rodauth 1.20.0 → 2.1.0

data/spec/password_expiration_spec.rb

@@ -1,244 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth password expiration feature' do
-  it "should force password changes after x number of days" do
-    rodauth do
-      enable :login, :logout, :change_password, :reset_password, :password_expiration
-      allow_password_change_after 1000
-      change_password_requires_password? false
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.require_current_password if rodauth.logged_in?
-      r.root{view :content=>""}
-    end
-
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    link = email_link(/(\/reset-password\?key=.+)$/)
-
-    visit link
-    page.current_path.must_equal '/reset-password'
-
-    login
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    fill_in 'New Password', :with=>'banana'
-    fill_in 'Confirm Password', :with=>'banana'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-
-    logout
-
-    visit link
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
-
-    visit link
-    page.current_path.must_equal '/reset-password'
-
-    login(:pass=>'banana')
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    page.current_path.must_equal '/change-password'
-
-    logout
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 91*86400)
-
-    login(:pass=>'banana')
-    page.current_path.must_equal '/change-password'
-    page.find('#error_flash').text.must_equal "Your password has expired and needs to be changed"
-
-    visit '/foo'
-    page.current_path.must_equal '/change-password'
-    page.find('#error_flash').text.must_equal "Your password has expired and needs to be changed"
-
-    fill_in 'New Password', :with=>'banana2'
-    fill_in 'Confirm Password', :with=>'banana2'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-
-    logout
-
-    visit link
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-  end
-
-  it "should update password changed at when creating accounts" do
-    rodauth do
-      enable :login, :change_password, :password_expiration
-      password_expiration_default true
-      change_password_requires_password? false
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.require_current_password
-      r.root{view :content=>""}
-    end
-
-    login
-    page.current_path.must_equal '/change-password'
-
-    visit '/'
-    page.current_path.must_equal '/change-password'
-    fill_in 'New Password', :with=>'banana'
-    fill_in 'Confirm Password', :with=>'banana'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-  end
-
-  it "should update password changed at when creating accounts" do
-    rodauth do
-      enable :login, :create_account, :password_expiration
-      allow_password_change_after 1000
-      account_password_hash_column :ph
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    visit '/create-account'
-    fill_in 'Login', :with=>'foo2@example.com'
-    fill_in 'Confirm Login', :with=>'foo2@example.com'
-    fill_in 'Password', :with=>'apple2'
-    fill_in 'Confirm Password', :with=>'apple2'
-    click_button 'Create Account'
-
-    visit '/change-password'
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-  end
-
-  it "should remove password expiration data when closing accounts" do
-    rodauth do
-      enable :create_account, :close_account, :password_expiration
-      close_account_requires_password? false
-      create_account_autologin? true
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    visit '/create-account'
-    fill_in 'Login', :with=>'foo2@example.com'
-    fill_in 'Confirm Login', :with=>'foo2@example.com'
-    fill_in 'Password', :with=>'apple2'
-    fill_in 'Confirm Password', :with=>'apple2'
-    click_button 'Create Account'
-
-    DB[:account_password_change_times].count.must_equal 1
-    visit '/close-account'
-    click_button 'Close Account'
-    DB[:account_password_change_times].count.must_equal 0
-  end
-
-  it "should handle the case where the password is expired while the user has logged in" do
-    rodauth do
-      enable :login, :change_password, :password_expiration
-      password_expiration_default true
-      allow_password_change_after(-1000)
-      change_password_requires_password? false
-      require_password_change_after 3600
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.require_current_password
-      r.get("expire", :d){|d| session[:password_changed_at] = Time.now.to_i - d.to_i; r.redirect '/'}
-      r.root{view :content=>""}
-    end
-
-    login
-    page.current_path.must_equal '/change-password'
-
-    visit '/'
-    page.current_path.must_equal '/change-password'
-    fill_in 'New Password', :with=>'banana'
-    fill_in 'Confirm Password', :with=>'banana'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-
-    visit "/expire/90"
-    page.current_path.must_equal '/'
-
-    visit "/expire/7200"
-    page.current_path.must_equal '/change-password'
-  end
-
-  it "should force password changes via jwt" do
-    rodauth do
-      enable :login, :logout, :change_password, :reset_password, :password_expiration
-      allow_password_change_after 1000
-      change_password_requires_password? false
-      reset_password_email_body{reset_password_email_link}
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_current_password
-      if rodauth.authenticated?
