solidus_auth_devise 2.2.0 → 2.5.2

data/spec/controllers/spree/users_controller_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::UsersController, type: :controller do
+# frozen_string_literal: true
 
+RSpec.describe Spree::UsersController, type: :controller do
   let(:admin_user) { create(:user) }
   let(:user) { create(:user) }
   let(:role) { create(:role) }
@@ -22,7 +23,6 @@ RSpec.describe Spree::UsersController, type: :controller do
     before { sign_in(user) }
 
     context 'when updating own account' do
-
       context 'when user updated successfuly' do
         before { put :update, params: { user: { email: 'mynew@email-address.com' } } }
 

data/spec/factories/confirmed_user.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 FactoryBot.define do
   factory :confirmed_user, parent: :user do
-    confirmed_at { Time.now }
-    confirmation_sent_at { Time.now }
+    confirmed_at { Time.zone.now }
+    confirmation_sent_at { Time.zone.now }
     confirmation_token { "12345" }
   end
-end
+end

data/spec/features/account_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Accounts', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Accounts', type: :feature do
   context 'editing' do
     scenario 'can edit an admin user' do
       user = create(:admin_user, email: 'admin@person.com', password: 'password', password_confirmation: 'password')
@@ -14,7 +15,7 @@ RSpec.feature 'Accounts', type: :feature do
     end
 
     scenario 'can edit a new user' do
-      Spree::Auth::Config.set(signout_after_password_change: false)
+      stub_spree_preferences(Spree::Auth::Config, signout_after_password_change: false)
       visit spree.signup_path
 
       fill_in 'Email', with: 'email@person.com'
@@ -35,7 +36,7 @@ RSpec.feature 'Accounts', type: :feature do
     end
 
     scenario 'can edit an existing user account' do
-      Spree::Auth::Config.set(signout_after_password_change: false)
+      stub_spree_preferences(Spree::Auth::Config ,signout_after_password_change: false)
       user = create(:user, email: 'email@person.com', password: 'secret', password_confirmation: 'secret')
       visit spree.login_path
 

data/spec/features/admin/password_reset_spec.rb

@@ -1,24 +1,80 @@
-RSpec.feature 'Admin - Reset Password', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin - Reset Password', type: :feature do
   let!(:store) { create(:store) }
 
   background do
     ActionMailer::Base.default_url_options[:host] = 'http://example.com'
   end
 
-  scenario 'allows a user to supply an email for the password reset' do
-    user = create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret')
-    visit spree.admin_login_path
-    click_link 'Forgot Password?'
-    fill_in 'Email', with: 'foobar@example.com'
-    click_button 'Reset my password'
-    expect(page).to have_text 'You will receive an email with instructions'
+  context 'when an account with this email address exists' do
+    let!(:user) { create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret') }
+
+    scenario 'allows a user to supply an email for the password reset' do
+      visit spree.admin_login_path
+      click_link 'Forgot Password?'
+      fill_in_email
+      click_button 'Reset my password'
+      expect(page).to have_text 'you will receive an email with instructions'
+    end
   end
 
-  scenario 'shows errors if no email is supplied' do
+  # Revealing that an admin email address is not found allows an attacker to
+  # find admin account email addresses by trying email addresses until this
+  # error is not shown.
+  scenario 'does not reveal email addresses if they are not found' do
     visit spree.admin_login_path
     click_link 'Forgot Password?'
+    fill_in_email
     click_button 'Reset my password'
-    expect(page).to have_text "Email can't be blank"
+    expect(page).to_not have_text "Email not found"
+    expect(page).to have_text 'you will receive an email with instructions'
+  end
+
+  def fill_in_email
+    fill_in 'Email', with: 'foobar@example.com'
+  end
+
+  context 'password management' do
+    let!(:admin) do
+      create(:admin_user,
+        email: 'admin@example.com',
+        password: 'secret',
+        password_confirmation: 'secret'
+      )
+    end
+
+    let!(:user) do
+      create(:user,
+        email: 'user@example.com',
+        password: 'test123',
+        password_confirmation: 'test123'
+      )
+    end
+
+    before do
+      visit spree.admin_login_path
+      fill_in 'Email', with: admin.email
+      fill_in 'Password', with: admin.password
+      click_button 'Login'
+      visit spree.admin_users_path
+    end
+
+    context 'if currently logged-in admin' do
+      context "clicks on an user's page" do
+        it 'can reset its password' do
+          within("#spree_user_#{user.id}") do
+            click_link user.email
+          end
+
+          click_button 'Reset password'
+          expect(page).to have_content(
+            'If an account with that email address exists, '\
+            'you will receive an email with instructions about '\
+            'how to reset your password in a few minutes.'
+          )
+        end
+      end
+    end
   end
 end

data/spec/features/admin/products_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin products', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin products', type: :feature do
   context 'as anonymous user' do
     # Regression test for #1250
     scenario 'redirects to login page when attempting to access product listing' do

data/spec/features/admin/sign_in_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin - Sign In', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin - Sign In', type: :feature do
   background do
     @user = create(:user, email: 'email@person.com')
     visit spree.admin_login_path

data/spec/features/admin/sign_out_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin - Sign Out', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin - Sign Out', type: :feature, js: true do
   given!(:user) do
    create :user, email: 'email@person.com'
   end

data/spec/features/admin_permissions_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Admin Permissions', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Admin Permissions', type: :feature do
   context 'orders' do
     background do
       user = create(:admin_user, email: 'admin@person.com', password: 'password', password_confirmation: 'password')

data/spec/features/change_email_spec.rb

@@ -1,7 +1,8 @@
-RSpec.feature 'Change email', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Change email', type: :feature do
   background do
-    Spree::Auth::Config.set(signout_after_password_change: false)
+    stub_spree_preferences(Spree::Auth::Config, signout_after_password_change: false)
 
     user = create(:user)
     visit spree.root_path

data/spec/features/checkout_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.feature 'Checkout', :js, type: :feature do
   given!(:store) { create(:store) }
   given!(:country) { create(:country, name: 'United States', states_required: true) }
@@ -15,17 +17,17 @@ RSpec.feature 'Checkout', :js, type: :feature do
 
   background do
     @product = create(:product, name: 'RoR Mug')
-    @product.master.stock_items.first.update_column(:count_on_hand, 1)
+    @product.master.stock_items.first.set_count_on_hand(1)
 
     # Bypass gateway error on checkout | ..or stub a gateway
-    Spree::Config[:allow_checkout_on_gateway_error] = true
+    stub_spree_preferences(allow_checkout_on_gateway_error: true)
 
     visit spree.root_path
   end
 
   # Regression test for https://github.com/solidusio/solidus/issues/1588
   scenario 'leaving and returning to address step' do
-    Spree::Auth::Config.set(registration_step: true)
+    stub_spree_preferences(Spree::Auth::Config, registration_step: true)
     click_link 'RoR Mug'
     click_button 'Add To Cart'
     within('h1') { expect(page).to have_text 'Shopping Cart' }
@@ -58,15 +60,9 @@ RSpec.feature 'Checkout', :js, type: :feature do
       expect(page).to have_text(/Billing Address/i)
       expect(page).to have_text(/Shipping Address/i)
 
-      str_addr = 'bill_address'
-      select 'United States', from: "order_#{str_addr}_attributes_country_id"
-      %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
-      end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
-      check 'order_use_billing'
-
+      fill_addresses_fields_with(address)
       click_button 'Save and Continue'
+
       click_button 'Save and Continue'
       click_button 'Save and Continue'
       click_button 'Place Order'
@@ -90,15 +86,9 @@ RSpec.feature 'Checkout', :js, type: :feature do
 
       click_button 'Checkout'
 
-      str_addr = 'bill_address'
-      select 'United States', from: "order_#{str_addr}_attributes_country_id"
-      %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
-      end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
-      check 'order_use_billing'
-
+      fill_addresses_fields_with(address)
       click_button 'Save and Continue'
+
       click_button 'Save and Continue'
       click_button 'Save and Continue'
       click_button 'Place Order'
@@ -109,7 +99,7 @@ RSpec.feature 'Checkout', :js, type: :feature do
 
     # Regression test for #890
     scenario 'associate an incomplete guest order with user after successful password reset' do
-      user = create(:user, email: 'email@person.com', password: 'password', password_confirmation: 'password')
+      create(:user, email: 'email@person.com', password: 'password', password_confirmation: 'password')
       click_link 'RoR Mug'
       click_button 'Add To Cart'
 
@@ -132,14 +122,7 @@ RSpec.feature 'Checkout', :js, type: :feature do
       click_link 'Cart'
       click_button 'Checkout'
 
-      str_addr = 'bill_address'
-      select 'United States', from: "order_#{str_addr}_attributes_country_id"
-      %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
-      end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
-      check 'order_use_billing'
-
+      fill_addresses_fields_with(address)
       click_button 'Save and Continue'
 
       expect(page).not_to have_text 'Email is invalid'
@@ -161,21 +144,15 @@ RSpec.feature 'Checkout', :js, type: :feature do
 
       expect(page).to have_text 'You have signed up successfully.'
 
-      str_addr = 'bill_address'
-      select 'United States', from: "order_#{str_addr}_attributes_country_id"
-      %w(firstname lastname address1 city zipcode phone).each do |field|
-        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
-      end
-      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
-      check 'order_use_billing'
-
+      fill_addresses_fields_with(address)
       click_button 'Save and Continue'
+
       click_button 'Save and Continue'
       click_button 'Save and Continue'
       click_button 'Place Order'
 
       expect(page).to have_text 'Your order has been processed successfully'
-      expect(Spree::Order.first.user).to eq Spree::User.find_by_email('email@person.com')
+      expect(Spree::Order.first.user).to eq Spree::User.find_by(email: 'email@person.com')
     end
   end
 end

data/spec/features/confirmation_spec.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
-feature 'Confirmation' do
+RSpec.feature 'Confirmation' do
   before do
-    set_confirmable_option(false)
     allow(Spree::UserMailer).to receive(:confirmation_instructions)
       .and_return(double(deliver: true))
   end
@@ -13,7 +14,7 @@ feature 'Confirmation' do
     ActionMailer::Base.default_url_options[:host] = 'http://example.com'
   end
 
-  scenario 'create a new user', :js do
+  scenario 'create a new user', js: true, confirmable: false do
     visit spree.signup_path
 
     fill_in 'Email', with: 'email@person.com'

data/spec/features/order_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Orders', :js, type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Orders', :js, type: :feature do
   scenario 'allow a user to view their cart at any time' do
     visit spree.cart_path
     expect(page).to have_text 'Your cart is empty'

data/spec/features/password_reset_spec.rb

@@ -1,24 +1,37 @@
-RSpec.feature 'Reset Password', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Reset Password', type: :feature do
   let!(:store) { create(:store) }
 
   background do
     ActionMailer::Base.default_url_options[:host] = 'http://example.com'
   end
 
-  scenario 'allow a user to supply an email for the password reset' do
-    user = create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret')
-    visit spree.login_path
-    click_link 'Forgot Password?'
-    fill_in 'Email', with: 'foobar@example.com'
-    click_button 'Reset my password'
-    expect(page).to have_text 'You will receive an email with instructions'
+  context 'when an account with this email address exists' do
+    let!(:user) { create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret') }
+
+    scenario 'allows a user to supply an email for the password reset' do
+      visit spree.login_path
+      click_link 'Forgot Password?'
+      fill_in_email
+      click_button 'Reset my password'
+      expect(page).to have_text 'you will receive an email with instructions'
+    end
   end
 
-  scenario 'shows errors if no email is supplied' do
+  # Test that we are extending the functionality from
+  # https://github.com/solidusio/solidus_auth_devise/pull/155
+  # to the non-admin login
+  scenario 'does not reveal email addresses if they are not found' do
     visit spree.login_path
     click_link 'Forgot Password?'
+    fill_in_email
     click_button 'Reset my password'
-    expect(page).to have_text "Email can't be blank"
+    expect(page).to_not have_text "Email not found"
+    expect(page).to have_text 'you will receive an email with instructions'
+  end
+
+  def fill_in_email
+    fill_in 'Email', with: 'foobar@example.com'
   end
 end

data/spec/features/sign_in_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Sign In', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Sign In', type: :feature do
   background do
     @user = create(:user, email: 'email@person.com', password: 'secret', password_confirmation: 'secret')
     visit spree.login_path

data/spec/features/sign_out_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Sign Out', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Sign Out', type: :feature, js: true do
   given!(:user) do
    create(:user,
           email: 'email@person.com',
@@ -19,7 +20,7 @@ RSpec.feature 'Sign Out', type: :feature do
   scenario 'allow a signed in user to logout' do
     click_link 'Logout'
     visit spree.root_path
-    expect(page).to have_text 'Login'
-    expect(page).not_to have_text 'Logout'
+    expect(page).to have_text 'LOGIN'
+    expect(page).not_to have_text 'LOGOUT'
   end
 end

data/spec/features/sign_up_spec.rb

@@ -1,5 +1,6 @@
-RSpec.feature 'Sign Up', type: :feature do
+# frozen_string_literal: true
 
+RSpec.feature 'Sign Up', type: :feature do
   context 'with valid data' do
     scenario 'create a new user' do
       visit spree.signup_path

data/spec/mailers/user_mailer_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::UserMailer, type: :mailer do
+# frozen_string_literal: true
 
+RSpec.describe Spree::UserMailer, type: :mailer do
   let!(:store) { create(:store) }
   let(:user) { create(:user) }
 

data/spec/models/order_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::Order, type: :model do
+# frozen_string_literal: true
 
+RSpec.describe Spree::Order, type: :model do
   let(:order) { described_class.new }
 
   context '#associate_user!' do

data/spec/models/user_spec.rb

@@ -1,5 +1,6 @@
-RSpec.describe Spree::User, type: :model do
+# frozen_string_literal: true
 
+RSpec.describe Spree::User, type: :model do
   before(:all) { Spree::Role.create name: 'admin' }
 
   it '#admin?' do
@@ -77,17 +78,22 @@ RSpec.describe Spree::User, type: :model do
     end
   end
 
+  describe '#really_destroy!' do
+    let(:user) { create(:user) }
+
+    it 'removes the record from the database' do
+      user.really_destroy!
+      expect(Spree::User.with_deleted.exists?(id: user.id)).to eql false
+    end
+  end
+
   describe "confirmable" do
-    it "is confirmable if the confirmable option is enabled" do
-      set_confirmable_option(true)
-      allow(Spree::UserMailer).to receive(:confirmation_instructions).and_return(double(deliver: true))
-      expect(Spree::User.devise_modules).to include(:confirmable)
-      set_confirmable_option(false)
+    it "loads Devise's :confirmable module when :confirmable is true", confirmable: true do
+      expect(Spree::User.ancestors).to include(Devise::Models::Confirmable)
     end
 
-    it "is not confirmable if the confirmable option is disabled" do
-      set_confirmable_option(false)
-      expect(Spree::User.devise_modules).to_not include(:confirmable)
+    it "does not load Devise's :confirmable module when :confirmable is false", confirmable: false do
+      expect(Spree::User.ancestors).not_to include(Devise::Models::Confirmable)
     end
   end
 end