sidecar_token_auth 1.0.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (175) hide show
  1. checksums.yaml +7 -0
  2. data/LICENSE +13 -0
  3. data/README.md +12 -0
  4. data/Rakefile +42 -0
  5. data/app/controllers/devise_token_auth/application_controller.rb +79 -0
  6. data/app/controllers/devise_token_auth/concerns/resource_finder.rb +44 -0
  7. data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +162 -0
  8. data/app/controllers/devise_token_auth/confirmations_controller.rb +90 -0
  9. data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +287 -0
  10. data/app/controllers/devise_token_auth/passwords_controller.rb +206 -0
  11. data/app/controllers/devise_token_auth/registrations_controller.rb +283 -0
  12. data/app/controllers/devise_token_auth/sessions_controller.rb +245 -0
  13. data/app/controllers/devise_token_auth/token_validations_controller.rb +31 -0
  14. data/app/controllers/devise_token_auth/unlocks_controller.rb +89 -0
  15. data/app/models/devise_token_auth/concerns/active_record_support.rb +16 -0
  16. data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
  17. data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
  18. data/app/models/devise_token_auth/concerns/tokens_serialization.rb +19 -0
  19. data/app/models/devise_token_auth/concerns/user.rb +257 -0
  20. data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +31 -0
  21. data/app/validators/devise_token_auth_email_validator.rb +23 -0
  22. data/app/views/devise/mailer/confirmation_instructions.html.erb +5 -0
  23. data/app/views/devise/mailer/reset_password_instructions.html.erb +8 -0
  24. data/app/views/devise/mailer/unlock_instructions.html.erb +7 -0
  25. data/app/views/devise_token_auth/omniauth_external_window.html.erb +38 -0
  26. data/config/locales/da-DK.yml +52 -0
  27. data/config/locales/de.yml +51 -0
  28. data/config/locales/en.yml +60 -0
  29. data/config/locales/es.yml +51 -0
  30. data/config/locales/fr.yml +51 -0
  31. data/config/locales/he.yml +52 -0
  32. data/config/locales/it.yml +48 -0
  33. data/config/locales/ja.yml +48 -0
  34. data/config/locales/ko.yml +51 -0
  35. data/config/locales/nl.yml +32 -0
  36. data/config/locales/pl.yml +51 -0
  37. data/config/locales/pt-BR.yml +48 -0
  38. data/config/locales/pt.yml +51 -0
  39. data/config/locales/ro.yml +48 -0
  40. data/config/locales/ru.yml +52 -0
  41. data/config/locales/sq.yml +48 -0
  42. data/config/locales/sv.yml +52 -0
  43. data/config/locales/uk.yml +61 -0
  44. data/config/locales/vi.yml +52 -0
  45. data/config/locales/zh-CN.yml +48 -0
  46. data/config/locales/zh-HK.yml +50 -0
  47. data/config/locales/zh-TW.yml +50 -0
  48. data/lib/devise_token_auth.rb +14 -0
  49. data/lib/devise_token_auth/blacklist.rb +2 -0
  50. data/lib/devise_token_auth/controllers/helpers.rb +157 -0
  51. data/lib/devise_token_auth/controllers/url_helpers.rb +10 -0
  52. data/lib/devise_token_auth/engine.rb +96 -0
  53. data/lib/devise_token_auth/errors.rb +8 -0
  54. data/lib/devise_token_auth/rails/routes.rb +116 -0
  55. data/lib/devise_token_auth/token_factory.rb +126 -0
  56. data/lib/devise_token_auth/url.rb +44 -0
  57. data/lib/devise_token_auth/version.rb +5 -0
  58. data/lib/generators/devise_token_auth/USAGE +31 -0
  59. data/lib/generators/devise_token_auth/install_generator.rb +91 -0
  60. data/lib/generators/devise_token_auth/install_generator_helpers.rb +98 -0
  61. data/lib/generators/devise_token_auth/install_mongoid_generator.rb +46 -0
  62. data/lib/generators/devise_token_auth/install_views_generator.rb +18 -0
  63. data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +60 -0
  64. data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +49 -0
  65. data/lib/generators/devise_token_auth/templates/user.rb.erb +9 -0
