signinable 2.0.12 → 2.0.15

data/spec/models/signin_spec.rb

@@ -3,50 +3,100 @@
 require 'rails_helper'
 
 describe Signin do
-  it 'has a valid factory' do
-    signin = build(:signin)
-    expect(signin).to be_valid
-  end
+  describe '#expired?' do
+    let(:expiration_time) { Time.zone.now + 1.hour }
+    let(:signin) { create(:signin, expiration_time: expiration_time) }
 
-  context 'is invalid without' do
-    it 'a token' do
-      signin = create(:signin)
-      signin.token = nil
-      expect(signin).to_not be_valid
+    it 'returns false when not expired' do
+      expect(signin).to_not be_expired
     end
 
-    it 'an ip' do
-      expect(build(:signin, ip: nil)).to_not be_valid
+    it 'returns true when expired' do
+      Timecop.travel(expiration_time) do
+        expect(signin).to be_expired
+      end
     end
   end
 
-  it 'should generate token on create' do
-    signin = create(:signin, token: nil)
-    expect(signin.token).to_not be_nil
-  end
-
-  context 'not valid with' do
-    it 'wrong ip' do
-      expect(build(:signin, ip: '123')).to_not be_valid
+  describe '#expireable?' do
+    it 'returns false when expireable' do
+      signin = create(:signin, expiration_time: nil)
+      expect(signin).to_not be_expireable
     end
-  end
 
-  it 'should expire' do
-    Timecop.freeze
-    expiration_time = Time.zone.now + 1.hour
-    signin = create(:signin, expiration_time: expiration_time)
-    Timecop.travel(expiration_time)
-    expect(signin).to be_expired
-    Timecop.return
+    it 'returns true when expireable' do
+      signin = create(:signin, expiration_time: Time.zone.now)
+      expect(signin).to be_expireable
+    end
   end
 
-  describe '.expire!' do
-    it 'should set expiration_time to now' do
-      Timecop.freeze
+  describe '#expire!' do
+    it 'sets expiration_time to now' do
       signin = create(:signin, expiration_time: (Time.zone.now + 1.hour))
+      allow(signin).to receive(:renew!)
       signin.expire!
-      expect(signin).to be_expired
-      Timecop.return
+      expect(signin).to have_received(:renew!).with(period: 0, ip: signin.ip, user_agent: signin.user_agent)
+    end
+  end
+
+  describe '#renew!' do
+    let(:signin) { create(:signin) }
+    let(:attrs) do
+      {
+        period: 100,
+        ip: signin.ip,
+        user_agent: signin.user_agent,
+        refresh_token: false
+      }
+    end
+
+    before(:each) do
+      allow(signin).to receive(:update!)
+    end
+
+    it 'updates ip and user_agent' do
+      signin.renew!(**attrs)
+      expect(signin).to have_received(:update!).with(hash_including(ip: signin.ip, user_agent: signin.user_agent))
+    end
+
+    context 'when expireable' do
+      before(:each) do
+        allow(signin).to receive(:expireable?).and_return(true)
+      end
+
+      it 'updates expiration_time' do
+        Timecop.freeze do
+          signin.renew!(**attrs)
+          expect(signin).to have_received(:update!).with(hash_including(expiration_time: Time.zone.now + attrs[:period]))
+        end
+      end
+    end
+
+    context 'when not expireable' do
+      before(:each) do
+        allow(signin).to receive(:expireable?).and_return(false)
+      end
+
+      it 'does not update expiration_time' do
+        signin.renew!(**attrs)
+        expect(signin).to have_received(:update!).with(hash_excluding(expiration_time: Time.zone.now + attrs[:period]))
+      end
+    end
+
+    context 'when need to refresh_token' do
+      it 'updates expiration_time' do
+        allow(SecureRandom).to receive(:urlsafe_base64).and_return('bla')
+        signin.renew!(**attrs.merge(refresh_token: true))
+        expect(signin).to have_received(:update!).with(hash_including(token: 'bla'))
+      end
+    end
+
+    context 'when no need to refresh_token' do
+      it 'does not update expiration_time' do
+        allow(SecureRandom).to receive(:urlsafe_base64).and_return('bla')
+        signin.renew!(**attrs)
+        expect(signin).to have_received(:update!).with(hash_excluding(token: 'bla'))
+      end
     end
   end
 end

data/spec/models/user_spec.rb

@@ -15,118 +15,248 @@ describe User do
     Timecop.return
   end
 
-  describe '.signin' do
+  describe '#signin' do
     it 'should create Signin' do
       expect do
         sign_in_user(user, credentials)
       end.to change(Signin, :count).by(1)
     end
 
