rodauth 1.21.0 → 2.2.0

data/spec/lockout_spec.rb

@@ -1,250 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth lockout feature' do
-  it "should support account lockouts without autologin on unlock" do
-    lockouts = []
-    rodauth do
-      enable :lockout
-      max_invalid_logins 2
-      unlock_account_autologin? false
-      after_account_lockout{lockouts << true}
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
-    end
-
-    login(:pass=>'012345678910')
-    page.find('#error_flash').text.must_equal 'There was an error logging in'
-
-    login
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-    page.body.must_include("Logged In")
-
-    remove_cookie('rack.session')
-
-    visit '/login'
-    fill_in 'Login', :with=>'foo@example.com'
-    2.times do
-      fill_in 'Password', :with=>'012345678910'
-      click_button 'Login'
-      page.find('#error_flash').text.must_equal 'There was an error logging in'
-    end
-    lockouts.must_equal [true]
-
-    fill_in 'Password', :with=>'012345678910'
-    click_button 'Login'
-    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
-    page.body.must_include("This account is currently locked out")
-    click_button 'Request Account Unlock'
-    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
-    link = email_link(/(\/unlock-account\?key=.+)$/)
-
-    visit '/login'
-    fill_in 'Login', :with=>'foo@example.com'
-    fill_in 'Password', :with=>'012345678910'
-    click_button 'Login'
-    click_button 'Request Account Unlock'
-    email_link(/(\/unlock-account\?key=.+)$/).must_equal link
-
-    visit link[0...-1]
-    page.find('#error_flash').text.must_equal "There was an error unlocking your account: invalid or expired unlock account key"
-
-    visit link
-    click_button 'Unlock Account'
-    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
-    page.body.must_include('Not Logged')
-
-    login
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-    page.body.must_include("Logged In")
-  end
-
-  it "should support account lockouts with autologin and password required on unlock" do
-    rodauth do
-      enable :lockout
-      unlock_account_requires_password? true
-      account_lockouts_email_last_sent_column :email_last_sent
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
-    end
-
-    visit '/login'
-    fill_in 'Login', :with=>'foo@example.com'
-    100.times do
-      fill_in 'Password', :with=>'012345678910'
-      click_button 'Login'
-      page.find('#error_flash').text.must_equal 'There was an error logging in'
-    end
-
-    fill_in 'Password', :with=>'012345678910'
-    click_button 'Login'
-    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
-    page.body.must_include("This account is currently locked out")
-    click_button 'Request Account Unlock'
-    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
-    link = email_link(/(\/unlock-account\?key=.+)$/)
-
-    visit '/login'
-    fill_in 'Login', :with=>'foo@example.com'
-    fill_in 'Password', :with=>'012345678910'
-    click_button 'Login'
-    click_button 'Request Account Unlock'
-    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to unlock the account"
-    Mail::TestMailer.deliveries.must_equal []
-
-    visit link
-    click_button 'Unlock Account'
-
-    page.find('#error_flash').text.must_equal 'There was an error unlocking your account'
-    page.body.must_include('invalid password')
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Unlock Account'
-
-    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
-    page.body.must_include("Logged In")
-  end
-
-  it "should autounlock after enough time" do
-    rodauth do
-      enable :lockout
-      max_invalid_logins 2
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
-    end
-
-    visit '/login'
-    fill_in 'Login', :with=>'foo@example.com'
-    2.times do
-      fill_in 'Password', :with=>'012345678910'
-      click_button 'Login'
-      page.find('#error_flash').text.must_equal 'There was an error logging in'
-    end
-    fill_in 'Password', :with=>'012345678910'
-    click_button 'Login'
-    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
-    page.body.must_include("This account is currently locked out")
-    DB[:account_lockouts].update(:deadline=>Date.today - 3)
-
-    login
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-    page.body.must_include("Logged In")
-  end
-
-  it "should clear unlock token when closing account" do
-    rodauth do
-      enable :lockout, :close_account
-      max_invalid_logins 2
-    end
-    roda do |r|
-      r.get('b') do
-        session[:account_id] = DB[:accounts].get(:id)
-        'b'
-      end
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
-    end
-
-    visit '/login'
-    fill_in 'Login', :with=>'foo@example.com'
-    3.times do
-      fill_in 'Password', :with=>'012345678910'
-      click_button 'Login'
-    end
-    DB[:account_lockouts].count.must_equal 1
-    
-    visit 'b'
-
-    visit '/close-account'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Close Account'
-    DB[:account_lockouts].count.must_equal 0