  66. data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +56 -0
  67. data/lib/tasks/devise_token_auth_tasks.rake +6 -0
  68. data/test/controllers/custom/custom_confirmations_controller_test.rb +25 -0
  69. data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +33 -0
  70. data/test/controllers/custom/custom_passwords_controller_test.rb +79 -0
  71. data/test/controllers/custom/custom_registrations_controller_test.rb +63 -0
  72. data/test/controllers/custom/custom_sessions_controller_test.rb +39 -0
  73. data/test/controllers/custom/custom_token_validations_controller_test.rb +42 -0
  74. data/test/controllers/demo_group_controller_test.rb +151 -0
  75. data/test/controllers/demo_mang_controller_test.rb +284 -0
  76. data/test/controllers/demo_user_controller_test.rb +629 -0
  77. data/test/controllers/devise_token_auth/confirmations_controller_test.rb +191 -0
  78. data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +441 -0
  79. data/test/controllers/devise_token_auth/passwords_controller_test.rb +780 -0
  80. data/test/controllers/devise_token_auth/registrations_controller_test.rb +907 -0
  81. data/test/controllers/devise_token_auth/sessions_controller_test.rb +503 -0
  82. data/test/controllers/devise_token_auth/token_validations_controller_test.rb +102 -0
  83. data/test/controllers/devise_token_auth/unlocks_controller_test.rb +196 -0
  84. data/test/controllers/overrides/confirmations_controller_test.rb +47 -0
  85. data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +53 -0
  86. data/test/controllers/overrides/passwords_controller_test.rb +64 -0
  87. data/test/controllers/overrides/registrations_controller_test.rb +46 -0
  88. data/test/controllers/overrides/sessions_controller_test.rb +35 -0
  89. data/test/controllers/overrides/token_validations_controller_test.rb +43 -0
  90. data/test/dummy/README.rdoc +28 -0
  91. data/test/dummy/app/active_record/confirmable_user.rb +11 -0
  92. data/test/dummy/app/active_record/lockable_user.rb +7 -0
  93. data/test/dummy/app/active_record/mang.rb +5 -0
  94. data/test/dummy/app/active_record/only_email_user.rb +7 -0
  95. data/test/dummy/app/active_record/scoped_user.rb +9 -0
  96. data/test/dummy/app/active_record/unconfirmable_user.rb +9 -0
  97. data/test/dummy/app/active_record/unregisterable_user.rb +9 -0
  98. data/test/dummy/app/active_record/user.rb +6 -0
  99. data/test/dummy/app/controllers/application_controller.rb +18 -0
  100. data/test/dummy/app/controllers/auth_origin_controller.rb +7 -0
  101. data/test/dummy/app/controllers/custom/confirmations_controller.rb +13 -0
  102. data/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb +13 -0
  103. data/test/dummy/app/controllers/custom/passwords_controller.rb +39 -0
  104. data/test/dummy/app/controllers/custom/registrations_controller.rb +39 -0
  105. data/test/dummy/app/controllers/custom/sessions_controller.rb +29 -0
  106. data/test/dummy/app/controllers/custom/token_validations_controller.rb +19 -0
  107. data/test/dummy/app/controllers/demo_group_controller.rb +15 -0
  108. data/test/dummy/app/controllers/demo_mang_controller.rb +14 -0
  109. data/test/dummy/app/controllers/demo_user_controller.rb +27 -0
  110. data/test/dummy/app/controllers/overrides/confirmations_controller.rb +28 -0
  111. data/test/dummy/app/controllers/overrides/omniauth_callbacks_controller.rb +16 -0
  112. data/test/dummy/app/controllers/overrides/passwords_controller.rb +35 -0
  113. data/test/dummy/app/controllers/overrides/registrations_controller.rb +29 -0
  114. data/test/dummy/app/controllers/overrides/sessions_controller.rb +36 -0
  115. data/test/dummy/app/controllers/overrides/token_validations_controller.rb +23 -0
  116. data/test/dummy/app/helpers/application_helper.rb +1058 -0