+    it 'sets jwt on user instance' do
+      expect do
+        sign_in_user(user, credentials)
+      end.to change(user, :jwt).from(nil)
+    end
+
+    it 'should generate jwt with correct payload' do
+      sign_in_user(user, credentials)
+      signin = user.last_signin
+      payload = JWT.decode(user.jwt, 'test', true, { algorithm: 'HS256' })[0]
+      expect(payload).to include(
+        'refresh_token' => signin.token,
+        'signinable_id' => user.id
+      )
+    end
+
     it 'should set expiration_time' do
-      signin = sign_in_user(user, credentials)
-      expect(signin.expiration_time.to_i).to eq((Time.zone.now + User.signin_expiration).to_i)
+      sign_in_user(user, credentials)
+      signin = user.last_signin
+      expect(signin.expiration_time.to_i).to eq((Time.zone.now + User.refresh_exp).to_i)
     end
 
     it 'should not set expiration_time' do
-      allow(User).to receive(:signin_expiration).and_return(0)
-      signin = sign_in_user(user, credentials)
+      allow(described_class).to receive(:refresh_exp).and_return(0)
+      sign_in_user(user, credentials)
+      signin = user.last_signin
       expect(signin.expiration_time).to be_nil
     end
+
+    context 'when simultaneous signins enabled' do
+      before do
+        allow(described_class).to receive(:simultaneous_signings).and_return(true)
+      end
+
+      it 'does not expire active signins' do
+        sign_in_user(user, credentials)
+        sign_in_user(user, credentials)
+        expect(user.signins.active.count).to eq(2)
+      end
+    end
+
+    context 'when simultaneous signins disabled' do
+      before do
+        allow(described_class).to receive(:simultaneous_signings).and_return(false)
+      end
+
+      it 'expires active signins' do
+        sign_in_user(user, credentials)
+        sign_in_user(user, credentials)
+        expect(user.signins.active.count).to eq(1)
+      end
+    end
   end
 
-  describe '.signout' do
+  describe '#signout' do
     it 'should expire signin' do
-      signin = sign_in_user(user, credentials)
+      sign_in_user(user, credentials)
+      signin = user.last_signin
       sign_out_user(signin, credentials)
       expect(signin.reload).to be_expired
     end
 
-    context 'should be allowed with' do
+    context 'when has no restrictions' do
       %i[ip user_agent].each do |c|
-        it "changed #{c} if not restricted" do
-          signin = sign_in_user(user, credentials)
+        it "allows signout when #{c} changes" do
+          sign_in_user(user, credentials)
+          signin = user.last_signin
           expect(sign_out_user(signin, credentials)).to be_truthy
         end
       end
     end
 
-    context 'should not be allowed with' do
+    context 'when has restrictions' do
       %i[ip user_agent].each do |c|
-        it "changed #{c} if restricted" do
-          allow(User).to receive(:signin_restrictions).and_return([c])
-          signin = sign_in_user(user, credentials)
+        it "forbids signout when #{c} changes" do
+          allow(described_class).to receive(:signin_restrictions).and_return([c])
+          sign_in_user(user, credentials)
+          signin = user.last_signin
           expect(sign_out_user(signin, other_credentials)).to be_nil
         end
       end
     end
   end
 