-        [1]
-      else
-        [2]
-      end
-    end
-
-    json_request.must_equal [200, [2]]
-
-    res = json_request('/reset-password-request', :login=>'foo@example.com')
-    res.must_equal [200, {"success"=>"An email has been sent to you with a link to reset the password for your account"}]
-    link = email_link(/key=.+$/)
-
-    json_login
-
-    res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456', "password-confirm"=>'0123456')
-    res.must_equal [200, {'success'=>"Your password has been changed"}]
-
-    json_request.must_equal [200, [1]]
-
-    res = json_request('/change-password', :password=>'0123456', "new-password"=>'01234567', "password-confirm"=>'01234567')
-    res.must_equal [400, {'error'=>"Your password cannot be changed yet"}]
-
-    json_logout
-
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'01234567', "password-confirm"=>'01234567')
-    res.must_equal [400, {'error'=>"Your password cannot be changed yet"}]
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'01234567', "password-confirm"=>'01234567')
-    res.must_equal [200, {"success"=>"Your password has been reset"}]
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
-    json_login(:pass=>'01234567')
-    res = json_request('/change-password', :password=>'01234567', "new-password"=>'012345678', "password-confirm"=>'012345678')
-    res.must_equal [200, {'success'=>"Your password has been changed"}]
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 91*86400)
-
-    json_logout
-    json_request.must_equal [200, [2]]
-
-    res = json_login(:pass=>'012345678', :no_check=>true)
-    res.must_equal [400, {'error'=>"Your password has expired and needs to be changed"}]
-    json_request.must_equal [400, {'error'=>"Your password has expired and needs to be changed"}]
-
-    res = json_request('/change-password', :password=>'012345678', "new-password"=>'012345678a', "password-confirm"=>'012345678a')
-    res.must_equal [200, {'success'=>"Your password has been changed"}]
-
-    json_request.must_equal [200, [1]]
-  end
-end

data/spec/password_grace_period_spec.rb

@@ -1,93 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth password grace period feature' do
-  it "should not ask for password again if password was recently entered" do
-    grace = 300
-    rodauth do
-      enable :login, :change_login, :password_grace_period
-      password_grace_period{grace}
-      require_login_confirmation? false
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-
-    login
-    page.body.must_include "Logged In"
-
-    visit '/change-login'
-    fill_in 'Login', :with=>'foo2@example.com'
-    click_button 'Change Login'
-    page.find('#notice_flash').text.must_equal "Your login has been changed"
-
-    grace = -1
-    visit '/change-login'
-    fill_in 'Login', :with=>'foo3@example.com'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Change Login'
-    page.find('#notice_flash').text.must_equal "Your login has been changed"
-
-    grace = 300
-    visit '/change-login'
-    grace = -1
-    fill_in 'Login', :with=>'foo4@example.com'
-    click_button 'Change Login'
-    page.find('#error_flash').text.must_equal "There was an error changing your login"
-    page.html.must_include("invalid password")
-
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Change Login'
-    page.find('#notice_flash').text.must_equal "Your login has been changed"
-  end
-
-  it "should not ask for password again directly after creating an account" do
-    rodauth do
-      enable :create_account, :change_login, :password_grace_period
-      require_login_confirmation? false
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-
-    visit '/create-account'
-    fill_in 'Login', :with=>'foo2@example.com'
-    fill_in 'Password', :with=>'apple2'
-    fill_in 'Confirm Password', :with=>'apple2'
-    click_button 'Create Account'
-
-    visit '/change-login'
-    fill_in 'Login', :with=>'foo3@example.com'
-    click_button 'Change Login'
-    page.find('#notice_flash').text.must_equal "Your login has been changed"
-  end
-
-  it "should not ask for password again directly after resetting a password" do
-    rodauth do
-      enable :login, :reset_password, :change_login, :password_grace_period
-      require_login_confirmation? false
-      reset_password_autologin? true
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    link = email_link(/(\/reset-password\?key=.+)$/)
-    visit link
-    fill_in 'Password', :with=>'0123456'
-    fill_in 'Confirm Password', :with=>'0123456'
-    click_button 'Reset Password'
-    page.find('#notice_flash').text.must_equal "Your password has been reset"
-    page.current_path.must_equal '/'
-
-    visit '/change-login'
-    fill_in 'Login', :with=>'foo2@example.com'
-    click_button 'Change Login'
-    page.find('#notice_flash').text.must_equal "Your login has been changed"
-  end
-end
-

data/spec/remember_spec.rb

@@ -1,451 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth remember feature' do
-  it "should support login via remember token" do
-    secret = nil
-    raw_before = Time.now - 100000000
-    rodauth do
-      enable :login, :remember
-      hmac_secret{secret}
-      raw_remember_token_deadline{raw_before}
-    end
-    roda do |r|
-      r.rodauth
-      r.get 'load' do
-        rodauth.load_memory
-        r.redirect '/'
-      end
-      r.root do
-        if rodauth.logged_in?