  117. data/test/dummy/app/models/concerns/favorite_color.rb +19 -0
  118. data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
  119. data/test/dummy/app/mongoid/lockable_user.rb +38 -0
  120. data/test/dummy/app/mongoid/mang.rb +46 -0
  121. data/test/dummy/app/mongoid/only_email_user.rb +33 -0
  122. data/test/dummy/app/mongoid/scoped_user.rb +50 -0
  123. data/test/dummy/app/mongoid/unconfirmable_user.rb +44 -0
  124. data/test/dummy/app/mongoid/unregisterable_user.rb +47 -0
  125. data/test/dummy/app/mongoid/user.rb +49 -0
  126. data/test/dummy/app/views/layouts/application.html.erb +14 -0
  127. data/test/dummy/config.ru +18 -0
  128. data/test/dummy/config/application.rb +48 -0
  129. data/test/dummy/config/application.yml.bk +0 -0
  130. data/test/dummy/config/boot.rb +11 -0
  131. data/test/dummy/config/environment.rb +7 -0
  132. data/test/dummy/config/environments/development.rb +46 -0
  133. data/test/dummy/config/environments/production.rb +84 -0
  134. data/test/dummy/config/environments/test.rb +50 -0
  135. data/test/dummy/config/initializers/assets.rb +10 -0
  136. data/test/dummy/config/initializers/backtrace_silencers.rb +9 -0
  137. data/test/dummy/config/initializers/cookies_serializer.rb +5 -0
  138. data/test/dummy/config/initializers/devise.rb +290 -0
  139. data/test/dummy/config/initializers/devise_token_auth.rb +55 -0
  140. data/test/dummy/config/initializers/figaro.rb +3 -0
  141. data/test/dummy/config/initializers/filter_parameter_logging.rb +6 -0
  142. data/test/dummy/config/initializers/inflections.rb +18 -0
  143. data/test/dummy/config/initializers/mime_types.rb +6 -0
  144. data/test/dummy/config/initializers/omniauth.rb +11 -0
  145. data/test/dummy/config/initializers/session_store.rb +5 -0
  146. data/test/dummy/config/initializers/wrap_parameters.rb +16 -0
  147. data/test/dummy/config/routes.rb +57 -0
  148. data/test/dummy/config/spring.rb +3 -0
  149. data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +58 -0
  150. data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +57 -0
  151. data/test/dummy/db/migrate/20140829044006_add_operating_thetan_to_user.rb +8 -0
  152. data/test/dummy/db/migrate/20140916224624_add_favorite_color_to_mangs.rb +7 -0
  153. data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +55 -0
  154. data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +56 -0
  155. data/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +56 -0
  156. data/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb +56 -0
  157. data/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb +56 -0
  158. data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
  159. data/test/dummy/db/schema.rb +198 -0
  160. data/test/dummy/lib/migration_database_helper.rb +43 -0
  161. data/test/factories/users.rb +41 -0
  162. data/test/lib/devise_token_auth/blacklist_test.rb +11 -0
  163. data/test/lib/devise_token_auth/token_factory_test.rb +191 -0
  164. data/test/lib/devise_token_auth/url_test.rb +26 -0
  165. data/test/lib/generators/devise_token_auth/install_generator_test.rb +217 -0
  166. data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +222 -0
  167. data/test/lib/generators/devise_token_auth/install_views_generator_test.rb +25 -0
  168. data/test/models/concerns/mongoid_support_test.rb +31 -0
  169. data/test/models/concerns/tokens_serialization_test.rb +70 -0
  170. data/test/models/confirmable_user_test.rb +35 -0
  171. data/test/models/only_email_user_test.rb +29 -0
  172. data/test/models/user_test.rb +108 -0
  173. data/test/support/controllers/routes.rb +43 -0
  174. data/test/test_helper.rb +103 -0
  175. metadata +481 -0
@@ -0,0 +1,191 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'test_helper'
4
+
5
+ # was the web request successful?