-  end
-
-  it "should handle uniqueness errors raised when inserting unlock account token" do
-    lockouts = []
-    rodauth do
-      enable :lockout
-      max_invalid_logins 2
-      after_account_lockout{lockouts << true}
-    end
-    roda do |r|
-      def rodauth.raised_uniqueness_violation(*) super; true; end
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
-    end
-
-    visit '/login'
-    fill_in 'Login', :with=>'foo@example.com'
-    fill_in 'Password', :with=>'012345678910'
-    click_button 'Login'
-    page.find('#error_flash').text.must_equal 'There was an error logging in'
-
-    fill_in 'Password', :with=>'012345678910'
-    click_button 'Login'
-    lockouts.must_equal [true]
-    page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
-    page.body.must_include("This account is currently locked out")
-    click_button 'Request Account Unlock'
-    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
-
-    link = email_link(/(\/unlock-account\?key=.+)$/)
-    visit link
-    click_button 'Unlock Account'
-    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
-    page.body.must_include("Logged In")
-  end
-
-  it "should support account lockouts via jwt" do
-    rodauth do
-      enable :logout, :lockout
-      max_invalid_logins 2
-      unlock_account_autologin? false
-      unlock_account_email_body{unlock_account_email_link}
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      [rodauth.logged_in? ? "Logged In" : "Not Logged"]
-    end
-
-    res = json_request('/unlock-account-request', :login=>'foo@example.com')
-    res.must_equal [401, {'error'=>"No matching login"}]
-
-    res = json_login(:pass=>'1', :no_check=>true)
-    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
-
-    json_login
-    json_logout
-
-    2.times do
-      res = json_login(:pass=>'1', :no_check=>true)
-      res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
-    end
-
-    2.times do
-      res = json_login(:pass=>'1', :no_check=>true)
-      res.must_equal [403, {'error'=>"This account is currently locked out and cannot be logged in to."}]
-    end
-
-    res = json_request('/unlock-account')
-    res.must_equal [401, {'error'=>"There was an error unlocking your account: invalid or expired unlock account key"}]
-
-    res = json_request('/unlock-account-request', :login=>'foo@example.com')
-    res.must_equal [200, {'success'=>"An email has been sent to you with a link to unlock your account"}]
-
-    link = email_link(/key=.+$/)
-    res = json_request('/unlock-account', :key=>link[4...-1])
-    res.must_equal [401, {'error'=>"There was an error unlocking your account: invalid or expired unlock account key"}]
-
-    res = json_request('/unlock-account', :key=>link[4..-1])
-    res.must_equal [200, {'success'=>"Your account has been unlocked"}]
-
-    res = json_request.must_equal [200, ['Not Logged']]
-
-    json_login
-  end
-end

data/spec/login_spec.rb

@@ -1,328 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth login feature' do
-  it "should handle logins and logouts" do
-    rodauth{enable :login, :logout}
-    roda do |r|
-      r.rodauth
-      next unless rodauth.logged_in?
-      r.root{view :content=>"Logged In"}
-    end
-
-    visit '/login'
-    page.title.must_equal 'Login'
-
-    login(:login=>'foo@example2.com', :visit=>false)
-    page.find('#error_flash').text.must_equal 'There was an error logging in'
-    page.html.must_include("no matching login")
-    page.all('[type=text]').first.value.must_equal 'foo@example2.com'
-
-    login(:pass=>'012345678', :visit=>false)
-    page.find('#error_flash').text.must_equal 'There was an error logging in'
-    page.html.must_include("invalid password")
-
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Login'
-    page.current_path.must_equal '/'
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-    page.html.must_include("Logged In")
-
-    visit '/logout'
-    page.title.must_equal 'Logout'
-
-    click_button 'Logout'
-    page.find('#notice_flash').text.must_equal 'You have been logged out'
-    page.current_path.must_equal '/login'
-  end
-
-  it "should handle multi phase login (email first, then password)" do
-    rodauth do
-      enable :login, :logout
-      use_multi_phase_login? true
-      login_input_type 'email'
-      input_field_label_suffix ' (Required)'
-      input_field_error_class ' bad-input'
-      input_field_error_message_class 'err-msg'
-      mark_input_fields_as_required? true
-      field_attributes do |field|
-        if field == 'login'
-          'custom_field="custom_value"'
-        else
-          super(field)
-        end
-      end
-      field_error_attributes do |field|
-        if field == 'login'
-          'custom_error_field="custom_error_value"'
-        else
-          super(field)
-        end
-      end
-      formatted_field_error do |field, error|
-        if field == 'login'
-          super(field, error)
-        else
-          "<span class='err-msg2'>1#{error}2</span>"
-        end
-      end
-    end
-    roda do |r|
-      r.rodauth
-      next unless rodauth.logged_in?