-          if rodauth.logged_in_via_remember_key?
-            view :content=>"Logged In via Remember"
-          else
-            view :content=>"Logged In Normally"
-          end
-        else
-          view :content=>"Not Logged In"
-        end
-      end
-    end
-
-    login
-    page.body.must_include 'Logged In Normally'
-
-    visit '/load'
-    page.body.must_include 'Logged In Normally'
-
-    visit '/remember'
-    click_button 'Change Remember Setting'
-    page.find('#error_flash').text.must_equal "There was an error updating your remember setting"
-
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    page.find('#notice_flash').text.must_equal "Your remember setting has been updated"
-    page.body.must_include 'Logged In Normally'
-
-    remove_cookie('rack.session')
-    visit '/'
-    page.body.must_include 'Not Logged In'
-
-    secret = SecureRandom.random_bytes(32)
-    visit '/load'
-    page.body.must_include 'Not Logged In'
-
-    secret = nil
-    raw_before = Time.now + 100000000
-    login
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    remove_cookie('rack.session')
-
-    secret = SecureRandom.random_bytes(32)
-    visit '/load'
-    page.body.must_include 'Logged In via Remember'
-
-    key = get_cookie('_remember')
-    visit '/remember'
-    choose 'Forget Me'
-    click_button 'Change Remember Setting'
-    page.body.must_include 'Logged In via Remember'
-
-    remove_cookie('rack.session')
-    visit '/'
-    page.body.must_include 'Not Logged In'
-
-    visit '/load'
-    page.body.must_include 'Not Logged In'
-
-    set_cookie('_remember', key)
-    visit '/load'
-    page.body.must_include 'Logged In via Remember'
-
-    visit '/remember'
-    choose 'Disable Remember Me'
-    click_button 'Change Remember Setting'
-    page.body.must_include 'Logged In via Remember'
-
-    remove_cookie('rack.session')
-    visit '/'
-    page.body.must_include 'Not Logged In'
-
-    set_cookie('_remember', key)
-    visit '/load'
-    page.body.must_include 'Not Logged In'
-
-    login
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-
-    secret = SecureRandom.random_bytes(32)
-    remove_cookie('rack.session')
-    visit '/load'
-    page.body.must_include 'Not Logged In'
-  end
-
-  it "should forget remember token when explicitly logging out" do
-    rodauth do
-      enable :login, :logout, :remember
-    end
-    roda do |r|
-      r.rodauth
-      r.get 'load' do
-        rodauth.load_memory
-        r.redirect '/'
-      end
-      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
-    end
-
-    login
-    page.body.must_equal 'Logged In'
-
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    page.body.must_equal 'Logged In'
-
-    logout
-
-    visit '/'
-    page.body.must_equal 'Not Logged In'
-
-    visit '/load'
-    page.body.must_equal 'Not Logged In'
-  end
-
-  it "should remove cookie if cookie is no longer valid" do
-    rodauth do
-      enable :login, :remember
-      skip_status_checks? false
-    end
-    roda do |r|
-      r.rodauth
-      r.get 'load' do
-        rodauth.load_memory
-        r.redirect '/'
-      end
-      r.root do
-        if rodauth.logged_in?
-          if rodauth.logged_in_via_remember_key?
-            view :content=>"Logged In via Remember"
-          else
-            view :content=>"Logged In Normally"
-          end
-        else
-          view :content=>"Not Logged In"
-        end
-      end
-    end
-
-    login
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    page.body.must_include 'Logged In Normally'
-
-    cookie = get_cookie('_remember')
-    remove_cookie('rack.session')
-
-    rk = DB[:account_remember_keys].first
-    DB[:account_remember_keys].update(:key=>rk[:key][0...-1])
-    visit '/load'
-    page.body.must_include 'Not Logged In'
-    get_cookie('_remember').must_equal ""
-
-    DB[:account_remember_keys].delete
-    set_cookie('_remember', cookie)
-    visit '/load'
-    page.body.must_include 'Not Logged In'
-    get_cookie('_remember').must_equal ""
-
-    DB[:account_remember_keys].insert(rk)
-    DB[:accounts].update(:status_id=>3)
-    set_cookie('_remember', cookie)
-    visit '/load'
-    page.body.must_include 'Not Logged In'
-    get_cookie('_remember').must_equal ""
-    DB[:account_remember_keys].must_be :empty?
-  end
-
-  it "should support clearing remembered flag" do
-    rodauth do
-      enable :login, :remember
-    end
-    roda do |r|
-      r.rodauth
-      r.get 'load' do
-        rodauth.load_memory
-        r.redirect '/'
-      end
-      r.root do
-        if rodauth.logged_in?
-          if rodauth.logged_in_via_remember_key?
-            view :content=>"Logged In via Remember"
-          else
-            view :content=>"Logged In Normally"
-          end
-        else
-          view :content=>"Not Logged In"
-        end
-      end
-    end
-
-    login
-    page.body.must_include 'Logged In Normally'
-
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    page.body.must_include 'Logged In Normally'
-
-    remove_cookie('rack.session')
-    visit '/'
-    page.body.must_include 'Not Logged In'
-
-    visit '/load'
-    page.body.must_include 'Logged In via Remember'
-
-    visit '/confirm-password'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'Confirm Password'
-    page.find('#error_flash').text.must_equal "There was an error confirming your password"
-    page.html.must_include("invalid password")
-
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Confirm Password'
-    page.find('#notice_flash').text.must_equal "Your password has been confirmed"
-    page.body.must_include 'Logged In Normally'
-  end
-
-  it "should support extending remember token" do
-    rodauth do
-      enable :login, :remember
-      extend_remember_deadline? true
-      remember_period :days=>30
-    end
-    roda do |r|
-      r.rodauth
-      r.get 'load' do
-        rodauth.load_memory
-        r.redirect '/'
-      end
-      r.root{rodauth.logged_in? ? "Logged In#{session[rodauth.remembered_session_key]}" : "Not Logged In"}
-    end
-
-    login
-
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    deadline = DB[:account_remember_keys].get(:deadline)
-    deadline = Time.parse(deadline) if deadline.is_a?(String)
-    deadline.must_be(:<, Time.now + 15*86400)
-
-    remove_cookie('rack.session')
-    visit '/'
-    page.body.must_equal 'Not Logged In'
-
-    old_expiration = page.driver.browser.rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.expires
-    visit '/load'
-    page.body.must_equal 'Logged Intrue'
-    new_expiration = page.driver.browser.rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.expires
-    new_expiration.must_be :>=, old_expiration
-    deadline = DB[:account_remember_keys].get(:deadline)
-    deadline = Time.parse(deadline) if deadline.is_a?(String)
-    deadline.must_be(:>, Time.now + 29*86400)
-  end
-
-  it "should clear remember token when closing account" do
-    rodauth do
-      enable :login, :remember, :close_account
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.load_memory
-      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
-    end
-
-    login
-
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    DB[:account_remember_keys].count.must_equal 1
-
-    visit '/close-account'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Close Account'
-    DB[:account_remember_keys].count.must_equal 0
-  end
-
-  it "should not use remember token if the account is not open" do
-    rodauth do
-      enable :login, :remember
-      skip_status_checks? false
-    end
-    roda do |r|
-      r.rodauth
-      r.get 'load' do
-        rodauth.load_memory
-        r.redirect '/'
-      end
-      r.root do
-        if rodauth.logged_in?