6
+ # was the user redirected to the right page?
7
+ # was the user successfully authenticated?
8
+ # was the correct object stored in the response?
9
+ # was the appropriate message delivered in the json payload?
10
+
11
+ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
12
+ describe DeviseTokenAuth::ConfirmationsController do
13
+ def token_and_client_config_from(body)
14
+ token = body.match(/confirmation_token=([^&]*)&/)[1]
15
+ client_config = body.match(/config=([^&]*)&/)[1]
16
+ [token, client_config]
17
+ end
18
+
19
+ describe 'Confirmation' do
20
+ before do
21
+ @redirect_url = Faker::Internet.url
22
+ @new_user = create(:user)
23
+ @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
24
+ mail = ActionMailer::Base.deliveries.last
25
+ @token, @client_config = token_and_client_config_from(mail.body)
26
+ @token_params = %w[access-token client client_id config expiry token uid]
27
+ end
28
+
29
+ test 'should generate raw token' do
30
+ assert @token
31
+ end
32
+
33
+ test "should include config name as 'default' in confirmation link" do
34
+ assert_equal 'default', @client_config
35
+ end
36
+
37
+ test 'should store token hash in user' do
38
+ assert @new_user.confirmation_token
39
+ end
40
+
41
+ describe 'success' do
42
+ describe 'when authenticated' do
43
+ before do
44
+ sign_in(@new_user)
45
+ get :show,
46
+ params: { confirmation_token: @token,
47
+ redirect_url: @redirect_url },
48
+ xhr: true
49
+ @resource = assigns(:resource)
50
+ end
51
+
52
+ test 'user should now be confirmed' do
53
+ assert @resource.confirmed?
54
+ end
55
+
56
+ test 'should save the authentication token' do
57
+ assert @resource.reload.tokens.present?
58
+ end
59
+
60
+ test 'should redirect to success url' do
61
+ assert_redirected_to(/^#{@redirect_url}/)
62
+ end
63
+
64
+ test 'redirect url includes token params' do
65
+ assert @token_params.all? { |param| response.body.include?(param) }
66
+ assert response.body.include?('account_confirmation_success')
67
+ end
68
+ end
69
+
70
+ describe 'when unauthenticated' do
71
+ before do
72
+ sign_out(@new_user)
73
+ get :show,
74
+ params: { confirmation_token: @token,
75
+ redirect_url: @redirect_url },
76
+ xhr: true
77
+ @resource = assigns(:resource)
78
+ end
79
+
80
+ test 'user should now be confirmed' do
81
+ assert @resource.confirmed?
82
+ end
83
+
84
+ test 'should redirect to success url' do
85
+ assert_redirected_to(/^#{@redirect_url}/)
86
+ end
87
+
88
+ test 'redirect url does not include token params' do
89
+ refute @token_params.any? { |param| response.body.include?(param) }
90
+ assert response.body.include?('account_confirmation_success')
91
+ end
92
+ end
93
+
94
+ describe 'resend confirmation' do
95
+ before do
96
+ post :create,
97
+ params: { email: @new_user.email,
98
+ redirect_url: @redirect_url },
99
+ xhr: true
100
+ @resource = assigns(:resource)
101
+
102
+ @mail = ActionMailer::Base.deliveries.last
103
+ @token, @client_config = token_and_client_config_from(@mail.body)
104
+ end
105
+
106
+ test 'user should not be confirmed' do
107
+ assert_nil @resource.confirmed_at
108
+ end
109
+
110
+ test 'should generate raw token' do
111
+ assert @token
112
+ assert_equal @new_user.confirmation_token, @token
113
+ end
114
+
115
+ test 'user should receive confirmation email' do
116
+ assert_equal @resource.email, @mail['to'].to_s
117
+ end
118
+
119
+ end
120
+ end
121
+
122
+ describe 'failure' do
123
+ test 'user should not be confirmed' do
124
+ assert_raises(ActionController::RoutingError) do
125
+ get :show, params: { confirmation_token: 'bogus' }
126
+ end
127
+ @resource = assigns(:resource)
128
+ refute @resource.confirmed?
