32) if hs
-      rodauth do
-        enable :login, :logout, :jwt_refresh
-        hmac_secret{secret} if hs
-        jwt_secret '1'
-      end
-      roda(:jwt) do |r|
-        r.rodauth
-        rodauth.require_authentication
-        response['Content-Type'] = 'application/json'
-        {'hello' => 'world'}.to_json
-      end
-      res = json_request("/")
-      res.must_equal [401, {'error'=>'Please login to continue'}]
-
-      # We can login
-      res = jwt_refresh_login
-      refresh_token = res.last['refresh_token']
-
-      # Which gives us an access token which grants us access to protected resources
-      @authorization = res.last['access_token']
-      res = json_request("/")
-      res.must_equal [200, {'hello'=>'world'}]
-
-      # We can refresh our token
-      res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
-      jwt_refresh_validate(res)
-      second_refresh_token = res.last['refresh_token']
-
-      # Which we can use to access protected resources
-      @authorization = res.last['access_token']
-      res = json_request("/")
-      res.must_equal [200, {'hello'=>'world'}]
-
-      # Subsequent refresh token is valid
-      res = json_request("/jwt-refresh", :refresh_token=>second_refresh_token)
-      jwt_refresh_validate(res)
-      third_refresh_token = res.last['refresh_token']
-
-      # First refresh token is now no longer valid
-      res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
-      res.must_equal [400, {"error"=>"invalid JWT refresh token"}]
-
-      # Third refresh token is valid
-      res = json_request("/jwt-refresh", :refresh_token=>third_refresh_token)
-      jwt_refresh_validate(res)
-      fourth_refresh_token = res.last['refresh_token']
-
-      # And still gives us a valid access token
-      @authorization = res.last['access_token']
-      res = json_request("/")
-      res.must_equal [200, {'hello'=>'world'}]
-
-      if hs
-        # Refresh secret doesn't work if hmac_secret changed
-        secret = SecureRandom.random_bytes(32)
-        res = json_request("/jwt-refresh", :refresh_token=>fourth_refresh_token)
-        res.first.must_equal 400
-        res.must_equal [400, {'error'=>'invalid JWT refresh token'}]
-
-        # Refresh secret works if hmac_secret changed back
-        secret = initial_secret
-        res = json_request("/jwt-refresh", :refresh_token=>fourth_refresh_token)
-        jwt_refresh_validate(res)
-
-        # And still gives us a valid access token
-        @authorization = res.last['access_token']
-        res = json_request("/")
-        res.must_equal [200, {'hello'=>'world'}]
-      end
-    end
-  end
-
-  it "should not return access_token for failed login attempt" do
-    rodauth do
-      enable :login, :create_account, :jwt_refresh
-      after_create_account{json_response[:account_id] = account_id}
-      create_account_autologin? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      response['Content-Type'] = 'application/json'
-      {'hello' => 'world'}.to_json
-    end
-
-    json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
-
-    res = json_request('/login', :login=>'foo@example2.com', :password=>'123123')
-    res.must_equal [401, {"field-error"=>['password', 'invalid password'], "error"=>"There was an error logging in"}]
-  end
-end

data/spec/jwt_spec.rb

@@ -1,235 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth login feature' do
-  it "should not have jwt feature assume JWT token given during Basic/Digest authentication" do
-    rodauth do
-      enable :login, :logout
-    end
-    roda(:jwt) do |r|
-      rodauth.require_authentication
-      '1'
-    end
-
-    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Basic foo'})
-    res.must_equal [401, {'error'=>'Please login to continue'}]
-
-    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Digest foo'})
-    res.must_equal [401, {'error'=>'Please login to continue'}]
-  end
-
-  it "should return error message if invalid JWT format used in request Authorization header" do
-    rodauth do
-      enable :login, :logout
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      '1'
-    end
-
-    res = json_request('/login', :include_headers=>true, :login=>'foo@example.com', :password=>'0123456789')
-
-    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>res[1]['Authorization'][1..-1]})
-    res.must_equal [400, {'error'=>'invalid JWT format or claim in Authorization header'}]
-  end
-
-  it "should use custom JSON error statuses even if the request isn't in JSON format if a JWT is in use" do
-    rodauth do
-      only_json? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      '1'
-    end
-
-    status, headers, body = json_request("/", :headers=>{'CONTENT_TYPE'=>'text/html'}, :include_headers=>true)
-    status.must_equal 401
-    headers['Content-Type'].must_equal 'application/json'
-    JSON.parse(body.join).must_equal("error"=>"Please login to continue")
-  end
-
-  it "should require json request content type in only json mode for rodauth endpoints only" do
-    oj = false
-    rodauth do
-      enable :login, :logout, :jwt
-      jwt_secret '1'
-      json_response_success_key 'success'
-      only_json?{oj}
-    end
-    roda(:csrf=>false, :json=>true) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      '1'
-    end
-
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    res[1].delete('Set-Cookie')
