rodauth 1.20.0 → 2.1.0

data/spec/reset_password_spec.rb

@@ -1,229 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth reset_password feature' do
-  it "should support resetting passwords for accounts" do
-    last_sent_column = nil
-    rodauth do
-      enable :login, :reset_password
-      reset_password_email_last_sent_column{last_sent_column}
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    login(:login=>'foo@example2.com', :pass=>'01234567')
-    page.html.wont_match(/notice_flash/)
-
-    login(:pass=>'01234567', :visit=>false)
-
-    click_button 'Request Password Reset'
-    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to reset the password for your account"
-    page.current_path.must_equal '/'
-    link = email_link(/(\/reset-password\?key=.+)$/)
-
-    visit link[0...-1]
-    page.find('#error_flash').text.must_equal "There was an error resetting your password: invalid or expired password reset key"
-
-    visit '/login'
-    click_link 'Forgot Password?'
-    fill_in 'Login', :with=>'foo@example.com'
-    click_button 'Request Password Reset'
-    email_link(/(\/reset-password\?key=.+)$/).must_equal link
-
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    email_link(/(\/reset-password\?key=.+)$/).must_equal link
-
-    last_sent_column = :email_last_sent
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to reset your password"
-    Mail::TestMailer.deliveries.must_equal []
-
-    DB[:account_password_reset_keys].update(:email_last_sent => Time.now - 250).must_equal 1
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to reset your password"
-    Mail::TestMailer.deliveries.must_equal []
-
-    DB[:account_password_reset_keys].update(:email_last_sent => Time.now - 350).must_equal 1
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    email_link(/(\/reset-password\?key=.+)$/).must_equal link
-
-    visit link
-    page.title.must_equal 'Reset Password'
-
-    fill_in 'Password', :with=>'0123456'
-    fill_in 'Confirm Password', :with=>'0123456789'
-    click_button 'Reset Password'
-    page.html.must_include("passwords do not match")
-    page.find('#error_flash').text.must_equal "There was an error resetting your password"
-    page.current_path.must_equal '/reset-password'
-
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Confirm Password', :with=>'0123456789'
-    click_button 'Reset Password'
-    page.body.must_include 'invalid password, same as current password'
-    page.find('#error_flash').text.must_equal "There was an error resetting your password"
-    page.current_path.must_equal '/reset-password'
-
-    fill_in 'Password', :with=>'012'
-    fill_in 'Confirm Password', :with=>'012'
-    click_button 'Reset Password'
-    page.html.must_include("invalid password, does not meet requirements")
-    page.find('#error_flash').text.must_equal "There was an error resetting your password"
-    page.current_path.must_equal '/reset-password'
-
-    fill_in 'Password', :with=>'0123456'
-    fill_in 'Confirm Password', :with=>'0123456'
-    click_button 'Reset Password'
-    page.find('#notice_flash').text.must_equal "Your password has been reset"
-    page.current_path.must_equal '/'
-
-    login(:pass=>'0123456')
-    page.current_path.must_equal '/'
-
-    login(:pass=>'bad')
-    click_link "Forgot Password?"