129
+ end
130
+
131
+ test 'request resend confirmation without email' do
132
+ post :create, params: { email: nil }, xhr: true
133
+
134
+ assert_equal 401, response.status
135
+ end
136
+
137
+ test 'user should not be found on resend confirmation request' do
138
+ post :create, params: { email: 'bogus' }, xhr: true
139
+
140
+ assert_equal 404, response.status
141
+ end
142
+ end
143
+ end
144
+
145
+ # test with non-standard user class
146
+ describe 'Alternate user model' do
147
+ setup do
148
+ @request.env['devise.mapping'] = Devise.mappings[:mang]
149
+ end
150
+
151
+ teardown do
152
+ @request.env['devise.mapping'] = Devise.mappings[:user]
153
+ end
154
+
155
+ before do
156
+ @config_name = 'altUser'
157
+ @new_user = create(:mang_user)
158
+
159
+ @new_user.send_confirmation_instructions(client_config: @config_name)
160
+
161
+ mail = ActionMailer::Base.deliveries.last
162
+ @token, @client_config = token_and_client_config_from(mail.body)
163
+ end
164
+
165
+ test 'should generate raw token' do
166
+ assert @token
167
+ end
168
+
169
+ test 'should include config name in confirmation link' do
170
+ assert_equal @config_name, @client_config
171
+ end
172
+
173
+ test 'should store token hash in user' do
174
+ assert @new_user.confirmation_token
175
+ end
176
+
177
+ describe 'success' do
178
+ before do
179
+ @redirect_url = Faker::Internet.url
180
+ get :show, params: { confirmation_token: @token,
181
+ redirect_url: @redirect_url }
182
+ @resource = assigns(:resource)
183
+ end
184
+
185
+ test 'user should now be confirmed' do
186
+ assert @resource.confirmed?
187
+ end
188
+ end
189
+ end
190
+ end
191
+ end
@@ -0,0 +1,441 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'test_helper'
4
+ # was the web request successful?
5
+ # was the user redirected to the right page?
6
+ # was the user successfully authenticated?
7
+ # was the correct object stored in the response?
8
+ # was the appropriate message delivered in the json payload?
9
+
10
+ class OmniauthTest < ActionDispatch::IntegrationTest
11
+ setup do
12
+ OmniAuth.config.test_mode = true
13
+ end
14
+
15
+ before do
16
+ @redirect_url = 'http://ng-token-auth.dev/'
17
+ end
18
+
19
+ def get_parsed_data_json
20
+ encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
21
+ JSON.parse(URI.unescape(encoded_json_data))
22
+ end
23
+
24
+ describe 'success callback' do
25
+ setup do
26
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
27
+ provider: 'facebook',
28
+ uid: '123545',
29
+ info: {
30
+ name: 'chong',
31
+ email: 'chongbong@aol.com'
32
+ }
33
+ )
34
+ end
35
+
36
+ test 'request should pass correct redirect_url' do
37
+ get_success
38
+ assert_equal @redirect_url,
39
+ controller.send(:omniauth_params)['auth_origin_url']
40
+ end
41
+
42
+ test 'user should have been created' do
43
+ get_success
44
+ assert @resource
45
+ end
46
+
47
+ test 'user should be assigned info from provider' do
48
+ get_success
49
+ assert_equal 'chongbong@aol.com', @resource.email
50
+ end
51
+
52
+ test 'user should be assigned token' do
53
+ get_success
54
+
55
+ client_id = controller.auth_params[:client_id]
56
+ token = controller.auth_params[:auth_token]
57
+ expiry = controller.auth_params[:expiry]
58
+
59
+ # the expiry should have been set
60
+ assert_equal expiry, @resource.tokens[client_id]['expiry'] || @resource.tokens[client_id][:expiry]
61
+
62
+ # the token sent down to the client should now be valid
63