-      r.root{view :content=>"Logged In"}
-    end
-
-    visit '/login'
-    page.title.must_equal 'Login'
-
-    page.find('[custom_field=custom_value]').value.must_equal ''
-    page.all('[custom_error_field=custom_error_value]').must_be_empty
-    page.all('input[type=password]').must_be_empty
-    fill_in 'Login (Required)', :with=>'foo2@example.com'
-    click_button 'Login'
-    page.find('#error_flash').text.must_equal 'There was an error logging in'
-    page.find('[custom_field=custom_value]').value.must_equal 'foo2@example.com'
-    page.find('[custom_error_field=custom_error_value]').value.must_equal 'foo2@example.com'
-    page.find('[type=email]').value.must_equal 'foo2@example.com'
-    page.find('.bad-input').value.must_equal 'foo2@example.com'
-    page.find('.err-msg').text.must_equal 'no matching login'
-
-    page.all('input[type=password]').must_be_empty
-    fill_in 'Login (Required)', :with=>'foo@example.com'
-    click_button 'Login'
-    page.find('#notice_flash').text.must_equal 'Login recognized, please enter your password'
-
-    page.all('[custom_field=custom_value]').must_be_empty
-    page.all('[custom_error_field=custom_error_value]').must_be_empty
-    page.all('[aria-invalid=true]').must_be_empty
-    page.all('[aria-describedby]').must_be_empty
-    page.find('[required=required]').value.to_s.must_equal ''
-    page.all('input[type=text]').must_be_empty
-    fill_in 'Password (Required)', :with=>'012345678'
-    click_button 'Login'
-    page.find('#error_flash').text.must_equal 'There was an error logging in'
-    page.find('[aria-invalid=true]').value.to_s.must_equal ''
-    page.find('[aria-describedby=password_error_message]').value.to_s.must_equal ''
-    page.all('[custom_error_field=custom_error_value]').must_be_empty
-    page.find('.err-msg2').text.must_equal '1invalid password2'
-
-    page.all('input[type=text]').must_be_empty
-    fill_in 'Password (Required)', :with=>'0123456789'
-    click_button 'Login'
-    page.current_path.must_equal '/'
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-    page.html.must_include("Logged In")
-
-    visit '/logout'
-    page.title.must_equal 'Logout'
-
-    click_button 'Logout'
-    page.find('#notice_flash').text.must_equal 'You have been logged out'
-    page.current_path.must_equal '/login'
-  end
-
-  it "should not allow login to unverified account" do
-    rodauth do
-      enable :login
-      skip_status_checks? false
-    end
-    roda do |r|
-      r.rodauth
-      next unless rodauth.logged_in?
-      r.root{view :content=>"Logged In"}
-    end
-
-    DB[:accounts].update(:status_id=>1)
-    login
-    page.find('#error_flash').text.must_equal 'There was an error logging in'
-    page.html.must_include("unverified account, please verify account before logging in")
-  end
-
-  it "should handle overriding login action" do
-    rodauth do
-      enable :login
-    end
-    roda do |r|
-      r.post 'login' do
-        if r.params['login'] == 'apple' && r.params['password'] == 'banana'
-          session['user_id'] = 'pear'
-          r.redirect '/'
-        end
-        r.redirect '/login'
-      end
-      r.rodauth
-      next unless session['user_id'] == 'pear'
-      r.root{"Logged In"}
-    end
-
-    login(:login=>'appl', :pass=>'banana')
-    page.html.wont_match(/Logged In/)
-
-    login(:login=>'apple', :pass=>'banan', :visit=>false)
-    page.html.wont_match(/Logged In/)
-
-    login(:login=>'apple', :pass=>'banana', :visit=>false)
-    page.current_path.must_equal '/'
-    page.html.must_include("Logged In")
-  end
-
-  it "should handle overriding some login attributes" do
-    rodauth do
-      enable :login
-      account_from_login do |login|
-        DB[:accounts].first if login == 'apple'
-      end
-      password_match? do |password|
-        password == 'banana'
-      end
-      update_session do
-        session['user_id'] = 'pear'
-      end
-      no_matching_login_message "no user"
-      invalid_password_message "bad password"
-    end
-    roda do |r|
-      r.rodauth
-      next unless session['user_id'] == 'pear'
-      r.root{"Logged In"}
-    end
-
-    login(:login=>'appl', :pass=>'banana')
-    page.html.must_include("no user")
-
-    login(:login=>'apple', :pass=>'banan', :visit=>false)
-    page.html.must_include("bad password")
-
-    fill_in 'Password', :with=>'banana'
-    click_button 'Login'
-    page.current_path.must_equal '/'
-    page.html.must_include("Logged In")
-  end
-
-  it "should handle a prefix and some other login options" do
-    rodauth do
-      enable :login, :logout
-      prefix '/auth'
-      session_key 'login_email'
-      account_from_session{DB[:accounts].first(:email=>session_value)}
-      account_session_value{account[:email]}
-      login_param{param('lp')}
-      login_additional_form_tags "<input type='hidden' name='lp' value='l' />"
-      password_param 'p'
-      login_redirect{"/foo/#{account[:email]}"}
-      logout_redirect '/auth/lin'
-      login_route 'lin'
-      logout_route 'lout'
-    end
-    no_freeze!