-          if rodauth.logged_in_via_remember_key?
-            "Logged In via Remember"
-          else
-            "Logged In Normally"
-          end
-        else
-          "Not Logged In"
-        end
-      end
-    end
-
-    login
-    page.body.must_equal 'Logged In Normally'
-
-    visit '/load'
-    page.body.must_equal 'Logged In Normally'
-
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    page.body.must_equal 'Logged In Normally'
-
-    remove_cookie('rack.session')
-    visit '/'
-    page.body.must_equal 'Not Logged In'
-
-    DB[:accounts].update(:status_id=>3)
-
-    visit '/load'
-    page.body.must_equal 'Not Logged In'
-  end
-
-  it "should handle uniqueness errors raised when inserting remember token" do
-    rodauth do
-      enable :login, :remember
-    end
-    roda do |r|
-      def rodauth.raised_uniqueness_violation(*) super; true; end
-      r.rodauth
-      r.get 'load' do
-        rodauth.load_memory
-        r.redirect '/'
-      end
-      r.root do
-        if rodauth.logged_in?
-          if rodauth.logged_in_via_remember_key?
-            "Logged In via Remember"
-          else
-            "Logged In Normally"
-          end
-        else
-          "Not Logged In"
-        end
-      end
-    end
-
-    login
-
-    visit '/remember'
-    choose 'Remember Me'
-    click_button 'Change Remember Setting'
-    page.body.must_equal 'Logged In Normally'
-  end
-
-  it "should support login via remember token via jwt" do
-    rodauth do
-      enable :login, :remember
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-
-      r.post 'load' do
-        rodauth.load_memory
-        [4]
-      end
-
-      if rodauth.logged_in?
-        if rodauth.logged_in_via_remember_key?
-          [1]
-        else
-          [2]
-        end
-      else
-        [3]
-      end
-    end
-
-    json_request.must_equal [200, [3]]
-    json_login
-    json_request.must_equal [200, [2]]
-
-    json_request('/load').must_equal [200, [4]]
-    json_request.must_equal [200, [2]]
-
-    res = json_request('/remember', :remember=>'remember')
-    res.must_equal [200, {'success'=>"Your remember setting has been updated"}]
-
-    @authorization = nil
-    json_request.must_equal [200, [3]]
-    json_request('/load').must_equal [200, [4]]
-    json_request.must_equal [200, [1]]
-
-    cookie = @cookie
-    res = json_request('/remember', :remember=>'forget')
-    res.must_equal [200, {'success'=>"Your remember setting has been updated"}]
-    json_request.must_equal [200, [1]]
-
-    @cookie = nil
-    @authorization = nil
-    json_request.must_equal [200, [3]]
-
-    json_request('/load').must_equal [200, [4]]
-    json_request.must_equal [200, [3]]
-
-    @cookie = cookie
-    json_request('/load').must_equal [200, [4]]
-    json_request.must_equal [200, [1]]
-
-    res = json_request('/confirm-password', :password=>'123456')
-    res.must_equal [401, {'error'=>"There was an error confirming your password", "field-error"=>["password", "invalid password"]}]
-
-    res = json_request('/confirm-password', :password=>'0123456789')
-    res.must_equal [200, {'success'=>"Your password has been confirmed"}]
-    json_request.must_equal [200, [2]]
-
-    res = json_request('/remember', :remember=>'disable')
-    res.must_equal [200, {'success'=>"Your remember setting has been updated"}]
-
-    @authorization = nil
-    @cookie = nil
-    json_request.must_equal [200, [3]]
-
-    @cookie = cookie
-    json_request('/load').must_equal [200, [4]]
-    json_request.must_equal [200, [3]]
-  end
-end