+ assert @resource.valid_token?(token, client_id)
64
+ end
65
+
66
+ test 'session vars have been cleared' do
67
+ get_success
68
+ refute request.session['dta.omniauth.auth']
69
+ refute request.session['dta.omniauth.params']
70
+ end
71
+
72
+ test 'sign_in was called' do
73
+ DeviseTokenAuth::OmniauthCallbacksController.any_instance\
74
+ .expects(:sign_in).with(
75
+ :user, instance_of(User), has_entries(store: false, bypass: false)
76
+ )
77
+ get_success
78
+ end
79
+
80
+ test 'should be redirected via valid url' do
81
+ get_success
82
+ assert_equal 'http://www.example.com/auth/facebook/callback',
83
+ request.original_url
84
+ end
85
+
86
+ describe 'with default user model' do
87
+ before do
88
+ get_success
89
+ end
90
+ test 'request should determine the correct resource_class' do
91
+ assert_equal 'User', controller.send(:omniauth_params)['resource_class']
92
+ end
93
+
94
+ test 'user should be of the correct class' do
95
+ assert_equal User, @resource.class
96
+ end
97
+ end
98
+
99
+ describe 'with alternate user model' do
100
+ before do
101
+ get '/mangs/facebook',
102
+ params: {
103
+ auth_origin_url: @redirect_url,
104
+ omniauth_window_type: 'newWindow'
105
+ }
106
+
107
+ follow_all_redirects!
108
+
109
+ assert_equal 200, response.status
110
+ @resource = assigns(:resource)
111
+ end
112
+
113
+ test 'request should determine the correct resource_class' do
114
+ assert_equal 'Mang', controller.send(:omniauth_params)['resource_class']
115
+ end
116
+
117
+ test 'user should be of the correct class' do
118
+ assert_equal Mang, @resource.class
119
+ end
120
+ end
121
+
122
+ describe 'pass additional params' do
123
+ before do
124
+ @fav_color = 'alizarin crimson'
125
+ @unpermitted_param = 'M. Bison'
126
+ get '/auth/facebook',
127
+ params: { auth_origin_url: @redirect_url,
128
+ favorite_color: @fav_color,
129
+ name: @unpermitted_param,
130
+ omniauth_window_type: 'newWindow' }
131
+
132
+ follow_all_redirects!
133
+
134
+ @resource = assigns(:resource)
135
+ end
136
+
137
+ test 'status shows success' do
138
+ assert_equal 200, response.status
139
+ end
140
+
141
+ test 'additional attribute was passed' do
142
+ assert_equal @fav_color, @resource.favorite_color
143
+ end
144
+
145
+ test 'non-whitelisted attributes are ignored' do
146
+ refute_equal @unpermitted_param, @resource.name
147
+ end
148
+ end
149
+
150
+ describe 'oauth registration attr' do
151
+ after do
152
+ User.any_instance.unstub(:new_record?)
153
+ end
154
+
155
+ describe 'with new user' do
156
+ before do
157
+ User.any_instance.expects(:new_record?).returns(true).at_least_once
158
+ # https://docs.mongodb.com/mongoid/master/tutorials/mongoid-documents/#notes-on-persistence
159
+ User.any_instance.expects(:save!).returns(true)
160
+ end
161
+
162
+ test 'response contains oauth_registration attr' do
163
+ get '/auth/facebook',
164
+ params: { auth_origin_url: @redirect_url,
165
+ omniauth_window_type: 'newWindow' }
166
+
167
+ follow_all_redirects!
168
+
169
+ assert_equal true, controller.auth_params[:oauth_registration]
170
+ end
171
+ end
172
+
173
+ describe 'with existing user' do
174
+ before do
175
+ User.any_instance.expects(:new_record?).returns(false).at_least_once
176
+ end
177
+
178
+ test 'response does not contain oauth_registration attr' do
179
+ get '/auth/facebook',
180
+ params: { auth_origin_url: @redirect_url,
181
+ omniauth_window_type: 'newWindow' }
182
+
183
+ follow_all_redirects!