-  describe '#authenticate_with_token' do
-    context 'expiration_time' do
-      it 'should be changed after authentication' do
-        signin = sign_in_user(user, credentials)
-        old_time = signin.expiration_time
-        new_time = signin.expiration_time - 1.hour
-        Timecop.travel(new_time)
-        User.authenticate_with_token(signin.token, *credentials)
-        signin.reload
-        expect(signin.expiration_time.to_i).to eq((new_time + User.signin_expiration).to_i)
+  describe '#last_signin' do
+    it 'retuns nil when no signins' do
+      expect(user.last_signin).to be_nil
+    end
+
+    it 'returns last active signin' do
+      sign_in_user(user, credentials)
+      sign_in_user(user, credentials)
+      signin = user.signins.active.last
+      sign_in_user(user, credentials)
+      user.signins.last.expire!
+
+      expect(user.last_signin).to eq(signin)
+    end
+  end
+
+  describe '.generate_jwt' do
+    let(:token) { SecureRandom.urlsafe_base64(rand(50..100)) }
+
+    it 'sets correct payload' do
+      jwt = described_class.generate_jwt(token, user.id)
+      payload = JWT.decode(jwt, described_class.jwt_secret, true, { algorithm: 'HS256' })[0]
+      expect(payload).to eq(
+        'refresh_token' => token,
+        'signinable_id' => user.id,
+        'exp' => Time.zone.now.to_i + described_class.jwt_exp
+      )
+    end
+  end
+
+  describe '.authenticate_with_token' do
+    context 'when jwt is invalid' do
+      it 'returns nil' do
+        expect(described_class.authenticate_with_token('blablabla', *credentials)).to be_nil
+      end
+    end
+
+    context 'when jwt has not expired' do
+      before(:each) do
+        sign_in_user(user, credentials)
+      end
+
+      it 'returns nil if user not found' do
+        allow(described_class).to receive(:find_by).and_return(nil)
+        expect(described_class.authenticate_with_token(user.jwt, *credentials)).to be_nil
+      end
+
+      it 'returns user' do
+        expect(described_class.authenticate_with_token(user.jwt, *credentials)).to eq(user)
       end
 
-      it 'should not be changed after authentication' do
-        allow(User).to receive(:signin_expiration).and_return(0)
-        signin = sign_in_user(user, credentials)
-        old_time = signin.expiration_time
-        Timecop.travel(Time.zone.now + 1.hour)
-        User.authenticate_with_token(signin.token, *credentials)
-        signin.reload
-        expect(signin.expiration_time.to_i).to eq(old_time.to_i)
+      it 'returns jwt with user' do
+        expect(described_class.authenticate_with_token(user.jwt, *credentials).jwt).to eq(user.jwt)
+      end
+
+      it 'does not update refresh token' do
+        allow(described_class).to receive(:refresh_jwt)
+        described_class.authenticate_with_token(user.jwt, *credentials)
+        expect(described_class).not_to have_received(:refresh_jwt)
       end
     end
 
-    context 'should allow signin with' do
-      it 'not last token if simultaneous is permitted' do
-        signin1 = sign_in_user(user, credentials)
-        signin2 = sign_in_user(user, credentials)
-        expect(User.authenticate_with_token(signin1.token, *credentials)).to eq(user)
-        expect(User.authenticate_with_token(signin2.token, *credentials)).to eq(user)
+    context 'when jwt has expired' do
+      before(:each) do
+        sign_in_user(user, credentials)
+        Timecop.travel(Time.zone.now + described_class.jwt_exp)
       end
 
-      it 'valid token' do
-        signin = sign_in_user(user, credentials)
-        expect(User.authenticate_with_token(signin.token, *credentials)).to eq(user)
+      it 'does not do user lookup' do
+        allow(described_class).to receive(:find_by)
+        described_class.authenticate_with_token(user.jwt, *credentials)
+        expect(described_class).not_to have_received(:find_by)
       end
 
-      %i[ip user_agent].each do |c|
-        it "changed #{c} if not restricted" do
-          signin = sign_in_user(user, credentials)
-          expect(User.authenticate_with_token(signin.token, *other_credentials)).to eq(user)
-        end
+      it 'calls for refresh token' do
+        allow(described_class).to receive(:refresh_jwt)
+        described_class.authenticate_with_token(user.jwt, *credentials)
+        expect(described_class).to have_received(:refresh_jwt)
       end
     end
+  end
 