-    res.must_equal [302, {"Content-Type"=>'text/html', "Content-Length"=>'0', "Location"=>"/login",}, []]
-
-    res = json_request("/", :content_type=>'application/vnd.api+json', :method=>'GET')
-    res.must_equal [400, ['{"error":"Please login to continue"}']]
-
-    oj = true
-
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :method=>'GET')
-    res.must_equal [400, ['{"error":"Please login to continue"}']]
-
-    res = json_request("/", :method=>'GET')
-    res.must_equal [400, {'error'=>'Please login to continue'}]
-
-    res = json_request("/login", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    msg = "Only JSON format requests are allowed"
-    res[1].delete('Set-Cookie')
-    res.must_equal [400, {"Content-Type"=>'text/html', "Content-Length"=>msg.length.to_s}, [msg]]
-
-    json_login
-
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    res.must_equal [200, {"Content-Type"=>'text/html', "Content-Length"=>'1'}, ['1']]
-  end
-
-  it "should allow non-json requests if only_json? is false" do
-    rodauth do
-      enable :login, :logout, :jwt
-      jwt_secret '1'
-      only_json? false
-    end
-    roda(:jwt_html) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      view(:content=>'1')
-    end
-
-    login
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-  end
-
-  it "should require POST for json requests" do
-    rodauth do
-      enable :login, :logout, :jwt
-      jwt_secret '1'
-      json_response_success_key 'success'
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-
-    res = json_request("/login", :method=>'GET')
-    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
-  end
-
-  it "should allow customizing JSON response bodies" do
-    rodauth do
-      enable :login, :logout, :jwt
-      json_response_body do |hash|
-        super('status'=>response.status, 'detail'=>hash)
-      end
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-
-    res = json_request("/login", :method=>'GET')
-    res.must_equal [405, {'status'=>405, 'detail'=>{'error'=>'non-POST method used in JSON API'}}]
-  end
-
-  it "should support valid_jwt? method for checking for valid JWT tokens" do
-    rodauth do
-      enable :login, :logout, :jwt
-      jwt_secret '1'
-      json_response_success_key 'success'
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      [rodauth.valid_jwt?.to_s]
-    end
-
-    res = json_request("/", :method=>'GET')
-    res.must_equal [200, ['false']]
-
-    res = json_request("/login", :method=>'GET')
-    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
-
-    res = json_request("/", :method=>'GET')
-    res.must_equal [200, ['true']]
-  end
-
-  it "should require Accept contain application/json if jwt_check_accept? is true and Accept is present" do
-    rodauth do
-      enable :login, :logout, :jwt
-      jwt_secret '1'
-      json_response_success_key 'success'
-      jwt_check_accept? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-
-    res = json_request("/login", :headers=>{'HTTP_ACCEPT'=>'text/html'})
-    res.must_equal [406, {'error'=>'Unsupported Accept header. Must accept "application/json" or compatible content type'}]
-
-    json_request("/login", :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
-    json_request("/login", :headers=>{'HTTP_ACCEPT'=>'*/*'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
-    json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/*'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
-    json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/vnd.api+json'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
-  end
-
-  it "generates and verifies JWTs with claims" do
-    invalid_jti = false
-
-    rodauth do
-      enable :login, :logout, :jwt
-      jwt_secret '1'
-      json_response_success_key 'success'
-      jwt_session_key 'data'
-      jwt_symbolize_deeply? true
-      jwt_session_hash do
-        h = super()
-        h['data']['foo'] = {:bar=>[1]}
-        h.merge(
-          :aud => %w[Young Old],
-          :exp => Time.now.to_i + 120,
-          :iat => Time.now.to_i,
-          :iss => "Foobar, Inc.",
-          :jti => SecureRandom.hex(10),
-          :nbf => Time.now.to_i - 30,
-          :sub => session_value
-        )
-      end
-      jwt_decode_opts(
-        :aud => 'Old',
-        :iss => "Foobar, Inc.",
-        :leeway => 30,
-        :verify_aud => true,
-        :verify_expiration => true,
-        :verify_iat => true,
-        :verify_iss => true,
-        :verify_jti => proc{|jti| invalid_jti ? false : !!jti},
-        :verify_not_before => true
-      )
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      r.post{rodauth.session[:foo][:bar]}
-    end
-
-    json_login.must_equal [200, {"success"=>'You have been logged in'}]
-
-    payload = JWT.decode(@authorization, nil, false)[0]
-    payload['sub'].must_equal payload['data']['account_id']
-    payload['iat'].must_be_kind_of Integer
-    payload['exp'].must_be_kind_of Integer
-    payload['nbf'].must_be_kind_of Integer
-    payload['iss'].must_equal "Foobar, Inc."
-    payload['aud'].must_equal %w[Young Old]
-    payload['jti'].must_match(/^[0-9a-f]{20}$/)
-
-    json_request.must_equal [200, [1]]
-
-    invalid_jti = true
-    if RUBY_VERSION >= '1.9'
-      json_login(:no_check=>true).must_equal [400, {"error"=>'invalid JWT format or claim in Authorization header'}]
-    end
-  end
-end