184
+
185
+ assert_equal false, controller.auth_params.key?(:oauth_registration)
186
+ end
187
+ end
188
+ end
189
+
190
+ describe 'using namespaces' do
191
+ before do
192
+ get '/api/v1/auth/facebook',
193
+ params: { auth_origin_url: @redirect_url,
194
+ omniauth_window_type: 'newWindow' }
195
+
196
+ follow_all_redirects!
197
+
198
+ @resource = assigns(:resource)
199
+ end
200
+
201
+ test 'request is successful' do
202
+ assert_equal 200, response.status
203
+ end
204
+
205
+ test 'user should have been created' do
206
+ assert @resource
207
+ end
208
+
209
+ test 'user should be of the correct class' do
210
+ assert_equal User, @resource.class
211
+ end
212
+ end
213
+
214
+ describe 'with omniauth_window_type=inAppBrowser' do
215
+ test 'response contains all expected data' do
216
+ get_success(omniauth_window_type: 'inAppBrowser')
217
+ assert_expected_data_in_new_window
218
+ end
219
+ end
220
+
221
+ describe 'with omniauth_window_type=newWindow' do
222
+ test 'response contains all expected data' do
223
+ get_success(omniauth_window_type: 'newWindow')
224
+ assert_expected_data_in_new_window
225
+ end
226
+ end
227
+
228
+ def assert_expected_data_in_new_window
229
+ data = get_parsed_data_json
230
+ expected_data = @resource.as_json.merge(controller.auth_params.as_json)
231
+ expected_data = ActiveSupport::JSON.decode(expected_data.to_json)
232
+ assert_equal(expected_data.merge('message' => 'deliverCredentials'), data)
233
+ end
234
+
235
+ describe 'with omniauth_window_type=sameWindow' do
236
+ test 'redirects to auth_origin_url with all expected query params' do
237
+ get '/auth/facebook',
238
+ params: { auth_origin_url: '/auth_origin',
239
+ omniauth_window_type: 'sameWindow' }
240
+
241
+ follow_all_redirects!
242
+
243
+ assert_equal 200, response.status
244
+
245
+ # We have been forwarded to a url with all the expected
246
+ # data in the query params.
247
+
248
+ # Assert that a uid was passed along. We have to assume
249
+ # that the rest of the values were as well, as we don't
250
+ # have access to @resource in this test anymore
251
+ assert(controller.params['uid'], 'No uid found')
252
+
253
+ # check that all the auth stuff is there
254
+ %i[auth_token client_id uid expiry config].each do |key|
255
+ assert(controller.params.key?(key), "No value for #{key.inspect}")
256
+ end
257
+ end
258
+ end
259
+
260
+ def get_success(params = {})
261
+ get '/auth/facebook',
262
+ params: {
263
+ auth_origin_url: @redirect_url,
264
+ omniauth_window_type: 'newWindow'
265
+ }.merge(params)
266
+
267
+ follow_all_redirects!
268
+
269
+ assert_equal 200, response.status
270
+
271
+ @resource = assigns(:resource)
272
+ end
273
+ end
274
+
275
+ describe 'failure callback' do
276
+ setup do
277
+ OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
278
+ OmniAuth.config.on_failure = proc { |env|
279
+ OmniAuth::FailureEndpoint.new(env).redirect_to_failure
280
+ }
281
+ end
282
+
283
+ test 'renders expected data' do
284
+ silence_omniauth do
285
+ get '/auth/facebook',
286
+ params: { auth_origin_url: @redirect_url,
287
+ omniauth_window_type: 'newWindow' }
288
+
289
+ follow_all_redirects!
290
+ end
291
+
292
+ assert_equal 200, response.status
293
+
294
+ data = get_parsed_data_json
295
+
296
+ assert_equal({ 'error' => 'invalid_credentials', 'message' => 'authFailure' }, data)
297
+ end
298
+
299
+ test 'renders something with no auth_origin_url' do
300
+ silence_omniauth do
301
+ get '/auth/facebook'
302
+ follow_all_redirects!