-    roda do |r|
-      r.on 'auth' do
-        r.rodauth
-      end
-      next unless session['login_email'] =~ /example/
-      r.get('foo', :email){|e| "Logged In: #{e}"}
-    end
-    app.plugin :render, :views=>'spec/views', :engine=>'str'
-
-    visit '/auth/lin?lp=l'
-
-    login(:login=>'foo@example2.com', :visit=>false)
-    page.html.must_include("no matching login")
-
-    login(:pass=>'012345678', :visit=>false)
-    page.html.must_include("invalid password")
-
-    login(:visit=>false)
-    page.current_path.must_equal '/foo/foo@example.com'
-    page.html.must_include("Logged In: foo@example.com")
-
-    visit '/auth/lout'
-    click_button 'Logout'
-    page.current_path.must_equal '/auth/lin'
-  end
-
-  it "should use correct redirect paths when using prefix" do
-    rodauth do
-      enable :login, :logout
-      prefix '/auth'
-    end
-    roda do |r|
-      r.on 'auth' do
-        r.rodauth
-        rodauth.require_login
-      end
-      rodauth.send("#{r.remaining_path[1..-1]}_redirect")
-    end
-
-    visit '/login'
-    page.html.must_equal '/'
-    visit '/logout'
-    page.html.must_equal '/auth/login'
-    visit '/require_login'
-    page.html.must_equal '/auth/login'
-
-    visit '/auth'
-    page.current_path.must_equal '/auth/login'
-  end
-
-  it "should login and logout via jwt" do
-    rodauth do
-      enable :login, :logout
-      json_response_custom_error_status? false
-      jwt_secret{proc{super()}.must_raise ArgumentError; "1"}
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      response['Content-Type'] = 'application/json'
-      rodauth.logged_in? ? '1' : '2'
-    end
-
-    json_request.must_equal [200, 2]
-
-    res = json_request("/login", :login=>'foo@example2.com', :password=>'0123456789')
-    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["login", "no matching login"]}]
-
-    res = json_request("/login", :login=>'foo@example.com', :password=>'012345678')
-    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
-
-    json_request("/login", :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
-    json_request.must_equal [200, 1]
-
-    json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
-    json_request.must_equal [200, 2]
-  end
-
-  it "should login and logout via jwt with custom error statuses" do
-    rodauth do
-      enable :login, :logout
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      response['Content-Type'] = 'application/json'
-      r.post('foo') do
-        rodauth.require_login
-        '3'
-      end
-      rodauth.logged_in? ? '1' : '2'
-    end
-
-    json_request.must_equal [200, 2]
-
-    res = json_request("/foo")
-    res.must_equal [401, {"error"=>"Please login to continue"}]
-
-    res = json_request("/login", :login=>'foo@example2.com', :password=>'0123456789')
-    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["login", "no matching login"]}]
-
-    res = json_request("/login", :login=>'foo@example.com', :password=>'012345678')
-    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
-
-    json_request("/login", :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
-    json_request.must_equal [200, 1]
-
-    res = json_request("/foo").must_equal [200, 3]
-
-    json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
-    json_request.must_equal [200, 2]
-  end
-end