-    fill_in "Login", :with=>"foo@example.com"
-    click_button "Request Password Reset"
-    DB[:account_password_reset_keys].update(:deadline => Time.now - 60).must_equal 1
-    link = email_link(/(\/reset-password\?key=.+)$/)
-    visit link
-    page.find('#error_flash').text.must_equal "There was an error resetting your password: invalid or expired password reset key"
-  end
-
-  it "should support resetting passwords for accounts without confirmation" do
-    rodauth do
-      enable :login, :reset_password
-      require_password_confirmation? false
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    visit '/login'
-    login(:pass=>'01234567', :visit=>false)
-    click_button 'Request Password Reset'
-    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to reset the password for your account"
-
-    link = email_link(/(\/reset-password\?key=.+)$/)
-    visit link
-    fill_in 'Password', :with=>'0123456'
-    click_button 'Reset Password'
-    page.find('#notice_flash').text.must_equal "Your password has been reset"
-  end
-
-  it "should support autologin when resetting passwords for accounts" do
-    rodauth do
-      enable :login, :reset_password
-      reset_password_autologin? true
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-
-    login(:pass=>'01234567')
-
-    click_button 'Request Password Reset'
-    link = email_link(/(\/reset-password\?key=.+)$/)
-    visit link
-    fill_in 'Password', :with=>'0123456'
-    fill_in 'Confirm Password', :with=>'0123456'
-    click_button 'Reset Password'
-    page.find('#notice_flash').text.must_equal "Your password has been reset"
-    page.body.must_include("Logged In")
-  end
-
-  it "should clear reset password token when closing account" do
-    rodauth do
-      enable :login, :reset_password, :close_account
-      reset_password_autologin? true
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    email_link(/(\/reset-password\?key=.+)$/)
-
-    login
-
-    DB[:account_password_reset_keys].count.must_equal 1
-    visit '/close-account'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Close Account'
-    DB[:account_password_reset_keys].count.must_equal 0
-  end
-
-  it "should handle uniqueness errors raised when inserting password reset token" do
-    rodauth do
-      enable :login, :reset_password
-    end
-    roda do |r|
-      def rodauth.raised_uniqueness_violation(*) super; true; end
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    login(:pass=>'01234567')
-
-    click_button 'Request Password Reset'
-    link = email_link(/(\/reset-password\?key=.+)$/)
-    visit link
-
-    fill_in 'Password', :with=>'0123456'
-    fill_in 'Confirm Password', :with=>'0123456'
-    click_button 'Reset Password'
-    page.find('#notice_flash').text.must_equal "Your password has been reset"
-  end
-
-  it "should support resetting passwords for accounts via jwt" do
-    rodauth do
-      enable :login, :reset_password
-      reset_password_email_body{reset_password_email_link}
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-
-    res = json_login(:pass=>'1', :no_check=>true)
-    res.must_equal [401, {"field-error"=>["password", "invalid password"], "error"=>"There was an error logging in"}]
-
-    res = json_request('/reset-password')
-    res.must_equal [401, {"error"=>"There was an error resetting your password"}]
-
-    res = json_request('/reset-password-request', :login=>'foo@example2.com')
-    res.must_equal [401, {"error"=>"There was an error requesting a password reset"}]
-
-    res = json_request('/reset-password-request', :login=>'foo@example.com')
-    res.must_equal [200, {"success"=>"An email has been sent to you with a link to reset the password for your account"}]
-
-    link = email_link(/key=.+$/)
-    res = json_request('/reset-password', :key=>link[4...-1])
-    res.must_equal [401, {"error"=>"There was an error resetting your password"}]
-
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'1', "password-confirm"=>'2')
-    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", 'passwords do not match']}]
-
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'0123456789', "password-confirm"=>'0123456789')
-    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", 'invalid password, same as current password']}]
-
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'1', "password-confirm"=>'1')
-    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (minimum 6 characters)"]}]
-
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>"\0ab123456", "password-confirm"=>"\0ab123456")
-    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (contains null byte)"]}]
-
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'0123456', "password-confirm"=>'0123456')
-    res.must_equal [200, {"success"=>"Your password has been reset"}]
-
-    json_login(:pass=>'0123456')
-  end
-end

data/spec/rodauth_spec.rb

@@ -1,343 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth' do
-  it "should keep private methods private when overridden" do
-    rodauth do
-      use_database_authentication_functions? false
-    end
-    roda do |r|
-      rodauth.use_database_authentication_functions?.to_s
-    end
-
-    proc{visit '/'}.must_raise NoMethodError
-  end
-
-  it "should support template_opts" do
-    rodauth do
-      enable :login
-      template_opts(:layout_opts=>{:path=>'spec/views/layout-other.str'})
-    end
-    roda do |r|
-      r.rodauth
-    end
-
-    visit '/login'
-    page.title.must_equal 'Foo Login'
-  end
-
-  it "should support flash_error_key and flash_notice_key" do
-    rodauth do
-      enable :login
-      template_opts(:layout_opts=>{:path=>'spec/views/layout-other.str'})
-      flash_error_key 'error2'
-      flash_notice_key 'notice2'
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.require_login
-      view(:content=>'', :layout_opts=>{:path=>'spec/views/layout-other.str'})
-    end
-
-    visit '/'
-    page.html.must_include 'Please login to continue'
-    login(:visit=>false)
-    page.html.must_include 'You have been logged in'
-  end
-
-  it "should work without preloading the templates" do
-    @no_precompile = true
-    rodauth do
-      enable :login
-    end
-    roda do |r|
-      r.rodauth
-    end
-
-    visit '/login'
-    page.title.must_equal 'Login'
-  end
-
-  it "should warn when using deprecated configuration methods" do
-    warning = nil
-    rodauth do
-      enable :email_auth
-      (class << self; self end).send(:define_method, :warn) do |*a|
-        warning = a.first
-      end
-      auth_class_eval do
-        define_method(:warn) do |*a|
-          warning = a.first
-        end
-      end
-      no_matching_email_auth_key_message 'foo'
-    end
-    roda do |r|
-      rodauth.no_matching_email_auth_key_message
-    end
-
-    warning.must_equal "Deprecated no_matching_email_auth_key_message method used during configuration, switch to using no_matching_email_auth_key_error_flash"
-    visit '/'
-    body.must_equal 'foo'
-    warning.must_equal "Deprecated no_matching_email_auth_key_message method called at runtime, switch to using no_matching_email_auth_key_error_flash"
-  end
-
-  it "should pick up template changes if not caching templates" do
-    begin
-      @no_freeze = true
-      cache = true
-      rodauth do
-        enable :login
-        cache_templates{cache}
-      end
-      roda do |r|
-        r.rodauth
-      end
-      dir = 'spec/views2'
-      file = "#{dir}/login.str"
-      app.plugin :render, :views=>dir, :engine=>'str'
-      Dir.mkdir(dir) unless File.directory?(dir)
-
-      text = File.read('spec/views/login.str')
-      File.open(file, 'wb'){|f| f.write text}
-      visit '/login'
-      page.all('label').first.text.must_equal 'Login'
-
-      File.open(file, 'wb'){|f| f.write text.gsub('Login', 'Banana')}
-      visit '/login'
-      page.all('label').first.text.must_equal 'Login'
-
-      cache = false
-      visit '/login'
-      page.all('label').first.text.must_equal 'Banana'
-    ensure
-      File.delete(file) if File.file?(file)
-      Dir.rmdir(dir) if File.directory?(dir)
-    end
-  end
-
-  it "should require login to perform certain actions" do
-    rodauth do
-      enable :login, :change_password, :change_login, :close_account
-    end
-    roda do |r|
-      r.rodauth
-
-      r.is "a" do
-        rodauth.require_login
-      end
-    end
-
-    visit '/change-password'
-    page.current_path.must_equal '/login'
-
-    visit '/change-login'
-    page.current_path.must_equal '/login'
-
-    visit '/close-account'
-    page.current_path.must_equal '/login'
-
-    visit '/a'
-    page.current_path.must_equal '/login'
-  end
-
-  it "should handle case where account is no longer valid during session" do
-    rodauth do
-      enable :login, :change_password
-      already_logged_in{request.redirect '/'}
-      skip_status_checks? false
-    end
-    roda do |r|
-      r.rodauth
-
-      r.root do
-        view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")
-      end
-    end
-
-    login
-    page.body.must_include("Logged In")
-
-    DB[:accounts].update(:status_id=>3)
-    visit '/change-password'
-    page.current_path.must_equal '/login'
-    visit '/'
-    page.body.must_include("Not Logged")
-  end
-
-  it "should handle cases where you are already logged in on pages that don't expect a login" do
-    rodauth do
-      enable :login, :logout, :create_account, :reset_password, :verify_account
-      already_logged_in{request.redirect '/'}
-    end
-    roda do |r|
-      r.rodauth
-
-      r.root do
-        view :content=>''
-      end
-    end
-
-    login
-
-    visit '/login'
-    page.current_path.must_equal '/'
-
-    visit '/create-account'
-    page.current_path.must_equal '/'
-
-    visit '/reset-password'
-    page.current_path.must_equal '/'
-
-    visit '/verify-account'
-    page.current_path.must_equal '/'
-
-    visit '/logout'
-    page.current_path.must_equal '/logout'
-  end
-
-  it "should have rodauth.features and rodauth.session_value work when not logged in" do
-    rodauth do
-      enable :login
-    end
-    roda do |r|
-      "#{rodauth.features.first.inspect}#{rodauth.session_value.inspect}"
-    end
-
-    visit '/'
-    page.body.must_equal ':loginnil'
-  end
-
-  it "should support auth_class_eval for evaluation inside Auth class" do
-    rodauth do
-      enable :login
-      login_label{foo}
-      auth_class_eval do
-        def foo
-          'Lonig'
-        end
-      end
-    end
-    roda do |r|
-      r.rodauth
-    end
-
-    visit '/login'
-    fill_in 'Lonig', :with=>'foo@example.com'
-  end
-
-  it "should support multiple rodauth configurations in an app" do
-    app = Class.new(Base)
-    app.plugin(:rodauth, rodauth_opts) do
-      enable :login
-      if ENV['RODAUTH_SEPARATE_SCHEMA']
-        password_hash_table Sequel[:rodauth_test_password][:account_password_hashes]
-        function_name do |name|
-          "rodauth_test_password.#{name}"
-        end
-      end
-    end
-    app.plugin(:rodauth, rodauth_opts.merge(:name=>:r2)) do
-      enable :logout
-    end
-
-    if Minitest::HooksSpec::USE_ROUTE_CSRF
-      app.plugin :route_csrf, Minitest::HooksSpec::ROUTE_CSRF_OPTS
-    end
-
-    app.route do |r|
-      if Minitest::HooksSpec::USE_ROUTE_CSRF
-        check_csrf!
-      end
-      r.on 'r1' do
-        r.rodauth
-        'r1'
-      end
-      r.on 'r2' do
-        r.rodauth(:r2)
-        'r2'
-      end
-      rodauth.session_value.inspect
-    end
-    app.freeze
-    self.app = app
-
-    login(:path=>'/r1/login')
-    page.body.must_equal DB[:accounts].get(:id).to_s
-
-    visit '/r2/logout'
-    click_button 'Logout'
-    page.body.must_equal 'nil'
-
-    visit '/r1/logout'
-    page.body.must_equal 'r1'
-    visit '/r2/login'
-    page.body.must_equal 'r2'
-  end
-
-  it "should support account_model setting for backwards compatibility" do
-    warning = nil
-    rodauth do
-      enable :login
-      (class << self; self end).send(:define_method, :warn){|msg| warning = msg}
-      account_model Sequel::Model(DB[:accounts].select(:id))
-    end
-    roda do |r|
-      "#{rodauth.accounts_table}#{rodauth.account_select.length}"
-    end
-
-    visit '/'
-    page.body.must_equal 'accounts1'
-    warning.must_equal "account_model is deprecated, use db and accounts_table settings"
-  end
-
-  it "should support account_select setting for choosing account columns" do
-    rodauth do
-      enable :login
-      account_select [:id, :email]
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.account_from_session
-      rodauth.account.keys.map(&:to_s).sort.join(' ')
-    end
-
-    login
-    page.body.must_equal 'email id'
-  end
-
-  it "should support :csrf=>false and :flash=>false plugin options" do
-    c = Class.new(Roda)
-    c.plugin(:rodauth, :csrf=>false, :flash=>false){}
-    c.route{}
-    c.instance_variable_get(:@middleware).length.must_equal 0
-    c.ancestors.map(&:to_s).wont_include 'Roda::RodaPlugins::Flash::InstanceMethods'
-    c.ancestors.map(&:to_s).wont_include 'Roda::RodaPlugins::RouteCsrf::InstanceMethods'
-  end
-
-  it "should inherit rodauth configuration in subclass" do
-    auth_class = nil
-    no_freeze!
-    rodauth{auth_class = auth}
-    roda(:csrf=>false, :flash=>false){|r|}
-    Class.new(app).rodauth.must_equal auth_class
-  end
-
-  it "should use subclass of rodauth configuration if modifying rodauth configuration in subclass" do
-    auth_class = nil
-    no_freeze!
-    rodauth{auth_class = auth; auth_class_eval{def foo; 'foo' end}}
-    roda{|r| rodauth.foo}
-    visit '/'
-    page.html.must_equal 'foo'
-
-    a = Class.new(app)
-    a.plugin(:rodauth, rodauth_opts){auth_class_eval{def foo; "#{super}bar" end}}
-    a.rodauth.superclass.must_equal auth_class
-
-    visit '/'
-    page.html.must_equal 'foo'
-    self.app = a
-    visit '/'
-    page.html.must_equal 'foobar'
-  end
-end