303
+ end
304
+ assert_equal 200, response.status
305
+ assert_select 'body', 'invalid_credentials'
306
+ end
307
+ end
308
+
309
+ describe 'User with only :database_authenticatable and :registerable included' do
310
+ test 'OnlyEmailUser should not be able to use OAuth' do
311
+ assert_raises(ActionController::RoutingError) do
312
+ get '/only_email_auth/facebook',
313
+ params: { auth_origin_url: @redirect_url }
314
+ follow_all_redirects!
315
+ end
316
+ end
317
+ end
318
+
319
+ describe 'Using redirect_whitelist' do
320
+
321
+ describe "newWindow" do
322
+ before do
323
+ @user_email = 'slemp.diggler@sillybandz.gov'
324
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
325
+ provider: 'facebook',
326
+ uid: '123545',
327
+ info: {
328
+ name: 'chong',
329
+ email: @user_email
330
+ }
331
+ )
332
+ @good_redirect_url = Faker::Internet.url
333
+ @bad_redirect_url = Faker::Internet.url
334
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
335
+ end
336
+
337
+ teardown do
338
+ DeviseTokenAuth.redirect_whitelist = nil
339
+ end
340
+
341
+ test 'request using non-whitelisted redirect fail' do
342
+ get '/auth/facebook',
343
+ params: { auth_origin_url: @bad_redirect_url,
344
+ omniauth_window_type: 'newWindow' }
345
+
346
+ follow_all_redirects!
347
+
348
+ data = get_parsed_data_json
349
+ assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
350
+ data['error']
351
+ end
352
+
353
+ test 'request to whitelisted redirect should succeed' do
354
+ get '/auth/facebook',
355
+ params: {
356
+ auth_origin_url: @good_redirect_url,
357
+ omniauth_window_type: 'newWindow'
358
+ }
359
+
360
+ follow_all_redirects!
361
+
362
+ data = get_parsed_data_json
363
+ assert_equal @user_email, data['email']
364
+ end
365
+
366
+ test 'should support wildcards' do
367
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
368
+ get '/auth/facebook',
369
+ params: { auth_origin_url: @good_redirect_url,
370
+ omniauth_window_type: 'newWindow' }
371
+
372
+ follow_all_redirects!
373
+
374
+ data = get_parsed_data_json
375
+ assert_equal @user_email, data['email']
376
+ end
377
+ end
378
+
379
+ describe "sameWindow" do
380
+ before do
381
+ @user_email = 'slemp.diggler@sillybandz.gov'
382
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
383
+ provider: 'facebook',
384
+ uid: '123545',
385
+ info: {
386
+ name: 'chong',
387
+ email: @user_email
388
+ }
389
+ )
390
+ @good_redirect_url = '/auth_origin'
391
+ @bad_redirect_url = Faker::Internet.url
392
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
393
+ end
394
+
395
+ teardown do
396
+ DeviseTokenAuth.redirect_whitelist = nil
397
+ end
398
+
399
+ test 'request using non-whitelisted redirect fail' do
400
+ get '/auth/facebook',
401
+ params: { auth_origin_url: @bad_redirect_url,
402
+ omniauth_window_type: 'sameWindow' }
403
+
404
+ follow_all_redirects!
405
+
406
+ assert_equal 200, response.status
407
+ assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
408
+ end
409
+
410
+ test 'request to whitelisted redirect should succeed' do
411
+ get '/auth/facebook',
412
+ params: {
413
+ auth_origin_url: '/auth_origin',
414
+ omniauth_window_type: 'sameWindow'
415
+ }
416
+
417
+ follow_all_redirects!
418
+
419
+ assert_equal 200, response.status
420
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
421
+ end
422
+
423
+ test 'should support wildcards' do
424
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
425
+ get '/auth/facebook',
426
+ params: {
427
+ auth_origin_url: '/auth_origin',
428
+ omniauth_window_type: 'sameWindow'
429
+ }
430
+
431
+ follow_all_redirects!
432
+
433
+ assert_equal 200, response.status
434
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
435
+ end
436
+
437
+
438
+ end
439
+
440
+ end
441
+ end