-    context 'should not allow signin with' do
-      it 'not last token if simultaneous not permitted' do
-        allow(User).to receive(:simultaneous_signings).and_return(false)
-        signin1 = sign_in_user(user, credentials)
-        signin2 = sign_in_user(user, credentials)
-        expect(User.authenticate_with_token(signin1.token, *credentials)).to be_nil
-        expect(User.authenticate_with_token(signin2.token, *credentials)).to eq(user)
+  describe '.refresh_jwt' do
+    context 'when jwt is invalid' do
+      it 'returns nil' do
+        expect(described_class.refresh_jwt('blablabla', *credentials)).to be_nil
       end
+    end
 
-      it 'expired token' do
-        signin = sign_in_user(user, credentials)
-        user.signout(signin.token, *credentials)
-        expect(User.authenticate_with_token(signin.token, *credentials)).to be_nil
+    it 'returns nil when signin not found' do
+      jwt = described_class.generate_jwt('blablabla', 0)
+      expect(described_class.refresh_jwt(jwt, *credentials)).to be_nil
+    end
+
+    it 'returns nil when signin expired' do
+      sign_in_user(user, credentials)
+      signin = user.last_signin
+      Timecop.travel(Time.zone.now + described_class.refresh_exp)
+      expect(described_class.refresh_jwt(user.jwt, *credentials)).to be_nil
+    end
+
+    context 'when has no restrictions' do
+      %i[ip user_agent].each do |c|
+        it "allows signin when #{c} changed" do
+          sign_in_user(user, credentials)
+          expect(described_class.refresh_jwt(user.jwt, *other_credentials)).to eq(user)
+        end
       end
+    end
 
+    context 'when has restrictions' do
       %i[ip user_agent].each do |c|
-        it "changed #{c} if restricted" do
+        it "forbids signin when #{c} changed" do
           allow(User).to receive(:signin_restrictions).and_return([c])
-          signin = sign_in_user(user, credentials)
-          expect(User.authenticate_with_token(signin.token, *other_credentials)).to be_nil
+          sign_in_user(user, credentials)
+          expect(described_class.refresh_jwt(user.jwt, *other_credentials)).to be_nil
         end
       end
     end
+
+    it 'renews signin' do
+      sign_in_user(user, credentials)
+      signin = user.last_signin
+      allow(signin).to receive(:renew!)
+      allow(Signin).to receive(:find_by).with(token: signin.token).and_return(signin)
+
+      described_class.refresh_jwt(user.jwt, *credentials)
+      expect(signin).to have_received(:renew!).with(period: described_class.expiration_period, ip: credentials[0],
+                                                    user_agent: credentials[1], refresh_token: true)
+    end
+
+    it 'assigns new jwt' do
+      sign_in_user(user, credentials)
+      signin = user.last_signin
+      allow(user).to receive(:jwt=)
+      allow(signin).to receive(:signinable).and_return(user)
+      allow(Signin).to receive(:find_by).with(token: signin.token).and_return(signin)
+      allow(described_class).to receive(:generate_jwt).and_return('bla')
+
+      described_class.refresh_jwt(user.jwt, *credentials)
+      expect(user).to have_received(:jwt=).with('bla')
+    end
+
+    it 'regenerates jwt' do
+      sign_in_user(user, credentials)
+      signin = user.last_signin
+      allow(described_class).to receive(:generate_jwt)
+
+      described_class.refresh_jwt(user.jwt, *credentials)
+      signin.reload
+      expect(described_class).to have_received(:generate_jwt).with(signin.token, signin.signinable_id)
+    end
   end
 end

data/spec/support/utilities.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 def sign_in_user(user, credentials)
-  token = user.signin(*credentials, 'referer')
-  Signin.find_by_token(token)
+  user.signin(*credentials, 'referer')
 end
 
 def sign_out_user(signin, credentials)

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: signinable
 version: !ruby/object:Gem::Version
-  version: 2.0.12
+  version: 2.0.15
 platform: ruby
 authors:
 - Ivan Novozhenets
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-14 00:00:00.000000000 Z
+date: 2022-06-16 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.1
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement